Access Needed to Manage Applications

EmpowerID employs Management Roles to control access to its resources. Users must be assigned appropriate roles to manage and interact with applications within the system. These Management Roles are categorized based on their functional prefixes in EmpowerID, as described below.

UI Roles: These roles, identified by the "UI" prefix, provide users access to specific interface elements within the EmpowerID interfaces. For instance, the role "UI-Res-Admin-MS-Application" enables access to user interfaces and workflows essential for managing applications.
VIS Roles: Roles starting with "VIS" enable users to view specific objects within EmpowerID. A typical role in this category is "VIS-Application-MyOrganization," which allows users to view applications and their subcomponents in their organizations.
ACT Roles: These roles, prefixed with "ACT," authorize users to actively manage specific objects in EmpowerID. For example, "ACT-Azure-Application-Administration-All" grants users access to create, update, and delete Azure applications.

To facilitate easy access assignments, EmpowerID offers "Role Bundle" Management Roles. These bundles are pre-configured with the requisite roles necessary for various operational scenarios, allowing for convenient and rapid deployment of access rights suited to specific user requirements and organizational workflows. This bundling strategy simplifies the administration of roles and enhances security by ensuring that users have precisely the access they need to perform their duties.

Application Role Bundles

Application Admin for All Azure Applications

This role bundle grants users access to manage all Azure applications. The role bundle is comprised of the following Management Roles:

	Management Role	Access Granted by Management Role

	Management Role	Access Granted by Management Role
1	ACT-Application-Create-All	Grants access to create new applications in all locations.
2	ACT-Azure-Application-Administration-All	Grants access to create, update, and delete all Azure applications.
3	ACT-Business-Role-CanUseInAssignments-All	Grants the ability to assign to all Business Roles access to other resources. This role does not permit the management of access assignments for the Business Role because the assigner would still need access to the resource or role they wish to assign to the Business Role.
4	ACT-Global-Right-Azure-Administrator-All	Grants access to create and delete Azure Application Roles, Scopes, and API Permissions.
5	ACT-Group-CanUseInAssignments-All	Grants the ability to assign groups access to other resources. This role does not permit the management of access assignments for the group because the assigner would still need access to the resource or role they wish to assign to the group.
6	ACT-Local-Right-Assignment-Management-Azure-All	Grants access to manage Azure App Role/Right assignments for all App Roles in any tenant.
7	ACT-Local-Right-Create-All	Grants access to create Local Rights in all locations.
8	ACT-Local-Right-Assignment-Management-All	Grants access to can manage Local Right assignments for all Local Rights below Default Organization.
9	ACT-Local-Role-Assignment-Management-Azure-All	Grants access to manage role assignments for all roles in any tenant.
10	ACT-Local-Role-Create-All	Grants access to create Local Roles / Role Definitions in all locations.
11	ACT-Location-Assignment-All	Grants acces to operations for managing the assignments of people to all locations.
12	ACT-Location-CanUseInAssignments-All	Is able to grant a location an access assignment for another resource for all locations.
13	ACT-Management-Role-CanUseInAssignments-All	Grants the ability to assign to Management Roles an access assignment for other resources. This role does not permit the management of access assignments for the Management Role because the assigner would still need access to the resource or role they wish to assign to the Management Role.
14	ACT-Person-CanUseInAssignments-All	Grants the ability to assign any person an access assignment for other resources. This role does not permit the management of access assignments for the person because the assigner would still need access to the resource or role they wish to assign to the person.
15	ACT-SetGroup-CanUseInAssignments-All	Grants the ability to assign to SetGroups an access assignment for other resources. This role does not permit the management of access assignments for the SetGroup because the assigner would still need access to the resource or role they wish to assign to the SetGroup.
16	ACT-Shared-Credential-Create-All	Grants the ability able to create a shared credential anywhere.
17	ACT-Shared-Credential-Object-Administration-Azure-All	Grants the ability to create, edit, and delete all secrets and certificates in Azure.
18	UI-Res-Admin-MS-Application	Provides access to the UI for managing applications.
19	VIS-Accounts-Azure-All	Provides access to see all Azure accounts.
20	VIS-Application-MyOrganization	Grants access to see applications and their subcomponents in person's organizations.
21	VIS-AzGlobalRight-All	Grants access to see all AzGlobalRights.
22	VIS-AzLocalRight-All	Grants access to see all AzLocalRights.
23	VIS-AzLocalRole-All	Grants access to see all AzLocalRoles.
24	VIS-AzureApplication-All	Provides access to see all Azure Applications in any tenant.
25	VIS-BusinessRole-All	Grants access to see all Business Roles.
26	VIS-Groups-All	Grants access to see all groups.
27	VIS-Location-All	Grants access to see all locations.
28	VIS-Management-Role-All	Grants access to see all Management Roles.
29	VIS-Person-MyOrg	Grants access to see all people in my organizations.
30	VIS-SetGroup-All	Grants access to see all SetGroups (Query-Based Collections).
31	VIS-Shared-Credential-All	Grants access to see all vaulted credentials.
32	VIS-Shared-Credential-Azure-All	Grants access to see all secrets and certificates in any Azure tenant.

