You are viewing an earlier version of the admin guide. For the latest version, please visit EmpowerID Admin Guide v7.211.0.0.

Skip to end of banner
Go to start of banner

IT Shop Management Roles

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 7 Next »

EmpowerID restricts access to the IT Shop through the use of Management Roles. To access the IT Shop, users must be assigned to the appropriate roles. Management Roles are prefixed by their function in EmpowerID and include the following:

  • UI – Management Roles prefixed with UI grant users access to specific UI elements in the EmpowerID Web interface. An example of this type of role for Password Manager is UI-Person-Password-Self-Service. This role grants users access to the user interfaces and workflows for enrolling for self-service password reset and changing their own passwords.

  • VIS – Management Roles prefixed with VIS grant users the ability to see specific objects in EmpowerID. An example of this type of role for Password Manager is VIS-Person-Self. All users have this Management Role by default.

  • ACT – Management Roles prefixed with ACT grant users the ability to manage specific objects in EmpowerID. An example of this type of role for Password Manager is ACT-Password-Self-Service. This role grants users access to change passwords, enroll for password self-service reset, and perform other password self-service operations.

Roles needed to shop in the IT Shop

To shop for eligible resources in the IT Shop, users need to have one of the below Management Role assignments (based on the needed scope):

Management Role

Description

Role Type

ACT-Person-Password-Self-Service

Grants users access to change password, enroll and other password self-service operations.

Activity

UI-Person-Password-Self-Service

Grants access to change password, enroll and other password self-service workflows and user interfaces.

Feature Set

IT Shop, My Tasks, and My Identity Self-Service Full Access

Grants full access for using the IT Shop, My Tasks, My Identity microservices

Role Bundle – Contains the below Management Roles

Management Role

Access Granted by Management Role

UI-IT-Shop-MS-Full-Access

Inherits the below Access Levels from the parent Management Role Definition:

Workflow Access

Initiator Access Level for following workflows:

  • UpdatePersonDirectAssignment

  • UpdatePersonBusinessRoles

Control (User Interface) Access

Viewer Access Level for the following controls:

  • Application Process Control

  • Business Roles TCode Control

  • Business Roles Owners Attribute Control

  • Business Roles Advanced Search Control

  • Business Roles Role Approvers Attribute Control

  • Application Roles Resource System Attribute Control

  • Business Roles Name Attribute Control

  • Target System Control

  • Application Roles TCode Control

  • Application Roles Advanced Search Control

  • Shop for Target Person Control

  • Business Functions Control

  • Business Roles Parent Business Roles Attribute Control

  • Application Roles Owners Attribute Control

  • Application Roles High Level Classification Attribute Control

  • Business Domains Control

  • Business Roles High Level Classification Attribute Control

  • Application Roles Name Attribute Name

 Application Access

Viewer Access Level for the following applications:

  • IT Shop Microservice App

  • EmpowerID Web

Web Service Access

Executor Access Level for the following Web services:

  • All ITShop WebServices

  • AllRbacObjects

  • CartSubmissinoAPI.SubmitCart

 Pages and Reports Access

Viewer Access Level for the following pages and reports:

  • Groups Page (IT Shop)

  • Business Roles Page (IT Shop)

 

VIS-IT-SHOP-MS-API

Grants visibility to the base Web services required by all users of the IT Shop microservice.

Web Service Access

Executor Access Level for the following Web services:

  • BusinessFunctionsAPI

  • BusinessFunctionsAPI.GetChildrenByOrgZoneType

  • BusinessFunctionsAPI.GetOrgZonesByOrgZoneTypeTypes

  • BusinessLocationsAPI.GetOrgZoneTypes

  • BusinessLocationsAPI.Search

  • BusinessRolesAPI

  • BusinessRolesAPI.CheckAssignmentStatus

  • BusinessRolesAPI.GetApplicationRoleTemplates

  • BusinessRolesAPI.GetAssignedAppRolesByPersonGUID

  • BusinessRolesAPI.GetAssignedBusinessRolesByPersonGUID

  • BusinessRolesAPI.GetOrgRole

  • BusinessRolesAPI.GetOrgRoles

  • BusinessRolesAPI.GetSingleOrgRole

  • CartSubmissionAPI

  • CartSubmissionAPI.SubmitCart

  • CheckForSODAPI

  • CheckForSODAPI.GetAssigneesForOrgRoleType

  • GlobalSettingsAPI

  • GlobalSettingsAPI.GetConfigSetting

  • GroupsAPI

  • GroupsAPI.CheckAssignmentStatus

  • GroupsAPI.GetAssignedAppRolesByPersonGUID

  • GroupsAPI.GetAssignedMembershipByOrgRolesOrgZoneID

  • GroupsAPI.GetGroups

  • GroupsAPI.GetSingleOrgRole

  • GroupsAPI.GetTargetSystemsFilterdata

  • LocalizationAPI

  • LocalizationAPI.CountryHelpText

  • LocalizationAPI.GetByResourceSet

  • ProtectedAppResourceAPI

  • ProtectedAppResourceAPI.AlllowedSsoApplications

  • ProtectedAppResourceAPI.GetChildrenByProtectedApplication

  • No labels