Access Needed to Manage Applications
Phillip Hanegan
EmpowerID employs Management Roles to control access to its resources. Users must be assigned appropriate roles to manage and interact with applications within the system. These Management Roles are categorized based on their functional prefixes in EmpowerID, as described below.
UI Roles: These roles, identified by the "UI" prefix, provide users access to specific interface elements within the EmpowerID interfaces. For instance, the role "UI-Res-Admin-MS-Application" enables access to user interfaces and workflows essential for managing applications.
VIS Roles: Roles starting with "VIS" enable users to view specific objects within EmpowerID. A typical role in this category is "VIS-Application-MyOrganization," which allows users to view applications and their subcomponents in their organizations.
ACT Roles: These roles, prefixed with "ACT," authorize users to actively manage specific objects in EmpowerID. For example, "ACT-Azure-Application-Administration-All" grants users access to create, update, and delete Azure applications.
To facilitate easy access assignments, EmpowerID offers "Role Bundle" Management Roles. These bundles are pre-configured with the requisite roles necessary for various operational scenarios, allowing for convenient and rapid deployment of access rights suited to specific user requirements and organizational workflows. This bundling strategy simplifies the administration of roles and enhances security by ensuring that users have precisely the access they need to perform their duties.
Â
Application Role Bundles
Application Admin for All Azure Applications
This role bundle grants users access to manage all Azure applications. The role bundle is comprised of the following Management Roles:
Management Role | Access Granted by Management Role |
|---|
Management Role | Access Granted by Management Role | |
|---|---|---|
| 1 | ACT-Application-Create-All | Grants access to create new applications in all locations. |
| 2 | ACT-Azure-Application-Administration-All | Grants access to create, update, and delete all Azure applications. |
| 3 | ACT-Business-Role-CanUseInAssignments-All | Grants the ability to assign to all Business Roles access to other resources. This role does not permit the management of access assignments for the Business Role because the assigner would still need access to the resource or role they wish to assign to the Business Role. |
| 4 | ACT-Global-Right-Azure-Administrator-All | Grants access to create and delete Azure Application Roles, Scopes, and API Permissions. |
| 5 | ACT-Group-CanUseInAssignments-All | Grants the ability to assign groups access to other resources. This role does not permit the management of access assignments for the group because the assigner would still need access to the resource or role they wish to assign to the group. |
| 6 | ACT-Local-Right-Assignment-Management-Azure-All | Grants access to manage Azure App Role/Right assignments for all App Roles in any tenant. |
| 7 | ACT-Local-Right-Create-All | Grants access to create Local Rights in all locations. |
| 8 | ACT-Local-Right-Assignment-Management-All | Grants access to can manage Local Right assignments for all Local Rights below Default Organization. |
| 9 | ACT-Local-Role-Assignment-Management-Azure-All | Grants access to manage role assignments for all roles in any tenant. |
| 10 | ACT-Local-Role-Create-All | Grants access to create Local Roles / Role Definitions in all locations. |
| 11 | ACT-Location-Assignment-All | Grants acces to operations for managing the assignments of people to all locations. |
| 12 | ACT-Location-CanUseInAssignments-All | Is able to grant a location an access assignment for another resource for all locations. |
| 13 | ACT-Management-Role-CanUseInAssignments-All | Grants the ability to assign to Management Roles an access assignment for other resources. This role does not permit the management of access assignments for the Management Role because the assigner would still need access to the resource or role they wish to assign to the Management Role. |
| 14 | ACT-Person-CanUseInAssignments-All | Grants the ability to assign any person an access assignment for other resources. This role does not permit the management of access assignments for the person because the assigner would still need access to the resource or role they wish to assign to the person. |
| 15 | ACT-SetGroup-CanUseInAssignments-All | Grants the ability to assign to SetGroups an access assignment for other resources. This role does not permit the management of access assignments for the SetGroup because the assigner would still need access to the resource or role they wish to assign to the SetGroup. |
