Onboard Management Roles

EmpowerID ships with comprehensive Management Roles for common scenarios. When your organization requires roles beyond what's provided out-of-box, use the Onboard Management Role wizard to create them. The wizard guides you through a 7-step process to configure ownership, IAM Shop settings, RBAC policies, and initial membership.

Prerequisites

Before onboarding a new Management Role, ensure you have:

  • Access to Resource Admin with permissions to create Management Roles

Customize Workflow Parameters (Optional)

Info: The wizard can be customized to control field visibility, set organizational defaults, and enforce business rules. If you need to customize the wizard before using it, configure parameters in this section. Otherwise, skip to the Procedure.

The Onboard Management Role wizard supports the following parameters to adapt the wizard to your governance requirements:

  • DefaultAccessRequestPolicyID - Default access request policy to be selected in the IAM Shop Settings step. The value must be a GUID.
  • DefaultManagementRoleDefinitionID - Default management role definition to be selected in the Role Data Entry step. The value must be a GUID.
  • DefaultParentLocationID - Restricts management role creation to a specific location and its children. The value must be an OrgZoneID.
  • DeputyIsRequired - Indicates whether the Deputies field is mandatory. Possible values: true or false.
  • DeputyResourceTypeRoleName - Access level assigned to management role deputies.
  • DeputySetGroupName - Query-based collection name to filter the Deputy selection list.
  • GroupAccessLevelNameForRBACMembershipPolicies - Group access level name used in RBAC Membership Policies.
  • ManagementRoleDefinition_IsVisible - Controls visibility of the ManagementRoleDefinition field. If false, DefaultManagementRoleDefinitionID must be set.
  • ManagementRoleEmail_IsVisible - Determines whether the ManagementRoleEmail field is visible.
  • ManagementRoleName_RestrictedCharacters - Defines characters removed from ManagementRole names before creation. No delimiters required.
  • ManagementRoleTypeName - Sets the type of management role. Leaving blank displays selection page. Possible values: Generic, etc.
  • OwnerIsRequired - Indicates whether the Owners field is mandatory. Possible values: true or false.
  • OwnerResourceTypeRoleName - Access level assigned to management role owners.
  • OwnerSetGroupName - Query-based collection name to filter the Owners selection list.
  • RBACMembership_AllowBusinessRoleAndLocation - Controls visibility of BusinessRoleAndLocation in RBAC Membership Policies. Possible values: true or false.
  • RBACMembership_AllowGroup - Controls visibility of the Group option in RBAC Membership Policies. Possible values: true or false.
  • RBACMembership_AllowManagementRole - Controls visibility of the ManagementRole option in RBAC Membership Policies. Possible values: true or false.
  • RBACMembership_AllowManagementRoleDefinition - Controls visibility of the ManagementRoleDefinition option in RBAC Membership Policies. Possible values: true or false.
  • RBACMembership_AllowPerson - Controls visibility of the Person option in RBAC Membership Policies. Possible values: true or false.
  • RBACMembership_AllowSetGroup - Controls visibility of the SetGroup option in RBAC Membership Policies. Possible values: true or false.
  • RBACMembershipCount_IsVisible - Displays the resultant count of each assignment if true. Skips this step if count is below threshold.
  • RBACMembershipCountThreshold - Sets the threshold for RBAC membership counts. Values exceeding this block the workflow.
  • RBACMembershipResultantPreview_DefaultValue - Sets default state of the preview checkbox for RBAC membership results. Possible values: true or false.
  • RBACMembershipResultantPreview_IsVisible - Enables or disables the preview functionality for RBAC membership results. Possible values: true or false.
  • ResponsiblePartyIsRequired - Indicates whether the Responsible Party field is mandatory. Possible values: true or false.
  • ResponsiblePartySetGroupName - Query-based collection name to filter the Responsible Party dropdown.
  • ShowOwnershipOptions_Deputies - Controls visibility of Deputies for the management role. Possible values: true or false.
  • ShowOwnershipOptions_Owners - Controls visibility of Owners for the management role. Possible values: true or false.
  • ShowOwnershipOptions_ResponsibleParty - Controls visibility of the Responsible Party for the management role. Possible values: true or false.
  • Validate_UniqueOwnerAndResponsibleParty - Ensures that the Owner and Responsible Party are unique.

Configure Parameters

  1. Navigate to Low Code/No Code Workflow > Low Code Workflows.
  2. Select the Workflow tab and search for the Onboard Management Role workflow.
  3. Click the Display Name for the workflow.
  4. Expand the Request Workflow Parameters accordion on the View One page.
  5. Search for the parameter you need to configure and click the edit button for the parameter.
  6. Enter the value in the Value field and click Save.
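
A preflight check for a planned set of parameter values, added here as an example (it is not EmpowerID code and calls no EmpowerID API): it applies the value rules stated in the parameter descriptions above before anything is typed into the Value field. The dictionary input format, the function names and the sample values are assumptions made for illustration.

```python
import uuid

# Rules below come from the parameter descriptions on this page. The
# dict-of-strings input is an assumption of this example, not an EmpowerID format.
GUID_PARAMS = ("DefaultAccessRequestPolicyID", "DefaultManagementRoleDefinitionID")
BOOL_PREFIXES = ("RBACMembership_Allow", "ShowOwnershipOptions_",
                 "RBACMembershipResultantPreview_")
BOOL_SUFFIX = "IsRequired"


def is_guid(value):
    try:
        uuid.UUID(value)
        return True
    except ValueError:
        return False


def lint_parameters(params):
    """Return a sorted list of findings for a proposed parameter set."""
    findings = []
    for name, value in params.items():
        if name in GUID_PARAMS and value and not is_guid(value):
            findings.append(f"{name}: value must be a GUID")
        documented_bool = name.startswith(BOOL_PREFIXES) or name.endswith(BOOL_SUFFIX)
        if documented_bool and value not in ("true", "false"):
            findings.append(f"{name}: possible values are true or false")
    # With the definition field hidden, nobody can pick a definition in the
    # wizard, so the page requires a default to be configured.
    hidden = params.get("ManagementRoleDefinition_IsVisible", "true").lower() == "false"
    if hidden and not params.get("DefaultManagementRoleDefinitionID"):
        findings.append("ManagementRoleDefinition_IsVisible=false requires "
                        "DefaultManagementRoleDefinitionID")
    return sorted(findings)


def strip_restricted(role_name, restricted):
    """Remove every character of the undelimited restricted string from a name."""
    return "".join(ch for ch in role_name if ch not in restricted)


# Constructed sample values, not taken from a real environment.
SAMPLE = {
    "DefaultAccessRequestPolicyID": "12345",
    "OwnerIsRequired": "yes",
    "ShowOwnershipOptions_Deputies": "false",
    "ManagementRoleDefinition_IsVisible": "false",
    "ManagementRoleName_RestrictedCharacters": "<>;'\"",
}
print(lint_parameters(SAMPLE))
```

The sample produces three findings: a non-GUID policy ID, a non-boolean OwnerIsRequired, and a hidden definition field with no default.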

Procedure

Note: The following steps show the default wizard flow. Your organization may have customized which fields appear based on workflow parameter configuration.

Navigate to Resource Admin, select Management Roles from the Resource dropdown menu, click the Workflows tab, and find and click Onboard Management Role.

Step 1: Basic Role Information

  1. Complete the basic role information:

    • Name - Unique identifier for the Management Role
    • Display Name - User-friendly name that appears in interfaces
    • Management Role Definition - Select the template for the role (default is Blank Management Role Definition; clear and search to select a different definition)
    • Management Role Type - Select the role type for classification (default is Generic)
    • Select a Location - Choose the organizational location for RBAC visibility
    • Description - Brief explanation of the role's purpose and responsibilities
  2. Click Next.

Step 2: Owner Information

  1. Define who can manage this Management Role:

    • Responsible Party - Person with ultimate business accountability for this role
    • Owners - People who can manage this role through RBAC access
    • Deputies - Backup managers for the role
  2. Click Next.

Step 3: IAM Shop Settings

  1. Configure whether users can request this role through self-service:

    • Requestable in IAM Shop - Check this box to enable self-service requests
  2. If you enabled requestable, complete the additional settings:

    • Select Access Request Policy - Choose the policy that defines approval workflows and fulfillment behaviors
    • Select Assignees - Configure who can request this role:
      • Eligible Assignees - Users who can request access (requires approval)
      • Preapproved Assignees - Users automatically granted access without approval
      • Suggested Assignees - Users who see this role as suggested in the IAM Shop

    For each assignee type, select a type from the Choose Type dropdown, search for and select the entity, and use the Added counter to manage selections.

  3. Click Next.

Step 4: RBAC Membership Policies

  1. Define automatic membership based on organizational attributes, or leave blank for manual assignment only:

    • Select a type from the Choose Type dropdown (Person, Group, SetGroup, Management Role, Business Role, or Location)
    • Search for and select the specific entity
    • Use the Added counter to manage selections
    • Check Preview membership to see who will receive automatic membership
  2. Click Next.

Step 5: Groups Assignments

  1. Assign existing groups as members of this Management Role, or leave blank if not needed:

    • Search for groups and check the box next to groups you want to include as members
  2. Click Next.

Step 6: Management Role Assignments

  1. Bundle other Management Roles into this new role, or leave blank if this role should stand alone:

    • Search for existing Management Roles and check the box next to roles you want to include
  2. Click Next.

Step 7: Summary and Create

  1. Review all configuration details across the summary tabs.
  2. Click Submit to create the Management Role.

Verify the Results

After submitting:

  1. Navigate to Resource Admin > Management Roles.
  2. Search for the newly created role by name and verify it appears in the list.