Application Admin for all Non-Azure Applications

This role bundle grants users access to create, update, and delete all applications that are not Azure applications. The role bundle is comprised of the following Management Roles:

	Management Role	Access Granted by Management Role

	Management Role	Access Granted by Management Role
1	ACT-Application-Create-All	Grants access to create new applications in all locations.
2	ACT-Application-Object-Administration-All	Grants access to create, update, and delete all applications.
3	ACT-Business-Role-CanUseInAssignments-All	Grants the ability to assign to all Business Roles access to other resources. This role does not permit the management of access assignments for the Business Role because the assigner would still need access to the resource or role they wish to assign to the Business Role.
4	ACT-Group-CanUseInAssignments-All	Grants the ability to assign groups access to other resources. This role does not permit the management of access assignments for the group because the assigner would still need access to the resource or role they wish to assign to the group.
5	ACT-Local-Right-Create-All	Grants access to create Local Rights in all locations.
6	ACT-Local-Right-Object-Administration-App-MyResponsible	Provides access to create, update, and delete all Local Rights belonging to an application where the person is responsible party.
7	ACT-Local-Right-Object-Administration-App-Owner	Provides access to create, update, and delete all Local Rights belonging to an application where the person is the RBAC Owner.
8	ACT-Local-Role-Object-Administration-App-MyResponsible	Grants access to create, update, and delete all Local Roles belonging to an application where the person is responsible party.
9	ACT-Local-Role-Object-Administration-App-Owner	Grants access to create, update, and delete all Local Roles belonging to an application where the person is the RBAC Owner.
10	ACT-Location-CanUseInAssignments-All	Is able to grant a location an access assignment for another resource for all locations.
11	ACT-Management-Role-CanUseInAssignments-All	Grants the ability to assign to Management Roles an access assignment for other resources. This role does not permit the management of access assignments for the Management Role because the assigner would still need access to the resource or role they wish to assign to the Management Role.
12	ACT-Management-Role-Object-Administration-App-MyResponsible	Grants the ability to create, update, and delete all Management Roles associated with an application where the person is responsible party.
13	ACT-Management-Role-Object-Administration-App-Owner	Grants the ability to create, update, and delete all Management Roles associated with an application where the person is the RBAC owner.
14	ACT-Person-CanUseInAssignments-All	Grants the ability to assign any person an access assignment for other resources. This role does not permit the management of access assignments for the person because the assigner would still need access to the resource or role they wish to assign to the person.
15	UI-Application-Object-Administration	Grants access to user interface and workflows for creating, editing, and deleting applications.
16	UI-Application-PBAC-Policy-Assigner	Grants access to user interface and workflows for viewing and assigning PBAC roles and rights.
17	UI-Eligibility-Policy-Management	Grants the ability to see user interfaces for eligibility policies and run workflows.
18	UI-Res-Admin-MS-Application	Provides access to the UI for managing applications.
19	UI-Res-Admin-MS-Common	Grants access to common/shared UI used by the Resource Admin microservice.
20	VIS-Application-All	Provides access to see all applications and subcomponents.
21	VIS-AzFieldType-All	Provides access to see all Field Types.
22	VIS-AzGlobalRight-All	Provides access to see all global rights.
23	VIS-AzGlobalRole-All	Provides access to see all global roles.
24	VIS-AzLocalRole-All	Grants access to see all AzLocalRoles.
25	VIS-BusinessRole-All	Grants access to see all Business Roles.
26	VIS-Location-All	Grants access to see all locations.
27	VIS-Management-Role-All	Grants access to see all Management Roles.
28	VIS-Misc-Admin	Provides visibility for miscellaneous admin required views.
29	VIS-OrgRoleOrgZone-ALL	Grants access to see all Business Role and Location combinations.
30	VIS-Person-All	Grants access to see all people.