| 16 | ACT-Shared-Credential-Create-All | Grants the ability able to create a shared credential anywhere. |
| 17 | ACT-Shared-Credential-Object-Administration-Azure-All | Grants the ability to create, edit, and delete all secrets and certificates in Azure. |
| 18 | UI-Res-Admin-MS-Application | Provides access to the UI for managing applications. |
| 19 | VIS-Accounts-Azure-All | Provides access to see all Azure accounts. |
| 20 | VIS-Application-MyOrganization | Grants access to see applications and their subcomponents in person's organizations. |
| 21 | VIS-AzGlobalRight-All | Grants access to see all AzGlobalRights. |
| 22 | VIS-AzLocalRight-All | Grants access to see all AzLocalRights. |
| 23 | VIS-AzLocalRole-All | Grants access to see all AzLocalRoles. |
| 24 | VIS-AzureApplication-All | Provides access to see all Azure Applications in any tenant. |
| 25 | VIS-BusinessRole-All | Grants access to see all Business Roles. |
| 26 | VIS-Groups-All | Grants access to see all groups. |
| 27 | VIS-Location-All | Grants access to see all locations. |
| 28 | VIS-Management-Role-All | Grants access to see all Management Roles. |
| 29 | VIS-Person-MyOrg | Grants access to see all people in my organizations. |
| 30 | VIS-SetGroup-All | Grants access to see all SetGroups (Query-Based Collections). |
| 31 | VIS-Shared-Credential-All | Grants access to see all vaulted credentials. |
| 32 | VIS-Shared-Credential-Azure-All | Grants access to see all secrets and certificates in any Azure tenant. |
Â
Application Admin for all Non-Azure Applications
This role bundle grants users access to create, update, and delete all applications that are not Azure applications. The role bundle is comprised of the following Management Roles:
Management Role | Access Granted by Management Role |
|---|
Management Role | Access Granted by Management Role | |
|---|---|---|
| 1 | ACT-Application-Create-All | Grants access to create new applications in all locations. |
| 2 | ACT-Application-Object-Administration-All | Grants access to create, update, and delete all applications. |
| 3 | ACT-Business-Role-CanUseInAssignments-All | Grants the ability to assign to all Business Roles access to other resources. This role does not permit the management of access assignments for the Business Role because the assigner would still need access to the resource or role they wish to assign to the Business Role. |
| 4 | ACT-Group-CanUseInAssignments-All | Grants the ability to assign groups access to other resources. This role does not permit the management of access assignments for the group because the assigner would still need access to the resource or role they wish to assign to the group. |
| 5 | ACT-Local-Right-Create-All | Grants access to create Local Rights in all locations. |
| 6 | ACT-Local-Right-Object-Administration-App-MyResponsible | Provides access to create, update, and delete all Local Rights belonging to an application where the person is responsible party. |
| 7 | ACT-Local-Right-Object-Administration-App-Owner | Provides access to create, update, and delete all Local Rights belonging to an application where the person is the RBAC Owner. |
| 8 | ACT-Local-Role-Object-Administration-App-MyResponsible | Grants access to create, update, and delete all Local Roles belonging to an application where the person is responsible party. |
| 9 | ACT-Local-Role-Object-Administration-App-Owner | Grants access to create, update, and delete all Local Roles belonging to an application where the person is the RBAC Owner. |
| 10 | ACT-Location-CanUseInAssignments-All | Is able to grant a location an access assignment for another resource for all locations. |
| 11 | ACT-Management-Role-CanUseInAssignments-All | Grants the ability to assign to Management Roles an access assignment for other resources. This role does not permit the management of access assignments for the Management Role because the assigner would still need access to the resource or role they wish to assign to the Management Role. |
| 12 | ACT-Management-Role-Object-Administration-App-MyResponsible | Grants the ability to create, update, and delete all Management Roles associated with an application where the person is responsible party. |
| 13 | ACT-Management-Role-Object-Administration-App-Owner | Grants the ability to create, update, and delete all Management Roles associated with an application where the person is the RBAC owner. |
| 14 | ACT-Person-CanUseInAssignments-All | Grants the ability to assign any person an access assignment for other resources. This role does not permit the management of access assignments for the person because the assigner would still need access to the resource or role they wish to assign to the person. |
| 15 | UI-Application-Object-Administration | Grants access to user interface and workflows for creating, editing, and deleting applications. |
