You are viewing an earlier version of the admin guide. For the latest version, please visit EmpowerID Admin Guide v7.211.0.0.


IT Shop Management Roles


EmpowerID restricts access to the IT Shop through the use of Management Roles. To access the IT Shop, users must be assigned to the appropriate roles. Management Roles are prefixed by their function in EmpowerID and include the following:

  • UI – Management Roles prefixed with UI grant users access to specific UI elements in the EmpowerID Web interface.

  • VIS – Management Roles prefixed with VIS grant users the ability to see specific objects in EmpowerID.

  • ACT – Management Roles prefixed with ACT grant users the ability to manage specific objects in EmpowerID.

Roles needed to shop in the IT Shop

To shop for eligible resources in the IT Shop, users need one or more of the following Management Role assignments, depending on the scope required:

Management Role

Role Type

Description

UI-IT-Shop-MS-Application

Feature Set (UI)

Grants access to shop for access to Applications in the IT Shop microservice app. The role specifically grants access to the following user interface controls, pages and reports, and workflows:

UI-IT-Shop-MS-Application-Role

Feature Set (UI)

Grants access to shop for Application Roles (Groups) in the IT Shop microservice app. The role specifically grants access to the following user interface controls, pages and reports, and web services:

UI-IT-Shop-MS-Azure-Admin-Role

Feature Set (UI)

Grants access to shop for Azure Admin Directory Roles in the IT Shop microservice app. The role specifically grants access to the following user interface controls, pages and reports, and web services:

UI-IT-Shop-MS-Azure-License

Feature Set (UI)

Grants access to shop for Azure Licenses in the IT Shop microservice app. The role specifically grants access to the following user interface controls, pages and reports, and web services:

UI-IT-Shop-MS-Azure-RBAC-Role

Feature Set (UI)

Grants access to shop for Azure RBAC Roles in the IT Shop microservice app. The role specifically grants access to the following user interface controls, pages and reports, and web services:

UI-IT-Shop-MS-Business-Role

Feature Set (UI)

Grants access to shop for Business Roles in the IT Shop microservice app. The role specifically grants access to the following user interface controls, pages and reports, and web services:

UI-IT-Shop-MS-Common

Feature Set (UI)

Grants access for common/shared UI and APIs used by the IT Shop. The role specifically grants access to the following applications, user interface controls, and web services:

UI-IT-Shop-MS-Full-Access

Feature Set (UI)

Grants access to all Item Types and UI in the IT Shop microservice app. The role specifically grants access to the following user interface controls, pages and reports, web services and workflows:

VIS-IT-Shop-MS-API

Visibility (VIS)

Grants access to the base web services required by all users of the IT Shop Microservice. The role specifically grants access to the following web services:

  • BusinessLocationsAPI.GetUserGroups

  • BusinessLocationsAPI.GetUser

  • BusinessLocationsAPI.GetEligibleLocation

  • ComputersAPI.GetAllAssignedComputers

  • AzureRolesAPI.CheckAssignmentStatus

  • MscAccessRequestPolicy.GetByResourceID

  • AzureRolesAPI.GetAllAssigned

  • BusinessLocationsAPI.GetChildren

  • MscPerson.GetPhoto

  • MscResourceAccessRequestAssignee.GetByResourceIdForAssignee

  • MscUIAction.GetByResourceID

  • MscUtility.ListItemsBySetName

  • ExternalCredentialsAPI.GetAllExternalCredentials

  • ExternalCredentialsAPI.ValidateMasterPassword

  • MscRenewableAssignment.IsRenewableAssignment

  • MscExternalCredential.DeleteCredential

  • ComputersAPI.GetComputersForLoginSessionAccess

  • BusinessRolesAPI.GetAnonymousInfo

  • GroupsAPI.GetGroups

  • BusinessRolesAPI.GetAssignedBusinessRolesByPersonGUID

  • GroupsAPI.GetAssignedAppRolesByPersonGUID

  • CartSubmissionAPI

  • CartSubmissionAPI.ProcessOrgRoles

  • GroupsAPI.GetTargetSystemFilterdata

  • CartSubmissionAPI.ProcessLicenseBundles

  • AzureLicenseBundleAPI.GetAllEligibleLicenseBundlesByAssigneeId

  • ManagementRolesAPI.GetManagementRoles

  • AzureRolesAPI.GetSingleAzureAdminRole

  • GroupsAPI.GetOwnersAndApprovers

  • MscGlobalConfig.GetConfigSetting

  • MscPerson.PeopleToSetAsDelegate

  • ManagementRolesAPI.OwnersByManagementRoleId

  • SharedFoldersAPI.GetSingleSharedFolder

  • SharedFoldersAPI.GetAllAssignedSharedFolders

  • MailBoxesAPI.GetAllAssignedMailBoxes

  • ProtectedApplicationsAPI.GetOwnersOrDeputies

  • SharepointAPI.GetAllWebSites

  • ComputersAPI.GetComputerOperatingSystemTypes

  • MscUtility.ListMethodSignatures

  • MscExternalCredential.CheckOutCredential

  • MscUtility.GetAdditionalDynamicProperties

  • BusinessRolesAPI.GetUserGroups

  • BusinessRolesAPI.GetUser

  • GroupsAPI.GetUser

  • BusinessLocationsAPI.GetAnonymousInfo

  • BusinessFunctionsAPI.GetAnonymousInfo

  • BusinessFunctionsAPI.GetUser

  • BusinessLocationsAPI.GetOrgZoneTypes

  • BusinessRolesAPI.ExecuteMethod

  • CheckForSODAPI

  • CheckForSODAPI.CheckForSOD

  • GroupsAPI.GetAssignedMembershipByOrgRoleOrgZoneID

  • GroupsAPI.GetSingleOrgRole

  • CartSubmissionAPI.GetAnonymousInfo

  • All ITShop WebServices

  • CheckForSODAPI.GetAssigneesForOrgRoleType

  • AzureLicenseBundleAPI

  • AzureLicenseReportAPI.getReportByReportID

  • ManagementRolesAPI

  • ManagementRolesAPI.GetAllAssigned

  • ManagementRolesAPI.CheckAssignmentStatus

  • CartSubmissionAPI.ProcessAzureAdminRoles

  • AzureLicenseBundleAPI.GetTenantSubscriptionServices

  • LocalizationAPI.CountryHelpText

  • GroupsAPI.GetSuggestedAppRolesByOrgRoleIdOrgZoneId

  • GroupsAPI.OwnersByAppRoleId

  • BusinessFunctionsAPI.LocalFunctionsByAppRole

  • BusinessFunctionsAPI.LocalFunctionsByOrgRoleOrgZone

  • BusinessRolesAPI.OwnersByRoleId

  • BusinessRolesAPI.ApproversByRoleId

  • MscProtectedApplication.GetChildren

  • MscProtectedApplication.AllowedSsoApplications

  • MscPerson.PeopleToSetAsApprover

  • GroupsAPI.GetAssignedMembershipByAssigneeId

  • MailBoxesAPI.GetAllMailBoxTypes

  • MailBoxesAPI.GetAllMailBoxes

  • MscAccessRequestPolicy.GetAll

  • ComputersAPI.GetAllComputers

  • ComputersAPI.GetSingleComputer

  • ManagementRolesAPI.GetAllAssignedByOrgRoleOrgZoneId

  • MscBusinessRequestItem.GetByAssigneeIdResourceId

  • MscUIAction.GetByNounVerb

  • ExternalCredentialsAPI.GetCheckedOutByComputerIdPersonId

  • ManagementRolesAPI.GetAllAssignedByManagementRoleId

  • ProtectedApplicationsAPI.GetAllAssignedProtectedApplications

  • ComputersAPI.GetComputerPlatformTypes

  • ExternalCredentialsAPI.GetAllAssignedExternalCredentials

  • ExternalCredentialsAPI.GetExternalCredentialProxy

  • MscExternalCredential.GetExternalCredentialProxy

  • ResourceTag

  • BusinessRolesAPI

  • BusinessRolesAPI.GetOrgRole

  • BusinessRolesAPI.GetOrgRoles

  • GroupsAPI

  • GroupsAPI.GetAnonymousInfo

  • GroupsAPI.GetUserGroups

  • BusinessLocationsAPI

  • BusinessLocationsAPI.GetChildrenByOrgZoneGUID

  • BusinessFunctionsAPI

  • BusinessFunctionsAPI.GetUserGroups

  • BusinessFunctionsAPI.GetFunctions

  • BusinessLocationsAPI.ExecuteMethod

  • BusinessLocationsAPI.Search

  • BusinessLocationsAPI.GetOrgZonesByOrgZoneType