Application Administrator for All Applications

This role bundle allows users to manage all applications via the Resource Admin microservice. This role bundle is comprised of the following Management Roles:

	Management Role	Access Granted by Management Role

	Management Role	Access Granted by Management Role
1	ACT-Azure-Application-Administration-All	Grants access to create, update, and delete all Azure applications.
2	ACT-Business-Role-CanUseInAssignments-All	Grants the ability to assign to all Business Roles access to other resources. This role does not permit the management of access assignments for the Business Role because the assigner would still need access to the resource or role they wish to assign to the Business Role.
3	ACT-Global-Right-Azure-Administrator-All	Grants access to create and delete Azure Application Roles, Scopes, and API Permissions.
4	ACT-Group-CanUseInAssignments-All	Grants the ability to assign groups access to other resources. This role does not permit the management of access assignments for the group because the assigner would still need access to the resource or role they wish to assign to the group.
5	ACT-Local-Right-Assignment-Management-All	Grants access to manage Local Right assignments for all Local Rights below Default Organization.
6	ACT-Local-Role-Assignment-Management-All	Provides access to manage Local Role assignments for all Local Roles below Default Organization.
7	ACT-Local-Role-Assignment-Management-Azure-All	Provides access to manage role assignments for all roles in any tenant.
8	ACT-Local-Role-Create-All	Grants access to create Local Roles / Role Definitions in all locations.
9	ACT-Location-Assignment-All	Grants access to operations for managing assignments of people to all locations.
10	ACT-Location-CanUseInAssignments-All	Is able to grant a location an access assignment for another resource for all locations.
11	ACT-Management-Role-CanUseInAssignments-All	Grants the ability to assign to Management Roles an access assignment for other resources. This role does not permit the management of access assignments for the Management Role because the assigner would still need access to the resource or role they wish to assign to the Management Role.
12	ACT-Person-CanUseInAssignments-All	Grants the ability to assign any person an access assignment for other resources. This role does not permit the management of access assignments for the person because the assigner would still need access to the resource or role they wish to assign to the person.
13	ACT-SetGroup-CanUseInAssignments-All	Grants the ability to assign to SetGroups an access assignment for other resources. This role does not permit the management of access assignments for the SetGroup because the assigner would still need access to the resource or role they wish to assign to the SetGroup.
14	ACT-Shared-Credential-Create-All	Grants access to create a shared credential anywhere.
15	ACT-Shared-Credential-Object-Administration-Azure-All	Grants access to create, edit, and delete all secrets and certificates in Azure.
16	UI-Res-Admin-MS-Application	Provides access to the UI for managing applications.
17	VIS-Accounts-Azure-All	Grants access to see all Azure accounts.
18	VIS-Application-MyOrganization	Grants access to see applications and their subcomponents in person's organizations.
19	VIS-AzGlobalRight-All	Provides access to see all global rights.
20	VIS-AzLocalRight-All	Grants access to see all local rights.
21	VIS-AzLocalRole-All	Grants access to see all local roles.
22	VIS-AzureApplication-All	Grants access to see all Azure Applications in any tenant.
23	VIS-BusinessRole-All	Grants access to see all Business Roles.
24	VIS-Groups-All	Provides access to see all groups.
25	VIS-Location-All	Grants access to see all locations.
26	VIS-Management-Role-All	Grants access to see all Management Roles.
27	VIS-Person-MyOrg	Grants access to see all people in the person’s organization.
28	VIS-SetGroup-All	Provides access to see all Query-Based Collections (SetGroups).
29	VIS-Shared-Credential-All	Provides access to see all vaulted credentials.
30	VIS-Shared-Credential-Azure-All	Provides access to view all secrets and certificates in any Azure tenant.