| 16 | UI-Application-PBAC-Policy-Assigner | Grants access to user interface and workflows for viewing and assigning PBAC roles and rights. |
| 17 | UI-Eligibility-Policy-Management | Grants the ability to see user interfaces for eligibility policies and run workflows. |
| 18 | UI-Res-Admin-MS-Application | Provides access to the UI for managing applications. |
| 19 | UI-Res-Admin-MS-Common | Grants access to common/shared UI used by the Resource Admin microservice. |
| 20 | VIS-Application-All | Provides access to see all applications and subcomponents. |
| 21 | VIS-AzFieldType-All | Provides access to see all Field Types. |
| 22 | VIS-AzGlobalRight-All | Provides access to see all global rights. |
| 23 | VIS-AzGlobalRole-All | Provides access to see all global roles. |
| 24 | VIS-AzLocalRole-All | Grants access to see all AzLocalRoles. |
| 25 | VIS-BusinessRole-All | Grants access to see all Business Roles. |
| 26 | VIS-Location-All | Grants access to see all locations. |
| 27 | VIS-Management-Role-All | Grants access to see all Management Roles. |
| 28 | VIS-Misc-Admin | Provides visibility for miscellaneous admin required views. |
| 29 | VIS-OrgRoleOrgZone-ALL | Grants access to see all Business Role and Location combinations. |
| 30 | VIS-Person-All | Grants access to see all people. |
Â
Application Administrator for All Applications
This role bundle allows users to manage all applications via the Resource Admin microservice. This role bundle is comprised of the following Management Roles:
Management Role | Access Granted by Management Role |
|---|
Management Role | Access Granted by Management Role | |
|---|---|---|
| 1 | ACT-Azure-Application-Administration-All | Grants access to create, update, and delete all Azure applications. |
| 2 | ACT-Business-Role-CanUseInAssignments-All | Grants the ability to assign to all Business Roles access to other resources. This role does not permit the management of access assignments for the Business Role because the assigner would still need access to the resource or role they wish to assign to the Business Role. |
| 3 | ACT-Global-Right-Azure-Administrator-All | Grants access to create and delete Azure Application Roles, Scopes, and API Permissions. |
| 4 | ACT-Group-CanUseInAssignments-All | Grants the ability to assign groups access to other resources. This role does not permit the management of access assignments for the group because the assigner would still need access to the resource or role they wish to assign to the group. |
| 5 | ACT-Local-Right-Assignment-Management-All | Grants access to manage Local Right assignments for all Local Rights below Default Organization. |
| 6 | ACT-Local-Role-Assignment-Management-All | Provides access to manage Local Role assignments for all Local Roles below Default Organization. |
| 7 | ACT-Local-Role-Assignment-Management-Azure-All | Provides access to manage role assignments for all roles in any tenant. |
| 8 | ACT-Local-Role-Create-All | Grants access to create Local Roles / Role Definitions in all locations. |
| 9 | ACT-Location-Assignment-All | Grants access to operations for managing assignments of people to all locations. |
| 10 | ACT-Location-CanUseInAssignments-All | Is able to grant a location an access assignment for another resource for all locations. |
| 11 | ACT-Management-Role-CanUseInAssignments-All | Grants the ability to assign to Management Roles an access assignment for other resources. This role does not permit the management of access assignments for the Management Role because the assigner would still need access to the resource or role they wish to assign to the Management Role. |
| 12 | ACT-Person-CanUseInAssignments-All | Grants the ability to assign any person an access assignment for other resources. This role does not permit the management of access assignments for the person because the assigner would still need access to the resource or role they wish to assign to the person. |
| 13 | ACT-SetGroup-CanUseInAssignments-All | Grants the ability to assign to SetGroups an access assignment for other resources. This role does not permit the management of access assignments for the SetGroup because the assigner would still need access to the resource or role they wish to assign to the SetGroup. |
| 14 | ACT-Shared-Credential-Create-All | Grants access to create a shared credential anywhere. |
| 15 | ACT-Shared-Credential-Object-Administration-Azure-All | Grants access to create, edit, and delete all secrets and certificates in Azure. |
| 16 | UI-Res-Admin-MS-Application | Provides access to the UI for managing applications. |
| 17 | VIS-Accounts-Azure-All | Grants access to see all Azure accounts. |
| 18 | VIS-Application-MyOrganization | Grants access to see applications and their subcomponents in person's organizations. |
