Roles Needed to Access People
EmpowerID controls access to Person objects through Management Roles. Users must be assigned appropriate roles to work with people based on their organizational responsibilities and scope.
Management Role Types
Management Roles are prefixed by their function in EmpowerID:
- UI — Grants access to specific UI elements in the EmpowerID Web interface
  - Example: UI-Person-Object-Administration grants access to Person management interfaces and workflows
- VIS — Grants visibility to view specific objects in EmpowerID
  - Example: VIS-Person-MyLocations grants visibility to people in the same locations
- ACT — Grants permission to manage (create, update, delete) specific objects in EmpowerID
  - Example: ACT-Person-Role-Assignment-All grants ability to assign and unassign roles for people
Most administrative tasks require a combination of UI, VIS, and ACT roles. For example, managing people in your location requires UI access to interfaces, VIS roles to see the people, and ACT roles to perform management actions.
Roles for Self-Service Profile Management
Users can view and edit their own profile information with the following roles:
View Roles for Self Profile Access
| Management Role | Access Granted by Management Role | Role Type |
|---|---|---|
| UI-Person-Profile-Self-Service | Grants access to user interfaces and workflows for managing own profile attributes | Feature Set |
| VIS-Person-Self | Grants visibility to see own person (granted by default to all people) | Visibility |
| ACT-Person-Profile-Self-Service | Grants ability to edit own profile attributes | Activity |
| Profile Self-Service | Grants complete self-service profile management. Can be used in place of the three roles above. Contains: VIS-Person-Self, ACT-Person-Profile-Self-Service, UI-Person-Person-Profile-Self-Service | Role Bundle |
Roles for Viewing People
To view people in EmpowerID, users need one of the following visibility roles based on the required scope:
View Visibility Roles for People
| Management Role | Access Granted by Management Role | Role Type |
|---|---|---|
| VIS-Person-Self | Grants access to see own person (granted by default to all people) | Visibility |
| VIS-Person-MyDirectReports | Grants access to see direct reports | Visibility |
| VIS-Person-MyLocations | Grants access to see all people in the same locations | Visibility |
| VIS-Person-MyOrg | Grants access to see all people in the same organizations | Visibility |
| VIS-Person-All | Grants access to see all people in the default organization | Visibility |
Roles for Managing Profiles
To manage profile information for people, users need combinations of the following roles based on scope:
Roles needed by people to manage the profiles of their direct reports
| Management Role | Access Granted by Management Role | Role Type |
|---|---|---|
| UI-Person-Profile-Edit | Grants access to user interfaces and workflows for editing people's profile attributes | Feature Set |
| VIS-Person-MyDirectReports | Grants visibility for all direct reports | Visibility |
| ACT-Person-Profile-Edit-DirectReports | Grants ability to edit profile attributes for direct reports | Activity |
Roles needed by people to manage the profiles of people in their locations
| Management Role | Access Granted by Management Role | Role Type |
|---|---|---|
| UI-Person-Profile-Edit | Grants access to user interfaces and workflows for editing people's profile attributes | Feature Set |
| VIS-Person-MyLocations | Grants visibility for all people in the same locations | Visibility |
| ACT-Person-Profile-Edit-MyLocations | Grants ability to edit profile attributes for all people in their locations | Activity |
Roles needed to manage the profile information of users belonging to the same organizations
| Management Role | Access Granted by Management Role | Role Type |
|---|---|---|
| UI-Person-Profile-Edit | Grants access to user interfaces and workflows for editing people's profile attributes | Feature Set |
| VIS-Person-MyOrg | Grants visibility for people in the same organizations | Visibility |
| ACT-Person-Profile-Edit-MyOrg | Grants ability to edit profile attributes for all people in their organizations | Activity |
Roles needed to manage the profile information of partners and customers
| Management Role | Access Granted by Management Role | Role Type |
|---|---|---|
| UI-Person-Profile-Edit | Grants access to user interfaces and workflows for editing people's profile attributes | Feature Set |
| VIS-People-All | Grants visibility for all people in the system | Visibility |
| ACT-Person-Profile-Edit-Customers | Grants ability to edit profile attributes for all people below the Customers location | Activity |
| ACT-Person-Profile-Edit-Partners | Grants ability to edit profile attributes for all people below the Partners location | Activity |
