Default Access Level Definitions

EmpowerID ships with the following default Access Level Definitions for each Resource Type. Each Access Level Definition is defined by EmpowerID Operations and/or native system rights. Many of the operations, such as the RBAC operations generated for the Administrator and EmpowerID Administrator Access Level Definitions, are similar for each Resource Type.

RBAC operations allow the person assigned the operation to grant or remove a particular Access Level for the Resource Type to or from another EmpowerID Actor (Account, Group, Set Group, Person, and Business Role and Location) as long as the person with the operation has that operation allowed for the EmpowerID Actor in question as well. This is because the operation is a dual operation; it is being performed against two different types of resources.

For example, if "Vivian" is an Administrator for a Computer object, she has the AddPersonToUse operation allowed for that Computer object, meaning she can assign the Use Access Level for that computer to another EmpowerID Person. However, in order for Vivian to complete the assignment, she must also have the AddPersonToUse operation allowed for the EmpowerID Person receiving the assignment. If she only has the operation allowed for the computer, but not for the person, the assignment is routed for approval to someone with the operation allowed for both Resource Types. This is true for all such RBAC operation assignments.

In the RBAC operations listed below, <%Actor%> is a placeholder for each of the EmpowerID Actor types (Account, Group, Set Group, Person, and Business Role and Location) and <%ResourceRole%> is a placeholder for each Access Level specific to a Access Level Definition. When viewing these types of operations, substitute <%Actor%> with an EmpowerID Actor type and <%ResourceRole%> with the Access Level for the Resource Type.

For example, the Add<%Actor%>To<%ResourceRole%> operation can be parsed out as AddAccountToUse, AddGroupToUse, AddSetGroupToUse, AddPersonToUse, and AddOrgRoleOrgZoneToUse. The only exception to this rule concerns the Set Group, which is generally allowed only for the EmpowerID Administrator Access Level Definitions in the default setup.

Additionally, to avoid repetition, Access Level Definitions common to all Resource Types, such as the Use and Access Level Assigner Access Level Definitions, are listed under the Common Access Level Definitions heading below and are not repeated for each Resource Type. Where these differ, the definitions are listed under that Resource Type.

To view the Access Level Definitions with their respective Access Levels and operations, go to the Access Level Definitions node under RBAC Definitions in Configuration Manager.

 

Common Access Level Definitions

These Access Level Definitions have many operations in common for each Resource Type. The main difference between the two is that the EmpowerID Administrator has all operations allowed for the Resource Type while the Administrator has most, but not all.

The number of Default Access Levels for each Resource Type varies from type to type. For example, the EmpowerID Access Request Catalog Item has four Access Levels while the SharePoint Document has 12.

Operation

Enables any assigned actor to

Operation

Enables any assigned actor to

Add<%Actor%>To<%ResourceRole%>

add the specific Access Level for the Resource Type resource object to the EmpowerID Actor type in question.

AddOperationToResourceTypeRole<%ResourceType%>

add operations to Access Levels for the Resource Type resource object.

AddTo<%ResourceRole%>

grant the specific Access Level for the Resource Type resource object to any EmpowerID Actor type.

AddTo<%ResourceRole%>InLocation

grant the specific Access Level to any EmpowerID Actor for Resource Type resource objects scoped by location.

AddTo<%ResourceRole%>InRelativeResource

grant the specific Access Level to any EmpowerID Actor for resources relative to that actor, such as all resource objects in or below their location.

AssignResourceOrgZone

assign Resource Type resource objects to a location.

CreateResourceTypeRole<%ResourceType%>

create a Resource Type Role for the Resource Type.

Delete

delete a resource from a Resource Type, such as a specific Business Role from the EmpowerID Business Role Resource Type.

DeleteResourceTypeRole<%ResourceType%>

delete a Resource Type Role for the Resource Type.

EditResourceTypeRole<%ResourceType%>

edit a Resource Type Role for the Resource Type.

Use

view the Resource Type resource object in EmpowerID.

ManageAnyResourceRole

assign or unassign any EmpowerID Access Levels

This operation is needed to grant or revoke direct assignments of Access Levels

 

ManageAnyResourceRoleAssignmentByLocation

assign Access Levels by location for the Resource Type resource object.

 

RevokeResourceOrgZone

remove Resource Type resource objects from a location.

Remove<%Actor%>From<%ResourceRole%>

remove the specific Access Level for the Resource Type resource object from the EmpowerID Actor type in question.

Remove<%Actor%>From<%ResourceRole%>

remove the specific Access Level for the Resource Type resource object from any EmpowerID Actor type.

RemoveFrom<%ResourceRole%>InLocation

remove the specific Access Level from any EmpowerID Actor type for Resource Type resource objects scoped by location.

RemoveFrom<%ResourceRole%>InRelativeResource

remove the specific Access Level from any EmpowerID Actor type for Resource Type resource objects relative to that actor, such as all resource objects in or below their location

 

Asset Catalog Item

In addition to the operations common to all Administrator and EmpowerID Administrator Access Level Definitions mentioned above, the Administrator and EmpowerID Administrator Access Level Definitions both have the following operations allowed for the EmpowerID Asset Request Item Resource Type.

Operation

Enables any assigned actor to 

Operation

Enables any assigned actor to 

Request

request an Asset Catalog Item.

UnassignFromAdministrator

remove the Administrator Access Level for an Asset Catalog Item from any EmpowerID Actor type.

 

This Access Level Definition allows the actor assigned the Access Level to request Asset Catalog Items in EmpowerID and has the following operations set to allowed.

Operation

Enables any assigned actor to 

Operation

Enables any assigned actor to 

Use

view an Access Request Catalog Item in EmpowerID.

Request

request an Access Request Catalog Item.

 

Attestation Policy

In addition to the operations common to all EmpowerID Administrator Access Level Definitions mentioned above, the EmpowerID Administrator Access Level Definition has the following operations allowed for the EmpowerID Attestation Policy Resource Type.

Operation

Enables any assigned actor to 

Operation

Enables any assigned actor to 

Provision

provision an Attestation Policy object.

Delete

delete an Attestation Policy object.

Edit

edit an Attestation Policy object.

Review

review an Attestation Policy.

This Access Level Definition gives the actor assigned the Access Level the ability to review attestation tasks and perform access certification and has the following operations set to allowed.

Operation

Enables any assigned actor to 

Operation

Enables any assigned actor to 

Use

view an Attestation Policy object in EmpowerID.

Review

review an Attestation Policy.

 

Business Role

Computer

EmpowerID System

Exchange Mailbox

Group (Distribution, Security, Generic) Access Level Definitions

Location

Management Role and EmpowerID Management Role Definition

Person

SAML SSO Connection

Separation of Duties

Set Group

SSO Application

SSO Application Definition

SharePoint (Document, Folder, and List)

The Access Level Definitions for SharePoint Document, Folder and List contain no EmpowerID Operations. They are used to grant native permissions for SharePoint objects managed by EmpowerID. Definitions include:

  • Approve

  • Contribute

  • Design

  • Full Control

  • Limited Access

  • Manage Hierarchy

  • Read Only

  • Restricted Read

User Account

Windows Shared Folder

Windows Shared Printer

Workflow

WS-Federation SSO Connection