IAM Shop Permission Levels and Computers

In EmpowerID, IAM Shop Permission Levels represent permissions for specific resources within native systems, including shared folders, mailboxes, and computers. Organizations have the flexibility to configure these levels to suit their unique requirements. For example, a shared folder may be assigned a "read-only" permission level for general users, while a computer might have a "local admin" access level for IT staff. These levels ensure that access to resources is both controlled and appropriately aligned with user roles and tasks.

Application in Computer Administration

In the domain of computer administration, IAM Shop Permission Levels are essential, especially for facilitating Privileged Session Management (PSM). These permission levels enable administrators to define and control access rights efficiently during PSM sessions, allowing users to request necessary permissions from the IAM Shop.

[Figure: IAM Shop Permission Levels for a computer being requested in the IAM Shop]

Role of IAM Shop Permission Levels in PSM

IAM Shop Permission Levels are crucial for managing access during PSM sessions. They serve a dual purpose:

  1. Granting Specific Permissions: A user might be granted administrator-level access to perform specific tasks during a computer session.

  2. Enforcing Security Principles: Adhering to the principle of least privilege, these permissions are revoked immediately after the session concludes, minimizing security risks by preventing prolonged unauthorized access.

To implement these levels, organizations select specific groups within the native system with the required permissions and map the IAM Shop Permission Levels to those groups. Users who are members of these groups receive the specified access during their sessions. For example, if a group has read and write permissions on a database, a member initiating a PSM session will automatically receive these permissions.
Integration of Just-In-Time (JIT) Access

EmpowerID supports Just-In-Time (JIT) account provisioning on computers for specific groups. This feature generates a user account at the onset of a PSM session, assigns it to the appropriate group, and removes it at the session's end. This account, uniquely identified (e.g., jposada_566054625600), may be retained for future use or deleted based on JIT access settings. This strategy enhances a zero-trust, least-privilege security model by ensuring access is granted only as needed and withdrawn immediately afterward.
Eligibility in Access Provisioning

EmpowerID ensures that only users eligible for specific Permission Levels can access them, adhering to defined access controls. For instance, a database administrator might be eligible for high-level permissions appropriate to their role, while a customer service representative would not. Depending on organizational policies, users not eligible for certain Permission Levels can still initiate sessions but only as non-privileged users, which enhances the system’s security.
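The lifecycle described in the preceding sections (a Permission Level mapped to a native group, a per-session JIT account that is added to that group at session start and revoked at session end, and eligibility gating) as an added illustrative model. This is not EmpowerID code and does not use the EmpowerID API; the class and function names, the role names, the group name "Administrators" and the way the non-privileged fallback is modelled (a session with no JIT account and no group membership) are all assumptions made for the example.

```python
"""Toy model of IAM Shop Permission Levels, JIT accounts and eligibility.
Added example for this page; not EmpowerID code. All names are assumptions."""
from dataclasses import dataclass, field
from typing import Optional, Dict, Set, FrozenSet
import secrets


@dataclass(frozen=True)
class PermissionLevel:
    name: str                      # e.g. "Local Admin" (assumed label)
    native_group: str              # group in the native system carrying the rights
    eligible_roles: FrozenSet[str] # roles allowed to request this level
    retain_jit_account: bool = False  # JIT setting: keep the account after the session?


@dataclass
class NativeSystem:
    """Stand-in for a computer: tracks local accounts and group membership."""
    accounts: Set[str] = field(default_factory=set)
    groups: Dict[str, Set[str]] = field(default_factory=dict)

    def create_account(self, name: str) -> None:
        self.accounts.add(name)

    def delete_account(self, name: str) -> None:
        self.accounts.discard(name)
        for members in self.groups.values():   # deleting also clears memberships
            members.discard(name)

    def add_to_group(self, group: str, account: str) -> None:
        self.groups.setdefault(group, set()).add(account)

    def remove_from_group(self, group: str, account: str) -> None:
        self.groups.get(group, set()).discard(account)

    def groups_of(self, account: str) -> Set[str]:
        return {g for g, members in self.groups.items() if account in members}


@dataclass
class Session:
    user: str
    account: str                      # account the session runs under
    level: Optional[PermissionLevel]  # None => non-privileged session
    active: bool = True


def is_eligible(roles: Set[str], level: PermissionLevel) -> bool:
    """A user is eligible when at least one of their roles is allowed for the level."""
    return bool(roles & level.eligible_roles)


def jit_account_name(user: str) -> str:
    """Unique per-session name in the style jposada_566054625600 (digits are random here)."""
    return f"{user}_{secrets.randbelow(10**12):012d}"


def start_session(system: NativeSystem, user: str, roles: Set[str],
                  level: PermissionLevel, allow_unprivileged: bool = True,
                  account_name: Optional[str] = None) -> Session:
    """Begin a PSM session. Eligible users get a JIT account in the level's group;
    ineligible users fall back to a non-privileged session (assumption: the user's
    own account, no group membership) or are refused if policy forbids that."""
    if not is_eligible(roles, level):
        if not allow_unprivileged:
            raise PermissionError(f"{user} is not eligible for {level.name}")
        return Session(user, user, None)
    account = account_name or jit_account_name(user)
    system.create_account(account)
    system.add_to_group(level.native_group, account)
    return Session(user, account, level)


def end_session(system: NativeSystem, session: Session) -> None:
    """Close the session: revoke the group rights immediately and delete the JIT
    account unless the level's JIT setting says to retain it."""
    session.active = False
    if session.level is None:
        return
    system.remove_from_group(session.level.native_group, session.account)
    if not session.level.retain_jit_account:
        system.delete_account(session.account)


if __name__ == "__main__":
    pc = NativeSystem()
    local_admin = PermissionLevel("Local Admin", "Administrators", frozenset({"it_admin"}))
    s = start_session(pc, "jposada", {"it_admin"}, local_admin)
    print("during session:", s.account, pc.groups_of(s.account))
    end_session(pc, s)
    print("after session:", pc.groups_of(s.account), s.account in pc.accounts)
```

The point the model makes visible is that the privileged rights live on the native group, not on the user: they exist only for the lifetime of a session account that is a member of that group, and ending the session removes the membership before the retain-or-delete decision is applied.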

Conclusion

Implementing and managing IAM Shop Permission Levels in EmpowerID is pivotal to the secure and efficient operation of IT systems. These levels provide a structured and customizable approach to access control, allowing permissions to be tailored precisely to specific roles and tasks. Integrating Just-In-Time access within these levels further strengthens this framework, ensuring permissions are granted on a need-to-use basis and revoked promptly, upholding the principles of least privilege and zero trust.

Understanding and effectively utilizing IAM Shop Permission Levels, coupled with JIT access, is fundamental for administrators aiming to optimize security and functionality within their IT infrastructure. By mastering these concepts, administrators can create a more secure, compliant, and streamlined IT environment where access to resources is meticulously managed and potential security risks are significantly minimized.