Application RBAC Owner

This role bundle allows users to create new applications and manage all applications where they are the RBAC owner. The role bundle is comprised of the following Management Roles:

	Management Role	Access Granted by Management Role

	Management Role	Access Granted by Management Role
1	ACT-Account-CanUseInAssignments-All	Grants the ability to assign to all accounts access to other resources. This role does not permit the management of access assignments for the account because the assigner would still need access to the resource or role they wish to assign to the account.
2	ACT-Application-Create-All	Grants access to create new applications in all locations.
3	ACT-Application-Object-Administration-Owner	Grants access to manage all applications where the person is an RBAC owner.
4	ACT-Azure-Application-Object-Administration-Owner	Grants access to manage all Azure applications where the person is an RBAC owner.
5	ACT-Azure-Application-Create-All	Grants the ability to create Azure Applications in all locations.
6	ACT-Business-Role-CanUseInAssignments-All	Grants the ability to assign to all Business Roles access to other resources. This role does not permit the management of access assignments for the Business Role because the assigner would still need access to the resource or role they wish to assign to the Business Role.
7	ACT-FieldType-Create	Grants the ability to create Field Types.
8	ACT-FieldType-Object-Administration-All	Grants object administration (Create, Update, Delete) for all Field Types.
9	ACT-Group-CanUseInAssignments-All	Grants the ability to assign groups access to other resources. This role does not permit the management of access assignments for the group because the assigner would still need access to the resource or role they wish to assign to the group.
10	ACT-Local-Right-Assignment-Management-App-Owner	Grants access to manage right assignments for rights where the person is the RBAC Owner for the application that owns the rights.
11	ACT-Local-Right-Create-All	Grants access to create Local Rights in all locations.
12	ACT-Local-Right-Object-Administration-App-Owner	Provides access to create, update, and delete all Local Rights belonging to an application where the person is the RBAC Owner.
13	ACT-Local-Role-Create-All	Grants access to create Local Roles / Role Definitions in all locations.
14	ACT-Local-Role-Object-Administration-App-Owner	Grants access to create, update, and delete all Local Roles belonging to an application where the person is the RBAC Owner.
15	ACT-Location-Assignment-All	Grants access to operations needed for managing assignments of people to locations.
16	ACT-Location-CanUseInAssignments-All	Is able to grant a location an access assignment for another resource for all locations.
17	ACT-Management-Role-CanUseInAssignments-All	Grants the ability to assign to Management Roles an access assignment for other resources. This role does not permit the management of access assignments for the Management Role because the assigner would still need access to the resource or role they wish to assign to the Management Role.
18	ACT-Management-Role-Create-All	Grants access to create Management Roles in all locations.
19	ACT-Management-Role-Membership-Management-App-Owner	Grants access to manage the membership of Management Roles associated with an application where person is an owner.
20	ACT-Management-Role-Object-Administration-App-Owner	Grants the ability to create, update, and delete all Management Roles associated with an application where the person is the RBAC owner.
21	ACT-Person-CanUseInAssignments-All	Grants the ability to assign any person an access assignment for other resources. This role does not permit the management of access assignments for the person because the assigner would still need access to the resource or role they wish to assign to the person.
22	ACT-SetGroup-CanUseInAssignments-All	Grants the ability to assign to SetGroups an access assignment for other resources. This role does not permit the management of access assignments for the SetGroup because the assigner would still need access to the resource or role they wish to assign to the SetGroup.
23	ACT-Shared-Credential-Object-Administration-App-Owner	Grants the ability to create, edit, and delete shared credentials associated with application where the person is owner.
24	UI-Application-Object-Administration	Grants access to user interface and workflows for creating, editing, and deleting applications.
25	UI-Application-PBAC-Object-Administration	Grants access to user interface and workflows for creating, editing, and deleting PBAC policy objects for applications (e.g., Rights, Field Types, Roles, etc.).
26	UI-Application-PBAC-Policy-Assigner	Grants access to user interfaces and workflows for viewing and assigning PBAC roles and rights.
27	UI-Eligibility-Policy-Management	Grants the ability to see user interfaces for eligibility policies and run workflows.
28	UI-Res-Admin-MS-Application	Provides access to the UI for managing applications.
29	VIS-Accounts-All	Grants access to see all accounts.
30	VIS-Application-WhereOwner	Grants access to see EmpowerID and Azure applications and their subcomponents where the person is the application owner in EmpowerID or Azure.
31	VIS-AzFieldType-All	Provides access to see all Field Types.
32	VIS-AzGlobalRight-All	Provides access to see all global rights.
33	VIS-AzGlobalRole-All	Provides access to see all global roles.
34	VIS-AzLocalRight-App-Owner	Grants access to see all local rights where the person is the RBAC Owner for the application with the local rights.
35	VIS-AZLocalRole-App-Owner	Grants access to see all local loles / role definitions where the person is the RBAC Owner for the application with the local roles and role definitions.
36	VIS-AzureApplications-MyResponsible	Grants the ability to see Azure applications for which the person is the responsibility party.
37	VIS-AzureApplications-Owner	This role allows the user to view all Azure applications for which they are the RBAC Owner.
38	VIS-BusinessRole-All	Grants access to see all Business Roles.
39	VIS-Groups-All	Grants access to see all groups.
40	VIS-Location-All	Grants access to see all locations.
41	VIS-Management-Role-All	Grants access to see all Management Roles.
42	VIS-Management-Role-App-Owner	Grants access to see all Management Roles where the person is an RBAC owner for the application with the Management Roles.
43	VIS-Misc-Admin	Provides visibility for miscellaneous admin required views.
44	VIS-OrgRoleOrgZone-ALL	Grants access to see all Business Role and Location combinations.
45	VIS-Person-All	Grants access to see all people.
46	VIS-Shared-Credential-App-Owner	Grants access to view all Shared Credentials belonging to an application where the person is RBAC Owner.

