About IAM Shop Permission Levels

EmpowerID's IAM Shop Permission Levels provide a flexible framework for delegating access to native system resources such as shared folders, computers, and mailboxes. These permission levels are presented to users through the IAM Shop interface when they request access to a resource. Each level corresponds to a specific group or access control object in the native system that enforces the appropriate permissions.

Organizations can use the default permission levels provided by EmpowerID or define custom levels that reflect their internal naming standards and access policies. The result is a user-friendly, governed process that enables controlled access without compromising compliance.

How It Works

When a user selects a resource from the IAM Shop—for example, a computer—they are prompted to choose a Permission Level that best suits their access needs. These options are configured by administrators and mapped to native system groups.

Example Interface

The following screenshot illustrates how permission levels appear in the IAM Shop when a user requests access to a computer:

IAM Shop Permission Levels for a computer being requested

In this example, the user can select either:

  • Local Admin – granting administrative rights only on the target computer
  • Domain Admin – granting elevated rights at the domain level

Behind the Scenes

Selecting a permission level in the IAM Shop triggers a workflow in EmpowerID that assigns the user to the corresponding group in the native system. This mapping is critical: the IAM Shop Permission Level must be tied to a group or role that actually provides access in the external system.

The diagram below illustrates this process flow:

Permission Level Mapping Flow

  1. The user selects the "Local Admin" IAM Shop Permission Level for Computer X.
  2. EmpowerID adds the user to the native group that grants local admin rights.
  3. As a result, the user receives Local Admin permissions on Computer X.

Important: IAM Shop Permission Levels without proper mapping to enforcement groups in the native system do not result in any effective access. They serve only as labels in the UI unless backed by real permissions.
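One way to check for label-only levels, as an added example (not EmpowerID code): the script audits a constructed export of permission levels against a constructed list of native groups. It goes a step beyond the text by also flagging levels whose group grants domain-wide rights. The field names, group names and scope labels are assumptions, not EmpowerID's schema.

```python
# Constructed sample data. Field names and the export shape are assumptions.
PERMISSION_LEVELS = [
    {"level": "Local Admin", "resource": "Computer X",
     "native_group": "ComputerX-LocalAdmins"},
    {"level": "Domain Admin", "resource": "Computer X",
     "native_group": "Domain Admins"},
    {"level": "Finance Read-Only", "resource": "Finance Share",
     "native_group": ""},
    {"level": "Tier 2 Support", "resource": "RDP Host 1",
     "native_group": "RDP-Tier2"},
]

# Groups that exist in the native system, with the reach of the rights
# each one grants ("resource" = one target, "domain" = domain-wide).
NATIVE_GROUPS = {
    "ComputerX-LocalAdmins": "resource",
    "Domain Admins": "domain",
}


def audit_levels(levels, native_groups):
    """Return (level, resource, status) for every level needing review."""
    # Directory group names are compared case-insensitively.
    scopes = {name.casefold(): scope for name, scope in native_groups.items()}
    findings = []
    for entry in levels:
        group = (entry.get("native_group") or "").strip()
        key = (entry["level"], entry["resource"])
        if not group:
            # No mapping at all: the level is only a label in the UI.
            findings.append(key + ("UNMAPPED",))
        elif group.casefold() not in scopes:
            # Mapped, but the group is missing in the native system,
            # so selecting the level grants no effective access.
            findings.append(key + ("GROUP_NOT_FOUND",))
        elif scopes[group.casefold()] == "domain":
            # Requested on one resource, but the rights reach the domain.
            findings.append(key + ("DOMAIN_WIDE",))
    return findings


if __name__ == "__main__":
    for level, resource, status in audit_levels(PERMISSION_LEVELS, NATIVE_GROUPS):
        print(f"{status:16} {level!r} on {resource!r}")
```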

Customization

Administrators can create custom permission levels for each type of resource. These levels can carry names and semantics that make sense within the business context. For example:

  • Finance Read-Only for a shared drive
  • Tier 2 Support for remote desktop access
  • Power User for a developer workstation

Once defined and assigned to resources, these custom levels appear in the IAM Shop and can be selected just like default options. This enhances usability while aligning with internal security models.

Summary

IAM Shop Permission Levels allow EmpowerID administrators to:

  • Present clear, selectable access options to users
  • Control access through native group assignments
  • Customize access terminology to fit organizational policies
  • Ensure auditability and enforce governance through mapping

With the IAM Shop, users request what they need, and administrators retain control over how and when access is granted.