  • BusinessRolesAPI.GetApplicationRoleTemplates

  • LocalizationAPI

  • CheckForSODAPI.GetAnonymousInfo

  • CheckForSODAPI.GetUserGroups

  • CheckForSODAPI.GetUser

  • CheckForSODAPI.ExecuteMethod

  • BusinessRolesAPI.GetSingleOrgRole

  • BusinessRolesAPI.CheckAssignmentStatus

  • GroupsAPI.CheckAssignmentStatus

  • CartSubmissionAPI.GetUserGroups

  • CartSubmissionAPI.GetUser

  • CartSubmissionAPI.SubmitCart

  • CartSubmissionAPI.ProcessGroups

  • CartSubmissionAPI.ProcessManagementRoles

  • CartSubmissionAPI.GetCartItemResults

  • BusinessRolesAPI.GetAssignedAppRolesByPersonGUID

  • AzureLicenseBundleAPI.GetSingle

  • AzureLicenseBundleAPI.GetAllAssignedLicenseBundlesByAssigneeId

  • AzureLicenseBundleAPI.CheckAssignmentStatus

  • AzureLicenseBundleAPI.GetAllAzureAdScimResourceSystems

  • AzureLicenseBundleAPI.GetAllAzLocalServiceBundles

  • AzureLicenseBundleAPI.GetAllAzLicensePool

  • ManagementRolesAPI.GetSingleManagementRole

  • AzureRolesAPI

  • AzureRolesAPI.GetAzureAdminRoles

  • AzureRolesAPI.GetAzureRbacRoles

  • GroupsAPI.ApproversByAppRoleId

  • BusinessFunctionsAPI.LocalFunctionsByOrgRole

  • BusinessFunctionsAPI.GlobalFunctionsByOrgRole

  • BusinessRolesAPI.GetOwnersAndApprovers

  • AzureRolesAPI.GetAdTree

  • AzureRolesAPI.GetRoleTypes

  • AzureRolesAPI.GetSingleAzureRole

  • MscLocalization.GetByResourceSet

  • MscLocalization.AvailableLanguages

  • MscPerson.GetPersonByGUID

  • AccessRequestPolicyView

  • MscProtectedApplication.GetTargetSystemFilterData

  • CartSubmissionAPI.SuggestedApprovers

  • CartSubmissionAPI.DefaultApprover

  • BusinessFunctionsAPI.LocalRightsByAssigneeId

  • BusinessFunctionsAPI.LocalFunctionsByRole

  • GroupsAPI.GetSuggestedAppRolesByAssigneeId

  • MscProtectedApplication.SearchApplications

  • MscProtectedApplication.LinkedApplications

  • SharedFoldersAPI.GetAllSharedFolders

  • MscResourceTypeRole.GetByResourceId

  • ManagementRolesAPI.GetSuggestedManagementRolesByAssigneeId

  • MscPerson.OwnersByResourceId

  • BusinessFunctionsAPI.LocalFunctionsByAssignee

  • MailBoxesAPI.GetSingleMailBox

  • ProtectedApplicationsAPI.GetAllProtectedApplications

  • ProtectedApplicationsAPI.GetSingleProtectedApplication

  • ProtectedApplicationsAPI.GetSupportedResourceTypes

  • MscUIAction.GetByNoun

  • AzureRolesAPI.AzureRoleMembers

  • ProtectedApplicationsAPI.GetAllAzureApplications

  • ExternalCredentialsAPI.GetByComputerId

  • ExternalCredentialsAPI.GetCheckedOutByPersonId

  • ExternalCredentialsAPI.GetCheckedOutRecords

  • ExternalCredentialsAPI.CheckInCredential

  • SharepointAPI.GetSingleWebSite

  • ProtectedApplicationsAPI.GetSingleAzureApplication

  • ComputersAPI.GetITEnvironmentTypes

  • ComputersAPI.GetComputerRequestableDetailOptions

  • ExternalCredentialsAPI.GetSingleExternalCredential

  • MscExternalCredential.CheckInCredential

  • MscExternalCredential.ValidateMasterPassword

  • ComputersAPI.GetLoginSessionHistoryDetails

  • ComputersAPI.GetLoginSessionHistory

IT Shop, My Tasks, and My Identity Self-Service Full Access

Role Bundle – Contains the following Management Roles:

  • ACT-Person-Delegate-All

  • ACT-Person-SetAsApprover-All

  • UI-IT-Shop-MS-Azure-Admin-Role

  • UI-IT-Shop-MS-Computer

  • UI-MyTasks-Participant-Full

  • UI-IT-Shop-MS-Management-Role

  • UI-IT-Shop-MS-Azure-License

  • UI-MyIdentity-PermanentDelegations

  • UI-MyIdentity-EmailNotification-Settings

  • UI-IT-Shop-MS-Business-Role

  • UI-IT-Shop-MS-Shared-Folder

  • UI-IT-Shop-MS-Application-Role

  • UI-IT-Shop-MS-Mailbox

  • UI-MyIdentity-Full

  • UI-IT-Shop-MS-Common

  • UI-IT-Shop-MS-Risk

  • VIS-Application-All

  • VIS-Location-MyLocationsAndBelow

  • VIS-Person-MyOrg

  • VIS-IT-Shop-MS-API

  • VIS-Computer-All

  • VIS-Management-Role-All

  • VIS-AzLocalRole-All

  • VIS-Mailbox-All

  • VIS-Groups-All

  • VIS-BusinessRequestType-All

  • VIS-MyTasks-MS-API

  • VIS-MyIdentity-MS-API

  • VIS-Location-All-BusinessStructure

  • VIS-AzGlobalFunction-All

  • VIS-Shared-Credential-All

  • VIS-AzLocalFunction-All

  • UI-IT-Shop-MS-Azure-RBAC-Role

  • VIS-License-Pool-All

  • VIS-OrgRoleOrgZone-ALL

Grants full access to the IT Shop, My Tasks, and My Identity microservices.
