In EmpowerID, IAM Shop Permission Levels represent permissions for specific resources within native systems, including shared folders, mailboxes, and computers. Organizations have the flexibility to configure these levels to suit their unique requirements. For example, a shared folder may be assigned a "read-only" permission level for general users, while a computer might have a "local admin" access level for IT staff. These levels ensure that access to resources is both controlled and appropriately aligned with user roles and tasks.
Application in Computer Administration
In the realm of computer administration, IAM Shop Permission Levels play a vital role, particularly in facilitating Privileged Session Management (PSM). These permission levels enable administrators to define and control access rights for PSM sessions, giving users the ability to request these permissions from the IAM Shop while ensuring secure and efficient management of computer resources.
Role of IAM Shop Permission Levels in PSM
IAM Shop Permission Levels are designed to represent specific permissions for computer resources that are crucial during PSM sessions. Their purpose is twofold. First, they provide distinct permissions during a computer session. For example, a user may be granted administrator-level access to perform specific tasks within their session. Second, they reinforce the overall security posture by adhering to the principle of least privilege. This principle entails that users have just enough access to perform their tasks, and as soon as their session ends, these permissions are immediately revoked. This minimizes potential security risks by limiting prolonged access.
Setting up IAM Shop Permission Levels involves selecting specific groups within the native system that already possess these permissions. If users are members of these groups, they are granted the specified access. For instance, if a group has read and write permissions on a specific database and a user is a member of this group, they'll receive these permissions when they initiate a PSM session.
Integration of JIT Access
EmpowerID allows for the configuration of Just-In-Time (JIT) account provisioning on computers for specific groups. This feature automatically generates a user account, uniquely identified by combining the user's EmpowerID login with a random string (e.g., jposada_566054625600), and assigns it to the appropriate group at the onset of a PSM session. Upon the session's conclusion, the account is promptly removed from the group. Depending on the specific JIT access settings, this account may either be retained for future use or completely deleted from the system. This JIT strategy reinforces a zero-trust, least-privilege environment, ensuring that access is provided strictly as needed and withdrawn immediately afterward.
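The JIT lifecycle above (create a uniquely named account, add it to the group that backs the Permission Level for the session, remove it from the group when the session ends, and either retain or delete the account) is illustrated by the following PowerShell script. This is an added example, not EmpowerID code: EmpowerID performs these steps itself when a PSM session starts and ends. It assumes a Windows computer with the Microsoft.PowerShell.LocalAccounts cmdlets, and that the caller has already been approved for the Permission Level mapped to the local group; the function names, the `-RetainAccount` switch and the login-trimming rule are assumptions for the illustration.

```powershell
# Added illustration of the JIT account lifecycle described on this page.
# Not EmpowerID's own code; assumes Microsoft.PowerShell.LocalAccounts on a Windows host
# and that eligibility for the Permission Level has already been decided upstream.

function New-JitSessionAccountName {
    param([Parameter(Mandatory)][string]$Login)
    # Twelve random digits, matching the page's example (jposada_566054625600).
    $suffix = -join (1..12 | ForEach-Object { Get-Random -Minimum 0 -Maximum 10 })
    # Local account names are limited to 20 characters, so the login part is
    # trimmed to fit "<login>_<12 digits>" (hypothetical rule, not EmpowerID's).
    $maxLogin = 20 - 1 - $suffix.Length
    $base = if ($Login.Length -gt $maxLogin) { $Login.Substring(0, $maxLogin) } else { $Login }
    return "${base}_$suffix"
}

function Invoke-JitPsmSession {
    param(
        [Parameter(Mandatory)][string]$Login,        # EmpowerID login of the requester
        [Parameter(Mandatory)][string]$GroupName,    # local group backing the Permission Level, e.g. 'Administrators'
        [Parameter(Mandatory)][scriptblock]$Session, # work performed during the PSM session
        [switch]$RetainAccount                       # keep the account after the session (a JIT setting)
    )

    $accountName = New-JitSessionAccountName -Login $Login

    # Random throw-away password: the session is brokered, nobody ever types it.
    $bytes = [byte[]]::new(32)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $password = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

    # Provision the account and grant the permission level for the session only.
    New-LocalUser -Name $accountName -Password $password `
        -Description "JIT PSM account for $Login" -PasswordNeverExpires | Out-Null
    Add-LocalGroupMember -Group $GroupName -Member $accountName

    try {
        & $Session $accountName
    }
    finally {
        # Revocation runs even if the session script throws.
        Remove-LocalGroupMember -Group $GroupName -Member $accountName -ErrorAction SilentlyContinue
        if (-not $RetainAccount) {
            Remove-LocalUser -Name $accountName -ErrorAction SilentlyContinue
        }
        # Verify the privilege is really gone; Get-LocalGroupMember reports names as COMPUTER\user.
        $still = Get-LocalGroupMember -Group $GroupName -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -like "*\$accountName" }
        if ($still) { Write-Warning "$accountName is still a member of $GroupName after session end" }
    }
    return $accountName
}

# Example call (run elevated): the session block receives the JIT account name.
# Invoke-JitPsmSession -Login 'jposada' -GroupName 'Administrators' `
#     -Session { param($acct) Write-Host "PSM session running as $acct" }
```

The `try`/`finally` is the part worth copying: group membership is removed on every exit path, and the membership check afterwards gives the session log a record that least privilege was actually restored rather than merely intended.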
Eligibility in Access Provisioning
With EmpowerID, only users eligible for specific Permission Levels can access them. This ensures strict adherence to defined access controls. For example, a database administrator may be eligible for high-level permissions due to the nature of their role. However, a customer service representative may not be granted these same permissions as they are not necessary for their role. Depending on organizational policies, users who are not eligible for certain Permission Levels can initiate sessions, but only as non-privileged users, enhancing the system's security framework.
Conclusion
In summary, the implementation and management of IAM Shop Permission Levels in EmpowerID, particularly within Computer Administration and Privileged Session Management (PSM), are central to the secure and efficient operation of IT systems. These permission levels offer a structured and customizable approach to access control, allowing organizations to tailor user permissions precisely to specific tasks and roles. The integration of Just-In-Time (JIT) access within these levels further reinforces this framework, ensuring that permissions are granted on a need-to-use basis and revoked promptly after use, thereby upholding the principles of least privilege and zero trust.
Understanding and effectively using IAM Shop Permission Levels together with JIT access is fundamental for administrators seeking to improve the security and functionality of their IT infrastructure. With these concepts in hand, administrators can create a more secure, compliant, and streamlined IT environment in which access to resources is carefully managed and potential security risks are significantly reduced.
Create IAM Shop Permission Levels
Assign IAM Shop Permission Levels to Computers
Configure Computers for Just-In-Time Access
Enable Computers for Privileged Session Management