Granting Access to the IAM Shop

EmpowerID employs Management Roles to control access to the IAM Shop. Users must be assigned to relevant roles to gain access to this feature. These Management Roles are classified by their specific functions within EmpowerID and include:

  1. UI-Prefixed Roles: Management Roles that start with 'UI' provide users with access to certain UI elements within the EmpowerID Web interface. This allows for a tailored user experience, giving access only to the necessary interface components.

  2. VIS-Prefixed Roles: Roles prefixed with 'VIS' grant users visibility rights over specific objects within EmpowerID. This ensures that users can see only the objects relevant to their role, making for an efficient and clutter-free workspace.

  3. ACT-Prefixed Roles: Management Roles beginning with 'ACT' give users the capability to manage certain objects within EmpowerID. This provides users with the necessary permissions to perform specific actions on selected objects, aligning with their job responsibilities.

To shop for eligible resources in the IAM Shop, users need one or more of the following Management Role assignments, depending on the scope required:

| Management Role | Role Type | Description |
| --- | --- | --- |
| UI-IT-Shop-MS-Application | Feature Set (UI) | Grants access to shop for access to Applications in the IAM Shop microservice app. The role specifically grants access to the following user interface controls, pages and reports, and workflows: |
| UI-IT-Shop-MS-Application-Role | Feature Set (UI) | Grants access to shop for Application Roles (Groups) in the IAM Shop microservice app. The role specifically grants access to the following user interface controls, pages and reports, and web services: |
| UI-IT-Shop-MS-Application-Role-Base | Feature Set (UI) | Grants the minimal access needed to shop for Application Roles (Groups) in the IAM Shop microservice app. The role specifically grants access to the following user interface controls, pages and reports, and web services: |
| UI-IT-Shop-MS-Azure-Admin-Role | Feature Set (UI) | Grants access to shop for Azure Admin Directory Roles in the IAM Shop microservice app. The role specifically grants access to the following user interface controls, pages and reports, and web services: |
| UI-IT-Shop-MS-Azure-License | Feature Set (UI) | Grants access to shop for Azure Licenses in the IAM Shop microservice app. The role specifically grants access to the following user interface controls, pages and reports, and web services: |
| UI-IT-Shop-MS-Azure-RBAC-Role | Feature Set (UI) | Grants access to shop for Azure RBAC Roles in the IAM Shop microservice app. The role specifically grants access to the following user interface controls, pages and reports, and web services: |
| UI-IT-Shop-MS-Business-Role | Feature Set (UI) | Grants access to shop for Business Roles in the IAM Shop microservice app. The role specifically grants access to the following user interface controls, pages and reports, and web services: |
| UI-IT-Shop-MS-Common | Feature Set (UI) | Grants access for common/shared UI and APIs used by the IAM Shop. The role specifically grants access to the following applications, user interface controls, and web services: |
| UI-IT-Shop-MS-Computer | Feature Set (UI) | Grants access to shop for access to servers in the IAM Shop microservice app. The role specifically grants access to the following user interface controls, pages and reports, and workflows: |
| UI-IT-Shop-MS-Full-Access | Feature Set (UI) | Grants access to all Item Types and UI in the IAM Shop microservice app. The role specifically grants access to the following user interface controls, pages and reports, web services and workflows: |
| UI-IT-Shop-MS-Mailbox | Feature Set (UI) | Grants access to shop for access to Office 365 Mailboxes in the IAM Shop microservice app. The role specifically grants access to the following user interface controls and pages and reports: |
| UI-IT-Shop-MS-Management-Role | Feature Set (UI) | Grants access to shop for EmpowerID Management Roles in the IAM Shop microservice app. The role specifically grants access to the following user interface controls, pages and reports, web services, and workflows: |
| UI-IT-Shop-MS-Risk | Feature Set (UI) | Grants access to view and interact with Risks in the IAM Shop microservice app. The role specifically grants access to the following user interface controls and web services: |
| UI-IT-Shop-MS-Shared-Credential | Feature Set (UI) | Grants access to shop for Shared Credentials in the IAM Shop microservice app. The role specifically grants access to the following user interface controls, pages and reports, and web services: |
| VIS-IT-Shop-MS-API | Visibility (VIS) | Grants access to the base web services required by all users of the IAM Shop Microservice. The role specifically grants access to the following web services: |

