Roles Needed to Access User Accounts and Groups
EmpowerID restricts access to accounts and groups through the use of Management Roles. To view and work with accounts and groups users must be assigned to the appropriate roles. Management Roles are prefixed by their function in EmpowerID and include the following:
- UI — Management Roles prefixed with UI grant users access to specific UI elements in the EmpowerID Web interface.
- VIS — Management Roles prefixed with VIS grant users the ability to see specific objects in EmpowerID.
- ACT — Management Roles prefixed with ACT grant users the ability to manage specific objects in EmpowerID.
Roles needed by users to view and edit account profile information
To view and edit their basic account information, users need to have the following Management Role assignments:
Roles needed by people to view and initiate editing their user account profile information
| Management Role | Access Granted by Management Role | Role Type |
|---|---|---|
| UI-Account-Profile-Edit | Grants access to the user interfaces and workflows for viewing basic information about user accounts, as well as the ability to edit profile attributes. | Feature Set — Inherits the below Access Levels from the parent Management Role Definition: PAGES AND CONTROLS ACCESS - Find Account Page - Viewer for the page - Account View One Page - Viewer for the page - Viewer for the Actions Accordion - Viewer for the Advanced Tab - Account Edit One Page - Viewer for the page WORKFLOW ACCESS - Resource Manager Account Update - Initiator for the workflow |
Roles needed to view and initiate editing user account profiles belonging to the same locations as the people with the roles
| Management Role | Access Granted by Management Role | Role Type |
|---|---|---|
| UI-Account-Profile-Edit | Grants access to the user interfaces and workflows for viewing basic information about user accounts, as well as the ability to edit profile attributes. | Feature Set — Inherits the below Access Levels from the parent Management Role Definition: PAGES AND CONTROLS ACCESS - Find Account Page - Viewer for the page - Account View One Page - Viewer for the page - Viewer for the Actions Accordion - Viewer for the Advanced Tab - Account Edit One Page - Viewer for the page WORKFLOW ACCESS - Resource Manager Account Update - Initiator for the workflow |
| VIS-Accounts-MyLocations | Grants visibility for all user accounts in the same locations as the currently logged in user. | Visibility |
Roles needed to view and initiate editing user account profiles belonging to the same organizations as the people with the roles
| Management Role | Access Granted by Management Role | Role Type |
|---|---|---|
| UI-Account-Profile-Edit | Grants access to the user interfaces and workflows for viewing basic information about user accounts, as well as the ability to edit profile attributes. | Feature Set — Inherits the below Access Levels from the parent Management Role Definition: PAGES AND CONTROLS ACCESS - Find Account Page - Viewer for the page - Account View One Page - Viewer for the page - Viewer for the Actions Accordion - Viewer for the Advanced Tab - Account Edit One Page - Viewer for the page WORKFLOW ACCESS - Resource Manager Account Update - Initiator for the workflow |
| VIS-Accounts-MyOrg | Grants visibility for all user accounts in the same organizations as the currently logged in user. | Visibility |
Roles needed to view and initiate editing the profiles of additional types of user accounts
| Management Role | Access Granted by Management Role | Role Type |
|---|---|---|
| UI-Account-Profile-Edit | Grants access to the user interfaces and workflows for viewing basic information about user accounts, as well as the ability to edit profile attributes. | Feature Set — Inherits the below Access Levels from the parent Management Role Definition: PAGES AND CONTROLS ACCESS - Find Account Page - Viewer for the page - Account View One Page - Viewer for the page - Viewer for the Actions Accordion - Viewer for the Advanced Tab - Account Edit One Page - Viewer for the page WORKFLOW ACCESS - Resource Manager Account Update - Initiator for the workflow |
| Active Directory User Accounts — In addition to the UI-Account-Membership-Management Management Role, users need the following role to see Active Directory user accounts | ||
| VIS-Accounts-AD | Grants visibility for all Active Directory user accounts. | Visibility |
| AWS User Accounts — In addition to the UI-Account-Membership-Management Management Role, users need the following role to see Amazon Web Services user accounts | ||
| VIS-Accounts-AWS | Grants visibility for all user accounts in any Amazon Web Services account store. | Visibility |
| Linux User Accounts — In addition to the UI-Account-Membership-Management Management Role, users need the following role to see Linux user accounts | ||
| VIS-Accounts-Linux | Grants visibility for all Linux user accounts. | Visibility |
| Local Windows User Accounts — In addition to the UI-Account-Membership-Management Management Role, users need the following role to see Local Windows Server user accounts | ||
| VIS-Accounts-LocalWindows | Grants visibility for all user accounts belonging to Local Windows Server account stores. | Visibility |
| Office 365 User Accounts — In addition to the UI-Account-Membership-Management Management Role, users need the following role to see Office 365 user accounts | ||
| VIS-Accounts-O365 | Grants visibility for all Office 365 / Azure AD user accounts. | Visibility |
| SAP User Accounts — In addition to the UI-Account-Membership-Management Management Role, users need the following role to see SAP user accounts | ||
| VIS-Accounts-SAP | Grants visibility for all SAP user accounts. | Visibility |
Roles needed to view and initiate editing the profile information of all user accounts in any system under the All IT Systems location
| Management Role | Access Granted by Management Role | Role Type |
|---|---|---|
| UI-Account-Profile-Edit | Grants access to the user interfaces and workflows for viewing basic information about user accounts, as well as the ability to edit profile attributes. | Feature Set — Inherits the below Access Levels from the parent Management Role Definition: PAGES AND CONTROLS ACCESS - Find Account Page - Viewer for the page - Account View One Page - Viewer for the page - Viewer for the Actions Accordion - Viewer for the Advanced Tab - Account Edit One Page - Viewer for the page WORKFLOW ACCESS - Resource Manager Account Update - Initiator for the workflow |
| VIS-Accounts-All-IT-Systems | Grants visibility for all accounts under All IT Systems. | Visibility |
Roles needed to view and initiate editing the profiles of all user accounts in the system
| Management Role | Access Granted by Management Role | Role Type |
|---|---|---|
| UI-Account-Membership-Management | Grants access to the user interfaces and workflows for viewing basic information about user accounts, as well as for initiating account group membership management workflows. | Feature Set — Inherits the below Access Levels from the parent Management Role Definition: PAGES AND CONTROLS ACCESS Find Account Page - Viewer for the page Account View One Page - Viewer for the page - Viewer for the General Tab - Viewer for the Group Membership Grid - Viewer for the Group Membership Changes Grid - Viewer for the Resultant Membership Grid WORKFLOW ACCESS Add Accounts to Groups - Initiator for the workflow Remove Service Principal from Groups - Initiator for the workflow Update Account Group Membership - Initiator for the workflow |
| VIS-Accounts-All | Grants visibility for all accounts in any location. | Visibility |
Roles needed to add and remove accounts to and from groups
To manage the group assignments of user accounts, users need to have a combination of the following Management Role assignments (based on the needed scope).
