Access Needed to Manage Applications

EmpowerID employs Management Roles to control access to its resources. Users must be assigned appropriate roles to manage and interact with applications within the system. These Management Roles are categorized based on their functional prefixes in EmpowerID, as described below.

  • UI Roles: These roles, identified by the "UI" prefix, give users access to specific elements of the EmpowerID user interface. For instance, the role "UI-Res-Admin-MS-Application" enables access to the user interfaces and workflows essential for managing applications.

  • VIS Roles: Roles starting with "VIS" enable users to view specific objects within EmpowerID. A typical role in this category is "VIS-Application-MyOrganization," which allows users to view applications and their subcomponents in their organizations.

  • ACT Roles: These roles, prefixed with "ACT," authorize users to actively manage specific objects in EmpowerID. For example, "ACT-Azure-Application-Administration-All" grants users access to create, update, and delete Azure applications.

To facilitate easy access assignments, EmpowerID offers "Role Bundle" Management Roles. These bundles are pre-configured with the requisite roles necessary for various operational scenarios, allowing for convenient and rapid deployment of access rights suited to specific user requirements and organizational workflows. This bundling strategy simplifies the administration of roles and enhances security by ensuring that users have precisely the access they need to perform their duties.
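The prefix convention above (UI, VIS, ACT) makes a role bundle reviewable by name alone. The following is an added example, not EmpowerID code, that parses Management Role names by prefix and summarizes what a bundle grants so that an access reviewer can see at a glance how much of it is "manage everything" (ACT roles ending in -All) versus owner-scoped access. The prefix meanings come from this page; the scope suffixes it recognises (-All, -Owner, -MyResponsible, -MyOrganization/-MyOrg) are an assumption inferred from the role names listed on this page, not a documented EmpowerID grammar. The sample bundles are the page's "Azure Claims Mapping Policy Administrator" list and a constructed subset of the "Application RBAC Owner" list.

```python
"""Classify EmpowerID Management Role names by prefix and summarize a bundle.

Added example for this page; it is not EmpowerID code.  Prefix meanings
(UI / VIS / ACT) come from the page.  The scope-suffix heuristics below are
an ASSUMPTION inferred from the role names on the page, not an official grammar.
"""
import re
from collections import Counter

# Functional prefixes as described on this page.
PREFIX_MEANING = {
    "UI": "user interface and workflow access",
    "VIS": "visibility: may view objects",
    "ACT": "action: may manage objects",
}

# Scope classification (assumption, see module docstring).  Order matters:
# the first matching pattern wins.
SCOPE_PATTERNS = [
    ("all", re.compile(r"-All$", re.IGNORECASE)),
    ("owner", re.compile(r"Owner$")),
    ("responsible", re.compile(r"MyResponsible$")),
    ("my-organization", re.compile(r"-MyOrg(anization)?$")),
]


def parse_role(name):
    """Split a Management Role name into prefix, scope and assignment flag."""
    prefix, sep, body = name.partition("-")
    if not sep or prefix not in PREFIX_MEANING:
        raise ValueError(f"unrecognised Management Role prefix in {name!r}")
    scope = "unscoped"
    for label, pattern in SCOPE_PATTERNS:
        if pattern.search(name):
            scope = label
            break
    return {
        "name": name,
        "prefix": prefix,
        "meaning": PREFIX_MEANING[prefix],
        "scope": scope,
        # Per the page, CanUseInAssignments roles let an object be the *target*
        # of an assignment; they do not manage that object's own assignments.
        "can_use_in_assignments": "CanUseInAssignments" in body,
    }


def summarize_bundle(bundle_name, role_names):
    """Access-review summary: counts per prefix, broad ACT roles that manage
    'All' of an object type, and roles scoped to an owner/responsible party."""
    parsed = [parse_role(n) for n in role_names]
    broad_act = sorted(
        r["name"] for r in parsed
        if r["prefix"] == "ACT" and r["scope"] == "all"
        and not r["can_use_in_assignments"]
    )
    owner_scoped = sorted(
        r["name"] for r in parsed if r["scope"] in ("owner", "responsible")
    )
    return {
        "bundle": bundle_name,
        "by_prefix": dict(Counter(r["prefix"] for r in parsed)),
        "broad_act_roles": broad_act,
        "owner_scoped_roles": owner_scoped,
    }


# Role names copied from the "Azure Claims Mapping Policy Administrator" table.
CLAIMS_MAPPING_ADMIN = [
    "ACT-Azure-Application-Administration-All",
    "ACT-Azure-Claims-Mapping-Policy-Administration-All",
    "ACT-Location-Assignment-All",
    "UI-Res-Admin-MS-Application-Base",
    "UI-Res-Admin-MS-Application-Claims-Mapping-Policy",
    "VIS-Application-All",
    "VIS-AzureApplication-All",
    "VIS-Location-All",
]

# Constructed subset of the "Application RBAC Owner" table on this page.
RBAC_OWNER_SUBSET = [
    "ACT-Application-Create-All",
    "ACT-Application-Object-Administration-Owner",
    "ACT-Azure-Application-Object-Administration-Owner",
    "ACT-Business-Role-CanUseInAssignments-All",
    "ACT-Local-Right-Object-Administration-App-Owner",
    "ACT-Management-Role-Membership-Management-App-Owner",
    "UI-Application-Object-Administration",
    "VIS-Application-WhereOwner",
    "VIS-AzureApplications-MyResponsible",
    "VIS-Person-All",
]

if __name__ == "__main__":
    for title, roles in (("Azure Claims Mapping Policy Administrator", CLAIMS_MAPPING_ADMIN),
                         ("Application RBAC Owner (subset)", RBAC_OWNER_SUBSET)):
        s = summarize_bundle(title, roles)
        print(s["bundle"], s["by_prefix"])
        print("  broad ACT-...-All roles:", s["broad_act_roles"])
        print("  owner/responsible-scoped roles:", s["owner_scoped_roles"])
```

Run against the two sample bundles, the summary shows the claims-mapping bundle is entirely tenant-wide (three ACT-...-All roles, nothing owner-scoped), while the RBAC Owner subset carries only one broad ACT role (application creation) and otherwise limits management to applications the person owns. The CanUseInAssignments roles are deliberately excluded from the "broad" list because, as the page states, they do not manage the named object's own assignments.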


Application Role Bundles

Application Admin for All Azure Applications

This role bundle grants users access to manage all Azure applications. The role bundle is comprised of the following Management Roles:

1. ACT-Application-Create-All: Grants access to create new applications in all locations.
2. ACT-Azure-Application-Administration-All: Grants access to create, update, and delete all Azure applications.
3. ACT-Business-Role-CanUseInAssignments-All: Grants the ability to assign all Business Roles access to other resources. This role does not permit the management of access assignments for the Business Role, because the assigner would still need access to the resource or role they wish to assign to the Business Role.
4. ACT-Global-Right-Azure-Administrator-All: Grants access to create and delete Azure Application Roles, Scopes, and API Permissions.
5. ACT-Group-CanUseInAssignments-All: Grants the ability to assign groups access to other resources. This role does not permit the management of access assignments for the group, because the assigner would still need access to the resource or role they wish to assign to the group.
6. ACT-Local-Right-Assignment-Management-Azure-All: Grants access to manage Azure App Role/Right assignments for all App Roles in any tenant.
7. ACT-Local-Right-Create-All: Grants access to create Local Rights in all locations.
8. ACT-Local-Right-Assignment-Management-All: Grants access to manage Local Right assignments for all Local Rights below Default Organization.
9. ACT-Local-Role-Assignment-Management-Azure-All: Grants access to manage role assignments for all roles in any tenant.
10. ACT-Local-Role-Create-All: Grants access to create Local Roles / Role Definitions in all locations.
11. ACT-Location-Assignment-All: Grants access to operations for managing the assignments of people to all locations.
12. ACT-Location-CanUseInAssignments-All: Grants the ability to give a location an access assignment for another resource, for all locations.
13. ACT-Management-Role-CanUseInAssignments-All: Grants the ability to give Management Roles an access assignment for other resources. This role does not permit the management of access assignments for the Management Role, because the assigner would still need access to the resource or role they wish to assign to the Management Role.
14. ACT-Person-CanUseInAssignments-All: Grants the ability to give any person an access assignment for other resources. This role does not permit the management of access assignments for the person, because the assigner would still need access to the resource or role they wish to assign to the person.
15. ACT-SetGroup-CanUseInAssignments-All: Grants the ability to give SetGroups an access assignment for other resources. This role does not permit the management of access assignments for the SetGroup, because the assigner would still need access to the resource or role they wish to assign to the SetGroup.
16. ACT-Shared-Credential-Create-All: Grants the ability to create a shared credential anywhere.
17. ACT-Shared-Credential-Object-Administration-Azure-All: Grants the ability to create, edit, and delete all secrets and certificates in Azure.
18. UI-Res-Admin-MS-Application: Provides access to the UI for managing applications.
19. VIS-Accounts-Azure-All: Provides access to see all Azure accounts.
20. VIS-Application-MyOrganization: Grants access to see applications and their subcomponents in the person's organizations.
21. VIS-AzGlobalRight-All: Grants access to see all AzGlobalRights.
22. VIS-AzLocalRight-All: Grants access to see all AzLocalRights.
23. VIS-AzLocalRole-All: Grants access to see all AzLocalRoles.
24. VIS-AzureApplication-All: Provides access to see all Azure Applications in any tenant.
25. VIS-BusinessRole-All: Grants access to see all Business Roles.
26. VIS-Groups-All: Grants access to see all groups.
27. VIS-Location-All: Grants access to see all locations.
28. VIS-Management-Role-All: Grants access to see all Management Roles.
29. VIS-Person-MyOrg: Grants access to see all people in the person's organizations.
30. VIS-SetGroup-All: Grants access to see all SetGroups (Query-Based Collections).
31. VIS-Shared-Credential-All: Grants access to see all vaulted credentials.
32. VIS-Shared-Credential-Azure-All: Grants access to see all secrets and certificates in any Azure tenant.


Application Admin for all Non-Azure Applications

This role bundle grants users access to create, update, and delete all applications that are not Azure applications. The role bundle is comprised of the following Management Roles:

1. ACT-Application-Create-All: Grants access to create new applications in all locations.
2. ACT-Application-Object-Administration-All: Grants access to create, update, and delete all applications.
3. ACT-Business-Role-CanUseInAssignments-All: Grants the ability to assign all Business Roles access to other resources. This role does not permit the management of access assignments for the Business Role, because the assigner would still need access to the resource or role they wish to assign to the Business Role.
4. ACT-Group-CanUseInAssignments-All: Grants the ability to assign groups access to other resources. This role does not permit the management of access assignments for the group, because the assigner would still need access to the resource or role they wish to assign to the group.
5. ACT-Local-Right-Create-All: Grants access to create Local Rights in all locations.
6. ACT-Local-Right-Object-Administration-App-MyResponsible: Provides access to create, update, and delete all Local Rights belonging to an application where the person is the responsible party.
7. ACT-Local-Right-Object-Administration-App-Owner: Provides access to create, update, and delete all Local Rights belonging to an application where the person is the RBAC Owner.
8. ACT-Local-Role-Object-Administration-App-MyResponsible: Grants access to create, update, and delete all Local Roles belonging to an application where the person is the responsible party.
9. ACT-Local-Role-Object-Administration-App-Owner: Grants access to create, update, and delete all Local Roles belonging to an application where the person is the RBAC Owner.
10. ACT-Location-CanUseInAssignments-All: Grants the ability to give a location an access assignment for another resource, for all locations.
11. ACT-Management-Role-CanUseInAssignments-All: Grants the ability to give Management Roles an access assignment for other resources. This role does not permit the management of access assignments for the Management Role, because the assigner would still need access to the resource or role they wish to assign to the Management Role.
12. ACT-Management-Role-Object-Administration-App-MyResponsible: Grants the ability to create, update, and delete all Management Roles associated with an application where the person is the responsible party.
13. ACT-Management-Role-Object-Administration-App-Owner: Grants the ability to create, update, and delete all Management Roles associated with an application where the person is the RBAC owner.
14. ACT-Person-CanUseInAssignments-All: Grants the ability to give any person an access assignment for other resources. This role does not permit the management of access assignments for the person, because the assigner would still need access to the resource or role they wish to assign to the person.
15. UI-Application-Object-Administration: Grants access to the user interface and workflows for creating, editing, and deleting applications.
16. UI-Application-PBAC-Policy-Assigner: Grants access to the user interface and workflows for viewing and assigning PBAC roles and rights.
17. UI-Eligibility-Policy-Management: Grants the ability to see the user interfaces for eligibility policies and run their workflows.
18. UI-Res-Admin-MS-Application: Provides access to the UI for managing applications.
19. UI-Res-Admin-MS-Common: Grants access to the common/shared UI used by the Resource Admin microservice.
20. VIS-Application-All: Provides access to see all applications and subcomponents.
21. VIS-AzFieldType-All: Provides access to see all Field Types.
22. VIS-AzGlobalRight-All: Provides access to see all global rights.
23. VIS-AzGlobalRole-All: Provides access to see all global roles.
24. VIS-AzLocalRole-All: Grants access to see all AzLocalRoles.
25. VIS-BusinessRole-All: Grants access to see all Business Roles.
26. VIS-Location-All: Grants access to see all locations.
27. VIS-Management-Role-All: Grants access to see all Management Roles.
28. VIS-Misc-Admin: Provides visibility for miscellaneous admin-required views.
29. VIS-OrgRoleOrgZone-ALL: Grants access to see all Business Role and Location combinations.
30. VIS-Person-All: Grants access to see all people.


Application Administrator for All Applications

This role bundle allows users to manage all applications via the Resource Admin microservice. This role bundle is comprised of the following Management Roles:

1. ACT-Azure-Application-Administration-All: Grants access to create, update, and delete all Azure applications.
2. ACT-Business-Role-CanUseInAssignments-All: Grants the ability to assign all Business Roles access to other resources. This role does not permit the management of access assignments for the Business Role, because the assigner would still need access to the resource or role they wish to assign to the Business Role.
3. ACT-Global-Right-Azure-Administrator-All: Grants access to create and delete Azure Application Roles, Scopes, and API Permissions.
4. ACT-Group-CanUseInAssignments-All: Grants the ability to assign groups access to other resources. This role does not permit the management of access assignments for the group, because the assigner would still need access to the resource or role they wish to assign to the group.
5. ACT-Local-Right-Assignment-Management-All: Grants access to manage Local Right assignments for all Local Rights below Default Organization.
6. ACT-Local-Role-Assignment-Management-All: Provides access to manage Local Role assignments for all Local Roles below Default Organization.
7. ACT-Local-Role-Assignment-Management-Azure-All: Provides access to manage role assignments for all roles in any tenant.
8. ACT-Local-Role-Create-All: Grants access to create Local Roles / Role Definitions in all locations.
9. ACT-Location-Assignment-All: Grants access to operations for managing assignments of people to all locations.
10. ACT-Location-CanUseInAssignments-All: Grants the ability to give a location an access assignment for another resource, for all locations.
11. ACT-Management-Role-CanUseInAssignments-All: Grants the ability to give Management Roles an access assignment for other resources. This role does not permit the management of access assignments for the Management Role, because the assigner would still need access to the resource or role they wish to assign to the Management Role.
12. ACT-Person-CanUseInAssignments-All: Grants the ability to give any person an access assignment for other resources. This role does not permit the management of access assignments for the person, because the assigner would still need access to the resource or role they wish to assign to the person.
13. ACT-SetGroup-CanUseInAssignments-All: Grants the ability to give SetGroups an access assignment for other resources. This role does not permit the management of access assignments for the SetGroup, because the assigner would still need access to the resource or role they wish to assign to the SetGroup.
14. ACT-Shared-Credential-Create-All: Grants access to create a shared credential anywhere.
15. ACT-Shared-Credential-Object-Administration-Azure-All: Grants access to create, edit, and delete all secrets and certificates in Azure.
16. UI-Res-Admin-MS-Application: Provides access to the UI for managing applications.
17. VIS-Accounts-Azure-All: Grants access to see all Azure accounts.
18. VIS-Application-MyOrganization: Grants access to see applications and their subcomponents in the person's organizations.
19. VIS-AzGlobalRight-All: Provides access to see all global rights.
20. VIS-AzLocalRight-All: Grants access to see all local rights.
21. VIS-AzLocalRole-All: Grants access to see all local roles.
22. VIS-AzureApplication-All: Grants access to see all Azure Applications in any tenant.
23. VIS-BusinessRole-All: Grants access to see all Business Roles.
24. VIS-Groups-All: Provides access to see all groups.
25. VIS-Location-All: Grants access to see all locations.
26. VIS-Management-Role-All: Grants access to see all Management Roles.
27. VIS-Person-MyOrg: Grants access to see all people in the person's organization.
28. VIS-SetGroup-All: Provides access to see all Query-Based Collections (SetGroups).
29. VIS-Shared-Credential-All: Provides access to see all vaulted credentials.
30. VIS-Shared-Credential-Azure-All: Provides access to view all secrets and certificates in any Azure tenant.

Application RBAC Owner

This role bundle allows users to create new applications and manage all applications where they are the RBAC owner. The role bundle is comprised of the following Management Roles:

1. ACT-Account-CanUseInAssignments-All: Grants the ability to assign all accounts access to other resources. This role does not permit the management of access assignments for the account, because the assigner would still need access to the resource or role they wish to assign to the account.
2. ACT-Application-Create-All: Grants access to create new applications in all locations.
3. ACT-Application-Object-Administration-Owner: Grants access to manage all applications where the person is an RBAC owner.
4. ACT-Azure-Application-Object-Administration-Owner: Grants access to manage all Azure applications where the person is an RBAC owner.
5. ACT-Azure-Application-Create-All: Grants the ability to create Azure Applications in all locations.
6. ACT-Business-Role-CanUseInAssignments-All: Grants the ability to assign all Business Roles access to other resources. This role does not permit the management of access assignments for the Business Role, because the assigner would still need access to the resource or role they wish to assign to the Business Role.
7. ACT-FieldType-Create: Grants the ability to create Field Types.
8. ACT-FieldType-Object-Administration-All: Grants object administration (Create, Update, Delete) for all Field Types.
9. ACT-Group-CanUseInAssignments-All: Grants the ability to assign groups access to other resources. This role does not permit the management of access assignments for the group, because the assigner would still need access to the resource or role they wish to assign to the group.
10. ACT-Local-Right-Assignment-Management-App-Owner: Grants access to manage right assignments for rights where the person is the RBAC Owner of the application that owns the rights.
11. ACT-Local-Right-Create-All: Grants access to create Local Rights in all locations.
12. ACT-Local-Right-Object-Administration-App-Owner: Provides access to create, update, and delete all Local Rights belonging to an application where the person is the RBAC Owner.
13. ACT-Local-Role-Create-All: Grants access to create Local Roles / Role Definitions in all locations.
14. ACT-Local-Role-Object-Administration-App-Owner: Grants access to create, update, and delete all Local Roles belonging to an application where the person is the RBAC Owner.
15. ACT-Location-Assignment-All: Grants access to operations needed for managing assignments of people to locations.
16. ACT-Location-CanUseInAssignments-All: Grants the ability to give a location an access assignment for another resource, for all locations.
17. ACT-Management-Role-CanUseInAssignments-All: Grants the ability to give Management Roles an access assignment for other resources. This role does not permit the management of access assignments for the Management Role, because the assigner would still need access to the resource or role they wish to assign to the Management Role.
18. ACT-Management-Role-Create-All: Grants access to create Management Roles in all locations.
19. ACT-Management-Role-Membership-Management-App-Owner: Grants access to manage the membership of Management Roles associated with an application where the person is an owner.
20. ACT-Management-Role-Object-Administration-App-Owner: Grants the ability to create, update, and delete all Management Roles associated with an application where the person is the RBAC owner.
21. ACT-Person-CanUseInAssignments-All: Grants the ability to give any person an access assignment for other resources. This role does not permit the management of access assignments for the person, because the assigner would still need access to the resource or role they wish to assign to the person.
22. ACT-SetGroup-CanUseInAssignments-All: Grants the ability to give SetGroups an access assignment for other resources. This role does not permit the management of access assignments for the SetGroup, because the assigner would still need access to the resource or role they wish to assign to the SetGroup.
23. ACT-Shared-Credential-Object-Administration-App-Owner: Grants the ability to create, edit, and delete shared credentials associated with an application where the person is the owner.
24. UI-Application-Object-Administration: Grants access to the user interface and workflows for creating, editing, and deleting applications.
25. UI-Application-PBAC-Object-Administration: Grants access to the user interface and workflows for creating, editing, and deleting PBAC policy objects for applications (e.g., Rights, Field Types, Roles).
26. UI-Application-PBAC-Policy-Assigner: Grants access to the user interfaces and workflows for viewing and assigning PBAC roles and rights.
27. UI-Eligibility-Policy-Management: Grants the ability to see the user interfaces for eligibility policies and run their workflows.
28. UI-Res-Admin-MS-Application: Provides access to the UI for managing applications.
29. VIS-Accounts-All: Grants access to see all accounts.
30. VIS-Application-WhereOwner: Grants access to see EmpowerID and Azure applications and their subcomponents where the person is the application owner in EmpowerID or Azure.
31. VIS-AzFieldType-All: Provides access to see all Field Types.
32. VIS-AzGlobalRight-All: Provides access to see all global rights.
33. VIS-AzGlobalRole-All: Provides access to see all global roles.
34. VIS-AzLocalRight-App-Owner: Grants access to see all local rights where the person is the RBAC Owner of the application that has the local rights.
35. VIS-AZLocalRole-App-Owner: Grants access to see all local roles / role definitions where the person is the RBAC Owner of the application that has the local roles and role definitions.
36. VIS-AzureApplications-MyResponsible: Grants the ability to see Azure applications for which the person is the responsible party.
37. VIS-AzureApplications-Owner: Allows the user to view all Azure applications for which they are the RBAC Owner.
38. VIS-BusinessRole-All: Grants access to see all Business Roles.
39. VIS-Groups-All: Grants access to see all groups.
40. VIS-Location-All: Grants access to see all locations.
41. VIS-Management-Role-All: Grants access to see all Management Roles.
42. VIS-Management-Role-App-Owner: Grants access to see all Management Roles where the person is an RBAC owner of the application with the Management Roles.
43. VIS-Misc-Admin: Provides visibility for miscellaneous admin-required views.
44. VIS-OrgRoleOrgZone-ALL: Grants access to see all Business Role and Location combinations.
45. VIS-Person-All: Grants access to see all people.
46. VIS-Shared-Credential-App-Owner: Grants access to view all Shared Credentials belonging to an application where the person is the RBAC Owner.


Azure Claims Mapping Policy Administrator for All Policies and Applications

This role bundle allows users to manage all Azure Claims Mapping Policies for all Azure applications. The role bundle is comprised of the following Management Roles:

1. ACT-Azure-Application-Administration-All: Grants access to create, update, and delete all Azure applications.
2. ACT-Azure-Claims-Mapping-Policy-Administration-All: Grants the ability to create, update, and delete all Azure Claims Mapping Policies.
3. ACT-Location-Assignment-All: Grants access to operations needed for managing assignments of people to locations.
4. UI-Res-Admin-MS-Application-Base: A least-privilege role providing access to the Resource Admin UI for managing applications.
5. UI-Res-Admin-MS-Application-Claims-Mapping-Policy: Provides access to the UI for managing Azure Claims Mapping Policies.
6. VIS-Application-All: Grants access to see all applications and subcomponents.
7. VIS-AzureApplication-All: Grants access to see all Azure Applications in any tenant.
8. VIS-Location-All: Grants access to see all Locations.

Mobile Application and Chatbot User

This role bundle allows users to access the mobile application and chatbot. The role bundle is comprised of the following Management Roles: