Access to User Accounts and Groups

EmpowerID restricts access to accounts and groups through the use of Management Roles. To view and work with accounts and groups users must be assigned to the appropriate roles. Management Roles are prefixed by their function in EmpowerID and include the following:

UI — Management Roles prefixed with UI grant users access to specific UI elements in the EmpowerID Web interface.
VIS — Management Roles prefixed with VIS grant users the ability to see specific objects in EmpowerID.
ACT — Management Roles prefixed with ACT grant users the ability to manage specific objects in EmpowerID.

Roles needed by users to view and edit account profile information

To view and edit their basic account information, users need to have the following Management Role assignments:

Management Role	Access Granted by Management Role	Role Type

Management Role

Access Granted by Management Role

Role Type

UI-Account-Profile-Edit

Grants access to the user interfaces and workflows for viewing basic information about user accounts, as well as the ability to edit profile attributes.

Feature Set — Inherits the below Access Levels from the parent Management Role Definition:

PAGES AND CONTROLS ACCESS

Find Account Page
- Viewer for the page
Account View One Page
- Viewer for the page
- Viewer for the Actions Accordion
- Viewer for the Advanced Tab
Account Edit One Page
- Viewer for the page

WORKFLOW ACCESS

Resource Manager Account Update
- Initiator for the workflow

Management Role	Access Granted by Management Role	Role Type

Management Role

Access Granted by Management Role

Role Type

UI-Account-Profile-Edit

Grants access to the user interfaces and workflows for viewing basic information about user accounts, as well as the ability to edit profile attributes.

Feature Set — Inherits the below Access Levels from the parent Management Role Definition:

PAGES AND CONTROLS ACCESS

Find Account Page
- Viewer for the page
Account View One Page
- Viewer for the page
- Viewer for the Actions Accordion
- Viewer for the Advanced Tab
Account Edit One Page
- Viewer for the page

WORKFLOW ACCESS

Resource Manager Account Update
- Initiator for the workflow

VIS-Accounts-MyLocations

Grants visibility for all user accounts in the same locations as the currently logged in user.

Visibility

Management Role	Access Granted by Management Role	Role Type

Management Role

Access Granted by Management Role

Role Type

UI-Account-Profile-Edit

Grants access to the user interfaces and workflows for viewing basic information about user accounts, as well as the ability to edit profile attributes.

Feature Set — Inherits the below Access Levels from the parent Management Role Definition:

PAGES AND CONTROLS ACCESS

Find Account Page
- Viewer for the page
Account View One Page
- Viewer for the page
- Viewer for the Actions Accordion
- Viewer for the Advanced Tab
Account Edit One Page
- Viewer for the page

WORKFLOW ACCESS

Resource Manager Account Update
- Initiator for the workflow

VIS-Accounts-MyOrg

Grants visibility for all user accounts in the same organizations as the currently logged in user.

Visibility

Management Role	Access Granted by Management Role	Role Type

Management Role	Access Granted by Management Role	Role Type
UI-Account-Profile-Edit	Grants access to the user interfaces and workflows for viewing basic information about user accounts, as well as the ability to edit profile attributes.	Feature Set — Inherits the below Access Levels from the parent Management Role Definition: PAGES AND CONTROLS ACCESS Find Account Page Viewer for the page Account View One Page Viewer for the page Viewer for the Actions Accordion Viewer for the Advanced Tab Account Edit One Page Viewer for the page WORKFLOW ACCESS Resource Manager Account Update Initiator for the workflow
Active Directory User Accounts — In addition to the UI-Account-Membership-Management Management Role, users need the following role to see Active Directory user accounts
VIS-Accounts-AD	Grants visibility for all Active Directory user accounts.	Visibility
AWS User Accounts — In addition to the UI-Account-Membership-Management Management Role, users need the following role to see Amazon Web Services user accounts
VIS-Accounts-AWS	Grants visibility for all user accounts in any Amazon Web Services account store.	Visibility
Linux User Accounts — In addition to the UI-Account-Membership-Management Management Role, users need the following role to see Linux user accounts
VIS-Accounts-Linux	Grants visibility for all Linux user accounts.	Visibility
Local Windows User Accounts — In addition to the UI-Account-Membership-Management Management Role, users need the following role to see Local Windows Server user accounts
VIS-Accounts-LocalWindows	Grants visibility for all user accounts belonging to Local Windows Server account stores.	Visibility
Office 365 User Accounts — In addition to the UI-Account-Membership-Management Management Role, users need the following role to see Office 365 user accounts
VIS-Accounts-O365	Grants visibility for all Office 365 / Azure AD user accounts.	Visibility
SAP User Accounts — In addition to the UI-Account-Membership-Management Management Role, users need the following role to see SAP user accounts
VIS-Accounts-SAP	Grants visibility for all SAP user accounts.	Visibility

Management Role	Access Granted by Management Role	Role Type

Management Role

Access Granted by Management Role

Role Type

UI-Account-Profile-Edit

Grants access to the user interfaces and workflows for viewing basic information about user accounts, as well as the ability to edit profile attributes.