Roles needed by people to manage the group assignments of user accounts and groups in their locations (without requiring approval)
info
Accounts can only be added to groups that belong to the same domain.
| Management Role | Access Granted by Management Role | Role Type |
|---|---|---|
| Account Roles Needed | ||
| UI-Account-Membership-Management | Grants access to the user interfaces and workflows for viewing basic information about user accounts, as well as for initiating account group membership management workflows. | Feature Set — Inherits the below Access Levels from the parent Management Role Definition: PAGES AND CONTROLS ACCESS Find Account Page
WORKFLOW ACCESS Add Accounts to Groups
|
| VIS-Accounts-MyLocations | Grants visibility for all user accounts in the same locations as the currently logged in user. | Visibility |
| ACT-Account-Membership-Management-MyLocations | Grants access to manage membership for user accounts belonging to the same locations as the currently logged in user. If this role is not included, the change to group membership routes for approval to someone who can approve the request. | Activity |
| Group Roles Needed | ||
| UI-Group-Membership-Management | Grants people access to the user interfaces and workflows for viewing basic information about groups, as well as for initiating group membership management workflows. | Feature Set — Inherits the below Access Levels from the parent Management Role Definition: PAGES AND CONTROLS ACCESSFind Group Page
Group View One Page
WORKFLOW ACCESS Add Accounts to Groups
|
| VIS-Groups-Distribution-MyLocation | Grants visibility for all distribution groups belonging to the same locations as the currently logged in user. | Visibility |
| ACT-Group-Membership-Management-Distribution-MyLocations | Grants access to manage membership for distribution groups belonging to the same locations as the currently logged in user. If this role is not included, the change to group membership routes for approval to someone who can approve the request. | Activity |
| VIS-Groups-Generic-MyLocation | Grants visibility for all generic groups belonging to the same locations as the currently logged in user. | Visibility |
| ACT-Group-Membership-Management-Generic-MyLocations | Grants access to manage membership for generic groups belonging to the same locations as the currently logged in user. If this role is not included, the change to group membership routes for approval to someone who can approve the request. | Activity |
| VIS-Groups-Security-MyLocations | Grants visibility for all security groups belonging to the same locations as the currently logged in user. | Visibility |
| ACT-Group-Membership-Management-Security-MyLocations | Grants access to manage membership for security groups belonging to the same locations as the currently logged in user. If this role is not included, the change to group membership routes for approval to someone who can approve the request. | Activity |
Roles needed by people to manage the group assignments of user accounts and groups in their organizations (without requiring approval)
info
Accounts can only be added to groups that belong to the same domain.
