IAM Shop Permission Levels in EmpowerID represent permissions for specific resources in native systems, such as shared folders, mailboxes, and computers. Organizations can configure these permission levels to grant particular permissions to resources, like "read-only" access for a shared folder or "local admin" access for a computer. When users request access from the IAM Shop to a resource configured with IAM Shop Permission Levels, they have the option to choose a permission level, as illustrated in the image below
In this example, the user sees two permission levels for a computer: "Local Admin" and "Domain Admin." Each of these levels is mapped to a specific group in the native system that grants the corresponding permissions. For instance, if a user selects the IAM Shop Permission Level named "Local Admin," EmpowerID fulfills the request by adding the user to the group granting local admin rights on the computer.
EmpowerID includes default IAM Shop Permission Levels for shared folders, computers, and mailboxes to represent native permissions. However, you can create custom permission levels with names that suit your environment. Once added to a resource, these custom permission levels appear to users shopping for those resources in the IAM Shop. For example, if you create an IAM Shop Permission Level for Computer X named "Power User," users will see "Power User" as a permission option for Computer X. The key to using IAM Shop Permission Levels effectively is ensuring they are mapped to the appropriate objects in the native system that grant the represented permissions. Without proper mapping, IAM Shop Permission Levels are merely labeled options.