Roles needed to manage the profile information of all people
| Management Role | Access Granted by Management Role | Role Type |
|---|---|---|
| UI-Person-Profile-Edit | Grants access to user interfaces and workflows for editing people's profile attributes | Feature Set |
| VIS-People-All | Grants visibility for all people in the system | Visibility |
| ACT-Person-Profile-Edit-All | Grants ability to edit profile attributes for all people in the system | Activity |
Roles for Managing Management Role Assignments
To manage Management Role assignments for people, users need combinations of the following roles:
Roles needed to manage Management Role assignments for people in their locations
| Management Role | Access Granted by Management Role | Role Type |
|---|---|---|
| UI-Management-Role-Membership-Management | Grants access to user interfaces and workflows for managing Management Role membership | Feature Set |
| VIS-Person-MyLocations | Grants visibility for all people in the same locations | Visibility |
| VIS-Management-Role-MyLocations | Grants visibility for all Management Roles in the same locations | Visibility |
| ACT-Management-Role-Membership-Management-MyLocations | Grants access to manage membership for Management Roles in their locations | Activity |
Roles needed to manage Management Role assignments for people in their organizations
| Management Role | Access Granted by Management Role | Role Type |
|---|---|---|
| UI-Management-Role-Membership-Management | Grants access to user interfaces and workflows for managing Management Role membership | Feature Set |
| VIS-Person-MyOrg | Grants visibility for people in the same organizations | Visibility |
| VIS-Management-Role-MyOrg | Grants visibility for all Management Roles in the same organizations | Visibility |
| ACT-Management-Role-Membership-Management-MyOrg | Grants access to manage membership for Management Roles in their organization | Activity |
Roles needed to manage Management Role assignments for partners
| Management Role | Access Granted by Management Role | Role Type |
|---|---|---|
| UI-Management-Role-Membership-Management | Grants access to user interfaces and workflows for managing Management Role membership | Feature Set |
| VIS-Person-All | Grants visibility for all people | Visibility |
| VIS-Management-Role-All | Grants visibility for all Management Roles | Visibility |
| ACT-Management-Role-Membership-Management-Partners | Grants access to manage membership for Management Roles in or below the Partners location | Activity |
Roles needed to manage Management Role assignments for all people
| Management Role | Access Granted by Management Role | Role Type |
|---|---|---|
| UI-Management-Role-Membership-Management | Grants access to user interfaces and workflows for managing Management Role membership | Feature Set |
| VIS-Person-All | Grants visibility for all people in the system | Visibility |
| VIS-Management-Role-All | Grants visibility for all Management Roles | Visibility |
| ACT-Management-Role-Membership-Management-All | Grants access to manage membership for all Management Roles | Activity |
Roles for Managing Business Role Assignments
To manage Business Role assignments for people, users need combinations of the following roles:
Roles needed to manage Business Role assignments for people in their locations
| Management Role | Access Granted by Management Role | Role Type |
|---|---|---|
| UI-Person-Role-Assignment | Grants access to user interfaces and workflows for managing assignments of people to roles | Feature Set |
| VIS-Person-MyLocations | Grants visibility for all people in the same locations | Visibility |
| VIS-BusinessRole-MyLocations | Grants visibility for Business Roles in the same locations (required to see Business Roles in trees) | Visibility |
| VIS-Location-MyLocationsAndBelow | Grants visibility for the person's locations and below (required to see Locations in trees) | Visibility |
| ACT-Business-Role-Assignment-MyLocations | Grants access to manage assignments of people to Business Roles in their locations and below | Activity |
Roles needed to manage Business Role assignments for people in their organizations
| Management Role | Access Granted by Management Role | Role Type |
|---|---|---|
| UI-Person-Role-Assignment | Grants access to user interfaces and workflows for managing assignments of people to roles | Feature Set |
| VIS-Person-MyOrg | Grants visibility for people in the same organizations | Visibility |
| VIS-BusinessRole-MyOrg | Grants visibility for Business Roles in the same organizations | Visibility |
| VIS-Location-All-Business-Locations | Grants visibility for all locations under All Business Locations | Visibility |