| Management Role | Access Granted by Management Role | Role Type |
|---|---|---|
| Account Roles Needed | ||
| UI-Account-Membership-Management | Grants access to the user interfaces and workflows for viewing basic information about user accounts, as well as for initiating account group membership management workflows. | Feature Set — Inherits the below Access Levels from the parent Management Role Definition: #### PAGES AND CONTROLS ACCESS - Find Account Page - Viewer for the page - Account View One Page - Viewer for the page - Viewer for the General Tab - Viewer for the Group Membership Grid - Viewer for the Group Membership Changes Grid - Viewer for the Resultant Membership Grid #### WORKFLOW ACCESS - Add Accounts to Groups - Initiator for the workflow - Remove Service Principal from Groups - Initiator for the workflow - Update Account Group Membership - Initiator for the workflow |
| VIS-Accounts-MyOrg | Grants visibility for all user accounts in the same organizations as the currently logged in user. | Visibility |
| ACT-Account-Membership-Management-MyOrg | Grants access to manage membership for user accounts belonging to the same organizations as the currently logged in user. If this role is not included, the change to group membership routes for approval to someone who can approve the request. | Activity |
| Group Roles Needed | ||
| UI-Group-Membership-Management | Grants people access to the user interfaces and workflows for viewing basic information about groups, as well as for initiating group membership management workflows. | Feature Set — Inherits the below Access Levels from the parent Management Role Definition: #### PAGES AND CONTROLS ACCESS - Find Group Page - Viewer for the page - Viewer for the Dashboard Tab - Viewer for the All Groups Tab - Viewer for the Groups I Manage Tab - Group View One Page - Viewer for the page - Viewer for the General Tab - Viewer for the Membership Changes Tab - Viewer for the Group Members Grid #### WORKFLOW ACCESS - Add Accounts to Groups - Initiator for the workflow - Update Group Account Membership - Initiator for the workflow - Add People to Groups - Initiator for the workflow - Update Person Group Membership - Initiator for the workflow - Temporary Group Membership - Initiator for the workflow - Add Groups to Group - Initiator for the workflow - Remove Groups from Group - Initiator for the workflow - Remove Service Principal from Groups - Initiator for the workflow |
| VIS-Groups-Distribution-MyOrganizations | Grants visibility for all distribution groups belonging to the same organizations as the currently logged in user. | Visibility |
| ACT-Group-Membership-Management-Distribution-MyOrganizations | Grants access to manage membership for distribution groups belonging to the same organizations as the currently logged in user. If this role is not included, the change to group membership routes for approval to someone who can approve the request. | Activity |
| VIS-Groups-Generic-MyOrg | Grants visibility for all generic groups belonging to the same organizations as the currently logged in user. | Visibility |
| ACT-Group-Membership-Management-Generic-MyOrganizations | Grants access to manage membership for generic groups belonging to the same organizations as the currently logged in user. If this role is not included, the change to group membership routes for approval to someone who can approve the request. | Activity |
| VIS-Groups-Security-MyOrg | Grants visibility for all security groups belonging to the same organizations as the currently logged in user. | Visibility |
| ACT-Group-Membership-Management-Security-MyOrganizations | Grants access to manage membership for security groups belonging to the same organizations as the currently logged in user. If this role is not included, the change to group membership routes for approval to someone who can approve the request. | Activity |
Roles needed to manage the group assignments of user accounts and other group types (without requiring approval)
info
Accounts can only be added to groups that belong to the same domain.
| Management Role | Access Granted by Management Role | Role Type |
|---|---|---|
| UI-Account-Membership-Management | Grants access to the user interfaces and workflows for viewing basic information about user accounts, as well as for initiating account group membership management workflows. | Feature Set — Inherits the below Access Levels from the parent Management Role Definition: #### PAGES AND CONTROLS ACCESS - Find Account Page - Viewer for the page - Account View One Page - Viewer for the page - Viewer for the General Tab - Viewer for the Group Membership Grid - Viewer for the Group Membership Changes Grid - Viewer for the Resultant Membership Grid #### WORKFLOW ACCESS - Add Accounts to Groups - Initiator for the workflow - Remove Service Principal from Groups - Initiator for the workflow - Update Account Group Membership - Initiator for the workflow |
| UI-Group-Membership-Management | Grants people access to the user interfaces and workflows for viewing basic information about groups, as well as for initiating group membership management workflows. | Feature Set — Inherits the below Access Levels from the parent Management Role Definition: #### PAGES AND CONTROLS ACCESS - Find Group Page - Viewer for the page - Viewer for the Dashboard Tab - Viewer for the All Groups Tab - Viewer for the Groups I Manage Tab - Group View One Page - Viewer for the page - Viewer for the General Tab - Viewer for the Membership Changes Tab - Viewer for the Group Members Grid #### WORKFLOW ACCESS - Add Accounts to Groups - Initiator for the workflow - Update Group Account Membership - Initiator for the workflow - Add People to Groups - Initiator for the workflow - Update Person Group Membership - Initiator for the workflow - Temporary Group Membership - Initiator for the workflow - Add Groups to Group - Initiator for the workflow - Remove Groups from Group - Initiator for the workflow - Remove Service Principal from Groups - Initiator for the workflow |
| Active Directory User Accounts and Groups — In addition to the UI-Account-Membership-Management and UI-Group-Membership-Management Management Roles, users need the following roles to see manage Active Directory group membership for Active Directory user accounts | ||
| VIS-Accounts-AD | Grants visibility for all Active Directory user accounts. | Visibility |
| VIS-Groups-All-AD | Grants visibility for all Active Directory user accounts. | Visibility |
| ACT-Account-Membership-Management-All-AD-Accounts | Grants access to manage group membership for all Active Directory user accounts. If this role is not included, the change to group membership routes for approval to someone who can approve the request. | Activity |
| ACT-Group-Membership-Management-All-AD-Groups | Grants access to manage group membership for all Active Directory groups. If this role is not included, the change to group membership routes for approval to someone who can approve the request. | Activity |
| AWS User Accounts and Groups — In addition to the UI-Account-Membership-Management and UI-Group-Membership-Management Management Roles, users need the following roles to manage AWS group memberships for AWS user accounts. | ||
| VIS-Accounts-AWS | Grants visibility for all AWS user accounts. | Visibility |
| VIS-Groups-All-AWS | Grants visibility for all AWS groups. | Visibility |
