Access Needed to Manage Groups
EmpowerID controls access to group management operations through Management Roles. To work with groups, users must be assigned the appropriate roles based on the operations they need to perform and the scope of their responsibilities.
Management Role Prefixes
Management Roles in EmpowerID use prefixes that indicate their function:
- UI – Grants access to specific user interface elements and workflows
- VIS – Grants visibility to specific objects in EmpowerID
- ACT – Grants the ability to manage specific objects
Group Management Scope
Group management roles are scoped in different ways to align with organizational delegation models:
- MyLocations – Manage groups in the same locations as the user
- MyOrg – Manage groups in the same organizations as the user
- System-specific – Manage groups in specific systems (AD, Azure, AWS, etc.)
- All – Manage groups across all systems and locations
If a user has UI and VIS roles but not ACT roles for a specific operation, the requested change will route for approval to someone with the necessary ACT role.
Roles for Managing Group Memberships in Your Locations
These roles allow users to add and remove members from groups in their locations without requiring approval.
Account-Related Roles
| Management Role | Access Granted | Role Type |
|---|---|---|
| UI-Account-Membership-Management | Access to user interfaces and workflows for viewing accounts and managing account group memberships | Feature Set (UI) |
| VIS-Accounts-MyLocations | Visibility for all user accounts in the same locations as the user | Visibility (VIS) |
| ACT-Account-Membership-Management-MyLocations | Manage membership for user accounts in the same locations as the user | Activity (ACT) |
Group-Related Roles (by Group Type)
Accounts can only be added to groups that belong to the same domain.
| Management Role | Access Granted | Role Type |
|---|---|---|
| UI-Group-Membership-Management | Access to user interfaces and workflows for viewing groups and managing group memberships | Feature Set (UI) |
| Distribution Groups | | |
| VIS-Groups-Distribution-MyLocation | Visibility for all distribution groups in the same locations as the user | Visibility (VIS) |
| ACT-Group-Membership-Management-Distribution-MyLocations | Manage membership for distribution groups in the same locations as the user | Activity (ACT) |
| Generic Groups | | |
| VIS-Groups-Generic-MyLocation | Visibility for all generic groups in the same locations as the user | Visibility (VIS) |
| ACT-Group-Membership-Management-Generic-MyLocations | Manage membership for generic groups in the same locations as the user | Activity (ACT) |
| Security Groups | | |
| VIS-Groups-Security-MyLocations | Visibility for all security groups in the same locations as the user | Visibility (VIS) |
| ACT-Group-Membership-Management-Security-MyLocations | Manage membership for security groups in the same locations as the user | Activity (ACT) |
Roles for Managing Group Memberships in Your Organization
These roles allow users to add and remove members from groups in their organizations without requiring approval.
| Management Role | Access Granted | Role Type |
|---|---|---|
| UI-Account-Membership-Management | Access to user interfaces and workflows for managing account group memberships | Feature Set (UI) |
| VIS-Accounts-MyOrg | Visibility for all user accounts in the same organizations as the user | Visibility (VIS) |
| ACT-Account-Membership-Management-MyOrg | Manage membership for user accounts in the same organizations as the user | Activity (ACT) |
| UI-Group-Membership-Management | Access to user interfaces and workflows for managing group memberships | Feature Set (UI) |
| Distribution Groups | | |
| VIS-Groups-Distribution-MyOrg | Visibility for distribution groups in the same organizations as the user | Visibility (VIS) |
| ACT-Group-Membership-Management-Distribution-MyOrg | Manage membership for distribution groups in the same organizations as the user | Activity (ACT) |
| Generic Groups | | |
| VIS-Groups-Generic-MyOrg | Visibility for generic groups in the same organizations as the user | Visibility (VIS) |
| ACT-Group-Membership-Management-Generic-MyOrg | Manage membership for generic groups in the same organizations as the user | Activity (ACT) |
| Security Groups | | |
| VIS-Groups-Security-MyOrg | Visibility for security groups in the same organizations as the user | Visibility (VIS) |
| ACT-Group-Membership-Management-Security-MyOrg | Manage membership for security groups in the same organizations as the user | Activity (ACT) |
Roles for Creating, Updating, and Deleting Groups in Your Organization
These roles allow users to create, modify, and delete groups in their organizations.
| Management Role | Access Granted | Role Type |
|---|---|---|
| UI-Group-Object-Administration | Access to user interfaces and workflows for creating, updating, and deleting groups | Feature Set (UI) |
| VIS-Groups-Distribution-MyOrg | Visibility for distribution groups in the same organizations as the user | Visibility (VIS) |
| VIS-Groups-Generic-MyOrg | Visibility for generic groups in the same organizations as the user | Visibility (VIS) |
| VIS-Groups-Security-MyOrg | Visibility for security groups in the same organizations as the user | Visibility (VIS) |
| ACT-Group-Object-Administration-MyOrg | Create, edit, and delete groups in the same organizations as the user | Activity (ACT) |
Roles for Managing Groups in Specific Systems
In addition to the UI-Group-Object-Administration role, users need system-specific visibility and activity roles:
Active Directory Groups
| Management Role | Access Granted | Role Type |
|---|---|---|
| VIS-Groups-All-AD | Visibility for all Active Directory groups | Visibility (VIS) |
| ACT-Group-Object-Administration-AD | Create, edit, and delete all Active Directory groups | Activity (ACT) |
Azure Groups
| Management Role | Access Granted | Role Type |
|---|---|---|
| VIS-Groups-All-Azure | Visibility for all Azure groups | Visibility (VIS) |
| ACT-Group-Object-Administration-All | Create, edit, and delete all groups, including groups in Azure | Activity (ACT) |
AWS Groups
| Management Role | Access Granted | Role Type |
|---|---|---|
| VIS-Groups-All-AWS | Visibility for all AWS groups | Visibility (VIS) |
| ACT-Group-Object-Administration-AWS | Create, edit, and delete all AWS groups | Activity (ACT) |
Office 365 Groups
| Management Role | Access Granted | Role Type |
|---|---|---|
| VIS-Accounts-O365 | Visibility for all Office 365 groups | Visibility (VIS) |
| ACT-Account-Object-Administration-O365 | Create, edit, and delete accounts in Office 365 | Activity (ACT) |
SAP Groups
| Management Role | Access Granted | Role Type |
|---|---|---|
| VIS-Groups-SAP | Visibility for all SAP roles and profiles | Visibility (VIS) |
| ACT-Group-Object-Administration-All | Create, edit, and delete all groups, including those in SAP | Activity (ACT) |
Groups Under All IT Systems
| Management Role | Access Granted | Role Type |
|---|---|---|
| VIS-Groups-All-IT-Systems | Visibility for all groups under the All IT Systems location | Visibility (VIS) |
| ACT-Group-Object-Administration-All | Create, edit, and delete all groups, including those under All IT Systems | Activity (ACT) |
Roles for Managing Groups Across All Systems
These roles grant broad access to manage groups across all systems and locations.
| Management Role | Access Granted | Role Type |
|---|---|---|
| UI-Group-Object-Administration | Access to user interfaces and workflows for creating, updating, and deleting groups | Feature Set (UI) |
| VIS-Groups-All | Visibility for all groups | Visibility (VIS) |
| ACT-Group-Object-Administration-All | Create, edit, and delete all groups anywhere | Activity (ACT) |
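The following added example (not EmpowerID code) models the rule stated under Group Management Scope: a user with the UI and VIS roles for an operation but without the ACT role has changes routed for approval. It also lists ACT roles with the All scope for access reviews. The role names come from the tables on this page; the operation labels, user names, and assignments are constructed, and the script matches role names exactly rather than modeling how EmpowerID evaluates overlapping scopes.

```python
# Added example. Role names are from this page's tables; operation labels,
# users and assignments are constructed sample data.
REQUIRED = {  # operation -> (UI, VIS, ACT) role set as listed in the tables
    "security-membership/MyLocations": (
        "UI-Group-Membership-Management",
        "VIS-Groups-Security-MyLocations",
        "ACT-Group-Membership-Management-Security-MyLocations"),
    "group-administration/AD": (
        "UI-Group-Object-Administration",
        "VIS-Groups-All-AD",
        "ACT-Group-Object-Administration-AD"),
    "group-administration/All": (
        "UI-Group-Object-Administration",
        "VIS-Groups-All",
        "ACT-Group-Object-Administration-All"),
}

def outcome(roles, operation):
    """Return 'direct', 'routes-for-approval', or None when UI or VIS is
    missing (a case this page does not describe). Exact name match only."""
    ui, vis, act = REQUIRED[operation]
    if ui not in roles or vis not in roles:
        return None
    return "direct" if act in roles else "routes-for-approval"

def review(assignments):
    report = {}
    for user, roles in assignments.items():
        outcomes = {op: outcome(roles, op) for op in REQUIRED}
        report[user] = {
            # keep only operations the user's role set actually reaches
            "outcomes": {op: o for op, o in outcomes.items() if o},
            # widest-scope activity roles, worth a second look in a review
            "broad_act": sorted(r for r in roles
                                if r.startswith("ACT-") and r.endswith("-All")),
        }
    return report

SAMPLE = {  # constructed assignments
    "helpdesk": {"UI-Group-Membership-Management", "VIS-Groups-Security-MyLocations"},
    "site-admin": {"UI-Group-Membership-Management", "VIS-Groups-Security-MyLocations",
                   "ACT-Group-Membership-Management-Security-MyLocations"},
    "platform-admin": {"UI-Group-Object-Administration", "VIS-Groups-All",
                       "ACT-Group-Object-Administration-All"},
}

if __name__ == "__main__":
    for user, row in review(SAMPLE).items():
        print(user, row)
```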
Related Topics
- About the View One Group Page – Navigate group management interfaces
- Add Groups to Groups – Nest groups for inherited permissions
- Role-Based Group Memberships – Configure dynamic membership assignments