| VIS-Location-MyLocationsAndAbove | Grants visibility for the person's locations and above | Visibility |
| ACT-Business-Role-Assignment-MyOrg | Grants access to manage assignments of people to Business Roles in their organizations | Activity |
Roles needed to manage all Business Role assignments
| Management Role | Access Granted by Management Role | Role Type |
|---|---|---|
| UI-Person-Role-Assignment | Grants access to user interfaces and workflows for managing assignments of people to roles | Feature Set |
| VIS-Person-All | Grants visibility for all people in the system | Visibility |
| VIS-BusinessRole-All | Grants visibility for all Business Roles | Visibility |
| VIS-Location-All | Grants visibility for all locations in the system | Visibility |
| ACT-Business-Role-Assignment-All | Grants access to manage assignments of people to any Business Role | Activity |
Roles for Managing Group Membership
To manage group membership for people, users need combinations of the following roles:
Roles needed to manage group membership for people in their locations
| Management Role | Access Granted by Management Role | Role Type |
|---|---|---|
| UI-Group-Membership-Management | Grants access to user interfaces and workflows for group membership management | Feature Set |
| VIS-Person-MyLocations | Grants visibility for all people in the same locations | Visibility |
| VIS-Groups-Security-MyLocation | Grants visibility for all Security groups in the same locations | Visibility |
| VIS-Groups-Distribution-MyLocation | Grants visibility for all Distribution groups in the same locations | Visibility |
| VIS-Groups-Generic-MyLocation | Grants visibility for all Generic groups in the same locations | Visibility |
| ACT-Group-Membership-Management-Distribution-MyLocations | Grants access to manage membership for all distribution groups in their locations | Activity |
| ACT-Group-Membership-Management-Generic-MyLocations | Grants access to manage membership for all generic groups in their locations | Activity |
| ACT-Group-Membership-Management-Security-MyLocations | Grants access to manage membership for all security groups in their locations | Activity |
Roles needed to manage group membership for people in their organizations
| Management Role | Access Granted by Management Role | Role Type |
|---|---|---|
| UI-Group-Membership-Management | Grants access to user interfaces and workflows for group membership management | Feature Set |
| VIS-Person-MyOrg | Grants visibility for people in the same organizations | Visibility |
| VIS-Groups-Security-MyOrg | Grants visibility for all Security groups in the same organizations | Visibility |
| VIS-Groups-Distribution-MyOrg | Grants visibility for all Distribution groups in the same organizations | Visibility |
| VIS-Groups-Generic-MyOrg | Grants visibility for all Generic groups in the same organizations | Visibility |
| ACT-Group-Membership-Management-Security-MyOrganizations | Grants access to manage membership for all security groups in their organizations | Activity |
| ACT-Group-Membership-Management-Distribution-MyOrganizations | Grants access to manage membership for all distribution groups in their organizations | Activity |
| ACT-Group-Membership-Management-Generic-MyOrganizations | Grants access to manage membership for all generic groups in their organizations | Activity |
Roles needed to manage all group memberships
| Management Role | Access Granted by Management Role | Role Type |
|---|---|---|
| UI-Group-Membership-Management | Grants access to user interfaces and workflows for group membership management | Feature Set |
| VIS-Person-All | Grants visibility for all people in the system | Visibility |
| VIS-Groups-All | Grants visibility for all groups | Visibility |
| ACT-Group-Membership-Management-All-Groups | Grants access to manage membership for all groups | Activity |
Additional system-specific group management roles
| Management Role | Purpose | Role Type |
|---|---|---|
| VIS-Groups-All-AD | Grants visibility for all Active Directory groups | Visibility |
| VIS-Groups-All-AWS | Grants visibility for all AWS groups | Visibility |
| VIS-Groups-All-Azure | Grants visibility for all Azure groups in any tenant | Visibility |
| VIS-Groups-All-IT-Systems | Grants visibility for all groups under All IT Systems | Visibility |
| VIS-Groups-All-O365 | Grants visibility for all Office 365 groups | Visibility |
| VIS-Groups-All-SAP | Grants visibility for all SAP Roles and Profiles | Visibility |
| ACT-Group-Membership-Management-All-AD-Groups | Grants access to manage membership for all Active Directory groups | Activity |
| ACT-Group-Membership-Management-All-AWS-Groups | Grants access to manage membership for all AWS groups | Activity |