| ACT-Account-Membership-Management-All | Grants access to manage group membership for all user accounts, including AWS user accounts. If this role is not included, the change to group membership routes for approval to someone who can approve the request. | Activity |
| ACT-Group-Membership-Management-All-AWS-Groups | Grants access to manage group membership for all AWS groups. If this role is not included, the change to group membership routes for approval to someone who can approve the request. | Activity |
| Linux User Accounts and Groups — In addition to the UI-Account-Membership-Management and UI-Group-Membership-Management Management Roles, users need the following roles to manage Linux group memberships for Linux user accounts | ||
| VIS-Accounts-Linux | Grants visibility for all Linux user accounts. | Visibility |
| VIS-Groups-All | Grants visibility for all groups, including all groups in Linux systems. | Visibility |
| ACT-Account-Membership-Management-All | Grants access to manage group membership for all user accounts, including Linux user accounts. If this role is not included, the change to group membership routes for approval to someone who can approve the request. | Activity |
| ACT-Group-Membership-Management-All-Groups | Grants access to manage group membership for all groups, including Linux groups. If this role is not included, the change to group membership routes for approval to someone who can approve the request. | Activity |
| Local Windows User Accounts and Groups — In addition to the UI-Account-Membership-Management and UI-Group-Membership-Management Management Roles, users need the following roles to manage group memberships for Local Windows Server user accounts and groups | ||
| VIS-Accounts-LocalWindows | Grants visibility for all user accounts belonging to Local Windows Server account stores. | Visibility |
| VIS-Groups-All | Grants visibility for all groups, including all groups in Local Windows Server account stores. | Visibility |
| ACT-Account-Membership-Management-All | Grants access to manage group membership for all user accounts, including Local Windows user accounts. If this role is not included, the change to group membership routes for approval to someone who can approve the request. | Activity |
| ACT-Group-Membership-Management-All-Groups | Grants access to manage group membership for all groups, including Local Windows groups. If this role is not included, the change to group membership routes for approval to someone who can approve the request. | Activity |
| Office 365 User Accounts and Groups — In addition to the UI-Account-Membership-Management and UI-Group-Membership-Management Management Roles, users need the following roles to manage group memberships for Office 365 user accounts and groups | ||
| VIS-Accounts-O365 | Grants visibility for all Office 365 / Azure AD user accounts. | Visibility |
| VIS-Groups-All-O365 | Grants visibility for all Office 365 groups. | Visibility |
| ACT-Account-Membership-Management-All | Grants access to manage group membership for all user accounts, including Office 365 / Azure AD user accounts. If this role is not included, the change to group membership routes for approval to someone who can approve the request. | Activity |
| ACT-Group-Membership-Management-All-O365-Groups | Grants access to manage group membership for all Office 365 groups. If this role is not included, the change to group membership routes for approval to someone who can approve the request. | Activity |
| SAP User Accounts and Groups — In addition to the UI-Account-Membership-Management and UI-Group-Membership-Management Management Roles, users need the following roles to manage group memberships for SAP user accounts and groups | ||
| VIS-Accounts-SAP | Grants visibility for all SAP user accounts. | Visibility |
| VIS-Groups-All-SAP | Grants visibility for all Office 365 groups. | Visibility |
| ACT-Account-Membership-Management-All-SAP-Accounts | Grants access to manage group membership for all SAP and ABAP user accounts. If this role is not included, the change to group membership routes for approval to someone who can approve the request. | Activity |
| ACT-Group-Membership-Management-All-SAP-Groups | Grants access to manage membership for all SAP Roles and Profiles. If this role is not included, the change to group membership routes for approval to someone who can approve the request. | Activity |
Roles needed by people to manage the group assignments for all user accounts and groups (without requiring approval)
info
Accounts can only be added to groups that belong to the same domain.
| Management Role | Access Granted by Management Role | Role Type |
|---|---|---|
| Account Roles Needed | ||
| UI-Account-Membership-Management | Grants access to the user interfaces and workflows for viewing basic information about user accounts, as well as for initiating account group membership management workflows. | Feature Set — Inherits the below Access Levels from the parent Management Role Definition: #### PAGES AND CONTROLS ACCESS - Find Account Page - Viewer for the page - Account View One Page - Viewer for the page - Viewer for the General Tab - Viewer for the Group Membership Grid - Viewer for the Group Membership Changes Grid - Viewer for the Resultant Membership Grid #### WORKFLOW ACCESS - Add Accounts to Groups - Initiator for the workflow - Remove Service Principal from Groups - Initiator for the workflow - Update Account Group Membership - Initiator for the workflow |
| VIS-Accounts-All | Grants visibility for all user accounts. | Visibility |
| ACT-Account-Membership-Management-All-Accounts | Grants access to manage membership for all user accounts. If this role is not included, the change to group membership routes for approval to someone who can approve the request. | Activity |
| Group Roles Needed | ||
| UI-Group-Membership-Management | Grants people access to the user interfaces and workflows for viewing basic information about groups, as well as for initiating group membership management workflows. | Feature Set — Inherits the below Access Levels from the parent Management Role Definition: #### PAGES AND CONTROLS ACCESS - Find Group Page - Viewer for the page - Viewer for the Dashboard Tab - Viewer for the All Groups Tab - Viewer for the Groups I Manage Tab - Group View One Page - Viewer for the page - Viewer for the General Tab - Viewer for the Membership Changes Tab - Viewer for the Group Members Grid #### WORKFLOW ACCESS - Add Accounts to Groups - Initiator for the workflow - Update Group Account Membership - Initiator for the workflow - Add People to Groups - Initiator for the workflow - Update Person Group Membership - Initiator for the workflow - Temporary Group Membership - Initiator for the workflow - Add Groups to Group - Initiator for the workflow - Remove Groups from Group - Initiator for the workflow - Remove Service Principal from Groups - Initiator for the workflow |
| VIS-Groups-All | Grants visibility for all groups. | Visibility |
| ACT-Group-Membership-Management-All-Groups | Grants access to manage membership for all groups. If this role is not included, the change to group membership routes for approval to someone who can approve the request. | Activity |
Roles needed to manage the group assignments of user accounts and other group types (without requiring approval)
info
Accounts can only be added to groups that belong to the same domain.