  • BusinessLocationsAPI.GetUserGroups

  • BusinessLocationsAPI.GetUser

  • BusinessLocationsAPI.GetEligibleLocation

  • ComputersAPI.GetAllAssignedComputers

  • AzureRolesAPI.CheckAssignmentStatus

  • MscAccessRequestPolicy.GetByResourceID

  • AzureRolesAPI.GetAllAssigned

  • BusinessLocationsAPI.GetChildren

  • MscPerson.GetPhoto

  • MscResourceAccessRequestAssignee.GetByResourceIdForAssignee

  • MscUIAction.GetByResourceID

  • MscUtility.ListItemsBySetName

  • ExternalCredentialsAPI.GetAllExternalCredentials

  • ExternalCredentialsAPI.ValidateMasterPassword

  • MscRenewableAssignment.IsRenewableAssignment

  • MscExternalCredential.DeleteCredential


  • ComputersAPI.GetComputersForLoginSessionAccess

  • BusinessRolesAPI.GetAnonymousInfo

  • GroupsAPI.GetGroups

  • BusinessRolesAPI.GetAssignedBusinessRolesByPersonGUID

  • GroupsAPI.GetAssignedAppRolesByPersonGUID

  • CartSubmissionAPI

  • CartSubmissionAPI.ProcessOrgRoles

  • GroupsAPI.GetTargetSystemFilterdata

  • CartSubmissionAPI.ProcessLicenseBundles

  • AzureLicenseBundleAPI.GetAllEligibleLicenseBundlesByAssigneeId

  • ManagementRolesAPI.GetManagementRoles

  • AzureRolesAPI.GetSingleAzureAdminRole

  • GroupsAPI.GetOwnersAndApprovers

  • MscGlobalConfig.GetConfigSetting

  • MscPerson.PeopleToSetAsDelegate

  • ManagementRolesAPI.OwnersByManagementRoleId

  • SharedFoldersAPI.GetSingleSharedFolder

  • SharedFoldersAPI.GetAllAssignedSharedFolders

  • MailBoxesAPI.GetAllAssignedMailBoxes

  • ProtectedApplicationsAPI.GetOwnersOrDeputies

  • SharepointAPI.GetAllWebSites

  • ComputersAPI.GetComputerOperatingSystemTypes

  • MscUtility.ListMethodSignatures

  • MscExternalCredential.CheckOutCredential

  • MscUtility.GetAdditionalDynamicProperties

  • BusinessRolesAPI.GetUserGroups

  • BusinessRolesAPI.GetUser

  • GroupsAPI.GetUser

  • BusinessLocationsAPI.GetAnonymousInfo

  • BusinessFunctionsAPI.GetAnonymousInfo

  • BusinessFunctionsAPI.GetUser

  • BusinessLocationsAPI.GetOrgZoneTypes

  • BusinessRolesAPI.ExecuteMethod

  • CheckForSODAPI

  • CheckForSODAPI.CheckForSOD

  • GroupsAPI.GetAssignedMembershipByOrgRoleOrgZoneID

  • GroupsAPI.GetSingleOrgRole

  • CartSubmissionAPI.GetAnonymousInfo

  • All ITShop WebServices

  • CheckForSODAPI.GetAssigneesForOrgRoleType

  • AzureLicenseBundleAPI

  • AzureLicenseReportAPI.getReportByReportID

  • ManagementRolesAPI

  • ManagementRolesAPI.GetAllAssigned

  • ManagementRolesAPI.CheckAssignmentStatus

  • CartSubmissionAPI.ProcessAzureAdminRoles

  • AzureLicenseBundleAPI.GetTenantSubscriptionServices

  • LocalizationAPI.CountryHelpText

  • GroupsAPI.GetSuggestedAppRolesByOrgRoleIdOrgZoneId

  • GroupsAPI.OwnersByAppRoleId

  • BusinessFunctionsAPI.LocalFunctionsByAppRole

  • BusinessFunctionsAPI.LocalFunctionsByOrgRoleOrgZone

  • BusinessRolesAPI.OwnersByRoleId

  • BusinessRolesAPI.ApproversByRoleId

