Creating Access Levels

Access Levels are bundles of EmpowerID Operations and/or native system rights specific to resource types, such as Exchange mailboxes or user accounts, that, when assigned to users, give those users the ability to access IT resources in the manner specified by the Access Level. Each resource type has its own set of Access Levels, defined with different combinations of EmpowerID Operations and rights (where applicable), to ensure that the level of access to the resources remains consistent for the type and the assignment. The actions an Access Level permits can range from simply viewing a resource in an EmpowerID user interface to provisioning and deprovisioning resources in native systems. The extent of the access is determined by the configuration of the Access Levels and the scope of the assignment.

EmpowerID provides a large library of preconfigured Access Levels for most common resource types and delegation scenarios. You can use these out of the box or create your own.

To create Access Levels

  1. From the Navigation Sidebar, navigate to the Access Level management page by expanding Admin > RBAC and clicking Access Levels.
  2. From the Access Level management page, click the Actions tab and then click Create Access Level.
     Note: In the below image the Navigation Sidebar has been collapsed to conserve screen real estate.

  3. In the Access Level Details form that appears, do the following:
    1. Type a name, display name, and description for the access level in the Name, Display Name and Description fields, respectively.
    2. Tick Enforced if you are creating the Access Level for a resource type that exists in an inventoried resource system with its own permissions management model, such as Exchange, and you want EmpowerID to enforce any native rights you are granting with the Access Level.
    3. Tick Is Default Role if the Access Level is the default for the resource type.
    4. Type a numeric value (from 1 to 100) in the Risk Factor field. This number is a user-defined value that can help you identify the potential security ramifications associated with the Access Level, based upon the volume and/or nature of operations and/or native system rights associated with it. The higher the number, the higher the risk.
    5. Select the resource type for which you are creating the Access Level from the Resource Type field. This specifies that the Access Level Definition will only apply to the selected resource type.
    6. Tick Allow Access Assignments if you want users to be able to request the Access Level.
    7. Tick Hide In UI if you do not want users to be able to see the Access Level in EmpowerID.
    8. Click Save.

Once an Access Level Definition has been created, it needs to have EmpowerID Operations and/or native system rights added to it before it can be used to delegate resources to users. This is demonstrated in the Adding Operations to Access Level Definitions and the Adding Rights to Access Level Definitions topics.