| Management Role | Access Granted by Management Role | Role Type |
|---|---|---|
| UI-Account-Membership-Management | Grants access to the user interfaces and workflows for viewing basic information about user accounts, as well as for initiating account group membership management workflows. | Feature Set — Inherits the below Access Levels from the parent Management Role Definition: #### PAGES AND CONTROLS ACCESS - Find Account Page - Viewer for the page - Account View One Page - Viewer for the page - Viewer for the General Tab - Viewer for the Group Membership Grid - Viewer for the Group Membership Changes Grid - Viewer for the Resultant Membership Grid #### WORKFLOW ACCESS - Add Accounts to Groups - Initiator for the workflow - Remove Service Principal from Groups - Initiator for the workflow - Update Account Group Membership - Initiator for the workflow |
| UI-Group-Membership-Management | Grants people access to the user interfaces and workflows for viewing basic information about groups, as well as for initiating group membership management workflows. | Feature Set — Inherits the below Access Levels from the parent Management Role Definition: #### PAGES AND CONTROLS ACCESS - Find Group Page - Viewer for the page - Viewer for the Dashboard Tab - Viewer for the All Groups Tab - Viewer for the Groups I Manage Tab - Group View One Page - Viewer for the page - Viewer for the General Tab - Viewer for the Membership Changes Tab - Viewer for the Group Members Grid #### WORKFLOW ACCESS - Add Accounts to Groups - Initiator for the workflow - Update Group Account Membership - Initiator for the workflow - Add People to Groups - Initiator for the workflow - Update Person Group Membership - Initiator for the workflow - Temporary Group Membership - Initiator for the workflow - Add Groups to Group - Initiator for the workflow - Remove Groups from Group - Initiator for the workflow - Remove Service Principal from Groups - Initiator for the workflow |
| Active Directory User Accounts and Groups — In addition to the UI-Account-Membership-Management and UI-Group-Membership-Management Management Roles, users need the following roles to see manage Active Directory group membership for Active Directory user accounts | ||
| VIS-Accounts-AD | Grants visibility for all Active Directory user accounts. | Visibility |
| VIS-Groups-All-AD | Grants visibility for all Active Directory groups. | Visibility |
| ACT-Account-Membership-Management-All-AD-Accounts | Grants access to manage group membership for all Active Directory user accounts. If this role is not included, the change to group membership routes for approval to someone who can approve the request. | Activity |
| ACT-Group-Membership-Management-All-AD-Groups | Grants access to manage group membership for all Active Directory groups. If this role is not included, the change to group membership routes for approval to someone who can approve the request. | Activity |
| AWS User Accounts and Groups — In addition to the UI-Account-Membership-Management and UI-Group-Membership-Management Management Roles, users need the following roles to manage AWS group memberships for AWS user accounts. | ||
| VIS-Accounts-AWS | Grants visibility for all AWS user accounts. | Visibility |
| VIS-Groups-All-AWS | Grants visibility for all AWS groups. | Visibility |
| ACT-Account-Membership-Management-All | Grants access to manage group membership for all user accounts, including AWS user accounts. If this role is not included, the change to group membership routes for approval to someone who can approve the request. | Activity |
| ACT-Group-Membership-Management-All-AWS-Groups | Grants access to manage group membership for all AWS groups. If this role is not included, the change to group membership routes for approval to someone who can approve the request. | Activity |
| Linux User Accounts and Groups — In addition to the UI-Account-Membership-Management and UI-Group-Membership-Management Management Roles, users need the following roles to manage Linux group memberships for Linux user accounts | ||
| VIS-Accounts-Linux | Grants visibility for all Linux user accounts. | Visibility |
| VIS-Groups-All | Grants visibility for all groups, including all groups in Linux systems. | Visibility |
| ACT-Account-Membership-Management-All | Grants access to manage group membership for all user accounts, including Linux user accounts. If this role is not included, the change to group membership routes for approval to someone who can approve the request. | Activity |
| ACT-Group-Membership-Management-All-Groups | Grants access to manage group membership for all groups, including Linux groups. If this role is not included, the change to group membership routes for approval to someone who can approve the request. | Activity |
| Local Windows User Accounts and Groups — In addition to the UI-Account-Membership-Management and UI-Group-Membership-Management Management Roles, users need the following roles to manage group memberships for Local Windows Server user accounts and groups | ||
| VIS-Accounts-LocalWindows | Grants visibility for all user accounts belonging to Local Windows Server account stores. | Visibility |
| VIS-Groups-All | Grants visibility for all groups, including all groups in Local Windows Server account stores. | Visibility |
| ACT-Account-Membership-Management-All | Grants access to manage group membership for all user accounts, including Local Windows user accounts. If this role is not included, the change to group membership routes for approval to someone who can approve the request. | Activity |
| ACT-Group-Membership-Management-All-Groups | Grants access to manage group membership for all groups, including Local Windows groups. If this role is not included, the change to group membership routes for approval to someone who can approve the request. | Activity |
| Office 365 User Accounts and Groups — In addition to the UI-Account-Membership-Management and UI-Group-Membership-Management Management Roles, users need the following roles to manage group memberships for Office 365 user accounts and groups | ||
| VIS-Accounts-O365 | Grants visibility for all Office 365 / Azure AD user accounts. | Visibility |
| VIS-Groups-All-O365 | Grants visibility for all Office 365 groups. | Visibility |