Feature Set — Inherits the below Access Levels from the parent Management Role Definition:

PAGES AND CONTROLS ACCESS

Find Account Page
- Viewer for the page
Account View One Page
- Viewer for the page
- Viewer for the Actions Accordion
- Viewer for the Advanced Tab
Account Edit One Page
- Viewer for the page

WORKFLOW ACCESS

Resource Manager Account Update
- Initiator for the workflow

VIS-Accounts-All-IT-Systems

Grants visibility for all accounts under All IT Systems.

Visibility

Management Role	Access Granted by Management Role	Role Type

Management Role

Access Granted by Management Role

Role Type

UI-Account-Membership-Management

Grants access to the user interfaces and workflows for viewing basic information about user accounts, as well as for initiating account group membership management workflows.

Feature Set — Inherits the below Access Levels from the parent Management Role Definition:

PAGES AND CONTROLS ACCESS

Find Account Page
- Viewer for the page
Account View One Page
- Viewer for the page
- Viewer for the General Tab
- Viewer for the Group Membership Grid
- Viewer for the Group Membership Changes Grid
- Viewer for the Resultant Membership Grid

WORKFLOW ACCESS

Add Accounts to Groups
- Initiator for the workflow
Remove Service Principal from Groups
- Initiator for the workflow
Update Account Group Membership
- Initiator for the workflow

VIS-Accounts-All

Grants visibility for all accounts in any location.

Visibility

Roles needed to add and remove accounts to and from groups

To manage the group assignments of user accounts, users need to have a combination of the following Management Role assignments (based on the needed scope).

Accounts can only be added to groups that belong to the same domain.

Management Role	Access Granted by Management Role	Role Type

Management Role	Access Granted by Management Role	Role Type
Account Roles Needed
UI-Account-Membership-Management	Grants access to the user interfaces and workflows for viewing basic information about user accounts, as well as for initiating account group membership management workflows.	Feature Set — Inherits the below Access Levels from the parent Management Role Definition: PAGES AND CONTROLS ACCESS Find Account Page Viewer for the page Account View One Page Viewer for the page Viewer for the General Tab Viewer for the Group Membership Grid Viewer for the Group Membership Changes Grid Viewer for the Resultant Membership Grid WORKFLOW ACCESS Add Accounts to Groups Initiator for the workflow Remove Service Principal from Groups Initiator for the workflow Update Account Group Membership Initiator for the workflow
VIS-Accounts-MyLocations	Grants visibility for all user accounts in the same locations as the currently logged in user.	Visibility
ACT-Account-Membership-Management-MyLocations	Grants access to manage membership for user accounts belonging to the same locations as the currently logged in user. If this role is not included, the change to group membership routes for approval to someone who can approve the request.	Activity
Group Roles Needed
UI-Group-Membership-Management	Grants people access to the user interfaces and workflows for viewing basic information about groups, as well as for initiating group membership management workflows.	Feature Set — Inherits the below Access Levels from the parent Management Role Definition: PAGES AND CONTROLS ACCESS Find Group Page Viewer for the page Viewer for the Dashboard Tab Viewer for the All Groups Tab Viewer for the Groups I Manage Tab Group View One Page Viewer for the page Viewer for the General Tab Viewer for the Membership Changes Tab Viewer for the Group Members Grid WORKFLOW ACCESS Add Accounts to Groups Initiator for the workflow Update Group Account Membership Initiator for the workflow Add People to Groups Initiator for the workflow Update Person Group Membership Initiator for the workflow Temporary Group Membership Initiator for the workflow Add Groups to Group Initiator for the workflow Remove Groups from Group Initiator for the workflow Remove Service Principal from Groups Initiator for the workflow
VIS-Groups-Distribution-MyLocation	Grants visibility for all distribution groups belonging to the same locations as the currently logged in user.	Visibility
ACT-Group-Membership-Management-Distribution-MyLocations	Grants access to manage membership for distribution groups belonging to the same locations as the currently logged in user. If this role is not included, the change to group membership routes for approval to someone who can approve the request.	Activity
VIS-Groups-Generic-MyLocation	Grants visibility for all generic groups belonging to the same locations as the currently logged in user.	Visibility
ACT-Group-Membership-Management-Generic-MyLocations	Grants access to manage membership for generic groups belonging to the same locations as the currently logged in user. If this role is not included, the change to group membership routes for approval to someone who can approve the request.	Activity
VIS-Groups-Security-MyLocations	Grants visibility for all security groups belonging to the same locations as the currently logged in user.	Visibility
ACT-Group-Membership-Management-Security-MyLocations	Grants access to manage membership for security groups belonging to the same locations as the currently logged in user. If this role is not included, the change to group membership routes for approval to someone who can approve the request.	Activity

Accounts can only be added to groups that belong to the same domain.

Management Role	Access Granted by Management Role	Role Type

Management Role

Access Granted by Management Role

Role Type

Account Roles Needed

UI-Account-Membership-Management

Grants access to the user interfaces and workflows for viewing basic information about user accounts, as well as for initiating account group membership management workflows.

Feature Set — Inherits the below Access Levels from the parent Management Role Definition:

PAGES AND CONTROLS ACCESS

Find Account Page
- Viewer for the page
Account View One Page
- Viewer for the page
- Viewer for the General Tab