| 19 | VIS-AzGlobalRight-All | Provides access to see all global rights. |
| 20 | VIS-AzLocalRight-All | Grants access to see all local rights. |
| 21 | VIS-AzLocalRole-All | Grants access to see all local roles. |
| 22 | VIS-AzureApplication-All | Grants access to see all Azure Applications in any tenant. |
| 23 | VIS-BusinessRole-All | Grants access to see all Business Roles. |
| 24 | VIS-Groups-All | Provides access to see all groups. |
| 25 | VIS-Location-All | Grants access to see all locations. |
| 26 | VIS-Management-Role-All | Grants access to see all Management Roles. |
| 27 | VIS-Person-MyOrg | Grants access to see all people in the person’s organization. |
| 28 | VIS-SetGroup-All | Provides access to see all Query-Based Collections (SetGroups). |
| 29 | VIS-Shared-Credential-All | Provides access to see all vaulted credentials. |
| 30 | VIS-Shared-Credential-Azure-All | Provides access to view all secrets and certificates in any Azure tenant. |
Application RBAC Owner
This role bundle allows users to create new applications and manage all applications where they are the RBAC owner. The role bundle is comprised of the following Management Roles:
Management Role | Access Granted by Management Role |
|---|
Management Role | Access Granted by Management Role | |
|---|---|---|
| 1 | ACT-Account-CanUseInAssignments-All | Grants the ability to assign to all accounts access to other resources. This role does not permit the management of access assignments for the account because the assigner would still need access to the resource or role they wish to assign to the account. |
| 2 | ACT-Application-Create-All | Grants access to create new applications in all locations. |
| 3 | ACT-Application-Object-Administration-Owner | Grants access to manage all applications where the person is an RBAC owner. |
| 4 | ACT-Azure-Application-Object-Administration-Owner | Grants access to manage all Azure applications where the person is an RBAC owner. |
| 5 | ACT-Azure-Application-Create-All | Grants the ability to create Azure Applications in all locations. |
| 6 | ACT-Business-Role-CanUseInAssignments-All | Grants the ability to assign to all Business Roles access to other resources. This role does not permit the management of access assignments for the Business Role because the assigner would still need access to the resource or role they wish to assign to the Business Role. |
| 7 | ACT-FieldType-Create | Grants the ability to create Field Types. |
| 8 | ACT-FieldType-Object-Administration-All | Grants object administration (Create, Update, Delete) for all Field Types. |
| 9 | ACT-Group-CanUseInAssignments-All | Grants the ability to assign groups access to other resources. This role does not permit the management of access assignments for the group because the assigner would still need access to the resource or role they wish to assign to the group. |
| 10 | ACT-Local-Right-Assignment-Management-App-Owner | Grants access to manage right assignments for rights where the person is the RBAC Owner for the application that owns the rights. |
| 11 | ACT-Local-Right-Create-All | Grants access to create Local Rights in all locations. |
| 12 | ACT-Local-Right-Object-Administration-App-Owner | Provides access to create, update, and delete all Local Rights belonging to an application where the person is the RBAC Owner. |
| 13 | ACT-Local-Role-Create-All | Grants access to create Local Roles / Role Definitions in all locations. |
| 14 | ACT-Local-Role-Object-Administration-App-Owner | Grants access to create, update, and delete all Local Roles belonging to an application where the person is the RBAC Owner. |
| 15 | ACT-Location-Assignment-All |
|
| 16 | ACT-Location-CanUseInAssignments-All | Is able to grant a location an access assignment for another resource for all locations. |
| 17 | ACT-Management-Role-CanUseInAssignments-All | Grants the ability to assign to Management Roles an access assignment for other resources. This role does not permit the management of access assignments for the Management Role because the assigner would still need access to the resource or role they wish to assign to the Management Role. |
| 18 | ACT-Management-Role-Create-All | Grants access to create Management Roles in all locations. |
| 19 | ACT-Management-Role-Membership-Management-App-Owner | Grants access to manage the membership of Management Roles associated with an application where person is an owner. |
| 20 | ACT-Management-Role-Object-Administration-App-Owner | Grants the ability to create, update, and delete all Management Roles associated with an application where the person is the RBAC owner. |