| ACT-Account-Membership-Management-All | Grants access to manage group membership for all user accounts, including Office 365 / Azure AD user accounts. If this role is not included, the change to group membership routes for approval to someone who can approve the request. | Activity |
| ACT-Group-Membership-Management-All-O365-Groups | Grants access to manage group membership for all Office 365 groups. If this role is not included, the change to group membership routes for approval to someone who can approve the request. | Activity |
| SAP User Accounts and Groups — In addition to the UI-Account-Membership-Management and UI-Group-Membership-Management Management Roles, users need the following roles to manage group memberships for SAP user accounts and groups | ||
| VIS-Accounts-SAP | Grants visibility for all SAP user accounts. | Visibility |
| VIS-Groups-All-SAP | Grants visibility for all Office 365 groups. | Visibility |
| ACT-Account-Membership-Management-All-SAP-Accounts | Grants access to manage group membership for all SAP and ABAP user accounts. If this role is not included, the change to group membership routes for approval to someone who can approve the request. | Activity |
| ACT-Group-Membership-Management-All-SAP-Groups | Grants access to manage membership for all SAP Roles and Profiles. If this role is not included, the change to group membership routes for approval to someone who can approve the request. | Activity |
Roles needed to create, update and delete accounts
To create, update and delete user accounts in EmpowerID, people need to have a combination of the following Management Role assignments (based on the needed scope):
Roles needed by people to create, update and delete user accounts in their locations
| Management Role | Access Granted by Management Role | Role Type |
|---|---|---|
| UI-Account-Object-Administration | Grants access to the user interfaces and workflows for creating, updating and deleting user accounts. | Feature Set — Inherits the below Access Levels from the parent Management Role Definition: #### PAGES AND CONTROLS ACCESS - Find Account Page - Viewer for the page - Viewer for the Location Tree - Viewer for the Deleted Accounts Tab - Account View One Page - Viewer for the page - Viewer for the Actions Accordion - Viewer for the Advanced Tab - Viewer for the Deleted Accounts Tab - Account Edit One Page - Viewer for the page #### WORKFLOW ACCESS - Create User Account - Initiator for the workflow - Disable User Account - Initiator for the workflow - Enable User Account - Initiator for the workflow - Delete Account - Initiator for the workflow - Restore Deleted Account - Initiator for the workflow |
| VIS-Accounts-MyLocations | Grants visibility for all accounts in the same locations as the currently logged in user. | Visibility |
| ACT-Account-Object-Administration-MyLocations | Grants access to create, edit and delete all accounts in the same location as the currently logged in user. | Activity |
Roles needed by people to create, update and delete user accounts in their organizations
| Management Role | Access Granted by Management Role | Role Type |
|---|---|---|
| UI-Account-Object-Administration | Grants access to the user interfaces and workflows for creating, updating and deleting user accounts. | Feature Set — Inherits the below Access Levels from the parent Management Role Definition: #### PAGES AND CONTROLS ACCESS - Find Account Page - Viewer for the page - Viewer for the Location Tree - Viewer for the Deleted Accounts Tab - Account View One Page - Viewer for the page - Viewer for the Actions Accordion - Viewer for the Advanced Tab - Viewer for the Deleted Accounts Tab - Account Edit One Page - Viewer for the page #### WORKFLOW ACCESS - Create User Account - Initiator for the workflow - Disable User Account - Initiator for the workflow - Enable User Account - Initiator for the workflow - Delete Account - Initiator for the workflow - Restore Deleted Account - Initiator for the workflow |
| VIS-Accounts-MyOrg | Grants visibility for all accounts in the same organizations as the currently logged in user. | Visibility |
| ACT-Account-Object-Administration-MyOrg | Grants access to create, edit and delete all accounts in the same location as the currently logged in user. | Activity |
Roles needed to create, update and delete accounts in specific systems
| Management Role | Access Granted by Management Role | Role Type |
|---|---|---|
| UI-Account-Object-Administration | Grants access to the user interfaces and workflows for creating, updating and deleting user accounts. | Feature Set — Inherits the below Access Levels from the parent Management Role Definition: #### PAGES AND CONTROLS ACCESS - Find Account Page - Viewer for the page - Viewer for the Location Tree - Viewer for the Deleted Accounts Tab - Account View One Page - Viewer for the page - Viewer for the Actions Accordion - Viewer for the Advanced Tab - Viewer for the Deleted Accounts Tab - Account Edit One Page - Viewer for the page #### WORKFLOW ACCESS - Create User Account - Initiator for the workflow - Disable User Account - Initiator for the workflow - Enable User Account - Initiator for the workflow - Delete Account - Initiator for the workflow - Restore Deleted Account - Initiator for the workflow |
| Active Directory User Accounts | In addition to the UI-Account-Object Administration Management Role, users need the following roles to create, update and delete AD user accounts. VIS-Accounts-AD — Grants visibility for all Active Directory user accounts. ACT-Account-Object-Administration-AD — Grants access to create, edit, and delete all Active Directory accounts. | |
| AWS User Accounts | In addition to the UI-Account-Object Administration Management Role, users need the following roles to create, update and delete AWS user accounts. VIS-Accounts-AWS— Grants visibility for all AWS user accounts. ACT-Account-Object-Administration-AWS— Grants access to create, edit, and delete all AWS accounts. | |
| Linux User Accounts | In addition to the UI-Account-Object Administration Management Role, users need the following roles to create, update and delete Linux user accounts. VIS-Accounts-Linux — Grants visibility for all Linux user accounts. ACT-Account-Object-Administration-All — Grants access to create, edit, and delete all user accounts, including accounts in Linux systems. | |
