
IAM Shop Permission Levels

In EmpowerID, IAM Shop Permission Levels define the permissions that can be requested for specific resources in native systems, such as shared folders, mailboxes, and computers. These levels can be configured to match organizational requirements, so that access to a resource is granted according to the requester's role and responsibilities. For example, a shared folder may have a "Read-Only" permission level for general users, while a computer may have a "Local Admin" permission level reserved for IT staff.

📄️ IAM Shop Permission Levels and Computers

In EmpowerID, IAM Shop Permission Levels define permissions for specific resources within native systems, such as shared folders, mailboxes, and computers. These levels can be configured to align with organizational requirements, ensuring that access to resources is controlled according to user roles and responsibilities. For example, a shared folder may have a "Read-Only" permission level for general users, while a computer might have a "Local Admin" access level designated for IT staff.

📄️ Assign IAM Shop Permission Levels to Computers

Organizations can define which permissions are requestable for inventoried computers, so that users can request them when connecting through Privileged Session Management (PSM). Known as "IAM Shop Permission Levels" in EmpowerID, these permissions serve a dual purpose: they grant a specific level of access for the duration of a computer session, and they enforce the principle of least privilege, because the permission is automatically revoked when the session ends rather than remaining as standing access.

📄️ Configure Computers for Just-In-Time Access

EmpowerID allows Just-In-Time (JIT) account provisioning to be configured on computers for specific groups. At the start of a PSM session, this feature automatically creates a user account whose name combines the user's EmpowerID login with a random suffix (e.g., `jposada_566054625600`) and adds it to the configured group. The account is removed from the group as soon as the session ends. Depending on the JIT access settings, the account is then either retained on the computer (outside the group) for reuse in a later session or deleted from the system entirely. This JIT approach supports a zero-trust, least-privilege model: access exists only for the session that needs it and is withdrawn immediately afterward, so no standing privileged account is left behind.
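To make the session-scoped permission grant and the JIT account lifecycle concrete, the following PowerShell is an added example that is not EmpowerID code and does not use the EmpowerID API. It implements the same pattern described above and in the permission-level section with the built-in `Microsoft.PowerShell.LocalAccounts` module on the target Windows host: create a `login_randomsuffix` account, add it to the local group that carries the permission level (the Local Admin level is mapped to the built-in `Administrators` group here as an assumption), and on session end remove it from the group and either retain or delete it. The function names, the 12-digit suffix format, the `-Retain` switch, and the decision to disable a retained account are all assumptions made for this example.

```powershell
# Added illustrative example of the JIT session-account pattern (not EmpowerID's own code).
# Run as an administrator on the computer that hosts the session.
#Requires -RunAsAdministrator

function New-JitSessionAccount {
    param(
        [Parameter(Mandatory)][string]$Login,   # the requester's EmpowerID login, e.g. jposada
        [Parameter(Mandatory)][string]$Group    # local group carrying the permission level, e.g. Administrators
    )
    # Random numeric suffix in the same shape as the page's example (jposada_566054625600).
    $suffix = -join (1..12 | ForEach-Object { Get-Random -Minimum 0 -Maximum 10 })
    $name   = '{0}_{1}' -f $Login, $suffix

    # 32 random bytes as the password. The user never receives it: the session broker
    # (PSM in EmpowerID's case) owns the credential, which is the point of the pattern.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $password = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

    $user = New-LocalUser -Name $name -Password $password `
        -PasswordNeverExpires -UserMayNotChangePassword `
        -Description 'JIT session account (assumed naming convention)'

    # Granting the permission level = adding the account to the group for this session only.
    Add-LocalGroupMember -Group $Group -Member $name
    return $user
}

function Remove-JitSessionAccount {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Group,
        [switch]$Retain   # keep the account for a later session instead of deleting it
    )
    # Revoking the permission level always happens first, whatever the retention setting.
    Remove-LocalGroupMember -Group $Group -Member $Name -ErrorAction SilentlyContinue

    if ($Retain) {
        # Assumed hardening choice for this example: a retained account is disabled
        # between sessions so it cannot be used for an interactive logon on its own.
        Disable-LocalUser -Name $Name
    } else {
        Remove-LocalUser -Name $Name
    }
}

function Test-JitSessionAccountInGroup {
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string]$Group)
    # Returns $true only while the session account holds the permission level.
    $members = Get-LocalGroupMember -Group $Group -ErrorAction SilentlyContinue
    return [bool]($members | Where-Object { $_.Name -like "*\$Name" -or $_.Name -eq $Name })
}

# Usage: simulate one PSM session for jposada at the "Local Admin" level.
$account = New-JitSessionAccount -Login 'jposada' -Group 'Administrators'
try {
    Write-Host "Session account $($account.Name) in Administrators:" `
        (Test-JitSessionAccountInGroup -Name $account.Name -Group 'Administrators')   # True during the session
    # ... the brokered session runs here ...
}
finally {
    # The finally block models "revoked once the session concludes", including on error.
    Remove-JitSessionAccount -Name $account.Name -Group 'Administrators'
    Write-Host "After session, in Administrators:" `
        (Test-JitSessionAccountInGroup -Name $account.Name -Group 'Administrators')   # False
}
```

The check in `Test-JitSessionAccountInGroup` is the one a reviewer should run after a session: the only acceptable end state is that the suffixed account is either gone or present but outside the privileged group. If this check ever returns `$true` after `finally` has run, the cleanup path has failed and standing admin access has been left on the host.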

📄️ Add IAM Shop Assignees for Requesting Access

IAM Shop Assignees for Requesting Access is a feature that determines which users are eligible to request specific permissions, known as IAM Shop Permission Levels, for computers in the IAM Shop. By default, the permission levels include Local Admin and Domain Admin, and administrators can create custom levels as needed. Configuring assignees lets administrators control which types of access each population of users can request, which limits the scope of requestable privilege and helps ensure compliance with organizational policies.