Azure Claims Mapping Policy Administrator for All Policies and Applications

This role bundle allows users to manage all Azure Claims Mapping Policies for all Azure applications. The role bundle is comprised of the following Management Roles:

	Management Role	Access Granted by Management Role

	Management Role	Access Granted by Management Role
1	ACT-Azure-Application-Administration-All	Grants access to create, update, and delete all Azure applications.
2	ACT-Azure-Claims-Mapping-Policy-Administration-All	Grants the ability to create, update, and delete all Azure Claims Mapping Policies.
3	ACT-Location-Assignment-All	Grants access to operations needed for managing assignments of people to locations.
4	UI-Res-Admin-MS-Application-Base	This is a least privilege role providing access to the Resource Admin UI for managing applications.
5	UI-Res-Admin-MS-Application-Claims-Mapping-Policy	Provides access to UI for managing Azure Claims Mapping Policies.
6	VIS-Application-All	Grants access to see all applications and subcomponents.
7	VIS-AzureApplication-All	Grants access to see all Azure Applications in any tenant.
8	VIS-Location-All	Grants access to see all Locations.

Mobile Application and Chatbot User

This role bundle allows users to access the mobile application and chatbot. The role bundle is comprised of the following Management Roles:

	Management Role	Access Granted by Management Role

	Management Role	Access Granted by Management Role
1	UI-Mobile-App-Chat-Full-Access	Grants full access to UI, workflows, and APIs for mobile app and chatbot.
2	VIS-Mobile-App-API	Provides access to Mobile App and Chatbot API endpoints and methods.

EmpowerID Admin Guide v7.211.0.0