If you have Windows servers with local users and groups, you can add those servers to EmpowerID as managed account stores. This allows you to inventory local users and groups and manage those objects from EmpowerID, providing you with automated role-based access control, delegated permissions administration, and provisioning policy capabilities, with a full audit trail of any actions involving those objects. This article demonstrates how to manage local Windows groups in EmpowerID.
To manage local Windows groups
1. On the navbar, expand Admin > Applications and Directories and select Account Stores and Systems.
2. Search for the Local Windows account store with the groups you want to manage and click the Account Store link to navigate to the Account Store Details page for the account store.
3. On the Account Store Details page, select the Groups tab.
4. Search for the group you want to manage and then click the Logon Name link for that account.
   This directs you to the View One page for the group. View One pages allow you to view and edit the objects to which they are linked.
5. From the View One page for the group, you can expand any of the accordions available and view the data or perform an action against the group.

Group View One Page Accordions
Purpose
General Accordions
Access to Application Roles (Groups)
Provides a view of groups to which group members have potential or actual access. Access falls into one of the following categories:
Mandatory – Group members are automatically members of mandatory groups.
Pre-Approved – Approval is not required for membership in the listed groups. Requests for memberships do not route for approval.
Suggested – Membership in the group(s) listed is suggested based on current group membership. Members see these as suggested in the IT Shop. Group members may or may not request access to the suggested groups. Access requests route for approval.
Eligible – Group members are eligible to request membership in one or more of the listed groups. Eligible groups show for group members shopping in the IT Shop.
Group Members
Provides a view of current group members as well as grants delegated users the ability to add and remove users to and from groups.
Resultant Members
Provides a view of current group members whose membership in the group is granted by virtue of belonging to another role or group.
Access Managers
Provides a view of group owners as well as grants delegated users the ability to add and remove owners.
Actions
Provides links to initiate workflows and execute operations against the group. Actions displayed depend on the delegations of the user accessing the page. Available actions include the following:
Add Accounts to Groups
Add Group to Group
Delete Groups
Hide Group in GAL
Mail-Enable Group
Mail-Disable Group
Move Groups
Remove Accounts from Groups
Remove Group from Group
Show Group in GAL
Editable Multivalued Fields
Provides access to add and remove search tags to and from groups, as well as to add and remove categories to and from groups.
Advanced Accordions
Membership Changes
Provides a view of group membership changes.
Access Grant to Group
Provides a view of current access to resources members of the group have, as well as grants delegated users the ability to add and remove access to and from the group.
Net Result of Access Granted to Group
Provides a view of current access to resources granted to group members where that access is granted by virtue of belonging to another role or group.
Who Has Access to Group
Provides a view of who has access to the group as a resource as well as grants delegated users the ability to add and remove access to and from users.
Net Result of Who Has Access to Group
Provides a view of who currently has access to the group where that access is granted by virtue of belonging to another role or group.
Direct Mapped Local Functions
Provides a view of current mapped local functions as well as grants delegated users the ability to map new local functions to the group and remove mapped local functions from the group.
For an overview of functions in EmpowerID, see About Functions.
Function Access Report
Provides a report of the access granted to group members by virtue of mapped functions.
User Interface Access
Provides a view of the current user interface access granted to group members.
Assigned Visibility Restriction Policies
Provides a view of current Visibility policies assigned to the group.
Inherited Resource Entitlements
Provides a view of resource entitlements members of the group currently have by virtue of the group belonging to a location where the parent has resource entitlements applied.
Inherited Attribute Policies
Provides a view of attribute policies members of the group currently have by virtue of the group belonging to a location where the parent has attribute policies applied.
Recertification History
Provides an historical view of recertification of the group (both membership and resource access).
Who is Eligible to Request (As Resource)
Provides a view of who is eligible to request access to the group from the IT Shop, as well as grants delegated users the ability to grant and remove eligibility to and from assignees.
Who is Excluded from Requesting (As Resource)
Provides a view of who cannot request access to the group from the IT Shop, as well as grants delegated users the ability to grant and remove eligibility exclusion to and from assignees.
Resources Members Eligible to Request (As Actor)
Provides a view of eligible resources group members may request from the IT Shop.
Resources Members May Not Request (As Actor)
Provides a view of resources group members may not request from the IT Shop. Eligibility exclusions always override eligibility inclusions.