| ACT-Group-Membership-Management-All-IT-Systems | Grants access to manage membership for all groups under All IT Systems | Activity |
| ACT-Group-Membership-Management-All-O365-Groups | Grants access to manage membership for all Office 365 groups | Activity |
| ACT-Group-Membership-Management-All-SAP-Groups | Grants access to manage membership for all SAP Roles and Profiles | Activity |
Roles for Creating Person Objects
To create new Person objects, users need combinations of the following roles:
Roles needed to create new people in their locations
| Management Role | Access Granted by Management Role | Role Type |
|---|---|---|
| UI-Person-Object-Create | Grants access to user interfaces and workflows to create Person objects | Feature Set |
| VIS-Person-MyLocations | Grants visibility for all people in the same locations | Visibility |
| VIS-BusinessRole-MyLocations | Grants visibility for Business Roles in the same locations (all people require a Business Role) | Visibility |
| VIS-Location-MyLocationsAndBelow | Grants visibility for the person's locations and below (all people require a location) | Visibility |
| ACT-Business-Role-Assignment-MyLocations | Grants access to assign people to Business Roles in their locations and below | Activity |
| Additionally, if assigning Management Roles during creation: | | |
| VIS-Management-Role-MyLocations | Grants visibility for Management Roles in the same locations | Visibility |
| ACT-Management-Role-Membership-Management-MyLocations | Grants access to manage membership for Management Roles in the same locations | Activity |
Roles needed to create new people in any location
| Management Role | Access Granted by Management Role | Role Type |
|---|---|---|
| UI-Person-Object-Create | Grants access to user interfaces and workflows to create Person objects | Feature Set |
| VIS-Person-All | Grants visibility for all people in the system | Visibility |
| VIS-BusinessRole-All | Grants visibility for all Business Roles | Visibility |
| VIS-Location-All | Grants visibility for all locations in the system | Visibility |
| ACT-Business-Role-Assignment-All | Grants access to assign people to any Business Role | Activity |
| Additionally, if assigning Management Roles during creation: | | |
| VIS-Management-Role-All | Grants visibility for all Management Roles | Visibility |
| ACT-Management-Role-Membership-Management-All | Grants access to manage membership for all Management Roles | Activity |
Roles for Person Administration
To perform comprehensive administrative actions (create, update, delete, restore), users need combinations of the following roles:
Roles needed to administer people in their locations
| Management Role | Access Granted by Management Role | Role Type |
|---|---|---|
| UI-Person-Object-Administration | Grants access to user interfaces and workflows for comprehensive person object management | Feature Set |
| VIS-Person-MyLocations | Grants visibility for all people in the same locations | Visibility |
| ACT-Person-Object-Administration-MyLocations | Grants access to create, update, and delete people in the same locations | Activity |
Roles needed to administer people in their organizations
| Management Role | Access Granted by Management Role | Role Type |
|---|---|---|
| UI-Person-Object-Administration | Grants access to user interfaces and workflows for comprehensive person object management | Feature Set |
| VIS-Person-MyOrg | Grants visibility for all people in the same organizations | Visibility |
| ACT-Person-Object-Administration-MyOrg | Grants access to create, update, and delete people in the same organizations | Activity |
Roles needed to administer partners and customers
| Management Role | Access Granted by Management Role | Role Type |
|---|---|---|
| UI-Person-Object-Administration | Grants access to user interfaces and workflows for comprehensive person object management | Feature Set |
| VIS-Person-All | Grants visibility for all people | Visibility |
| ACT-Person-Object-Administration-Partners | Grants access to create, update, and delete all people below the Partners location | Activity |
| ACT-Person-Object-Administration-Customers | Grants access to create, update, and delete all people below the Customers location | Activity |
Roles needed to administer all people
| Management Role | Access Granted by Management Role | Role Type |
|---|---|---|
| UI-Person-Object-Administration | Grants access to user interfaces and workflows for comprehensive person object management | Feature Set |
| VIS-Person-All | Grants visibility for all people | Visibility |
| ACT-Person-Object-Administration-All | Grants access to create, update, and delete all people | Activity |
The UI-Person-Object-Administration role provides the most comprehensive access for person management tasks.