| 21 | ACT-Person-CanUseInAssignments-All | Grants the ability to assign any person an access assignment for other resources. This role does not permit the management of access assignments for the person because the assigner would still need access to the resource or role they wish to assign to the person. |
| 22 | ACT-SetGroup-CanUseInAssignments-All | Grants the ability to assign to SetGroups an access assignment for other resources. This role does not permit the management of access assignments for the SetGroup because the assigner would still need access to the resource or role they wish to assign to the SetGroup. |
| 23 | ACT-Shared-Credential-Object-Administration-App-Owner | Grants the ability to create, edit, and delete shared credentials associated with application where the person is owner. |
| 24 | UI-Application-Object-Administration | Grants access to user interface and workflows for creating, editing, and deleting applications. |
| 25 | UI-Application-PBAC-Object-Administration | Grants access to user interface and workflows for creating, editing, and deleting PBAC policy objects for applications (e.g., Rights, Field Types, Roles, etc.). |
| 26 | UI-Application-PBAC-Policy-Assigner | Grants access to user interfaces and workflows for viewing and assigning PBAC roles and rights. |
| 27 | UI-Eligibility-Policy-Management | Grants the ability to see user interfaces for eligibility policies and run workflows. |
| 28 | UI-Res-Admin-MS-Application | Provides access to the UI for managing applications. |
| 29 | VIS-Accounts-All | Grants access to see all accounts. |
| 30 | VIS-Application-WhereOwner | Grants access to see EmpowerID and Azure applications and their subcomponents where the person is the application owner in EmpowerID or Azure. |
| 31 | VIS-AzFieldType-All | Provides access to see all Field Types. |
| 32 | VIS-AzGlobalRight-All | Provides access to see all global rights. |
| 33 | VIS-AzGlobalRole-All | Provides access to see all global roles. |
| 34 | VIS-AzLocalRight-App-Owner | Grants access to see all local rights where the person is the RBAC Owner for the application with the local rights. |
| 35 | VIS-AZLocalRole-App-Owner | Grants access to see all local loles / role definitions where the person is the RBAC Owner for the application with the local roles and role definitions. |
| 36 | VIS-AzureApplications-MyResponsible | Grants the ability to see Azure applications for which the person is the responsibility party. |
| 37 | VIS-AzureApplications-Owner | This role allows the user to view all Azure applications for which they are the RBAC Owner. |
| 38 | VIS-BusinessRole-All | Grants access to see all Business Roles. |
| 39 | VIS-Groups-All | Grants access to see all groups. |
| 40 | VIS-Location-All | Grants access to see all locations. |
| 41 | VIS-Management-Role-All | Grants access to see all Management Roles. |
| 42 | VIS-Management-Role-App-Owner | Grants access to see all Management Roles where the person is an RBAC owner for the application with the Management Roles. |
| 43 | VIS-Misc-Admin | Provides visibility for miscellaneous admin required views. |
| 44 | VIS-OrgRoleOrgZone-ALL | Grants access to see all Business Role and Location combinations. |
| 45 | VIS-Person-All | Grants access to see all people. |
| 46 | VIS-Shared-Credential-App-Owner | Grants access to view all Shared Credentials belonging to an application where the person is RBAC Owner. |
Azure Claims Mapping Policy Administrator for All Policies and Applications
This role bundle allows users to manage all Azure Claims Mapping Policies for all Azure applications. The role bundle is comprised of the following Management Roles:
Management Role | Access Granted by Management Role |
|---|
Management Role | Access Granted by Management Role | |
|---|---|---|
| 1 | ACT-Azure-Application-Administration-All | Grants access to create, update, and delete all Azure applications. |
| 2 | ACT-Azure-Claims-Mapping-Policy-Administration-All | Grants the ability to create, update, and delete all Azure Claims Mapping Policies. |
| 3 | ACT-Location-Assignment-All | Grants access to operations needed for managing assignments of people to locations. |
| 4 | UI-Res-Admin-MS-Application-Base | This is a least privilege role providing access to the Resource Admin UI for managing applications. |
| 5 | UI-Res-Admin-MS-Application-Claims-Mapping-Policy | Provides access to UI for managing Azure Claims Mapping Policies. |
| 6 | VIS-Application-All | Grants access to see all applications and subcomponents. |
| 7 | VIS-AzureApplication-All | Grants access to see all Azure Applications in any tenant. |
| 8 | VIS-Location-All | Grants access to see all Locations. |
Mobile Application and Chatbot User
This role bundle allows users to access the mobile application and chatbot. The role bundle is comprised of the following Management Roles: