Skip to main content

Removing App Right Assignments

Removing app right assignments ensures users do not retain permissions beyond what their roles require. This supports least privilege enforcement, strengthens security, and maintains clean audit trails.

This article demonstrates how to remove app right assignments from users or groups in EmpowerID.

Prerequisites

Before removing app right assignments, ensure you have:

  • Access to Resource Admin with the Application RBAC Owner Management Role (or higher)
  • An existing PBAC application with app right assignments to remove

Procedure

  1. In Resource Admin, search for the PBAC application containing the assignment you want to remove.

  2. Click the Details button for the application record.

    • Applications list with Details button:
      image-20240207-171518.png

    • Application Overview page:
      image-20240207-171610.png

  3. Expand PBAC Assignments from the left navigation pane and select App Rights Assignments.

  4. Search for the assignment you want to remove.

  5. Click the Delete button on the assignment record.

    • Assignment deletion action:
      image-20240212-182756.png

  6. Confirm the deletion in the confirmation prompt.

    • Confirmation dialog:
      image-20240212-182629.png

Verify the Results

After removing the assignment:

  1. Re-run the search in the App Rights Assignments grid to confirm the assignment no longer appears.
  2. (Optional) Verify the removal in audit logs:

    • Open the EmpowerID Web App.

    • Navigate to System Logs > Audit Logs.

    • In the search field, enter Remove [Assignee Name] (replace with the actual assignee name).

    • Review audit log entries confirming:

      • The object from which the right was removed
      • The app right name
      • The associated application

    • Audit log entries confirming removal:
      image-20240212-185155.png

Security Note

Only users with the Application RBAC Owner Management Role can remove app right assignments. All removals are logged for audit purposes. Deleting an assignment immediately revokes user access—ensure proper authorization before removal.

Next Steps

After removing app right assignments, verify that users no longer have access to the application resources associated with the removed right.