IAM Shop Permission Levels and Computers
In EmpowerID, IAM Shop Permission Levels define permissions for specific resources within native systems, such as shared folders, mailboxes, and computers. These levels can be configured to align with organizational requirements, ensuring that access to resources is controlled according to user roles and responsibilities. For example, a shared folder may have a "Read-Only" permission level for general users, while a computer might have a "Local Admin" access level designated for IT staff.
Application in Computer Administration
Within computer administration, IAM Shop Permission Levels are important for facilitating Privileged Session Management (PSM). These permission levels enable administrators to define and control access rights during PSM sessions, allowing users to request specific permissions directly from the IAM Shop.
Role of IAM Shop Permission Levels in PSM
IAM Shop Permission Levels assist in managing access during PSM sessions by:
Granting Specific Permissions: Users can be given administrator-level access to perform designated tasks during a computer session.
Enforcing Security Principles: Permissions are revoked immediately after the session concludes, adhering to the principle of least privilege and reducing security risks by preventing prolonged unauthorized access.
To implement these levels, organizations select specific groups within the native system that have the required permissions and map the IAM Shop Permission Levels to those groups. Users who are members of these groups receive the specified access during their sessions. For instance, if a group has read and write permissions on a database, a member initiating a PSM session will automatically receive these permissions.
Integration of Just-In-Time (JIT) Access
EmpowerID supports Just-In-Time (JIT) account provisioning on computers for specific groups. This feature generates a user account at the start of a PSM session, assigns it to the appropriate group, and removes it when the session ends. The account, uniquely identified (e.g., jposada_566054625600), may be retained for future use or deleted based on JIT access settings. This method ensures that access is granted only as needed and withdrawn immediately afterward.
Eligibility in Access Provisioning
EmpowerID ensures that only eligible users can access specific Permission Levels, following defined access controls. For example, a database administrator might be eligible for higher-level permissions appropriate to their role, while a customer service representative would not. Depending on organizational policies, users not eligible for certain Permission Levels can still initiate sessions but only as non-privileged users, enhancing system security.
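The following is an added model of the lifecycle described above (level-to-group mapping, eligibility check, JIT account creation at session start, and immediate revocation at session end); it is illustrative code, not EmpowerID's own implementation, and the group names, role names and the Computer/Session types are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample mapping: IAM Shop Permission Level -> native group it is mapped to
LEVEL_TO_GROUP = {"Local Admin": "Administrators", "Read-Only": "Users"}
# Constructed sample eligibility policy: which roles may request each level
ELIGIBLE_ROLES = {
    "Local Admin": {"it-staff", "dba"},
    "Read-Only": {"it-staff", "dba", "customer-service"},
}
NON_PRIVILEGED_GROUP = "Users"  # ineligible users still get a session, but only here


@dataclass
class Computer:
    """Minimal model of a PSM-enabled computer's local accounts and groups."""
    name: str
    accounts: set = field(default_factory=set)
    groups: dict = field(default_factory=lambda: {g: set() for g in ("Administrators", "Users")})


@dataclass
class Session:
    account: str
    granted_level: Optional[str]  # None when the requester was not eligible


def start_session(computer: Computer, login: str, role: str, requested_level: str, session_id: str) -> Session:
    """Provision a JIT account and add it to the mapped group only if the role is eligible."""
    account = f"{login}_{session_id}"  # follows the page's naming pattern, e.g. jposada_566054625600
    computer.accounts.add(account)
    if role in ELIGIBLE_ROLES.get(requested_level, set()):
        computer.groups[LEVEL_TO_GROUP[requested_level]].add(account)
        return Session(account, requested_level)
    computer.groups[NON_PRIVILEGED_GROUP].add(account)  # eligibility failed: non-privileged session
    return Session(account, None)


def end_session(computer: Computer, session: Session, retain_account: bool = False) -> None:
    """Revoke every group membership immediately; delete the account unless JIT settings retain it."""
    for members in computer.groups.values():
        members.discard(session.account)
    if not retain_account:
        computer.accounts.discard(session.account)


def is_privileged(computer: Computer, account: str) -> bool:
    """True while the account holds membership in the privileged native group."""
    return account in computer.groups["Administrators"]
```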
Create IAM Shop Permission Levels
Assign IAM Shop Permission Levels to Computers
Configure Computers for Just-In-Time Access
Enable Computers for Privileged Session Management
Access Request Policies and Privileged Session Management
Assign PSM-Enabled Computers to Access Request Policies