  • MscProtectedApplication.GetChildren

  • MscProtectedApplication.AllowedSsoApplications

  • MscPerson.PeopleToSetAsApprover

  • GroupsAPI.GetAssignedMembershipByAssigneeId

  • MailBoxesAPI.GetAllMailBoxTypes

  • MailBoxesAPI.GetAllMailBoxes

  • MscAccessRequestPolicy.GetAll

  • ComputersAPI.GetAllComputers

  • ComputersAPI.GetSingleComputer

  • ManagementRolesAPI.GetAllAssignedByOrgRoleOrgZoneId

  • MscBusinessRequestItem.GetByAssigneeIdResourceId

  • MscUIAction.GetByNounVerb

  • ExternalCredentialsAPI.GetCheckedOutByComputerIdPersonId

  • ManagementRolesAPI.GetAllAssignedByManagementRoleId

  • ProtectedApplicationsAPI.GetAllAssignedProtectedApplications

  • ComputersAPI.GetComputerPlatformTypes

  • ExternalCredentialsAPI.GetAllAssignedExternalCredentials

  • ExternalCredentialsAPI.GetExternalCredentialProxy

  • MscExternalCredential.GetExternalCredentialProxy

  • ResourceTag

  • BusinessRolesAPI

  • BusinessRolesAPI.GetOrgRole

  • BusinessRolesAPI.GetOrgRoles

  • GroupsAPI

  • GroupsAPI.GetAnonymousInfo

  • GroupsAPI.GetUserGroups

  • BusinessLocationsAPI

  • BusinessLocationsAPI.GetChildrenByOrgZoneGUID

  • BusinessFunctionsAPI

  • BusinessFunctionsAPI.GetUserGroups

  • BusinessFunctionsAPI.GetFunctions

  • BusinessLocationsAPI.ExecuteMethod

  • BusinessLocationsAPI.Search

  • BusinessLocationsAPI.GetOrgZonesByOrgZoneType

  • BusinessRolesAPI.GetApplicationRoleTemplates

  • LocalizationAPI

  • CheckForSODAPI.GetAnonymousInfo

  • CheckForSODAPI.GetUserGroups

  • CheckForSODAPI.GetUser

  • CheckForSODAPI.ExecuteMethod

  • BusinessRolesAPI.GetSingleOrgRole

  • BusinessRolesAPI.CheckAssignmentStatus

  • GroupsAPI.CheckAssignmentStatus

  • CartSubmissionAPI.GetUserGroups

  • CartSubmissionAPI.GetUser

  • CartSubmissionAPI.SubmitCart

  • CartSubmissionAPI.ProcessGroups

  • CartSubmissionAPI.ProcessManagementRoles

  • CartSubmissionAPI.GetCartItemResults

  • BusinessRolesAPI.GetAssignedAppRolesByPersonGUID

  • AzureLicenseBundleAPI.GetSingle

  • AzureLicenseBundleAPI.GetAllAssignedLicenseBundlesByAssigneeId

  • AzureLicenseBundleAPI.CheckAssignmentStatus

  • AzureLicenseBundleAPI.GetAllAzureAdScimResourceSystems

  • AzureLicenseBundleAPI.GetAllAzLocalServiceBundles

  • AzureLicenseBundleAPI.GetAllAzLicensePool

  • ManagementRolesAPI.GetSingleManagementRole

  • AzureRolesAPI

  • AzureRolesAPI.GetAzureAdminRoles

  • AzureRolesAPI.GetAzureRbacRoles

  • GroupsAPI.ApproversByAppRoleId

  • BusinessFunctionsAPI.LocalFunctionsByOrgRole

  • BusinessFunctionsAPI.GlobalFunctionsByOrgRole

  • BusinessRolesAPI.GetOwnersAndApprovers

  • AzureRolesAPI.GetAdTree

  • AzureRolesAPI.GetRoleTypes

  • AzureRolesAPI.GetSingleAzureRole

  • MscLocalization.GetByResourceSet

  • MscLocalization.AvailableLanguages

  • MscPerson.GetPersonByGUID

  • AccessRequestPolicyView

