Granting Access to PAM with Management Roles

EmpowerID restricts access to PAM and PSM through the use of Management Roles. To work with PAM and PSM, users must be assigned to the appropriate roles. Management Roles are prefixed by their function in EmpowerID and include the following:

  • UI – Management Roles prefixed with UI grant users access to specific UI elements in the EmpowerID Web interface. An example of this type of role for PAM is UI-Computer-PAM-User-Full-Access. This role grants access to the user interfaces and workflows for requesting PSM access to computers.

  • VIS – Management Roles prefixed with VIS grant users the ability to see specific objects in EmpowerID. An example of this type of role for PAM is VIS-Computer-MyLocations. This role grants access to see computers that belong to the same location as the person with the role.

  • ACT – Management Roles prefixed with ACT grant users the ability to manage specific objects in EmpowerID. An example of this type of role for PAM is ACT-Computer-Shared-Credential-Assigner-MyLocations. This role grants users with the role the ability to assign and unassign shared credentials to computers in the person's locations.

Roles needed to use credentials and access computers

To use vaulted credentials and access computers, users need to be a member of one of the below Management Roles (based on the needed scope):

Management Role / Access Granted

PAM User for All Creds and Computers (Role Bundle)

This Management Role is a role bundle that grants people with the role membership in the following Management Roles:

  • UI-Shared-Credential-PAM-User-Self-Service

    • Grants access to the user interfaces and workflows to request and use vaulted credentials

  • UI-IT-Shop-MS-Computer

    • Grants access to shop for access to servers in the IAM Shop microservice app

  • UI-Computer-PSM-User-Self-Service

    • Grants access to the user interfaces and workflows to request PSM access to computers

  • UI-IT-Shop-MS-Shared-Credential

    • Grants access to shop for Shared Credentials in the IAM Shop microservice app

  • ACT-Shared-Credential-Use-All

    • Grants access to check out all shared credentials

  • ACT-Computer-Shared-Credential-Login-All

    • Grants access to use a shared credential to initiate a Privileged Session to any computer

  • VIS-Computer-All

    • Grants access to see all computers

  • VIS-Shared-Credential-All

    • Grants access to see all vaulted credentials

  • IAM Shop, My Tasks, and My Identity Self-Service Basic UI Access Only - no resource types

    • Grants UI access to the IAM Shop, My Tasks, and My Identity microservices, but does not grant visibility to objects or the UI- roles for each resource type.

PAM User for Creds and Computers in My Locations (Role Bundle)

This Management Role is a role bundle that grants people with the role membership in the following Management Roles:

  • UI-Shared-Credential-PAM-User-Self-Service

    • Grants access to the user interfaces and workflows to request and use vaulted credentials

  • UI-IT-Shop-MS-Computer

    • Grants access to shop for access to servers in the IAM Shop microservice app

  • UI-Computer-PSM-User-Self-Service

    • Grants access to the user interfaces and workflows to request PSM access to computers

  • UI-IT-Shop-MS-Shared-Credential

    • Grants access to shop for Shared Credentials in the IAM Shop microservice app

  • ACT-Shared-Credential-Use-MyLocations

    • Grants access to check out shared credentials in the person’s locations

  • ACT-Computer-Shared-Credential-Login-MyLocations

    • Grants access to use a shared credential to initiate a Privileged Session to computers in the person’s locations

  • VIS-Computer-MyLocations

    • Grants access to see computers in the person’s locations

  • VIS-Shared-Credential-MyLocations

    • Grants access to see vaulted credentials in the person’s locations

  • IAM Shop, My Tasks, and My Identity Self-Service Basic UI Access Only - no resource types

    • Grants UI access to the IAM Shop, My Tasks, and My Identity microservices, but does not grant visibility to objects or the UI- roles for each resource type.

PAM User for Creds and Computers in My Org (Role Bundle)

This Management Role is a role bundle that grants people with the role membership in the following Management Roles:

  • UI-Shared-Credential-PAM-User-Self-Service

    • Grants access to the user interfaces and workflows to request and use vaulted credentials

  • UI-IT-Shop-MS-Computer

    • Grants access to shop for access to servers in the IAM Shop microservice app

  • UI-Computer-PSM-User-Self-Service

    • Grants access to the user interfaces and workflows to request PSM access to computers

  • UI-IT-Shop-MS-Shared-Credential

    • Grants access to shop for Shared Credentials in the IAM Shop microservice app

  • ACT-Shared-Credential-Use-MyOrg

    • Grants access to check out shared credentials in the person’s organizations

  • ACT-Computer-Shared-Credential-Login-MyOrg

    • Grants access to use a shared credential to initiate a Privileged Session to computers in the person’s organizations

  • VIS-Computer-MyOrg

    • Grants access to see computers in the person’s organizations

  • VIS-Shared-Credential-MyOrg

    • Grants access to see vaulted credentials in the person’s organizations

  • IAM Shop, My Tasks, and My Identity Self-Service Basic UI Access Only - no resource types

    • Grants UI access to the IAM Shop, My Tasks, and My Identity microservices, but does not grant visibility to objects or the UI- roles for each resource type.

PAM User for Creds and Computers I Own

This Management Role is a role bundle that grants people with the role membership in the following Management Roles:

  • UI-Shared-Credential-PAM-User-Self-Service

    • Grants access to the user interfaces and workflows to request and use vaulted credentials

  • UI-IT-Shop-MS-Computer

    • Grants access to shop for access to servers in the IAM Shop microservice app

  • UI-Computer-PSM-User-Self-Service

    • Grants access to the user interfaces and workflows to request PSM access to computers

  • UI-IT-Shop-MS-Shared-Credential

    • Grants access to shop for Shared Credentials in the IAM Shop microservice app

  • ACT-Shared-Credential-Login-Responsible

    • Grants access to use a shared credential to initiate a Privileged Session to computers for which the person is the assigned responsible person

  • IAM Shop, My Tasks, and My Identity Self-Service Basic UI Access Only - no resource types

    • Grants UI access to the IAM Shop, My Tasks, and My Identity microservices, but does not grant visibility to objects or the UI- roles for each resource type.
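The following is an added example, not EmpowerID code, that models how the role bundles above resolve to effective permissions. It expands each "PAM User" bundle into the member roles listed on this page, parses the UI-/VIS-/ACT- naming convention described at the top of the page, and evaluates whether a person holding a bundle may see a computer, check out a credential, or start a privileged session. The Person and Resource attributes (org, locations, responsible person) and the exact meaning of the All, MyLocations, MyOrg and Responsible scope suffixes are simplifying assumptions made for the example; the real product evaluates scope through its own location and organization model.

```python
"""Toy model of Management Role bundles and scope evaluation (added example,
not EmpowerID code).  Bundle contents come from the page; the scope
semantics and the Person/Resource attributes are assumptions for illustration."""
from dataclasses import dataclass, field

# Roles shared by all four "PAM User" bundles on the page (names verbatim).
COMMON_UI = [
    "UI-Shared-Credential-PAM-User-Self-Service",
    "UI-IT-Shop-MS-Computer",
    "UI-Computer-PSM-User-Self-Service",
    "UI-IT-Shop-MS-Shared-Credential",
    "IAM Shop, My Tasks, and My Identity Self-Service Basic UI Access Only - no resource types",
]

# Bundle name -> member Management Roles, as listed on the page.
BUNDLES = {
    "PAM User for All Creds and Computers": COMMON_UI + [
        "ACT-Shared-Credential-Use-All",
        "ACT-Computer-Shared-Credential-Login-All",
        "VIS-Computer-All",
        "VIS-Shared-Credential-All",
    ],
    "PAM User for Creds and Computers in My Locations": COMMON_UI + [
        "ACT-Shared-Credential-Use-MyLocations",
        "ACT-Computer-Shared-Credential-Login-MyLocations",
        "VIS-Computer-MyLocations",
        "VIS-Shared-Credential-MyLocations",
    ],
    "PAM User for Creds and Computers in My Org": COMMON_UI + [
        "ACT-Shared-Credential-Use-MyOrg",
        "ACT-Computer-Shared-Credential-Login-MyOrg",
        "VIS-Computer-MyOrg",
        "VIS-Shared-Credential-MyOrg",
    ],
    "PAM User for Creds and Computers I Own": COMMON_UI + [
        "ACT-Shared-Credential-Login-Responsible",
    ],
}

# Scope suffixes that appear on the page's role names (assumed semantics below).
SCOPES = ("All", "MyLocations", "MyOrg", "Responsible")


def parse_role(name):
    """Split 'ACT-Computer-Shared-Credential-Login-All' into
    ('ACT', 'Computer-Shared-Credential-Login', 'All').
    Names outside the prefix convention parse as (None, name, None);
    a trailing segment that is not a known scope stays in the body."""
    parts = name.split("-")
    if parts[0] not in ("UI", "VIS", "ACT"):
        return None, name, None
    scope = parts[-1] if parts[-1] in SCOPES else None
    body = parts[1:-1] if scope else parts[1:]
    return parts[0], "-".join(body), scope


@dataclass
class Person:
    name: str
    org: str
    locations: set = field(default_factory=set)


@dataclass
class Resource:
    """A computer or a vaulted credential (constructed sample data)."""
    name: str
    org: str
    location: str
    responsible: str = ""  # name of the assigned responsible person, if any


def in_scope(person, resource, scope):
    """Assumed meaning of each scope suffix for this example."""
    if scope == "All":
        return True
    if scope == "MyLocations":
        return resource.location in person.locations
    if scope == "MyOrg":
        return resource.org == person.org
    if scope == "Responsible":
        return resource.responsible == person.name
    return False  # UI roles and unscoped roles grant no object-level access


def has_grant(person, resource, bundle, prefix, body):
    """True if some role in the bundle has this prefix/body and its scope
    covers the resource for this person."""
    for role in BUNDLES[bundle]:
        p, b, scope = parse_role(role)
        if p == prefix and b == body and in_scope(person, resource, scope):
            return True
    return False


def can_see_computer(person, computer, bundle):
    return has_grant(person, computer, bundle, "VIS", "Computer")


def can_check_out(person, credential, bundle):
    return has_grant(person, credential, bundle, "ACT", "Shared-Credential-Use")


def can_start_session(person, computer, bundle):
    # Either the scoped computer-login role or the "responsible person" role.
    return (has_grant(person, computer, bundle, "ACT", "Computer-Shared-Credential-Login")
            or has_grant(person, computer, bundle, "ACT", "Shared-Credential-Login"))


if __name__ == "__main__":
    # Constructed sample data; nothing here is real infrastructure.
    alice = Person("alice", "Finance", {"Berlin"})
    srv_tokyo = Resource("srv-tokyo-01", "Sales", "Tokyo", responsible="alice")
    for bundle in BUNDLES:
        print(f"{bundle}: see={can_see_computer(alice, srv_tokyo, bundle)}, "
              f"session={can_start_session(alice, srv_tokyo, bundle)}")
```

Running the script shows the least-privilege effect of the scope suffixes: the "I Own" bundle lets alice start a session on the Tokyo server she is responsible for while granting no VIS- role, so the same bundle does not let her browse computers at all, and the "My Locations" bundle grants nothing on a server outside her locations.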

Roles needed to manage credentials and computers

To manage credentials and computers, users need to be a member of one of the below Management Roles (based on the needed scope):

Management Role / Access Granted

PAM Administrator for All Credentials and Computers

This Management Role is a role bundle that grants people with the role membership in the following Management Roles:

  • ACT-Shared-Credential-Object-Administration-All

    • Grants access to create, edit and delete all shared credentials

  • UI-IT-Shop-MS-Computer

    • Grants access to shop for access to servers in the IAM Shop microservice app

  • VIS-Groups-LocalWindows

    • Grants access to see all Local Windows Server groups

  • UI-Shared-Credential-PAM-User-Full-Access (Feature Set (UI))

    • Grants access to the user interfaces and workflows for managing shared credentials.

  • UI-IT-Shop-MS-Shared-Credential

    • Grants access to shop for Shared Credentials in the IAM Shop microservice app

  • VIS-Location-All

    • Grants access to see all locations

  • VIS-Accounts-AD

    • Grants access to see all Active Directory accounts

  • UI-Computer-PAM-Local-Identity-Administration

    • Grants access to the user interfaces and workflows for managing local computer users, groups, IIS App Pools, and Windows services

  • ACT-Computer-Shared-Credential-Login-All

    • Grants access to use a shared credential to initiate a Privileged Session to any computer

  • VIS-Computer-All

    • Grants access to see all computers

  • VIS-Groups-Linux

    • Grants access to see all Linux groups

  • VIS-Accounts-Linux

    • Grants access to see all Linux accounts

  • VIS-Accounts-LocalWindows

    • Grants access to see all Local Windows Server User accounts

  • VIS-Shared-Credential-All

    • Grants access to see all vaulted credentials

  • IAM Shop, My Tasks, and My Identity Self-Service Basic UI Access Only - no resource types

    • Grants UI access to the IAM Shop, My Tasks, and My Identity microservices, but does not grant visibility to objects or the UI- roles for each resource type.

PAM Administrator for Credentials and Computers in Person’s Locations

This Management Role is a role bundle that grants people with the role membership in the following Management Roles:

  • UI-IT-Shop-MS-Computer

    • Grants access to shop for access to servers in the IAM Shop microservice app

  • UI-Shared-Credential-PAM-User-Full-Access (Feature Set (UI))

    • Grants access to the user interfaces and workflows for managing shared credentials.

  • VIS-Location-MyLocationsAndBelow

    • Grants access to see locations in the person’s location and below

  • ACT-Computer-Shared-Credential-Login-MyLocations

    • Grants access to use a shared credential to initiate a Privileged Session to computers in the person’s locations

  • UI-Computer-PAM-Local-Identity-Administration

    • Grants access to the user interfaces and workflows for managing local computer users, groups, IIS App Pools, and Windows services

  • ACT-Shared-Credential-Object-Administration-MyLocations

    • Grants access to create, edit and delete shared credentials in the person’s locations

  • ACT-Shared-Credential-Use-MyLocations

    • Grants access to check out shared credentials in the person’s locations

  • VIS-Computer-MyLocations

    • Grants access to see computers in the person’s locations

  • VIS-Shared-Credential-MyLocations

    • Grants access to see vaulted credentials in the person’s locations

  • ACT-Computer-Object-Administration-MyLocations

    • Grants access to create, edit, and delete computers in the person’s locations

  • UI-Computer-PSM-User-Full-Access

    • Grants access to the user interfaces and workflows for managing computer objects for PSM

  • UI-IT-Shop-MS-Shared-Credential

    • Grants access to shop for Shared Credentials in the IAM Shop microservice app

  • IAM Shop, My Tasks, and My Identity Self-Service Basic UI Access Only - no resource types

    • Grants UI access to the IAM Shop, My Tasks, and My Identity microservices, but does not grant visibility to objects or the UI- roles for each resource type.

  • ACT-Computer-Shared-Credential-Assigner-MyLocations

    • Grants access to assign and unassign shared credentials to computers in the person's locations

PAM Administrator for Credentials and Computers in Person’s Organization

This Management Role is a role bundle that grants people with the role membership in the following Management Roles:

  • UI-IT-Shop-MS-Computer

    • Grants access to shop for access to servers in the IAM Shop microservice app

  • UI-Shared-Credential-PAM-User-Full-Access (Feature Set (UI))

    • Grants access to the user interfaces and workflows for managing shared credentials.

  • VIS-Location-MyLocationsAndBelow

    • Grants access to see locations in the person’s location and below

  • ACT-Computer-Shared-Credential-Use-MyOrg

    • Grants access to use a shared credential to initiate a Privileged Session to computers in the person’s locations

  • UI-Computer-PAM-Local-Identity-Administration

    • Grants access to the user interfaces and workflows for managing local computer users, groups, IIS App Pools, and Windows services

  • UI-Computer-PSM-User-Full-Access

    • Grants access to the user interfaces and workflows for managing computer objects for PSM

  • ACT-Computer-Shared-Credential-Assigner-MyOrganization

    • Grants access to assign and unassign shared credentials to computers in the person's organization

  • UI-IT-Shop-MS-Shared-Credential

    • Grants access to shop for Shared Credentials in the IAM Shop microservice app

  • VIS-Shared-Credential-MyOrg

    • Grants access to see vaulted credentials in the person’s organization

  • VIS-Computer-MyOrg

    • Grants access to see computers in the person’s organization

  • IAM Shop, My Tasks, and My Identity Self-Service Basic UI Access Only - no resource types

    • Grants UI access to the IAM Shop, My Tasks, and My Identity microservices, but does not grant visibility to objects or the UI- roles for each resource type.

  • ACT-Computer-Shared-Credential-Login-MyOrg

    • Grants access to use a shared credential to initiate a Privileged Session to any computer in the person's organization

  • ACT-Shared-Credential-Object-Administration-MyOrg

    • Grants access to create, edit and delete shared credentials in the person’s organization

  • ACT-Computer-Object-Administration-MyOrg

    • Grants access to create, edit, and delete computers in the person’s organization

Roles needed to administer PAM Settings

To administer PAM settings and policies, users need to be a member of the below Management Role:

Management Role / Purpose of Management Role

PAM Settings Admin

Grants access to user interfaces and workflows for managing Privileged Access Settings and Policies.