| Local Windows User Accounts | In addition to the UI-Account-Object Administration Management Role, users need the following roles to create, update and delete Local Windows user accounts. VIS-Accounts-LocalWindows — Grants visibility for all Local Windows user accounts. ACT-Account-Object-Administration-All — Grants access to create, edit, and delete all user accounts, including accounts in Local Windows systems. | |
| Office 365 User Accounts | In addition to the UI-Account-Object Administration Management Role, users need the following roles to create, update and delete Office 365 user accounts. VIS-Accounts-O365 — Grants visibility for all Office 365/Azure user accounts. ACT-Account-Object-Administration-O365 — Grants access to create, edit, and delete accounts in Office 365. | |
| SAP User Accounts | In addition to the UI-Account-Object Administration Management Role, users need the following roles to create, update and delete SAP user accounts. VIS-Accounts-SAP — Grants visibility for all SAP user accounts. ACT-Account-Object-Administration-SAP — Grants access to create, edit, and delete accounts in SAP ABAP. |
Roles needed to create, update and delete accounts in any system
| Management Role | Access Granted by Management Role | Role Type |
|---|---|---|
| UI-Account-Object-Administration | Grants access to the user interfaces and workflows for creating, updating and deleting user accounts. | Feature Set — Inherits the below Access Levels from the parent Management Role Definition: #### PAGES AND CONTROLS ACCESS - Find Account Page - Viewer for the page - Viewer for the Location Tree - Viewer for the Deleted Accounts Tab - Account View One Page - Viewer for the page - Viewer for the Actions Accordion - Viewer for the Advanced Tab - Viewer for the Deleted Accounts Tab - Account Edit One Page - Viewer for the page #### WORKFLOW ACCESS - Create User Account - Initiator for the workflow - Disable User Account - Initiator for the workflow - Enable User Account - Initiator for the workflow - Delete Account - Initiator for the workflow - Restore Deleted Account - Initiator for the workflow |
| VIS-Accounts-All | Grants visibility for all accounts. | Visibility |
| ACT-Account-Object-Administration-All | Grants access to create, edit and delete all accounts. | Activity |
Roles needed to create, update and delete groups
To create, update and delete groups in EmpowerID, people need to have a combination of the following Management Role assignments (based on the needed scope):
Roles needed by people to create, update and delete groups in their locations
| Management Role | Access Granted by Management Role | Role Type |
|---|---|---|
| UI-Group-Object-Administration | Grants access to the user interfaces and workflows for creating, updating and deleting user accounts. | Feature Set — Inherits the below Access Levels from the parent Management Role Definition: #### PAGES AND CONTROLS ACCESS - Find Group Page - Viewer for the page - Viewer for the Location Tree - Viewer for the All Groups Tab - Viewer for the Deleted Tab - Group View One Page - Viewer for the page - Viewer for the Actions Accordion - Viewer for the Owners Grid - Viewer for the Advanced Tab - Viewer for the Advanced Tab Membership Changes Accordion - Viewer for the Advanced Tab Accept Reject Mail Accordion - Edit Group Page - Viewer for the page - Create Group Page - Viewer for the page - Create Group Simple Page - Viewer for the page - Group Resource Type Dropdown Item - Viewer for the control #### WEB SERVICE ACCESS - Group View - Executor for the service - Group Account View - Executor for the service - Group Account History View - Executor for the service #### WORKFLOW ACCESS - Create Group - Initiator for the workflow - Move Group - Initiator for the workflow - Resource Manager Edit Group - Initiator for the workflow - Update Resource Locations - Initiator for the workflow - Update Resource Tags - Initiator for the workflow - Update Owner Assignee - Initiator for the workflow - Update Person Catalog Category Requestable Entitlements - Initiator for the workflow - Restore Deleted Groups Bulk - Initiator for the workflow |
| VIS-Groups-Distribution-MyLocation | Grants visibility for distribution groups in the same locations as the currently logged in user. | Visibility |
| VIS-Groups-Generic-MyLocation | Grants visibility for generic groups in the same locations as the currently logged in user. | Visibility |
| VIS-Groups-Security-MyLocation | Grants visibility for security groups in the same locations as the currently logged in user. | Visibility |
| ACT-Group-Object-Administration-MyLocations | Grants access to create, edit and delete groups in the same location as the currently logged in user. | Activity |
Roles needed by people to create, update and delete groups in their organizations
| Management Role | Access Granted by Management Role | Role Type |
|---|---|---|
| UI-Group-Object-Administration | Grants access to the user interfaces and workflows for creating, updating and deleting user accounts. | Feature Set — Inherits the below Access Levels from the parent Management Role Definition: #### PAGES AND CONTROLS ACCESS - Find Group Page - Viewer for the page - Viewer for the Location Tree - Viewer for the All Groups Tab - Viewer for the Deleted Tab - Group View One Page - Viewer for the page - Viewer for the Actions Accordion - Viewer for the Owners Grid - Viewer for the Advanced Tab - Viewer for the Advanced Tab Membership Changes Accordion - Viewer for the Advanced Tab Accept Reject Mail Accordion - Edit Group Page - Viewer for the page - Create Group Page - Viewer for the page - Create Group Simple Page - Viewer for the page - Group Resource Type Dropdown Item - Viewer for the control #### WEB SERVICE ACCESS - Group View - Executor for the service - Group Account View - Executor for the service - Group Account History View - Executor for the service #### WORKFLOW ACCESS - Create Group - Initiator for the workflow - Move Group - Initiator for the workflow - Resource Manager Edit Group - Initiator for the workflow - Update Resource Locations - Initiator for the workflow - Update Resource Tags - Initiator for the workflow - Update Owner Assignee - Initiator for the workflow - Update Person Catalog Category Requestable Entitlements - Initiator for the workflow - Restore Deleted Groups Bulk - Initiator for the workflow |
