Roles Needed to Access User Accounts and Groups
EmpowerID controls access to user accounts and groups through Management Roles. Users must be assigned appropriate roles to view and manage accounts and groups based on their organizational responsibilities and scope.
Management Role Types
Management Roles are prefixed by their function in EmpowerID:
- UI — Grants access to specific UI elements in the EmpowerID Web interface
- VIS — Grants visibility to view specific objects in EmpowerID
- ACT — Grants permission to manage (create, update, delete) specific objects in EmpowerID
Most administrative tasks require a combination of UI, VIS, and ACT roles. For example, managing accounts in your location requires UI access to the interface, VIS roles to see the accounts, and ACT roles to perform management actions.
Roles for Viewing and Editing Account Profiles
The following sections detail role combinations needed for different scopes of account profile access.
Roles needed by people to view and initiate editing their user account profile information
| Management Role | Access Granted by Management Role | Role Type |
|---|---|---|
| UI-Account-Profile-Edit | Grants access to the user interfaces and workflows for viewing basic information about user accounts, as well as the ability to edit profile attributes. | Feature Set: inherits the following Access Levels from the parent Management Role Definition. Pages and controls access: Find Account Page (Viewer for the page); Account View One Page (Viewer for the page, Viewer for the Actions Accordion, Viewer for the Advanced Tab); Account Edit One Page (Viewer for the page). Workflow access: Resource Manager Account Update (Initiator for the workflow). |
Roles needed to view and initiate editing user account profiles belonging to the same locations as the people with the roles
| Management Role | Access Granted by Management Role | Role Type |
|---|---|---|
| UI-Account-Profile-Edit | Grants access to the user interfaces and workflows for viewing basic information about user accounts, as well as the ability to edit profile attributes. | Feature Set: inherits the following Access Levels from the parent Management Role Definition. Pages and controls access: Find Account Page (Viewer for the page); Account View One Page (Viewer for the page, Viewer for the Actions Accordion, Viewer for the Advanced Tab); Account Edit One Page (Viewer for the page). Workflow access: Resource Manager Account Update (Initiator for the workflow). |
| VIS-Accounts-MyLocations | Grants visibility for all user accounts in the same locations as the currently logged in user. | Visibility |
Roles needed to view and initiate editing user account profiles belonging to the same organizations as the people with the roles
| Management Role | Access Granted by Management Role | Role Type |
|---|---|---|
| UI-Account-Profile-Edit | Grants access to the user interfaces and workflows for viewing basic information about user accounts, as well as the ability to edit profile attributes. | Feature Set: inherits the following Access Levels from the parent Management Role Definition. Pages and controls access: Find Account Page (Viewer for the page); Account View One Page (Viewer for the page, Viewer for the Actions Accordion, Viewer for the Advanced Tab); Account Edit One Page (Viewer for the page). Workflow access: Resource Manager Account Update (Initiator for the workflow). |
| VIS-Accounts-MyOrg | Grants visibility for all user accounts in the same organizations as the currently logged in user. | Visibility |
Roles needed to view and initiate editing the profiles of additional types of user accounts
| Management Role | Access Granted by Management Role | Role Type |
|---|---|---|
| UI-Account-Profile-Edit | Grants access to the user interfaces and workflows for viewing basic information about user accounts, as well as the ability to edit profile attributes. | Feature Set: inherits the following Access Levels from the parent Management Role Definition. Pages and controls access: Find Account Page (Viewer for the page); Account View One Page (Viewer for the page, Viewer for the Actions Accordion, Viewer for the Advanced Tab); Account Edit One Page (Viewer for the page). Workflow access: Resource Manager Account Update (Initiator for the workflow). |
| Active Directory User Accounts: in addition to the UI-Account-Membership-Management Management Role, users need the following role to see Active Directory user accounts | | |
| VIS-Accounts-AD | Grants visibility for all Active Directory user accounts. | Visibility |
| AWS User Accounts: in addition to the UI-Account-Membership-Management Management Role, users need the following role to see Amazon Web Services user accounts | | |
| VIS-Accounts-AWS | Grants visibility for all user accounts in any Amazon Web Services account store. | Visibility |
| Linux User Accounts: in addition to the UI-Account-Membership-Management Management Role, users need the following role to see Linux user accounts | | |
| VIS-Accounts-Linux | Grants visibility for all Linux user accounts. | Visibility |
| Local Windows User Accounts: in addition to the UI-Account-Membership-Management Management Role, users need the following role to see Local Windows Server user accounts | | |
| VIS-Accounts-LocalWindows | Grants visibility for all user accounts belonging to Local Windows Server account stores. | Visibility |
| Office 365 User Accounts: in addition to the UI-Account-Membership-Management Management Role, users need the following role to see Office 365 user accounts | | |
| VIS-Accounts-O365 | Grants visibility for all Office 365 / Azure AD user accounts. | Visibility |
| SAP User Accounts: in addition to the UI-Account-Membership-Management Management Role, users need the following role to see SAP user accounts | | |
| VIS-Accounts-SAP | Grants visibility for all SAP user accounts. | Visibility |
Roles needed to view and initiate editing the profile information of all user accounts in any system under the All IT Systems location
| Management Role | Access Granted by Management Role | Role Type |
|---|---|---|
| UI-Account-Profile-Edit | Grants access to the user interfaces and workflows for viewing basic information about user accounts, as well as the ability to edit profile attributes. | Feature Set: inherits the following Access Levels from the parent Management Role Definition. Pages and controls access: Find Account Page (Viewer for the page); Account View One Page (Viewer for the page, Viewer for the Actions Accordion, Viewer for the Advanced Tab); Account Edit One Page (Viewer for the page). Workflow access: Resource Manager Account Update (Initiator for the workflow). |
| VIS-Accounts-All-IT-Systems | Grants visibility for all accounts under All IT Systems. | Visibility |
Roles needed to view and initiate editing the profiles of all user accounts in the system
| Management Role | Access Granted by Management Role | Role Type |
|---|---|---|
| UI-Account-Membership-Management | Grants access to the user interfaces and workflows for viewing basic information about user accounts, as well as for initiating account group membership management workflows. | Feature Set: inherits the following Access Levels from the parent Management Role Definition. Pages and controls access: Find Account Page (Viewer for the page); Account View One Page (Viewer for the page, Viewer for the General Tab, Viewer for the Group Membership Grid, Viewer for the Group Membership Changes Grid, Viewer for the Resultant Membership Grid). Workflow access: Add Accounts to Groups (Initiator for the workflow); Remove Service Principal from Groups (Initiator for the workflow); Update Account Group Membership (Initiator for the workflow). |
| VIS-Accounts-All | Grants visibility for all accounts in any location. | Visibility |
Roles for Managing Group Assignments
To manage group assignments for user accounts, users need combinations of the following roles based on the required scope.
Accounts can only be added to groups that belong to the same domain.
If ACT (Activity) roles are not included, changes to group membership route for approval to someone authorized to approve the request.
Roles needed by people to manage the group assignments of user accounts and groups in their locations (without requiring approval)
| Management Role | Access Granted by Management Role | Role Type |
|---|---|---|
| Account Roles Needed | | |
| UI-Account-Membership-Management | Grants access to the user interfaces and workflows for viewing basic information about user accounts, as well as for initiating account group membership management workflows. | Feature Set |
| VIS-Accounts-MyLocations | Grants visibility for all user accounts in the same locations as the currently logged in user. | Visibility |
| ACT-Account-Membership-Management-MyLocations | Grants access to manage membership for user accounts belonging to the same locations as the currently logged in user. If this role is not included, the change to group membership routes for approval to someone who can approve the request. | Activity |
| Group Roles Needed | | |
| UI-Group-Membership-Management | Grants people access to the user interfaces and workflows for viewing basic information about groups, as well as for initiating group membership management workflows. | Feature Set |
| VIS-Groups-Distribution-MyLocation | Grants visibility for all distribution groups belonging to the same locations as the currently logged in user. | Visibility |
| ACT-Group-Membership-Management-Distribution-MyLocations | Grants access to manage membership for distribution groups belonging to the same locations as the currently logged in user. | Activity |
| VIS-Groups-Generic-MyLocation | Grants visibility for all generic groups belonging to the same locations as the currently logged in user. | Visibility |
| ACT-Group-Membership-Management-Generic-MyLocations | Grants access to manage membership for generic groups belonging to the same locations as the currently logged in user. | Activity |
| VIS-Groups-Security-MyLocations | Grants visibility for all security groups belonging to the same locations as the currently logged in user. | Visibility |
| ACT-Group-Membership-Management-Security-MyLocations | Grants access to manage membership for security groups belonging to the same locations as the currently logged in user. | Activity |
Use EmpowerID's role search functionality to locate appropriate Management Roles for your organization's specific structure and requirements.
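As an added illustration (not EmpowerID's own code or API), the following Python sketch models how the UI, VIS and ACT roles in the tables above combine for one group membership change: a missing UI or VIS role means the request cannot be started or the object cannot be seen, a cross-domain add is refused, and a missing ACT role routes the change for approval instead of applying it. The Principal, Account and Group types, the location and domain values, and the sample operator are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Principal:      # logged-in user: home locations plus assigned Management Roles
    locations: frozenset
    roles: frozenset
@dataclass(frozen=True)
class Account:
    location: str
    domain: str
@dataclass(frozen=True)
class Group:
    location: str
    domain: str
    kind: str         # "Distribution", "Generic" or "Security", as in the tables

# Group visibility roles spelled exactly as the tables list them.
VIS_GROUP_MY = {"Distribution": "VIS-Groups-Distribution-MyLocation",
                "Generic": "VIS-Groups-Generic-MyLocation",
                "Security": "VIS-Groups-Security-MyLocations"}

def visible(p, obj, vis_all, vis_my):
    # VIS roles decide whether obj can be seen: everywhere, or only in the user's locations.
    return vis_all in p.roles or (vis_my in p.roles and obj.location in p.locations)

def add_account_to_group(p, acct, grp):
    """Outcome of adding acct to grp: 'denied', 'approval' or 'allowed'."""
    # UI roles open the pages and workflows; without both, nothing can be started.
    if not {"UI-Account-Membership-Management", "UI-Group-Membership-Management"} <= p.roles:
        return "denied"
    # VIS roles scope what is visible; account and group must both be in scope.
    if not visible(p, acct, "VIS-Accounts-All", "VIS-Accounts-MyLocations"):
        return "denied"
    if not visible(p, grp, "VIS-Groups-All", VIS_GROUP_MY[grp.kind]):
        return "denied"
    if acct.domain != grp.domain:   # accounts only join groups in the same domain
        return "denied"
    # ACT roles for the user's own locations apply the change directly; otherwise it routes for approval.
    act = {"ACT-Account-Membership-Management-MyLocations",
           f"ACT-Group-Membership-Management-{grp.kind}-MyLocations"}
    in_scope = acct.location in p.locations and grp.location in p.locations
    return "allowed" if act <= p.roles and in_scope else "approval"

# Constructed sample: a help-desk operator in Paris who lacks the group-side ACT role.
OPERATOR = Principal(frozenset({"Paris"}), frozenset({
    "UI-Account-Membership-Management", "UI-Group-Membership-Management",
    "VIS-Accounts-MyLocations", "VIS-Groups-Security-MyLocations",
    "ACT-Account-Membership-Management-MyLocations"}))
PARIS_USER = Account("Paris", "corp.example")
PARIS_ADMINS = Group("Paris", "corp.example", "Security")
```

Calling `add_account_to_group(OPERATOR, PARIS_USER, PARIS_ADMINS)` returns `"approval"`; adding `ACT-Group-Membership-Management-Security-MyLocations` to the operator's roles turns that into `"allowed"`.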
Roles for Creating, Updating, and Deleting Accounts
To create, update, and delete user accounts in EmpowerID, users need combinations of the following roles based on the required scope.
Roles needed by people to create, update and delete user accounts in their locations
| Management Role | Access Granted by Management Role | Role Type |
|---|---|---|
| UI-Account-Object-Administration | Grants access to the user interfaces and workflows for creating, updating and deleting user accounts. | Feature Set |
| VIS-Accounts-MyLocations | Grants visibility for all accounts in the same locations as the currently logged in user. | Visibility |
| ACT-Account-Object-Administration-MyLocations | Grants access to create, edit and delete all accounts in the same location as the currently logged in user. | Activity |
Roles needed to create, update and delete accounts in any system
| Management Role | Access Granted by Management Role | Role Type |
|---|---|---|
| UI-Account-Object-Administration | Grants access to the user interfaces and workflows for creating, updating and deleting user accounts. | Feature Set |
| VIS-Accounts-All | Grants visibility for all accounts. | Visibility |
| ACT-Account-Object-Administration-All | Grants access to create, edit and delete all accounts. | Activity |
Roles for Creating, Updating, and Deleting Groups
To create, update, and delete groups in EmpowerID, users need combinations of the following roles based on the required scope.
Roles needed by people to create, update and delete groups in their locations
| Management Role | Access Granted by Management Role | Role Type |
|---|---|---|
| UI-Group-Object-Administration | Grants access to the user interfaces and workflows for creating, updating and deleting groups. | Feature Set |
| VIS-Groups-Distribution-MyLocation | Grants visibility for distribution groups in the same locations as the currently logged in user. | Visibility |
| VIS-Groups-Generic-MyLocation | Grants visibility for generic groups in the same locations as the currently logged in user. | Visibility |
| VIS-Groups-Security-MyLocation | Grants visibility for security groups in the same locations as the currently logged in user. | Visibility |
| ACT-Group-Object-Administration-MyLocations | Grants access to create, edit and delete groups in the same location as the currently logged in user. | Activity |
Roles needed to create, update and delete groups in any system
| Management Role | Access Granted by Management Role | Role Type |
|---|---|---|
| UI-Group-Object-Administration | Grants access to the user interfaces and workflows for creating, updating and deleting groups. | Feature Set |
| VIS-Groups-All | Grants visibility for all groups. | Visibility |
| ACT-Group-Object-Administration-All | Grants access to create, edit and delete all groups anywhere. | Activity |
Complete role details, including workflow access, page controls, and web service access, are available in the full definition of each Management Role. Additional system-specific visibility roles (Active Directory, AWS, Linux, Office 365, SAP) are listed in the section on additional types of user accounts above.
Related Topics
- Understanding EmpowerID Management Roles
- Role-Based Access Control (RBAC) in EmpowerID
- Delegated Administration Best Practices