Management Roles Needed to Access People

EmpowerID employs Management Roles to control access to its resources. Users must be assigned appropriate roles to manage and interact with personnel data within the system. These Management Roles are categorized based on their functional prefixes in EmpowerID, as described below.

  • UI Roles: These roles, identified by the "UI" prefix, provide users access to specific interface elements within the EmpowerID interfaces. For instance, the role "UI-Person-Object-Administration" enables access to user interfaces and workflows essential for managing Person objects.

  • VIS Roles: Roles starting with "VIS" enable users to view specific objects within EmpowerID. A typical role in this category is "VIS-Person-MyLocations," which allows users to view personnel in the same location as the person in this role.

  • ACT Roles: These roles, prefixed with "ACT," authorize users to actively manage specific objects in EmpowerID. For example, "ACT-Person-Role-Assignment-All" grants users access to assign or unassign roles to personnel.

To facilitate efficient role management, EmpowerID offers "Role Bundle" Management Roles. These bundles are pre-configured with the requisite roles necessary for various operational scenarios, allowing for convenient and rapid deployment of access rights suited to specific user requirements and organizational workflows. This bundling strategy simplifies the administration of roles and enhances security by ensuring that users have precisely the access they need to perform their duties.

Person Role Bundles

Profile Self-Service

Grants users access to view and edit their profiles. The bundle is comprised of the following Management Roles:

Management Role: UI-Person-Profile-Self-Service
Access Granted by Management Role: Grants people access to the user interfaces and workflows for managing their own profile attributes.
Role Type: Feature Set – Inherits the below Access Levels from the parent Management Role Definition:

PAGES AND CONTROLS ACCESS
  • View Self Page
    • Viewer for the Page
    • Viewer for the General Tab
  • Edit Self Person Page
    • Viewer for the Page
    • Viewer for the Photo Edit Control

WORKFLOW ACCESS
  • Profile Manager Workflow
    • Initiator for the workflow
  • Person Edit Workflow
    • Initiator for the workflow
  • Person Photo Approval Workflow
    • Initiator for the workflow

Management Role: VIS-Person-Self
Access Granted by Management Role: Grants people visibility to see their own person. Granted by default to all people.
Role Type: Visibility

Management Role: ACT-Person-Profile-Self-Service
Access Granted by Management Role: Grants people the ability to edit their profile attributes.
Role Type: Activity

Person Identity Admin for Your Locations

Roles needed to view people

To view people in EmpowerID, users need to have one of the following Management Role assignments (based on the needed scope):

Management Role: VIS-Person-Self
Access Granted by Management Role: Grants users access to see their own person. Granted by default to all people.
Role Type: Visibility

Management Role: VIS-Person-MyDirectReports
Access Granted by Management Role: Grants users access to see their direct reports.

Management Role: VIS-Person-MyLocations
Access Granted by Management Role: Grants users access to see all people in their locations.

Management Role: VIS-Person-MyOrg
Access Granted by Management Role: Grants users access to see all people in their organization.

Management Role: VIS-Person-All
Access Granted by Management Role: Grants users access to see all people in the default organization.

Roles needed to manage profiles

To manage the profile information of people, users need to have a combination of the following Management Role assignments (based on the needed scope):

Management Role: UI-Person-Profile-Edit
Access Granted by Management Role: Grants access to the user interfaces and workflows for editing people’s profile attributes.
Role Type: Feature Set – Inherits the below Access Levels from the parent Management Role Definition:

PAGES AND CONTROLS ACCESS
  • Find Person Page
    • Viewer for the page
    • Viewer for the People Tab
  • View One Person Page
    • Viewer for the page
    • Viewer for the Manage Tab
  • Edit Person Page
    • Viewer for the page
  • Edit Person Contextual Page
    • Viewer for the page
  • Global Search Box
    • Viewer for the search box

WORKFLOW ACCESS
  • Person Edit
    • Initiator for the workflow
  • Edit Person Photo Approval
    • Initiator for the workflow

Management Role: VIS-Person-MyDirectReports
Access Granted by Management Role: Grants visibility for all direct reports of the person with the role. Can view basic information about their direct reports.
Role Type: Visibility

Management Role: ACT-Person-Profile-Edit-DirectReports
Access Granted by Management Role: Grants the ability to edit the profile attributes for their Direct Reports.
Role Type: Activity

Management Role: UI-Person-Profile-Edit
Access Granted by Management Role: Grants access to the user interfaces and workflows for editing people’s profile attributes.
Role Type: Feature Set – Inherits the below Access Levels from the parent Management Role Definition:

PAGES AND CONTROLS ACCESS
  • Find Person Page
    • Viewer for the page
    • Viewer for the People Tab
  • View One Person Page
    • Viewer for the page
    • Viewer for the Manage Tab
  • Edit Person Page
    • Viewer for the page
  • Edit Person Contextual Page
    • Viewer for the page
  • Global Search Box
    • Viewer for the search box

WORKFLOW ACCESS
  • Person Edit
    • Initiator for the workflow
  • Edit Person Photo Approval
    • Initiator for the workflow

Management Role: VIS-Person-MyLocations
Access Granted by Management Role: Grants visibility for all people in a person's locations. Can view basic information about people belonging to the same locations.
Role Type: Visibility

Management Role: ACT-Person-Profile-Edit-MyLocations
Access Granted by Management Role: Grants the ability to edit the profile attributes for all people in their locations.
Role Type: Activity

Management Role: UI-Person-Profile-Edit
Access Granted by Management Role: Grants access to the user interfaces and workflows for editing people’s profile attributes.
Role Type: Feature Set – Inherits the below Access Levels from the parent Management Role Definition:

PAGES AND CONTROLS ACCESS
  • Find Person Page
    • Viewer for the page
    • Viewer for the People Tab
  • View One Person Page
    • Viewer for the page
    • Viewer for the Manage Tab
  • Edit Person Page
    • Viewer for the page
  • Edit Person Contextual Page
    • Viewer for the page
  • Global Search Box
    • Viewer for the search box

WORKFLOW ACCESS
  • Person Edit
    • Initiator for the workflow
  • Edit Person Photo Approval
    • Initiator for the workflow

Management Role: VIS-Person-MyOrg
Access Granted by Management Role: Grants visibility for people in a person's organizations. Can view basic information about people belonging to the same organizations.
Role Type: Visibility

Management Role: ACT-Person-Profile-Edit-MyOrg
Access Granted by Management Role: Grants the ability to edit the profile attributes for all people in their organizations.
Role Type: Activity
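
The profile-management tables above pair one UI, one VIS and one ACT role per scope. The following Python audit is an added example, not EmpowerID code: it checks a list of assignments against those pairings and flags incomplete combinations. It assumes the three roles of a table are all required together; the person names and assignment data are constructed.

```python
# Added example; role names are from the tables above, assignment data is constructed.
UI_ROLE = "UI-Person-Profile-Edit"

# scope -> (VIS role, ACT role), as paired in the profile-management tables
PROFILE_EDIT_SCOPES = {
    "DirectReports": ("VIS-Person-MyDirectReports",
                      "ACT-Person-Profile-Edit-DirectReports"),
    "MyLocations": ("VIS-Person-MyLocations",
                    "ACT-Person-Profile-Edit-MyLocations"),
    "MyOrg": ("VIS-Person-MyOrg", "ACT-Person-Profile-Edit-MyOrg"),
}

def audit_profile_edit(assigned):
    """Return (complete_scopes, findings) for one person's Management Roles.

    Assumption: the UI, VIS and ACT roles of a table are all required together.
    """
    assigned = set(assigned)
    complete, findings = [], []
    for scope, (vis, act) in PROFILE_EDIT_SCOPES.items():
        required = {UI_ROLE, vis, act}
        if required <= assigned:
            complete.append(scope)
        elif act in assigned:
            # An ACT grant whose UI or VIS partner is missing needs review.
            missing = ", ".join(sorted(required - assigned))
            findings.append(f"{scope}: {act} assigned without {missing}")
    acts = {act for _, act in PROFILE_EDIT_SCOPES.values()}
    if UI_ROLE in assigned and not acts & assigned:
        findings.append(f"{UI_ROLE} assigned without any profile-edit ACT role")
    return complete, findings

# Constructed sample export: person -> assigned Management Roles
ASSIGNMENTS = {
    "alice": ["VIS-Person-Self", UI_ROLE, "VIS-Person-MyLocations",
              "ACT-Person-Profile-Edit-MyLocations"],
    "bob": ["VIS-Person-Self", UI_ROLE, "VIS-Person-MyDirectReports",
            "ACT-Person-Profile-Edit-MyOrg"],
    "carol": ["VIS-Person-Self", UI_ROLE],
}

if __name__ == "__main__":
    for person, roles in ASSIGNMENTS.items():
        complete, findings = audit_profile_edit(roles)
        print(person, "complete scopes:", complete or "none")
        for finding in findings:
            print("  review:", finding)
```

Findings mark assignments whose visibility and activity scopes do not line up, which is the mismatch worth catching during an access review.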

Roles needed to manage Management Role assignments

To manage the Management Role assignments of people, users need to have a combination of the following Management Role assignments (based on the needed scope):

Roles needed to manage Business Role assignments

To manage the Business Role assignments of people, users need to have a combination of the following Management Role assignments (based on the needed scope):

Roles needed to manage group membership

To manage the group membership of people, users need to have the following Management Role assignment:

Roles Needed to Create Person Objects

To create new Person objects in EmpowerID, users need to have a combination of the following Management Role assignments (based on the needed scope):

Roles Needed to Administer People

To perform administrative actions against people, such as creating and deleting them from EmpowerID, users need to have a combination of the following Management Role assignments (based on the needed scope):