| VIS-Groups-Distribution-MyOrg | Grants visibility for distribution groups in the same organizations as the currently logged in user. | Visibility |
| VIS-Groups-Generic-MyOrg | Grants visibility for generic groups in the same organizations as the currently logged in user. | Visibility |
| VIS-Groups-Security-MyOrg | Grants visibility for security groups in the same organizations as the currently logged in user. | Visibility |
| ACT-Group-Object-Administration-MyOrg | Grants access to create, edit and delete groups in the same organizations as the currently logged in user. | Activity |
Roles needed to create, update and delete groups in specific systems
| Management Role | Access Granted by Management Role | Role Type |
|---|---|---|
| UI-Group-Object-Administration | Grants access to the user interfaces and workflows for creating, updating and deleting user accounts. | Feature Set — Inherits the below Access Levels from the parent Management Role Definition: #### PAGES AND CONTROLS ACCESS - Find Group Page - Viewer for the page - Viewer for the Location Tree - Viewer for the All Groups Tab - Viewer for the Deleted Tab - Group View One Page - Viewer for the page - Viewer for the Actions Accordion - Viewer for the Owners Grid - Viewer for the Advanced Tab - Viewer for the Advanced Tab Membership Changes Accordion - Viewer for the Advanced Tab Accept Reject Mail Accordion - Edit Group Page - Viewer for the page - Create Group Page - Viewer for the page - Create Group Simple Page - Viewer for the page - Group Resource Type Dropdown Item - Viewer for the control #### WEB SERVICE ACCESS - Group View - Executor for the service - Group Account View - Executor for the service - Group Account History View - Executor for the service #### WORKFLOW ACCESS - Create Group - Initiator for the workflow - Move Group - Initiator for the workflow - Resource Manager Edit Group - Initiator for the workflow - Update Resource Locations - Initiator for the workflow - Update Resource Tags - Initiator for the workflow - Update Owner Assignee - Initiator for the workflow - Update Person Catalog Category Requestable Entitlements - Initiator for the workflow - Restore Deleted Groups Bulk - Initiator for the workflow |
| Active Directory Groups | In addition to the UI-Group-Object Administration Management Role, users need the following roles to create, update and delete AD groups. VIS-Groups-All-AD — Grants visibility for all Active Directory groups. ACT-Group-Object-Administration-AD — Grants access to create, edit, and delete all Active Directory groups. | |
| AWS Groups | In addition to the UI-Group-Object Administration Management Role, users need the following roles to create, update and delete groups in AWS. VIS-Groups-All-AWS— Grants visibility for all AWS groups. ACT-Group-Object-Administration-AWS— Grants access to create, edit, and delete all AWS groups. | |
| Azure Groups | In addition to the UI-Group-Object Administration Management Role, users need the following roles to create, update and delete groups in Azure. VIS-Groups-All-Azure— Grants visibility for all Azure groups. ACT-Group-Object-Administration-All — Grants access to create, edit, and delete all groups, including groups in Azure. | |
| Office 365 Groups | In addition to the UI-Group-Object Administration Management Role, users need the following roles to create, update and delete groups in Office 365. VIS-Accounts-O365 — Grants visibility for all Office 365 groups. ACT-Account-Object-Administration-O365 — Grants access to create, edit, and delete accounts in Office 365. | |
| SAP Groups | In addition to the UI-Account-Object Administration Management Role, users need the following roles to create, update and delete SAP roles and profiles. VIS-Groups-SAP — Grants visibility for all SAP roles and profiles. ACT-Group-Object-Administration-All— Grants access to create, edit, and delete all groups, including those in SAP. | |
| Groups Under All IT Systems | In addition to the UI-Account-Object Administration Management Role, users need the following roles to create, update and delete group under the All IT Systems location. VIS-Groups-All-IT-Systems— Grants visibility for all groups under the All IT Systems location. ACT-Group-Object-Administration-All— Grants access to create, edit, and delete all groups, including those under the All IT Systems location. |
Roles needed to create, update and delete groups in any system
| Management Role | Access Granted by Management Role | Role Type |
|---|---|---|
| UI-Group-Object-Administration | Grants access to the user interfaces and workflows for creating, updating and deleting user accounts. | Feature Set — Inherits the below Access Levels from the parent Management Role Definition: #### PAGES AND CONTROLS ACCESS - Find Group Page - Viewer for the page - Viewer for the Location Tree - Viewer for the All Groups Tab - Viewer for the Deleted Tab - Group View One Page - Viewer for the page - Viewer for the Actions Accordion - Viewer for the Owners Grid - Viewer for the Advanced Tab - Viewer for the Advanced Tab Membership Changes Accordion - Viewer for the Advanced Tab Accept Reject Mail Accordion - Edit Group Page - Viewer for the page - Create Group Page - Viewer for the page - Create Group Simple Page - Viewer for the page - Group Resource Type Dropdown Item - Viewer for the control #### WEB SERVICE ACCESS - Group View - Executor for the service - Group Account View - Executor for the service - Group Account History View - Executor for the service #### WORKFLOW ACCESS - Create Group - Initiator for the workflow - Move Group - Initiator for the workflow - Resource Manager Edit Group - Initiator for the workflow - Update Resource Locations - Initiator for the workflow - Update Resource Tags - Initiator for the workflow - Update Owner Assignee - Initiator for the workflow - Update Person Catalog Category Requestable Entitlements - Initiator for the workflow - Restore Deleted Groups Bulk - Initiator for the workflow |
| VIS-Groups-All | Grants visibility for all groups. | Visibility |
| ACT-Group-Object-Administration-All | Grants access to create, edit and delete all groups anywhere. | Activity |