  • MscProtectedApplication.GetTargetSystemFilterData

  • CartSubmissionAPI.SuggestedApprovers

  • CartSubmissionAPI.DefaultApprover

  • BusinessFunctionsAPI.LocalRightsByAssigneeId

  • BusinessFunctionsAPI.LocalFunctionsByRole

  • GroupsAPI.GetSuggestedAppRolesByAssigneeId

  • MscProtectedApplication.SearchApplications

  • MscProtectedApplication.LinkedApplications

  • SharedFoldersAPI.GetAllSharedFolders

  • MscResourceTypeRole.GetByResourceId

  • ManagementRolesAPI.GetSuggestedManagementRolesByAssigneeId

  • MscPerson.OwnersByResourceId

  • BusinessFunctionsAPI.LocalFunctionsByAssignee

  • MailBoxesAPI.GetSingleMailBox

  • ProtectedApplicationsAPI.GetAllProtectedApplications

  • ProtectedApplicationsAPI.GetSingleProtectedApplication

  • ProtectedApplicationsAPI.GetSupportedResourceTypes

  • MscUIAction.GetByNoun

  • AzureRolesAPI.AzureRoleMembers

  • ProtectedApplicationsAPI.GetAllAzureApplications

  • ExternalCredentialsAPI.GetByComputerId

  • ExternalCredentialsAPI.GetCheckedOutByPersonId

  • ExternalCredentialsAPI.GetCheckedOutRecords

  • ExternalCredentialsAPI.CheckInCredential

  • SharepointAPI.GetSingleWebSite

  • ProtectedApplicationsAPI.GetSingleAzureApplication

  • ComputersAPI.GetITEnvironmentTypes

  • ComputersAPI.GetComputerRequestableDetailOptions

  • ExternalCredentialsAPI.GetSingleExternalCredential

  • MscExternalCredential.CheckInCredential

  • MscExternalCredential.ValidateMasterPassword

  • ComputersAPI.GetLoginSessionHistoryDetails

  • ComputersAPI.GetLoginSessionHistory

| Management Role | Role Type | Description |
| --- | --- | --- |
| IAM Shop, My Tasks, and My Identity Self-Service Full Access | Role Bundle | Grants full access for using the IAM Shop, My Tasks, and My Identity microservices. |

The Role Bundle contains the following Management Roles:

  • ACT-Person-Delegate-All

  • ACT-Person-SetAsApprover-All

  • UI-IT-Shop-MS-Azure-Admin-Role

  • UI-IT-Shop-MS-Computer

  • UI-MyTasks-Participant-Full

  • UI-IT-Shop-MS-Management-Role

  • UI-IT-Shop-MS-Azure-License

  • UI-MyIdentity-PermanentDelegations

  • UI-MyIdentity-EmailNotification-Settings

  • UI-IT-Shop-MS-Business-Role

  • UI-IT-Shop-MS-Shared-Folder

  • UI-IT-Shop-MS-Application-Role

  • UI-IT-Shop-MS-Mailbox

  • UI-MyIdentity-Full

  • UI-IT-Shop-MS-Common

  • UI-IT-Shop-MS-Risk

  • VIS-Application-All

  • VIS-Location-MyLocationsAndBelow

  • VIS-Person-MyOrg

  • VIS-IT-Shop-MS-API

  • VIS-Computer-All

  • VIS-Management-Role-All

  • VIS-AzLocalRole-All

  • VIS-Mailbox-All

  • VIS-Groups-All

  • VIS-BusinessRequestType-All

  • VIS-MyTasks-MS-API

  • VIS-MyIdentity-MS-API

  • VIS-Location-All-BusinessStructure

  • VIS-AzGlobalFunction-All

  • VIS-Shared-Credential-All

  • VIS-AzLocalFunction-All

  • UI-IT-Shop-MS-Azure-RBAC-Role

  • VIS-License-Pool-All

  • VIS-OrgRoleOrgZone-ALL