Default Access Levels Definitions

EmpowerID ships with the following default Access Level Definitions for each Resource Type. Each Access Level Definition is defined by EmpowerID Operations and/or native system rights, with many of the operations, such as the RBAC operations generated for the Administrator and EmpowerID Administrator Access Level Definitions, being similar for each Resource Type. RBAC operations give the person assigned the operation the ability to grant or remove a particular Access Level for the Resource Type to or from another EmpowerID Actor (Account, Group, Set Group, Person, and Business Role and Location) as long as the person with the operation has that operation allowed for the EmpowerID Actor in question as well. This is because the operation is a dual operation; it is being performed against two different types of resources. For example, if "Vivian" is an Administrator for a Computer object, she has the AddPersonToUse operation allowed for that Computer object, meaning she can assign the Use Access Level for that computer to another EmpowerID Person. However, in order for Vivian to complete the assignment, she must also have the AddPersonToUse operation allowed for the EmpowerID Person receiving the assignment. If she only has the operation allowed for the computer, but not for the person, the assignment will be routed for approval to someone with the operation allowed for both Resource Types. This is true for all such RBAC operation assignments.

For the RBAC operations listed below, we have inserted <%Actor%> as a placeholder for each of the EmpowerID Actor types (Account, Group, Set Group, Person, and Business Role and Location) and <%ResourceRole%> as a placeholder for each Access Level specific to an Access Level Definition. When viewing these types of operations, substitute <%Actor%> with the appropriate EmpowerID Actor type and <%ResourceRole%> with the Access Level for the Resource Type. For example, the Add<%Actor%>To<%ResourceRole%> operation can be parsed out as AddAccountToUse, AddGroupToUse, AddSetGroupToUse, AddPersonToUse, and AddOrgRoleOrgZoneToUse. The only exception to this rule concerns the Set Group, which is generally allowed only for the EmpowerID Administrator Access Level Definitions in the default setup.

Additionally, to avoid repetition, Access Level Definitions common to all Resource Types, such as the Use and Access Level Assigner Access Level Definitions, have been listed under the Common Access Level Definitions heading below and are not repeated for each Resource Type. Where these differ, the definitions are listed under that Resource Type.
To view the Access Level Definitions with their respective Access Levels and operations, go to the Access Level Definitions node under RBAC Definitions in Configuration Manager.

Common Access Level Definitions

The Administrator and EmpowerID Administrator Access Level Definitions have many operations in common for each Resource Type. The main difference between the two is that the EmpowerID Administrator has all operations allowed for the Resource Type while the Administrator has most, but not all.

The number of default Access Levels for each Resource Type varies from type to type. For example, the EmpowerID Access Request Catalog Item has four Access Levels while the SharePoint Document has 12. You can view these in Configuration Manager as shown by the image above.
  • Administrator and EmpowerID Administrator
    • Add<%Actor%>To<%ResourceRole%> - This is an RBAC Assignment operation that grants the actor assigned the operation the ability to add the specific Access Level for the Resource Type resource object to the EmpowerID Actor type in question.
    • AddOperationToResourceTypeRole<%ResourceType%> - This operation grants the actor assigned the operation the ability to add operations to Access Levels for the Resource Type resource object.
    • AddTo<%ResourceRole%> - This is an RBAC Assignment operation that grants the actor assigned the operation the ability to grant the specific Access Level for the Resource Type resource object to any EmpowerID Actor type.
    • AddTo<%ResourceRole%>InLocation - This is an RBAC Assignment operation that grants the actor assigned the operation the ability to grant the specific Access Level to any EmpowerID Actor for Resource Type resource objects scoped by location.
    • AddTo<%ResourceRole%>InRelativeResource - This is an RBAC Assignment operation that grants the actor assigned the operation the ability to grant the specific Access Level to any EmpowerID Actor for resources relative to that actor, such as all resource objects in or below their location.
    • AssignResourceOrgZone - This operation grants the actor assigned the operation the ability to assign Resource Type resource objects to a location.
    • CreateResourceTypeRole<%ResourceType%> - This operation grants the actor assigned the operation the ability to create a Resource Type Role for the Resource Type.
    • Delete - This operation grants the actor assigned the operation the ability to delete a resource from a Resource Type, such as a specific Business Role from the EmpowerID Business Role Resource Type.
    • DeleteResourceTypeRole<%ResourceType%> - This operation grants the actor assigned the operation the ability to delete a Resource Type Role for the Resource Type.
    • EditResourceTypeRole<%ResourceType%> - This operation grants the actor assigned the operation the ability to edit a Resource Type Role for the Resource Type.
    • Use - This operation grants the actor assigned the operation the ability to view the Resource Type resource object in EmpowerID.
    • ManageAnyResourceRole - This operation grants the actor assigned the operation the ability to assign or unassign any EmpowerID Access Levels for the Resource Type resource object. This operation is needed to grant or revoke direct assignments of Access Levels, such as the Use Access Level, for a particular resource object (for example, a specific group) to users.
    • ManageAnyResourceRoleAssignmentByLocation - This operation grants the actor assigned the operation the ability to assign Access Levels by location for the Resource Type resource object. This operation is needed to grant or revoke assignments of Access Levels, such as the Use Access Level, to another EmpowerID Actor type for resource objects by location. The actor needs to have this operation allowed at or above the location for which they are making a by-location Access Level assignment; otherwise the operation will route for approval. By-location operations, such as this one, affect all objects in or below the location for which the operation is allowed. For example, if you grant this operation to an actor for the Security Group Resource Type, that actor has the ability to grant any Access Level for all security groups in or below the location for which the operation is allowed. Thus, if you have 12 groups in a location named "Switzerland" and 12 groups in a location named "United Kingdom," and you grant this operation for groups in Switzerland, but not for groups in United Kingdom, to a user named "Bob," then Bob can in turn grant the Use Access Level (or the Editor Access Level or any other Access Level that may exist for groups) to any other EmpowerID Actor type at the Switzerland location or at any child locations of the Switzerland location, such as Zurich. A by-location assignment at Switzerland would grant the Access Level for all 12 groups in Switzerland simultaneously, including any groups in locations below Switzerland. Bob, however, would not be able to grant any Access Level assignments for groups in the United Kingdom because he does not have the operation allowed for the United Kingdom location. If Bob attempts to make such an assignment, the operation will route for approval.
    • RevokeResourceOrgZone - This operation grants the actor assigned the operation the ability to remove Resource Type resource objects from a location.
    • Remove<%Actor%>From<%ResourceRole%> - This is an RBAC Assignment operation that grants the actor assigned the operation the ability to remove the specific Access Level for the Resource Type resource object from the EmpowerID Actor type in question.
    • RemoveFrom<%ResourceRole%> - This is an RBAC Assignment operation that grants the actor assigned the operation the ability to remove the specific Access Level for the Resource Type resource object from any EmpowerID Actor type.
    • RemoveFrom<%ResourceRole%>InLocation - This is an RBAC Assignment operation that grants the actor assigned the operation the ability to remove the specific Access Level from any EmpowerID Actor type for Resource Type resource objects scoped by location.
    • RemoveFrom<%ResourceRole%>InRelativeResource - This is an RBAC Assignment operation that grants the actor assigned the operation the ability to remove the specific Access Level from any EmpowerID Actor type for Resource Type resource objects relative to that actor, such as all resource objects in or below their location.
  • Use

    This Access Level Definition allows the actor assigned the Access Level to see resource objects in EmpowerID and has the following operations set to allowed for all Resource Types.

    • Use - This operation grants the actor assigned the operation the ability to view a Resource Type resource object in EmpowerID.
  • Access Level Assigner

    This Access Level Definition allows the actor assigned the Access Level to assign or unassign any Access Levels for Resource Types in EmpowerID and has the following operations set to allowed for most Resource Types.

    • Use - This operation grants the actor assigned the operation the ability to view a Resource Type resource object in EmpowerID.
    • ManageAnyResourceRole - This operation grants the actor assigned the operation the ability to assign or unassign any EmpowerID Access Levels for the Resource Type resource object, such as the Use Access Level for a specific computer object, to any other EmpowerID Actor type. This operation is needed to grant or revoke direct assignments of Access Levels for a particular resource object to users.
    • ManageAnyResourceRoleAssignmentByLocation - This operation grants the actor assigned the operation the ability to assign Access Levels by location for the Resource Type resource object. This operation is needed to grant or revoke assignments of Access Levels, such as the Use Access Level, to another EmpowerID Actor type for resource objects by location. The actor needs to have this operation allowed at or above the location for which they are making a by-location Access Level assignment; otherwise the operation will route for approval. By-location operations affect all objects in or below the location for which the operation is allowed, so an actor allowed this operation for groups at a location such as "Switzerland" can grant any Access Level for every group in Switzerland and in its child locations (such as Zurich), but not for groups in an unrelated location such as "United Kingdom." See the description of this operation under Administrator and EmpowerID Administrator above for the full worked example.
  • Management Role Assigner

    The Management Role Assigner Access Level Definition gives the actor assigned the Access Level the ability to add or remove other EmpowerID Actors to and from a Management Role and has the following operations allowed for applicable Resource Types (EmpowerID Business Role, EmpowerID Location, EmpowerID Management Role, EmpowerID Management Role Definition, EmpowerID Person, and Group).

    • AddToManagementRole - This is an RBAC Assignment operation that grants the actor assigned the operation the ability to add another EmpowerID Actor type to a Management Role as an actor, giving them the ability to add Access Levels to the Management Role. To complete this assignment, the actor making the assignment must also have the AddToManagementRole operation allowed for the Management Role in question.
    • Use - This operation grants the actor assigned the operation the ability to view the Resource Type resource object (for example, a location or a Management Role) in EmpowerID.
    • RemoveFromManagementRole - This is an RBAC Assignment operation that grants the actor assigned the operation the ability to remove another EmpowerID Actor type from a Management Role as an actor, removing their ability to add Access Levels to the Management Role. To complete this assignment, the actor making the assignment must also have the RemoveFromManagementRole operation allowed for the Management Role in question.
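The two rules this section relies on, namely that an RBAC assignment operation is a dual operation that must be allowed for both the resource and the receiving actor (introduction above), and that a by-location grant covers the location where it is allowed and every child location (ManageAnyResourceRoleAssignmentByLocation above), are easy to get wrong when reasoning about who can grant what. The following is an added toy model written for this page, not EmpowerID code and not its API; the object, person and location names (Vivian, Bob, FS01, Switzerland, Zurich, United Kingdom, London) are constructed sample data, and the placeholder expansion at the top mirrors the <%Actor%> convention described in the introduction.

```python
"""Toy model of the EmpowerID-style assignment checks described on this page.

Added illustration only: not EmpowerID code and not its API. All names used
in build_sample_policy() are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass

# The EmpowerID Actor types, in the form they take inside operation names.
ACTOR_TYPES = ("Account", "Group", "SetGroup", "Person", "OrgRoleOrgZone")


def expand_rbac_operations(template: str, access_level: str) -> list[str]:
    """Expand a placeholder such as Add<%Actor%>To<%ResourceRole%> into one
    concrete operation name per Actor type, e.g. AddPersonToUse."""
    return [
        template.replace("<%Actor%>", actor).replace("<%ResourceRole%>", access_level)
        for actor in ACTOR_TYPES
    ]


@dataclass(frozen=True)
class Obj:
    """Any object in the model: a resource (Computer, Group, ...) or an actor
    such as a Person. Every object sits in exactly one location."""
    name: str
    rtype: str      # Resource Type
    location: str


class Policy:
    """Records which operations are allowed to whom, directly or by location."""

    def __init__(self, parent_of: dict[str, str]):
        self.parent_of = parent_of  # child location -> parent location
        self.direct: set[tuple[str, str, str]] = set()            # (actor, op, object name)
        self.by_location: set[tuple[str, str, str, str]] = set()  # (actor, op, rtype, location)

    def allow_direct(self, actor: str, op: str, obj: Obj) -> None:
        self.direct.add((actor, op, obj.name))

    def allow_in_location(self, actor: str, op: str, rtype: str, location: str) -> None:
        self.by_location.add((actor, op, rtype, location))

    def in_or_below(self, location: str | None, ancestor: str) -> bool:
        """True if `location` is `ancestor` itself or one of its descendants."""
        while location is not None:
            if location == ancestor:
                return True
            location = self.parent_of.get(location)
        return False

    def allows(self, actor: str, op: str, obj: Obj) -> bool:
        """A direct grant on the object, or a by-location grant for the object's
        Resource Type at or above the object's location, allows the operation."""
        if (actor, op, obj.name) in self.direct:
            return True
        return any(
            a == actor and o == op and rt == obj.rtype and self.in_or_below(obj.location, loc)
            for (a, o, rt, loc) in self.by_location
        )


def assignment_decision(policy: Policy, requester: str, op: str, resource: Obj, target: Obj) -> str:
    """RBAC assignment operations are dual: the requester needs `op` allowed
    for the resource AND for the actor receiving the Access Level. Anything
    less routes the request for approval rather than denying it outright."""
    if policy.allows(requester, op, resource) and policy.allows(requester, op, target):
        return "allowed"
    return "route_for_approval"


def build_sample_policy() -> Policy:
    """Constructed sample data mirroring the Vivian and Bob examples above."""
    policy = Policy({"Zurich": "Switzerland", "London": "United Kingdom"})
    # Vivian is Administrator on one computer, so she has AddPersonToUse for it only.
    policy.allow_direct("Vivian", "AddPersonToUse", Obj("FS01", "Computer", "Zurich"))
    # Bob may manage Access Level assignments for groups in Switzerland and below.
    policy.allow_in_location("Bob", "ManageAnyResourceRoleAssignmentByLocation", "Group", "Switzerland")
    return policy


if __name__ == "__main__":
    p = build_sample_policy()
    fs01, alice = Obj("FS01", "Computer", "Zurich"), Obj("Alice", "Person", "Zurich")
    print(assignment_decision(p, "Vivian", "AddPersonToUse", fs01, alice))  # routes for approval
    p.allow_direct("Vivian", "AddPersonToUse", alice)
    print(assignment_decision(p, "Vivian", "AddPersonToUse", fs01, alice))  # allowed
```

The model deliberately returns "route_for_approval" rather than a denial when either half of the dual check fails, because that is the behaviour the page describes; a real deployment would then look for an approver who holds the operation for both Resource Types.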

Asset Catalog Item

  • Administrator and EmpowerID Administrator

    In addition to the operations common to all Administrator and EmpowerID Administrator Access Level Definitions mentioned above, the Administrator and EmpowerID Administrator Access Level Definitions both have the following operations allowed for the Asset Catalog Item Resource Type.

    • Request - This operation grants the actor assigned the operation the ability to request an Asset Catalog Item.
    • UnassignFromAdministrator - This is an RBAC Assignment operation that grants the actor assigned the operation the ability to remove the Administrator Access Level for an Asset Catalog Item from any EmpowerID Actor type.
  • Requestor

    This Access Level Definition allows the actor assigned the Access Level to request Asset Catalog Items in EmpowerID and has the following operations set to allowed.

    • Use - This operation grants the actor assigned the operation the ability to view an Asset Catalog Item in EmpowerID.
    • Request - This operation grants the actor assigned the operation the ability to request an Asset Catalog Item.

Attestation Policy

  • EmpowerID Administrator

    In addition to the operations common to all EmpowerID Administrator Access Level Definitions mentioned above, the EmpowerID Administrator Access Level Definition has the following operations allowed for the EmpowerID Attestation Policy Resource Type.

    • Provision - This operation grants the actor assigned the operation the ability to provision an Attestation Policy object.
    • Delete - This operation grants the actor assigned the operation the ability to delete an Attestation Policy object.
    • Edit - This operation grants the actor assigned the operation the ability to edit an Attestation Policy object.
    • Review - This operation grants the actor assigned the operation the ability to review an Attestation Policy.
  • ReUse

    This Access Level Definition gives the actor assigned the Access Level the ability to review attestation tasks and perform access certification and has the following operations set to allowed.

    • Use - This operation grants the actor assigned the operation the ability to view an Attestation Policy object in EmpowerID.
    • Review - This operation grants the actor assigned the operation the ability to review an Attestation Policy.

Business Role

  • Administrator and EmpowerID Administrator

    In addition to most of the operations common to all Administrator and EmpowerID Administrator Access Level Definitions, the Administrator and EmpowerID Administrator Access Level Definitions both have the following operations allowed for the EmpowerID Business Role Resource Type.

    • AssignGroupOrgRoleOrgZone - This operation grants the actor assigned the operation the ability to assign a group to a Business Role and Location.
    • AssignOrgRoleOrgZone - This operation grants the actor assigned the operation the ability to assign a person to a Business Role and Location as a secondary Business Role and Location.
    • AssignPersonOrgRoleOrgZone - This operation grants the actor assigned the operation the ability to assign a person to a Business Role and Location.
    • Insert - This operation grants the actor assigned the operation the ability to create a Business Role.
    • Move Business Role - This operation grants the actor assigned the operation the ability to move the Business Role from one location to another.
    • RemoveGroupOrgRoleOrgZone - This operation grants the actor assigned the operation the ability to remove a group from a Business Role and Location.
    • RemovePersonOrgRoleOrgZone - This operation grants the actor assigned the operation the ability to unassign a person from a secondary Business Role and Location.
    • Set Person Primary Business Role and Location - This operation grants the actor the ability to assign the primary Business Role and Location for a person.
    • Update - This operation grants the actor assigned the operation the ability to edit a Business Role.
  • EmpowerID Administrator

    In addition to the operations common to all EmpowerID Administrator Access Level Definitions and those shared with the Administrator Access Level Definition mentioned directly above, the EmpowerID Administrator Access Level Definition has the following operations allowed for the EmpowerID Business Role Resource Type.

    • AddToManagementRole - This is an RBAC Assignment operation that grants the actor assigned the operation the ability to add another EmpowerID Actor type to a Management Role as an actor, giving them the ability to add Access Levels to the Management Role. To complete this assignment, the actor making the assignment must also have the AddToManagementRole operation allowed for the Management Role in question.
    • RemoveFromManagementRole - This is an RBAC Assignment operation that grants the actor assigned the operation the ability to remove another EmpowerID Actor type from a Management Role as an actor, removing their ability to add Access Levels to the Management Role. To complete this assignment, the actor making the assignment must also have the RemoveFromManagementRole operation allowed for the Management Role in question.
  • Assign and Unassign to Business Role

    This Access Level Definition grants the actor assigned the Access Level the ability to assign or unassign people to and from Business Roles in EmpowerID and has the following operations set to allowed:

    • AssignOrgRoleOrgZone - This operation grants the actor assigned the operation the ability to assign a person to a Business Role and Location.
    • AssignPersonOrgRoleOrgZone - This operation grants the actor assigned the operation the ability to assign a person to a Business Role and Location as a secondary Business Role and Location.
    • Use - This operation grants the actor assigned the operation the ability to view a Business Role.
    • RemovePersonOrgRoleOrgZone - This operation grants the actor assigned the operation the ability to unassign a person from a secondary Business Role and Location.
    • Set Person Primary Business Role and Location - This operation grants the actor the ability to set the primary Business Role and Location for a person.
  • Editor

    This Access Level Definition grants the actor assigned the Access Level the ability to edit Business Roles in EmpowerID and has the following operations set to allowed.

    • Edit - This operation grants the actor assigned the operation the ability to edit a Business Role.
    • Use - This operation grants the actor assigned the operation the ability to view a Business Role.
    • Update - This operation grants the actor assigned the operation the ability to edit a Business Role.
  • Access Level Assigner

    Beyond the operations common to all Access Level Assigner Access Level Definitions, the Access Level Assigner for Business Roles has the following additional operations allowed.

    • AddOrgRoleOrgZoneToRelativeResourceRole - This operation grants the actor assigned the operation the ability to assign relative Access Levels to a Business Role and Location.
    • AddOrgRoleOrgZoneToResourceRole - This operation grants the actor assigned the operation the ability to assign Access Levels directly to a Business Role and Location.
    • AddOrgRoleOrgZoneToResourceRoleAssignmentByLocation - This operation grants the actor assigned the operation the ability to assign Access Levels by location to a Business Role and Location.
    • RemoveOrgRoleOrgZoneFromRelativeResourceRole - This operation grants the actor assigned the operation the ability to remove relative Access Levels from a Business Role and Location.
    • RemoveOrgRoleOrgZoneFromResourceRole - This operation grants the actor assigned the operation the ability to remove Access Levels directly from a Business Role and Location.
    • RemoveOrgRoleOrgZoneFromResourceRoleAssignmentByLocation - This operation grants the actor assigned the operation the ability to remove Access Levels scoped by location from a Business Role and Location.

Computer

  • Administrator and EmpowerID Administrator

    In addition to most of the operations common to all Administrator and EmpowerID Administrator Access Level Definitions, the Administrator and EmpowerID Administrator Access Level Definitions for the Computer Resource Type both have the following EmpowerID Operations allowed.

    • DeleteComputer - This operation grants the actor assigned the operation the ability to delete a Computer object when running the DeleteComputer workflow.
    • DeleteDirectory - This operation grants the actor assigned the operation the ability to delete a directory when running the DeleteDirectory workflow.
    • Disable Computer - This operation grants the actor assigned the operation the ability to disable a Computer object when running the DisableComputer workflow.
    • Edit Computer Advanced Settings - This operation grants the actor assigned the operation the ability to edit the Advanced Tab fields on the Computer Resource Management Screen for a Computer object.
    • Edit Description - This operation grants the actor assigned the operation the ability to edit the Description field on the Computer Tab of the Computer Resource Management Screen for a Computer object.
    • Enable Computer - This operation grants the actor assigned the operation the ability to enable a Computer object.
    • EnableDisableComputerOperation - This operation grants the actor assigned the operation the ability to enable and/or disable a Computer object.
    • Move Computer - This operation grants the actor assigned the operation the ability to move a Computer object from one location to another.
    • ProvisionComputer - This operation grants the actor assigned the operation the ability to provision a Computer object in EmpowerID.
  • EmpowerID Administrator

    In addition to the operations common to all EmpowerID Administrator Access Level Definitions and those shared with the Administrator Access Level Definition mentioned directly above, the EmpowerID Administrator Access Level Definition has the following operations allowed for the Computer Resource Type.

    • PowerShell Move Computer - This operation grants the actor assigned the operation the ability to move a Computer object using PowerShell commands.
    • Restart Computer - This operation grants the actor assigned the operation the ability to restart a Computer object.
    • Restart Service - This operation grants the actor assigned the operation the ability to restart a service on an assigned Computer object.
    • Stop Application Pool - This operation grants the actor assigned the operation the ability to stop an application pool on an assigned Computer object.
    • Stop Process - This operation grants the actor assigned the operation the ability to stop a process on an assigned Computer object.
    • Stop Service - This operation grants the actor assigned the operation the ability to stop a service on an assigned Computer object.
  • Co-Owner

    The Co-Owner Access Level Definition has the following operations set to allowed for the Computer Resource Type.

    • Use - This operation grants the actor assigned the operation the ability to view the Computer object in EmpowerID.
    • ManageAnyResourceRole - This operation grants the actor assigned the operation the ability to assign or unassign any EmpowerID Access Levels for a Computer object. This operation is needed to grant or revoke direct assignments of Access Levels, such as the Use Access Level, for a particular Computer object to users.
    • ManageAnyResourceRoleAssignmentByLocation - This operation grants the actor assigned the operation the ability to assign Access Levels by location for the Resource Type resource object. This operation is needed to grant or revoke assignments of Access Levels, such as the Use Access Level, for Computer objects by location to users, meaning the actor needs to have this operation allowed for computers in the location for which they are managing Access Level Assignments; otherwise the operation will route for approval.
  • Create, Enable, Disable, Move and Delete

    This Access Level Definition allows the actor assigned the Access Level to create, enable, disable, move and delete assigned Computer objects in EmpowerID and has the following operations set to allowed.

    • Use - This operation grants the actor assigned the operation the ability to view a Computer object in EmpowerID.
    • DeleteComputer - This operation grants the actor assigned the operation the ability to delete a Computer object from EmpowerID.
    • EnableComputer - This operation grants the actor assigned the operation the ability to enable a Computer object in EmpowerID.
    • DisableComputer - This operation grants the actor assigned the operation the ability to disable a Computer object in EmpowerID.
    • ProvisionComputer - This operation grants the actor assigned the operation the ability to provision a Computer object in EmpowerID.
    • MoveComputer - This operation grants the ability to move a Computer object from one location to another in EmpowerID.
    • EnableDisableComputerOperation - This operation grants the actor assigned the operation the ability to enable and/or disable a Computer object.

EmpowerID System

  • Administrator and EmpowerID Administrator

    In addition to many of the operations common to all Administrator and EmpowerID Administrator Access Level Definitions, the Administrator and EmpowerID Administrator Access Level Definitions both have the following operations allowed for the EmpowerID System Resource Type.

    • CreateAssetType - This operation grants the actor assigned the operation the ability to create an Asset Type when running the ProvisionCatalogRequest workflow.
    • EditCatalogRequest - This operation grants the actor assigned the operation the ability to edit a Catalog Request item when running the AssetCatalogItemEdit workflow.
    • ProvisionCatalogRequest - This operation grants the actor assigned the operation the ability to create a Catalog Request item when running the ProvisionCatalogRequest workflow.
    • RunPowerShellScript - This operation grants the actor assigned the operation the ability to run a PowerShell Script against resources in EmpowerID.
  • EmpowerID Administrator

    In addition to the operations common to all EmpowerID Administrator Access Level Definitions and those shared with the Administrator Access Level Definition mentioned directly above, the EmpowerID Administrator Access Level Definition has the following operations allowed for the EmpowerID System Resource Type.

    • Provision SharePoint Site - This operation grants the actor assigned the operation the ability to create a SharePoint Site.
  • Generic Person

    This Access Level Definition represents a Person object with no operations, rights, or ability to log in to EmpowerID.

  • User

    This Access Level Definition grants the actor assigned the Access Level the ability to log in to and use EmpowerID and has the following operations set to allowed.

    • Use - This operation grants the person assigned the operation the ability to view the resource in EmpowerID.

Exchange Mailbox

  • Administrator and EmpowerID Administrator

    In addition to many of the operations common to most Administrator and EmpowerID Administrator Access Level Definitions, the Administrator and EmpowerID Administrator Access Level Definitions for the Exchange Mailbox both have the following operations allowed for the Exchange Mailbox Resource Type.

    • AddEmailAddress - This operation grants the actor assigned the operation the ability to add a new email address to an existing user mailbox.
    • DeleteEmailAddress - This operation grants the actor assigned the operation the ability to delete an email address from an existing user mailbox.
    • Disable ActiveSync - This operation grants the actor assigned the operation the ability to deselect the ActiveSync Enabled option on the Mailbox Tab of the Exchange Mailbox Resource Management screen.
    • Disable Auto-Accept Calendar - This operation grants the actor assigned the operation the ability to deselect the Auto-Accept Calendar option on the Mailbox Tab of the Exchange Mailbox Resource Management screen.
    • Disable Mailbox - This operation grants the actor assigned the operation the ability to disable a mailbox by setting all quota values on the mailbox to 0.
    • Disable OWA - This operation grants the actor assigned the operation the ability to deselect the OWA Enabled option in the Mailbox Features section on the Mailbox Tab of the Exchange Mailbox Resource Management screen.
    • Disable Require Authenticated Senders - This operation grants the actor assigned the operation the ability to deselect the Require authenticated senders option in the Send and Receive Limits section on the Mailbox Tab of the Exchange Mailbox Resource Management screen.
    • Disable Use Default Quota - This operation grants the actor assigned the operation the ability to deselect the Use Default Quota option on the Quota and Limits Tab of the Exchange Mailbox Resource Management screen.
    • Edit Mailbox Alias - This operation grants the actor assigned the operation the ability to edit the Alias option in the Overview section of the Mailbox Tab on the Exchange Mailbox Resource Management screen.
    • Edit Mailbox Extension Attributes - This operation grants the actor assigned the operation the ability to edit the Extension Attributes on the Extension Tab of the Exchange Mailbox Resource Management screen.
    • Edit Mailbox Note - This operation grants the actor assigned the operation the ability to edit the Notes field in the Overview section of the Mailbox Tab on the Exchange Mailbox Resource Management screen.
    • Edit Room Capacity - This operation grants the actor assigned the operation the ability to edit the Capacity field in the Mailbox Features section of the Mailbox Tab on the Exchange Mailbox Resource Management screen.
    • Edit Send and Receive Limits - This operation grants the actor assigned the operation the ability to edit the fields in the Send and Receive Limits section of the Quota and Limits Tab on the Exchange Mailbox Resource Management screen.
    • EditAcceptFrom - This operation grants the actor assigned the operation the ability to edit the "Allowed" list for who may send email to a specific mailbox.
    • EditEmailAddress - This operation grants the actor assigned the operation the ability to edit an email address when running the EditExchangeMailboxAddress workflow.
    • EditExchangeMailbox - This operation grants the actor assigned the operation the ability to perform a general edit of a mailbox.
    • EditMailboxForwarding - This operation grants the actor assigned the operation the ability to edit who receives a copy of mail sent to a mailbox.
    • EditMailboxQuota - This operation grants the actor assigned the operation the ability to edit the Quota fields in the Quota Settings section of the Quota and Limits Tab on the Exchange Mailbox Resource Management screen.
    • EditSMTPAddresses - This operation grants the actor assigned the operation the ability to edit the SMTP address for a mailbox.
    • EditRejectFrom - This operation grants the actor assigned the operation the ability to edit the "Denied" list for who may not send email to a specific mailbox.
    • Enable Require Authenticated Senders - This operation grants the actor assigned the operation the ability to select the Require authenticated senders option in the Send and Receive Limits section on the Mailbox Tab of the Exchange Mailbox Resource Management screen.
    • Enable ActiveSync - This operation grants the actor assigned the operation the ability to select the ActiveSync Enabled option in the Mailbox Features section on the Mailbox Tab of the Exchange Mailbox Resource Management screen.
    • Enable Auto-Accept Calendar - This operation grants the actor assigned the operation the ability to select the Auto-Accept Calendar option in the Mailbox Features section on the Mailbox Tab of the Exchange Mailbox Resource Management screen.
    • Enable Mailbox - This operation grants the actor assigned the operation the ability to enable a mailbox.
    • Enable OWA - This operation grants the actor assigned the operation the ability to select the OWA Enabled option in the Mailbox Features section of the Mailbox Tab on the Exchange Mailbox Resource Management screen.
    • Enable Use Default Quota - This operation grants the actor assigned the operation the ability to select the Use Default Quota option in the Quota Limits section on the Quota and Limits Tab of the Exchange Mailbox Resource Management screen.
    • EnableAutoAccept - This operation grants the actor assigned the operation the ability to enable auto-accept for appointments on room or equipment mailboxes.
    • Hide in GAL - This operation grants the actor assigned the operation the ability to select the Hidden In GAL option in the Mailbox Features section of the Mailbox Tab on the Exchange Mailbox Resource Management screen.
    • LinkAccountToMailbox - This operation grants the actor assigned the operation the ability to link a user account to a mailbox.
    • MoveMailbox - This operation grants the actor assigned the operation the ability to move a mailbox from one location to another.
    • ReActivateMailbox - This operation grants the actor assigned the operation the ability to activate a deactivated mailbox.
    • RemoteDeviceWipe - This operation grants the actor assigned the operation the ability to wipe data from an ActiveSync device (usually a phone) the next time the device tries to sync with the server.
    • RestoreDeletedMailbox - This operation grants the actor assigned the operation the ability to restore a mailbox that has been deleted in EmpowerID.
    • SetMasterAccount - This operation grants the actor assigned the operation the ability to set the master account for a linked mailbox to an account in a trusted domain in another forest.
    • Show in GAL - This operation grants the actor assigned the operation the ability to deselect the Hidden In GAL option in the Mailbox Features section of the Mailbox Tab on the Exchange Mailbox Resource Management screen.
    • SuspendMailbox - This operation grants the actor assigned the operation the ability to set the quota values on a mailbox to 0.
    • View Mailbox Extension Attributes - This operation grants the actor assigned the operation the ability to view the Extension Attributes for a mailbox.
    • View Mailbox Feature Attributes - This operation grants the actor assigned the operation the ability to view the options in the Mailbox Features section of the Mailbox Tab on the Exchange Mailbox Resource Management screen.
    • View Mailbox Quota Attributes - This operation grants the actor assigned the operation the ability to view the Quota Attributes for a mailbox.
    • View Mailbox Send and Receive Limits Attributes - This operation grants the actor assigned the operation the ability to view the Send and Receive Limits Attributes for a mailbox.
    • ViewDeviceStatus - This operation grants the actor assigned the operation the ability to view the status of an Active Sync device.
  • Full Access In Outlook

    This Access Level Definition grants native Full Access permissions (ACLs) for a mailbox in Exchange and contains no EmpowerID operations.

  • Reader In Outlook

    This Access Level Definition grants Read permissions (ACLs) for a mailbox in Exchange and contains no EmpowerID operations.

  • Recipient Management

    This Access Level Definition grants the actor assigned the Access Level the ability to manage mailboxes in EmpowerID and has the following operations set to allowed.

    • AddEmailAddress - This operation grants the actor assigned the operation the ability to add a new email address to an existing user mailbox.
    • DeleteEmailAddress - This operation grants the actor assigned the operation the ability to delete an email address from an existing user mailbox.
    • Disable ActiveSync - This operation grants the actor assigned the operation the ability to deselect the ActiveSync Enabled option on the Mailbox Tab of the Exchange Mailbox Resource Management screen.
    • Disable Auto-Accept Calendar - This operation grants the actor assigned the operation the ability to deselect the Auto-Accept Calendar option on the Mailbox Tab of the Exchange Mailbox Resource Management screen.
    • Disable Mailbox - This operation grants the actor assigned the operation the ability to disable a mailbox by setting all quota values on the mailbox to 0.
    • Disable OWA - This operation grants the actor assigned the operation the ability to deselect the OWA Enabled option in the Mailbox Features section on the Mailbox Tab of the Exchange Mailbox Resource Management screen.
    • Disable Require Authentication - This operation grants the actor assigned the operation the ability to deselect the Require authenticated senders option in the Send and Receive Limits section on the Mailbox Tab of the Exchange Mailbox Resource Management screen.
    • Disable Use Default Quota - This operation grants the actor assigned the operation the ability to deselect the Use Default Quota option on the Quota and Limits Tab of the Exchange Mailbox Resource Management screen.
    • Edit Accept From - This operation grants the actor assigned the operation the ability to edit the "Allowed" list for who may send email to a specific mailbox.
    • Edit Mailbox Alias - This operation grants the actor assigned the operation the ability to edit the Alias option in the Overview section of the Mailbox Tab on the Exchange Mailbox Resource Management screen.
    • Edit Mailbox Extension Attributes - This operation grants the actor assigned the operation the ability to edit the Extension Attributes on the Extension Tab of the Exchange Mailbox Resource Management screen.
    • Edit Mailbox Note - This operation grants the actor assigned the operation the ability to edit the Notes field in the Overview section of the Mailbox Tab on the Exchange Mailbox Resource Management screen.
    • Edit Reject From - This operation grants the actor assigned the operation the ability to edit the "Denied" list for who may not send email to a specific mailbox.
    • Edit Room Capacity - This operation grants the actor assigned the operation the ability to edit the Capacity field in the Mailbox Features section of the Mailbox Tab on the Exchange Mailbox Resource Management screen.
    • Edit Send and Receive Limits - This operation grants the actor assigned the operation the ability to edit the fields in the Send and Receive Limits section of the Quota and Limits Tab on the Exchange Mailbox Resource Management screen.
    • EditEmailAddress - This operation grants the actor assigned the operation the ability to edit an email address when running the EditExchangeMailboxAddress workflow.
    • EditExchangeMailbox - This operation grants the actor assigned the operation the ability to perform a general edit of a mailbox.
    • EditMailboxForwarding - This operation grants the actor assigned the operation the ability to edit who receives a copy of mail sent to a mailbox.
    • EditMailboxQuota - This operation grants the actor assigned the operation the ability to edit the Quota fields in the Quota Settings section of the Quota and Limits Tab on the Exchange Mailbox Resource Management screen.
    • EditSMTPAddresses - This operation grants the actor assigned the operation the ability to edit the SMTP address for a mailbox.
    • Enable ActiveSync - This operation grants the actor assigned the operation the ability to select the ActiveSync Enabled option in the Mailbox Features section on the Mailbox Tab of the Exchange Mailbox Resource Management screen.
    • Enable Auto-Accept Calendar - This operation grants the actor assigned the operation the ability to select the Auto-Accept Calendar option in the Mailbox Features section on the Mailbox Tab of the Exchange Mailbox Resource Management screen.
    • Enable Mailbox - This operation grants the actor assigned the operation the ability to enable a mailbox.
    • Enable OWA - This operation grants the actor assigned the operation the ability to select the OWA Enabled option in the Mailbox Features section of the Mailbox Tab on the Exchange Mailbox Resource Management screen.
    • Enable Use Default Quota - This operation grants the actor assigned the operation the ability to select the Use Default Quota option in the Quota Limits section on the Quota and Limits Tab of the Exchange Mailbox Resource Management screen.
    • EnableAutoAccept - This operation grants the actor assigned the operation the ability to enable auto-accept for appointments on room or equipment mailboxes.
    • Hide in GAL - This operation grants the actor assigned the operation the ability to select the Hidden In GAL option in the Mailbox Features section of the Mailbox Tab on the Exchange Mailbox Resource Management screen.
    • MoveMailbox - This operation grants the actor assigned the operation the ability to move a mailbox from one location to another.
    • ReActivateMailbox - This operation grants the actor assigned the operation the ability to activate a deactivated mailbox.
    • RemoveFromReader - This is an RBAC Assignment operation that grants the actor assigned the operation the ability to remove the Reader Access Level from another EmpowerID Actor type.
    • RemoveFromRecipient Management - This is an RBAC Assignment operation that grants the actor assigned the operation the ability to remove the Recipient Management Access Level from another EmpowerID Actor.
    • RestoreDeletedMailbox - This operation grants the actor assigned the operation the ability to restore a mailbox that has been deleted in EmpowerID.
    • Show in GAL - This operation grants the actor assigned the operation the ability to deselect the Hidden In GAL option in the Mailbox Features section of the Mailbox Tab on the Exchange Mailbox Resource Management screen.
    • View Mailbox Extension Attributes - This operation grants the actor assigned the operation the ability to view the Extension Attributes for a mailbox.
    • View Mailbox Feature Attributes - This operation grants the actor assigned the operation the ability to view the options in the Mailbox Features section of the Mailbox Tab on the Exchange Mailbox Resource Management screen.
    • View Mailbox Quota Attributes - This operation grants the actor assigned the operation the ability to view the Quota Attributes for a mailbox.
    • View Mailbox Send and Receive Limits Attributes - This operation grants the actor assigned the operation the ability to view the Send and Receive Limits Attributes for a mailbox.
  • Send As In Outlook

    This Access Level Definition grants native Send As permissions (ACLs) for a mailbox in Exchange and contains no EmpowerID operations.

  • Send On Behalf In Outlook

    This Access Level Definition grants native Send On Behalf permissions (ACLs) for a mailbox in Exchange and contains no EmpowerID operations.

Group (Distribution, Security, Generic) Access Level Definitions

  • Administrator and EmpowerID Administrator

    In addition to many of the operations common to most Administrator and EmpowerID Administrator Access Level Definitions, the Administrator and EmpowerID Administrator Access Level Definitions both have the following operations allowed for the Group Resource Types.

    • AddToManagementRole - This is an RBAC Assignment operation that grants the actor assigned the operation the ability to add another EmpowerID Actor type to a Management Role as an actor, giving them the ability to add Access Levels to the Management Role. To complete this assignment, the actor making the assignment must also have the AddToManagementRole operation allowed for the Management Role in question.
    • Edit AD Group Name Attributes - This operation grants the actor assigned the operation the ability to edit the Name, Display Name, and Logon Name fields in the Overview section of the General Tab on the Group Resource Management screen (Group Details form).
    • Edit Exchange Settings - This operation grants the actor assigned the operation the ability to edit the fields in the Overview section of the General Tab on the Group Resource Management screen (Group Details form).
    • Edit Group Advanced Settings - This operation grants the actor assigned the operation the ability to edit the fields in the Advanced Options section of the Advanced Tab on the Group Resource Management screen (Group Details form).
    • Edit Group Description and Note - This operation grants the actor assigned the operation the ability to edit the Description and Note fields in the Overview section of the General Tab on the Group Resource Management screen (Group Details form).
    • Edit Group Extension Attributes - This operation grants the actor assigned the operation the ability to edit the Extension Attributes for a group on the Group Resource Management screen (Group Details form).
    • Edit Group Type - This operation grants the actor assigned the operation the ability to edit the Group Type drop-down in the Overview section of the General Tab on the Group Resource Management screen (Group Details form).
    • EditAcceptFrom - This operation grants the actor assigned the operation the ability to edit the "Allowed" list for who may send email to a specific group.
    • EditRejectFrom - This operation grants the actor assigned the operation the ability to edit the "Denied" list for who may not send email to a specific group.
    • EditSMTPAddresses - This operation grants the actor assigned the operation the ability to edit the SMTP addresses for a group when running the EditSMTPAddresses workflow.
    • Hide Group in GAL - This operation grants the actor assigned the operation the ability to select the Hidden In GAL option in the Exchange Options section of the Exchange Tab on the Group Resource Management screen (Group Details form).
    • Mail Disable Group - This operation grants the actor assigned the operation the ability to disable mail for a group by deselecting the Is Mail-Enabled option in the Exchange Options section of the Exchange Tab on the Group Resource Management screen (Group Details form).
    • Mail Enable Group - This operation grants the actor assigned the operation the ability to assign an email address to a group by selecting the Is Mail-Enabled option in the Exchange Options section of the Exchange Tab on the Group Resource Management screen (Group Details form).
    • Move Computer - This operation grants the actor assigned the operation the ability to move a computer from one location to another.
    • Move Group - This operation grants the actor assigned the operation the ability to move a group from one location to another.
    • RemoveFromManagementRole - This is an RBAC Assignment operation that grants the actor assigned the operation the ability to remove another EmpowerID Actor type from a Management Role as an actor, removing their ability to add Access Levels to the Management Role. To complete this assignment, the actor making the assignment must also have the RemoveFromManagementRole operation allowed for the Management Role in question.
    • Show Group in GAL - This operation grants the actor assigned the operation the ability to designate that a selected group be visible in the Global Address List when running the ShowDLInGAL workflow.
  • Group Co-Owner

    This Access Level grants the person assigned the Access Level owner status for a Group and has the following operations allowed.

    • AddToGroupMember - This is an RBAC Assignment operation that grants the actor assigned the operation the ability to add any EmpowerID Actor type to the Member Access Level for the group.
    • Use - This operation grants the actor assigned the operation the ability to view a group.
    • ManageAnyResourceRole - This operation grants the actor assigned the operation the ability to assign or unassign any EmpowerID Access Levels for a group. This operation is needed to grant or revoke direct assignments of Access Levels, such as the Use Access Level, for a particular group to users.
    • ManageAnyResourceRoleAssignmentByLocation - This operation grants the actor assigned the operation the ability to assign Access Levels by location for the group. It is needed to grant or revoke by-location assignments of Access Levels, such as the Use Access Level, to another EmpowerID Actor type for groups. The actor must have this operation allowed at or below the location for which they are making the by-location Access Level assignment; otherwise the operation routes for approval.
    • RemoveFromGroupMember - This is an RBAC Assignment operation that grants the actor assigned the operation the ability to remove any EmpowerID Actor type from the Member Access Level for the group.
  • Membership Manager

    This Access Level grants the person assigned the Access Level the ability to manage group membership and has the following operations allowed.

    • Add Account To Group - This is an RBAC Assignment operation that grants the actor assigned the operation the ability to add an account to a group.
    • Add<%Actor%>ToGroupMember - This is an RBAC Assignment operation that grants the actor assigned the operation the ability to grant group membership to the EmpowerID Actor type (Person, Business Role and Locations, or Group) in question.
    • AddToGroupMember - This is an RBAC Assignment operation that grants the actor assigned the operation the ability to add People, Groups, or Business Roles to the Member Access Level.
    • Use - This operation grants the actor assigned the operation the ability to view a group.
    • ManageAnyResourceRole - This operation grants the actor assigned the operation the ability to assign or unassign any EmpowerID Access Levels for a group. This operation is needed to grant or revoke direct assignments of Access Levels, such as the Use Access Level, for a particular group to users.
    • ManageAnyResourceRoleAssignmentByLocation - This operation grants the actor assigned the operation the ability to assign Access Levels by location for the group. It is needed to grant or revoke by-location assignments of Access Levels, such as the Use Access Level, to another EmpowerID Actor type for groups. The actor must have this operation allowed at or below the location for which they are making the by-location Access Level assignment; otherwise the operation routes for approval.
    • Remove<%Actor%>FromGroupMember - This is an RBAC Assignment operation that grants the actor assigned the operation the ability to remove People, Groups, or Business Roles from the Member Access Level.
  • Access Level Assigner

    Beyond the operations common to all Access Level Assigner Access Level Definitions, the Access Level Assigner for Groups has the following additional operations allowed.

    • AddGroupToRelativeResourceRole - This operation grants the actor assigned the operation the ability to assign relative Access Levels to a Distribution Group.
    • AddGroupToResourceRole - This operation grants the actor assigned the operation the ability to assign Access Levels directly to a Distribution Group.
    • AddGroupToResourceRoleAssignmentByLocation - This operation grants the actor assigned the operation the ability to assign Access Levels by location to a Distribution Group.
    • Use - This operation grants the actor assigned the operation the ability to view a Distribution Group.
    • ManageAnyResourceRole - This operation grants the actor assigned the operation the ability to assign or unassign any EmpowerID Access Levels for a group. This operation is needed to grant or revoke direct assignments of Access Levels, such as the Use Access Level, for a particular group to users.
    • ManageAnyResourceRoleAssignmentByLocation - This operation grants the actor assigned the operation the ability to assign Access Levels by location for the group. It is needed to grant or revoke by-location assignments of Access Levels, such as the Use Access Level, to another EmpowerID Actor type for groups. The actor must have this operation allowed at or below the location for which they are making the by-location Access Level assignment; otherwise the operation routes for approval.
    • RemoveGroupFromRelativeResourceRole - This operation grants the actor assigned the operation the ability to remove relative Access Levels from a Distribution Group.
    • RemoveGroupFromResourceRole - This operation grants the actor assigned the operation the ability to remove Access Levels directly from a Distribution Group.
    • RemoveGroupFromResourceRoleAssignmentByLocation - This operation grants the actor assigned the operation the ability to remove Access Levels scoped by location from a Distribution Group.
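    The dual-operation rule (the assigner needs the operation on the group and on the EmpowerID Actor receiving the Access Level) and the by-location scoping described for ManageAnyResourceRoleAssignmentByLocation under Group Co-Owner, Membership Manager and Access Level Assigner, modelled as a small Python decision function. This is an added example, not EmpowerID code: the location tree, grant structures, resource ids and the assumption that a by-location grant covers that location and everything beneath it are all constructed here.

```python
from dataclasses import dataclass, field

# Constructed sample location tree (child -> parent); not EmpowerID data.
LOCATIONS = {
    "Global": None,
    "EMEA": "Global",
    "Germany": "EMEA",
    "Berlin": "Germany",
    "APAC": "Global",
}


def chain(location):
    """Return [location, parent, grandparent, ..., root]."""
    out = []
    while location is not None:
        out.append(location)
        location = LOCATIONS[location]
    return out


def at_or_below(location, scope):
    """True when `location` is `scope` itself or sits beneath it in the tree.
    Assumption: a by-location grant at `scope` covers the whole subtree."""
    return scope in chain(location)


@dataclass
class Grants:
    """Operations an actor holds: directly on a resource, or by location."""
    direct: set = field(default_factory=set)         # {(operation, resource_id)}
    by_location: dict = field(default_factory=dict)  # {operation: {location, ...}}

    def allows(self, operation, resource_id, resource_location):
        if (operation, resource_id) in self.direct:
            return True
        scopes = self.by_location.get(operation, set())
        return any(at_or_below(resource_location, s) for s in scopes)


@dataclass
class Resource:
    """Anything an operation is checked against: a group, a person, ..."""
    resource_id: str
    location: str


def decide(assigner, operation, resource, target):
    """Decide an RBAC Assignment operation such as AddPersonToGroupMember.

    The operation is dual: it must be allowed for the assigner on the
    resource (the group) AND on the Actor receiving the Access Level.
    Returns ("allowed", []) or ("route for approval", [missing grants]).
    """
    missing = []
    if not assigner.allows(operation, resource.resource_id, resource.location):
        missing.append(f"{operation} on {resource.resource_id}")
    if not assigner.allows(operation, target.resource_id, target.location):
        missing.append(f"{operation} on {target.resource_id}")
    if missing:
        return ("route for approval", missing)
    return ("allowed", [])


# Constructed scenario: Vivian holds the operation by location for EMEA.
VIVIAN = Grants(by_location={"AddPersonToGroupMember": {"EMEA"}})
SALES_DE = Resource("grp-sales-de", "Germany")   # group under EMEA
BOB = Resource("person-bob", "Berlin")           # person under EMEA
ALICE = Resource("person-alice", "APAC")         # person outside EMEA


def demo():
    """Run both cases: one fully in scope, one where the target is not."""
    return {
        "bob": decide(VIVIAN, "AddPersonToGroupMember", SALES_DE, BOB),
        "alice": decide(VIVIAN, "AddPersonToGroupMember", SALES_DE, ALICE),
    }


if __name__ == "__main__":
    for who, outcome in demo().items():
        print(who, outcome)
```

    Adding Alice routes for approval even though Vivian is fully in scope for the group, because the second half of the dual operation (the grant on the person) is missing.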

Location

  • Administrator and EmpowerID Administrator

    In addition to most of the operations common to all Administrator and EmpowerID Administrator Access Level Definitions, the Administrator and EmpowerID Administrator Access Level Definitions both have the following operations allowed for the EmpowerID Location Resource Type.

    • AddToManagementRole - This is an RBAC Assignment operation that grants the actor assigned the operation the ability to add another EmpowerID Actor type to a Management Role as an actor, giving them the ability to add Access Levels to the Management Role. To complete this assignment, the actor making the assignment must also have the AddToManagementRole operation allowed for the Management Role in question.
    • AssignGroupOrgRoleOrgZone - This operation grants the actor assigned the operation the ability to assign a group to a Business Role and Location.
    • AssignOrgRoleOrgZone - This operation grants the actor assigned the operation the ability to assign a person to a Business Role and Location as a secondary Business Role and Location.
    • AssignPersonOrgRoleOrgZone - This operation grants the actor assigned the operation the ability to assign a person to a Business Role and Location.
    • RemoveFromManagementRole - This is an RBAC Assignment operation that grants the actor assigned the operation the ability to remove another EmpowerID Actor type from a Management Role as an actor, removing their ability to add Access Levels to the Management Role. To complete this assignment, the actor making the assignment must also have the RemoveFromManagementRole operation allowed for the Management Role in question.
    • RemoveGroupOrgRoleOrgZone - This operation grants the actor assigned the operation the ability to remove a group from a Business Role and Location.
    • RemoveOrgRoleOrgZoneFromResourceRole - This operation grants the actor assigned the operation the ability to directly remove Access Levels from a Business Role and Location.
    • RemoveOrgRoleOrgZoneFromResourceRoleAssignmentByLocation - This operation grants the actor assigned the operation the ability to remove Access Levels from a Business Role and Location scoped by location.
    • RemovePersonOrgRoleOrgZone - This operation grants the actor assigned the operation the ability to unassign a person from a secondary Business Role and Location.
    • Set Person Primary Business Role and Location - This operation grants the actor the ability to set the primary Business Role and Location for a person.
    • Update - This operation grants the actor assigned the operation the ability to edit a location.
  • EmpowerID Administrator

    In addition to the operations common to all EmpowerID Administrator Access Level Definitions and those shared with the Administrator Access Level Definition mentioned directly above, the EmpowerID Administrator Access Level Definition has the following operations allowed for the EmpowerID Location Resource Type.

    • Create OU - This operation grants the actor assigned the operation the ability to create an AD OU.
    • Edit OU - This operation grants the actor assigned the operation the ability to edit an AD OU.
    • Move Business Location - This operation grants the actor assigned the operation the ability to move a business location to another location.
    • ProvisionPartner - This operation grants the actor assigned the operation the ability to create a partner location.
  • Assign and Unassign to Location

    This Access Level Definition grants the actor assigned the Access Level the ability to assign or unassign People to and from locations in EmpowerID and has the following operations set to allowed.

    • AssignOrgRoleOrgZone - This operation grants the actor assigned the operation the ability to assign a person to a Business Role and Location as a secondary Business Role and Location.
    • AssignPersonOrgRoleOrgZone - This operation grants the actor assigned the operation the ability to assign a person to a Business Role and Location.
    • AssignResourceOrgZone - This operation grants the actor assigned the operation the ability to assign a resource to a location.
    • Use - This operation grants the actor assigned the operation the ability to view a location.
    • RemovePersonOrgRoleOrgZone - This operation grants the actor assigned the operation the ability to unassign a person from a secondary Business Role and Location.
    • RevokeResourceOrgZone - This operation grants the actor assigned the operation the ability to remove Resource Type resource objects from a location.
    • Set Person Primary Business Role and Location - This operation grants the actor the ability to set the primary Business Role and Location for a person.
  • Editor

    This Access Level Definition grants the actor assigned the Access Level the ability to edit locations in EmpowerID and has the following operations set to allowed.

    • Edit - This operation grants the actor assigned the operation the ability to edit a location.
    • Edit OU - This operation grants the actor assigned the operation the ability to edit an AD OU.
    • Use - This operation grants the actor assigned the operation the ability to view a location.
    • Update - This operation grants the actor assigned the operation the ability to edit a location.
  • Access Level Assigner

    Beyond the operations common to all Access Level Assigner Access Level Definitions, the Access Level Assigner for Business Roles has the following additional operations allowed.

    • AddOrgRoleOrgZoneToRelativeResourceRole - This operation grants the actor assigned the operation the ability to assign relative Access Levels to a Business Role and Location.
    • AddOrgRoleOrgZoneToResourceRole - This operation grants the actor assigned the operation the ability to assign Access Levels directly to a Business Role and Location.
    • AddOrgRoleOrgZoneToResourceRoleAssignmentByLocation - This operation grants the actor assigned the operation the ability to assign Access Levels by location to a Business Role and Location.
    • RemoveOrgRoleOrgZoneFromRelativeResourceRole - This operation grants the actor assigned the operation the ability to remove relative Access Levels from a Business Role and Location.
    • RemoveOrgRoleOrgZoneFromResourceRole - This operation grants the actor assigned the operation the ability to directly remove Access Levels from a Business Role and Location.
    • RemoveOrgRoleOrgZoneFromResourceRoleAssignmentByLocation - This operation grants the actor assigned the operation the ability to remove Access Levels from a Business Role and Location scoped by location.

Management Role and EmpowerID Management Role Definition

  • Administrator

    This Access Level Definition gives the actor assigned the Access Level the ability to create, edit, and delete Management Roles, but does not grant them the ability to manage assignments to Management Roles or RBAC delegations. The Administrator Access Level Definition for the Management Role and Management Role Definition Resource Types has the following operations set to allowed.

    • Delete - This operation grants the actor assigned the operation the ability to delete a Management Role or Management Role Definition.
    • Edit - This operation grants the actor assigned the operation the ability to edit a Management Role or Management Role Definition.
    • Use - This operation grants the actor assigned the operation the ability to view a Management Role or Management Role Definition.
    • Provision - This operation grants the actor assigned the operation the ability to create a Management Role or Management Role Definition.
  • EmpowerID Administrator

    In addition to the operations common to all EmpowerID Administrator Access Level Definitions and those shared with the Administrator Access Level Definition mentioned directly above, the EmpowerID Administrator Access Level Definition has the following operations allowed for the Management Role and Management Role Definition Resource Types.

    • AddToManagementRole - This is an RBAC Assignment operation that grants the actor assigned the operation the ability to add another EmpowerID Actor type to a Management Role as an actor, giving them the ability to add Access Levels to the Management Role. To complete this assignment, the actor making the assignment must also have the AddToManagementRole operation allowed for the Management Role in question.
    • RemoveFromManagementRole - This is an RBAC Assignment operation that grants the actor assigned the operation the ability to remove another EmpowerID Actor type from a Management Role as an actor, removing their ability to add Access Levels to the Management Role. To complete this assignment, the actor making the assignment must also have the RemoveFromManagementRole operation allowed for the Management Role in question.
    • ManageManagementRoleAssignments - This operation grants the actor assigned the operation the ability to manage the Access Level Assignments of the Management Role.
    • ManageManagementRoleDefinitionAssignments (Management Role Definition Only) - This operation grants the actor assigned the operation the ability to add or remove Access Level Assignments to and from the Management Role Definition.
  • Assignment Definition Editor

    This Access Level Definition grants the actor assigned the Access Level the ability to manage the Access Levels of the Management Role and Management Role Definition and has the following operations set to allowed.

    • Use - This operation grants the actor assigned the operation the ability to view a Management Role or Management Role Definition.
    • ManageManagementRoleAssignments (Management Role Only) - This operation grants the actor assigned the operation the ability to manage the Access Level Assignments of the Management Role.
  • Access Level Assigner

    Beyond the operations common to all Access Level Assigner Access Level Definitions, the Access Level Assigner for Management Roles and Management Role Definitions has the following additional operations allowed.

    • ManageManagementRoleAssignments (Management Role Only) - This operation grants the actor assigned the operation the ability to add or remove Access Level Assignments to and from the Management Role.
    • ManageManagementRoleDefinitionAssignments (Management Role Definition Only) - This operation grants the actor assigned the operation the ability to add or remove Access Level Assignments to and from the Management Role Definition.

Person

  • Administrator and EmpowerID Administrator

    In addition to many of the operations common to all Administrator and EmpowerID Administrator Access Level Definitions, the Administrator and EmpowerID Administrator Access Level Definitions both have the following operations allowed for the EmpowerID Person Resource Type.

    • AddToManagementRole - This is an RBAC Assignment operation that grants the actor assigned the operation the ability to add another EmpowerID Actor type to a Management Role as an actor, giving them the ability to add Access Levels to the Management Role. To complete this assignment, the actor making the assignment must also have the AddToManagementRole operation allowed for the Management Role in question.
    • Allow Login - This operation grants the actor assigned the operation the ability to select the Allow Login option on the Advanced Tab of the Resource Management Screen for a Person object.
    • Allow Password Operations - This operation grants the actor assigned the operation the ability to select the Allow Password Operations option on the Advanced Tab of the Resource Management Screen for a Person object.
    • Allow Sync Attributes - This operation grants the actor assigned the operation the ability to select the Allow Attribute Sync option on the Advanced Tab of the Resource Management Screen for a Person object.
    • Assign Account to SSO Application - This operation grants the actor assigned the operation the ability to register an account for a given SSO application configured in EmpowerID to a Person. This operation must be allowed for both the SSO application and the Person in question to complete the task without requiring approval.
    • AssignOrgRoleOrgZone - This operation grants the actor assigned the operation the ability to assign a person to a Business Role and Location as a secondary Business Role and Location.
    • AssignPersonOrgRoleOrgZone - This operation grants the actor assigned the operation the ability to assign a person to a Business Role and Location.
    • ClaimAccount - This operation grants the actor assigned the operation the ability to claim an orphaned account.
    • Claim SSO Application Account - This operation grants the actor assigned the operation the ability to claim an account from an SSO application configured in EmpowerID, such as Google Apps.

      The actor must have this operation allowed for both the Person object and the SSO Application in question to complete the task without requiring approval.

    • Deny Login - This operation grants the actor assigned the operation the ability to deselect the Allow Login option on the Advanced Tab of the Resource Management Screen for a Person object.
    • Deny Password Operations - This operation grants the actor assigned the operation the ability to deselect the Allow Password Operations option on the Advanced Tab of the Resource Management Screen for a Person object.
    • Deny Sync Attributes - This operation grants the actor assigned the operation the ability to deselect the Allow Attribute Sync option on the Advanced Tab of the Resource Management Screen for a Person object.
    • Disable Person - This operation grants the actor assigned the operation the ability to disable a Person object.
    • Edit Person About Attribute - This operation grants the actor assigned the operation the ability to edit the About Person section on the Person Tab of the Resource Management Screen for a Person object.
    • Edit Person Demographics - This operation grants the actor assigned the operation the ability to update information on the Edit Person Demographics screen for a Person object.
    • Edit Person Extension Attributes - This operation grants the actor assigned the operation the ability to edit the Extension Attributes section on the Extension Tab of the Resource Management Screen for a Person object.
    • Edit Person Must Change Password on Next Login - This operation grants the actor assigned the operation the ability to select the Must Change Password option on the Person Edit form for the Person object.
    • Edit Person Name Attributes - This operation grants the actor assigned the operation the ability to edit the Name Information section on the Person Tab of the Resource Management Screen for a Person object.
    • Edit Person Organization Attributes - This operation grants the actor assigned the operation the ability to edit the Organization Information section on the Organization Tab of the Resource Management Screen for a Person object.
    • EditPersonMultiOperations - This operation grants the actor assigned the operation the ability to edit all attributes of a Person object.
    • Enable Person - This operation grants the actor assigned the operation the ability to enable a Person object.
    • Enroll - This operation grants the actor assigned the operation the ability to enroll a Person object in the Password Reset Center.
    • JoinAccountToPerson - This operation grants the actor assigned the operation the ability to join an orphaned account to a Person object.
    • Login - This operation grants the actor assigned the operation the ability to login to EmpowerID.
    • Read - This operation grants the actor assigned the operation the ability to view a Person object.
    • RemoveFromManagementRole - This is an RBAC Assignment operation that grants the actor assigned the operation the ability to remove another EmpowerID Actor type from a Management Role as an actor, removing their ability to add Access Levels to the Management Role. To complete this assignment, the actor making the assignment must also have the RemoveFromManagementRole operation allowed for the Management Role in question.
    • ResetPassword - This operation grants the actor assigned the operation the ability to reset a password for a Person object.
    • RestoreDeletedPerson - This operation grants the actor assigned the operation the ability to restore a deleted Person object.
    • SelfServiceChangePassword - This operation grants the actor assigned the operation the ability to change their password.
    • SelfServiceResetPassword - This operation grants the actor assigned the operation the ability to reset their password.
    • Set Password Manager Policy - This operation grants the actor assigned the operation the ability to select the Password Manager Policy applied to a Person object from the Advanced Tab of the Resource Management Screen for Person objects.
    • Set Person Primary Business Role and Location - This operation grants the actor the ability to set the Primary Business Role and Location for a Person object.
    • Set Profile Manager Policy - This operation grants the actor assigned the operation the ability to select the Profile Manager Policy applied to a Person object from the Advanced Tab of the Resource Management Screen for Person objects.
    • Terminate - This operation grants the actor assigned the operation the ability to terminate a Person object.
    • Unassign Account from SSO Application - This operation grants the actor assigned the operation the ability to remove from a Person an account for a given SSO application configured in EmpowerID. This operation must be allowed for both the SSO application and the Person in question to complete the task without requiring approval.
    • UnClaim SSO Application Account - This operation grants the actor assigned the operation the ability to remove a selected SSO Application account from their Person object, removing their ability to SSO into that account from EmpowerID. The actor must have this operation allowed for both the Person object and the SSO Application in question to complete the task without requiring approval.
    • Unenroll - This operation grants the actor assigned the operation the ability to unenroll a Person object from the Password Reset Center.
    • UnjoinAccountFromPerson - This operation grants the actor assigned the operation the ability to unjoin an account from a Person object.
    • UnlockFromResetCenter - This operation grants the actor assigned the operation the ability to unlock an account for a Person object that has been locked out of the Password Reset Center.
    • UnlockPerson - This operation grants the actor assigned the operation the ability to unlock a Person object.
    • UnlockPersonAccounts - This operation grants the actor assigned the operation the ability to unlock accounts for a Person object.
    • View Street Address Attribute - This operation grants the actor assigned the operation the ability to view the Address section on the Edit Person Demographics screen.
    • ViewAboutPersonAttributes - This operation grants the actor assigned the operation the ability to view the About Person section on the Person Tab of the Resource Management Screen for a Person object.
    • ViewAddressandPhoneNumbers - This operation grants the actor assigned the operation the ability to view the Address and Phone Numbers section on the Organization Tab of the Resource Management Screen for the Person object.
    • ViewAdvancedPersonAttributes - This operation grants the actor assigned the operation the ability to view the Advanced Tab of the Resource Management Screen for a Person object.
    • ViewExtensionAtttributes - This operation grants the actor assigned the operation the ability to view the Extension Tab of the Resource Management Screen for a Person object.
    • ViewNameInformation - This operation grants the actor assigned the operation the ability to view the Name Information section on the Person Tab of the Resource Management Screen for a Person object.
    • ViewOrganizationAttributes - This operation grants the actor assigned the operation the ability to view the Organization Information section on the Organization Tab of the Resource Management Screen for a Person object.
  • Assign and Unassign to Business Role and Location

    This Access Level Definition grants the actor assigned the Access Level the ability to assign or unassign people to and from Business Role and Locations in EmpowerID and has the following operations set to allowed.

    • AssignOrgRoleOrgZone - This operation grants the actor assigned the operation the ability to assign a Person object to a Business Role and Location as a secondary Business Role and Location.
    • AssignPersonOrgRoleOrgZone - This operation grants the actor assigned the operation the ability to assign a Person object to a Business Role and Location.
    • Use - This operation grants the actor assigned the operation the ability to view a Person object.
    • RemovePersonOrgRoleOrgZone - This operation grants the actor assigned the operation the ability to unassign a Person object from a secondary Business Role and Location.
    • Set Person Primary Business Role and Location - This operation grants the actor the ability to set the primary Business Role and Location for a Person object.
  • Editor

    This Access Level Definition grants the actor assigned the Access Level the ability to edit Person objects in EmpowerID and has the following operations set to allowed:

    • Delete - This operation grants the actor assigned the operation the ability to delete Person objects.
    • Edit Person About Attribute - This operation grants the actor assigned the operation the ability to edit the About Person section on the Person Tab of the Resource Management Screen for a Person object.
    • Edit Person Demographics - This operation grants the actor assigned the operation the ability to update demographic information for a Person object on the Edit Person Demographics screen.
    • Edit Person Name Attributes - This operation grants the actor assigned the operation the ability to edit the Name Information section on the Person Tab of the Resource Management Screen for a Person object.
    • Edit Person Organization Attributes - This operation grants the actor assigned the operation the ability to edit the Organization Information section on the Organization Tab of the Resource Management Screen for a Person object.
    • Use - This operation grants the actor assigned the operation the ability to view a Person object.
    • Login - This operation grants the actor assigned the operation the ability to login to EmpowerID.
    • View Street Address Attribute - This operation grants the actor assigned the operation the ability to view the Address section on the Edit Person Demographics screen.
    • ViewAboutPersonAttributes - This operation grants the actor assigned the operation the ability to view the About Person section on the Person Tab of the Resource Management Screen for the Person object.
    • ViewAddressandPhoneNumbers - This operation grants the actor assigned the operation the ability to view the Address and Phone Numbers section on the Organization Tab of the Resource Management Screen for the Person object.
    • ViewNameInformation - This operation grants the actor assigned the operation the ability to view the Name Information section on the Person Tab of the Resource Management Screen for the Person object.
    • ViewOrganizationAttributes - This operation grants the actor assigned the operation the ability to view the Organization Information section on the Organization Tab of the Resource Management Screen for the Person object.
  • EmpowerID User

    This Access Level Definition grants the actor assigned the Access Level the ability to login to EmpowerID and has the following operations set to allowed.

    • Login - This operation grants the actor assigned the operation the ability to login to EmpowerID.
  • Helpdesk

    This Access Level Definition grants the actor assigned the Access Level the ability to perform account management activities for Person objects in EmpowerID and has the following operations set to allowed.

    • Disable Person - This operation grants the actor assigned the operation the ability to disable a Person object.
    • Edit Person About Attribute - This operation grants the actor assigned the operation the ability to edit the About Person section on the Person Tab of the Resource Management Screen for a Person object.
    • Edit Person Demographics - This operation grants the actor assigned the operation the ability to update information on the Edit Person Demographics screen for a Person object.
    • Edit Person Expiration - This operation grants the actor assigned the operation the ability to edit the expiration setting for a Person object.
    • Edit Person Extension Attributes - This operation grants the actor assigned the operation the ability to edit the Extension Attributes section on the Extension Tab of the Resource Management Screen for a Person object.
    • Edit Person Must Change Password on Next Login - This operation grants the actor assigned the operation the ability to select the Must Change Password option on the Person Edit form for a Person object.
    • Edit Person Name Attributes - This operation grants the actor assigned the operation the ability to edit the Name Information section on the Person Tab of the Resource Management Screen for a Person object.
    • Edit Person Organization Attributes - This operation grants the actor assigned the operation the ability to edit the Organization Information section on the Organization tab of the Resource Management Screen for a Person object.
    • Enable Person - This operation grants the actor assigned the operation the ability to enable a Person object.
    • JoinAccountToPerson - This operation grants the actor assigned the operation the ability to join an orphaned account to a Person object.
    • Use - This operation grants the actor assigned the operation the ability to view a Person object.
    • Login - This operation grants the actor assigned the operation the ability to login to EmpowerID.
    • ResetPassword - This operation grants the actor assigned the operation the ability to reset a password for a Person object.
    • Unenroll - This operation grants the actor assigned the operation the ability to unenroll a Person object from the Password Reset Center.
    • UnjoinAccountFromPerson - This operation grants the actor assigned the operation the ability to unjoin an account from a Person object.
    • UnlockFromResetCenter - This operation grants the actor assigned the operation the ability to unlock an account for a Person object that has been locked out of the Password Reset Center.
    • UnlockPerson - This operation grants the actor assigned the operation the ability to unlock a Person object.
    • UnlockPersonAccounts - This operation grants the actor assigned the operation the ability to unlock accounts for a Person object.
    • View Street Address Attribute - This operation grants the actor assigned the operation the ability to view the Address section on the Edit Person Demographics screen.
    • ViewAboutPersonAttributes - This operation grants the actor assigned the operation the ability to view the About Person section on the Person Tab of the Resource Management Screen for the Person object.
    • ViewAddressandPhoneNumbers - This operation grants the actor assigned the operation the ability to view the Address and Phone Numbers section on the Organization Tab of the Resource Management Screen for the Person object.
    • ViewAdvancedPersonAttributes - This operation grants the actor assigned the operation the ability to view the Advanced Tab of the Resource Management Screen for the Person object.
    • ViewExtensionAtttributes - This operation grants the actor assigned the operation the ability to view the Extension Tab of the Resource Management Screen for the Person object.
    • ViewNameInformation - This operation grants the actor assigned the operation the ability to view the Name Information section on the Person Tab of the Resource Management Screen for the Person object.
    • ViewOrganizationAttributes - This operation grants the actor assigned the operation the ability to view the Organization Information section on the Organization Tab of the Resource Management Screen for the Person object.
  • Password Reset and Unlock

    This Access Level Definition grants the actor assigned the Access Level the ability to assist users by resetting passwords and unlocking accounts in EmpowerID and has the following operations set to allowed.

    • Enable Person - This operation grants the actor assigned the operation the ability to enable a Person object.
    • Use - This operation grants the actor assigned the operation the ability to view a Person object.
    • Login - This operation grants the actor assigned the operation the ability to login to EmpowerID.
    • ResetPassword - This operation grants the actor assigned the operation the ability to reset a password for a Person object.
    • UnlockFromResetCenter - This operation grants the actor assigned the operation the ability to unlock an account for a Person object that has been locked out of the Password Reset Center.
    • UnlockPerson - This operation grants the actor assigned the operation the ability to unlock a Person object.
    • UnlockPersonAccounts - This operation grants the actor assigned the operation the ability to unlock accounts for a Person object.
  • Provisioning/Deprovision and Business Role Change

    This Access Level Definition grants the actor assigned the Access Level the ability to provision, terminate, and change Business Role and Locations for Person objects in EmpowerID and has the following operations set to allowed.

    • AssignOrgRoleOrgZone - This operation grants the actor assigned the operation the ability to assign a person to a Business Role and Location as a secondary Business Role and Location.
    • AssignPersonOrgRoleOrgZone - This operation grants the actor assigned the operation the ability to assign a person to a Business Role and Location.
    • Create - This operation grants the actor assigned the operation the ability to create a Person object.
    • Delete - This operation grants the actor assigned the operation the ability to delete a Person object.
    • Use - This operation grants the actor assigned the operation the ability to view a Person object.
    • RemovePersonOrgRoleOrgZone - This operation grants the actor assigned the operation the ability to unassign a person from a Business Role and Location as a secondary Business Role and Location.
    • RestoreDeletedPerson - This operation grants the actor assigned the operation the ability to restore a deleted Person object.
    • Set Person Primary Business Role and Location - This operation grants the actor the ability to assign a primary Business Role and Location for a Person object.
    • Terminate - This operation grants the actor assigned the operation the ability to terminate a Person object.
  • Access Level Assigner

    Beyond the operations common to all Access Level Assigner Access Level Definitions, the Access Level Assigner for the Person Resource Type has the following additional operations allowed:

    • AddPersonToRelativeResourceRole - This operation grants the actor assigned the operation the ability to assign relative Access Levels to a Person object.
    • AddPersonToResourceRole - This operation grants the actor assigned the operation the ability to assign Access Levels directly to a Person object.
    • AddPersonToResourceRoleAssignmentByLocation - This operation grants the actor assigned the operation the ability to assign Access Levels scoped by location to a Person object.
    • RemovePersonFromRelativeResourceRole - This operation grants the actor assigned the operation the ability to remove relative Access Levels from a Person object.
    • RemovePersonFromResourceRole - This operation grants the actor assigned the operation the ability to remove directly assigned Access Levels from a Person object.
    • RemovePersonFromResourceRoleAssignmentsByLocation - This operation grants the actor assigned the operation the ability to remove Access Levels scoped by location from a Person object.
  • Self-Service Password Reset User

    This Access Level Definition grants the actor assigned the Access Level the ability to enroll in password self-service and to reset passwords and unlock accounts in EmpowerID, and has the following operations set to allowed.

    • Claim SSO Application Account - This operation grants the actor assigned the operation the ability to claim an account from an SSO application configured in EmpowerID, such as Google Apps. The actor must have this operation allowed for both the Person object and the SSO Application in question to complete the task without requiring approval.
    • Enable Person - This operation grants the actor assigned the operation the ability to enable a Person object.
    • Use - This operation grants the actor assigned the operation the ability to view a Person object.
    • Login - This operation grants the actor assigned the operation the ability to login to EmpowerID.
    • ResetPassword - This operation grants the actor assigned the operation the ability to reset a password for a Person object.
    • UnlockFromResetCenter - This operation grants the actor assigned the operation the ability to unlock an account for a Person object that has been locked out of the Password Reset Center.
    • UnlockPerson - This operation grants the actor assigned the operation the ability to unlock a Person object.
    • UnlockPersonAccounts - This operation grants the actor assigned the operation the ability to unlock accounts for a Person object.
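The two-resource rule that the AddToManagementRole, Assign Account to SSO Application and Claim SSO Application Account operations above describe (the same operation must be allowed on the object being acted on and on the actor it is joined to, otherwise the request needs approval) can be modelled in a few lines. The following is an added Python illustration, not EmpowerID code: the class and function names, the constructed sample policy table, the choice to treat a requester who holds the operation on neither resource as denied, and the criterion used to find eligible approvers are all assumptions for this example.

```python
"""Model of the dual-resource RBAC operation check described in the Person and
Management Role sections above. Added illustration, not EmpowerID code.

Assumptions for this example: the names below, the sample policy table, the DENY
outcome when the requester holds the operation on neither resource, and the
approver criterion (anyone holding the operation on both resources).
"""
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    COMPLETE = "complete"            # operation allowed on both resources
    ROUTE_FOR_APPROVAL = "approval"  # allowed on exactly one resource
    DENY = "deny"                    # allowed on neither (assumed behaviour)


@dataclass(frozen=True)
class Resource:
    resource_type: str  # e.g. "ManagementRole", "Person", "SSOApplication"
    name: str


@dataclass
class OperationGrants:
    """Which (requester, operation) pairs are allowed on which resources."""
    grants: dict[tuple[str, str], set[Resource]] = field(default_factory=dict)

    def allow(self, requester: str, operation: str, resource: Resource) -> None:
        self.grants.setdefault((requester, operation), set()).add(resource)

    def is_allowed(self, requester: str, operation: str, resource: Resource) -> bool:
        return resource in self.grants.get((requester, operation), set())


def evaluate_dual_operation(grants: OperationGrants, requester: str, operation: str,
                            target: Resource, actor: Resource) -> Decision:
    """Apply the two-resource rule: the same operation must be allowed on the target
    (e.g. a Management Role or SSO Application) and on the actor being joined to it
    (e.g. a Person). Allowed on one side only means the request goes to approval."""
    on_target = grants.is_allowed(requester, operation, target)
    on_actor = grants.is_allowed(requester, operation, actor)
    if on_target and on_actor:
        return Decision.COMPLETE
    if on_target or on_actor:
        return Decision.ROUTE_FOR_APPROVAL
    return Decision.DENY


def eligible_approvers(grants: OperationGrants, operation: str,
                       target: Resource, actor: Resource) -> set[str]:
    """Requesters who hold the operation on both resources (assumed approver criterion)."""
    return {
        requester
        for (requester, op) in grants.grants
        if op == operation
        and grants.is_allowed(requester, operation, target)
        and grants.is_allowed(requester, operation, actor)
    }


def build_sample_grants() -> OperationGrants:
    """Constructed sample policy for the example; not real EmpowerID data."""
    g = OperationGrants()
    helpdesk_role = Resource("ManagementRole", "Helpdesk Managers")
    bob = Resource("Person", "bob")
    gapps = Resource("SSOApplication", "Google Apps")
    # alice may add actors to the Helpdesk Managers role but holds nothing on bob,
    # so adding bob is routed for approval rather than completed
    g.allow("alice", "AddToManagementRole", helpdesk_role)
    # carol holds AddToManagementRole on both the role and bob: completes directly
    g.allow("carol", "AddToManagementRole", helpdesk_role)
    g.allow("carol", "AddToManagementRole", bob)
    # carol may also claim a Google Apps account for bob (allowed on Person and SSO app)
    g.allow("carol", "Claim SSO Application Account", bob)
    g.allow("carol", "Claim SSO Application Account", gapps)
    return g


if __name__ == "__main__":
    g = build_sample_grants()
    role = Resource("ManagementRole", "Helpdesk Managers")
    bob = Resource("Person", "bob")
    for who in ("alice", "carol", "dave"):
        print(who, evaluate_dual_operation(g, who, "AddToManagementRole", role, bob).value)
    print("approvers:", eligible_approvers(g, "AddToManagementRole", role, bob))
```

The point to check in a real deployment is the asymmetric case: a requester who holds the operation on the Management Role or SSO Application but not on the Person gets approval routing, not a silent completion, and the approver must hold the operation on both sides, so reviewing who holds AddToManagementRole on Person objects is as important as reviewing who holds it on the roles themselves.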

SAML SSO Connection

  • EmpowerID Administrator

    In addition to many of the operations common to all EmpowerID Administrator Access Level Definitions, the EmpowerID Administrator Access Level Definition has the following operations allowed for the SAML SSO Connection Resource Type.

    • Add Attribute Statement - This operation grants the actor assigned the operation the ability to add an attribute statement to a SAML SSO Connection object.
    • Add Encrypting Statement - This operation grants the actor assigned the operation the ability to add an encrypting statement to a SAML SSO Connection object.
    • Add Signing Certificate - This operation grants the actor assigned the operation the ability to add a signing certificate to a SAML SSO Connection object.
    • Create - This operation grants the actor assigned the operation the ability to create a new SAML SSO Connection object.
    • Create SAML Single Sign On Audience Association - This operation grants the actor assigned the operation the ability to create a new Audience Association for a SAML SSO Connection object.
    • Create SAML Single Sign On Certificates Associations - This operation grants the actor assigned the operation the ability to add a certificate to a SAML SSO Connection object.
    • Create SAML Single Sign On Subject Confirmation Association - This operation grants the actor assigned the operation the ability to add a Subject Confirmation to a SAML SSO Connection object.
    • Create SSO Connection - This operation grants the actor assigned the operation the ability to create a new SAML SSO Connection object.
    • Delete SAML SSO Connection - This operation grants the actor assigned the operation the ability to delete a SAML SSO Connection object.
    • Edit Assertion Consumer Service URL for Partnership - This operation grants the actor assigned the operation the ability to edit the ACS URL for a SAML SSO Connection (SP) object.
    • Edit Assertion Encryption Algorithm - This operation grants the actor assigned the operation the ability to edit the Assertion Encryption Method for a SAML SSO Connection object.
    • Edit Attribute Encryption Algorithm - This operation grants the actor assigned the operation the ability to edit the Attribute Encryption Method for a SAML SSO Connection object.
    • Edit Audience Restrictions - This operation grants the actor assigned the operation the ability to edit the Audience Restriction properties for a SAML SSO Connection object.
    • Edit Connection Account Store - This operation grants the actor assigned the operation the ability to edit the account store created for a SAML SSO Connection object.
    • Edit Connection Authentication Request - This operation grants the actor assigned the operation the ability to edit the type of authentication request for a SAML SSO Connection object.
    • Edit Connection Name Attributes - This operation grants the actor assigned the operation the ability to edit the Name and Display Names for a SAML SSO Connection object.
    • Edit IDP URL - This operation grants the actor assigned the operation the ability to edit the IDP URL for a SAML SSO Connection (IdP) object.
    • Edit Issuer Name - This operation grants the actor assigned the operation the ability to edit the Issuer field for a SAML SSO Connection object.
    • Edit Issuer Qualifier Settings - This operation grants the actor assigned the operation the ability to edit the Issuer Qualifier Settings for a SAML SSO Connection object.
    • Edit Login WF ACS URL - This operation grants the actor assigned the operation the ability to edit the Login Workflow ACS URL field for a SAML SSO Connection object.
    • Edit Logo Image - This operation grants the actor assigned the operation the ability to edit the Logo Image field for a SAML SSO Connection object.
    • Edit Name Identifier Format Type - This operation grants the actor assigned the operation the ability to edit the Name Identifier Format type for a SAML SSO Connection object.
    • Edit Name Identifier Method - This operation grants the actor assigned the operation the ability to edit the Name Identifier Method for a SAML SSO Connection object.
    • Edit Request Workflow - This operation grants the actor assigned the operation the ability to edit the Request Workflow associated with a SAML SSO Connection object, if any.
    • Edit SAML Name Qualifier For Partnership - This operation grants the actor assigned the operation the ability to edit the Name Qualifier field for a SAML SSO Connection object.
    • Edit SAML Single Sign On Domain - This operation grants the actor assigned the operation the ability to edit the domain used for a SAML SSO Connection object.
    • Edit SAML SPNameQualifier for Partnership - This operation grants the actor assigned the operation the ability to edit the SP Name Qualifier field for a SAML SSO Connection object.
    • Edit Signature Algorithm - This operation grants the actor assigned the operation the ability to edit the Signature Algorithm used with a SAML SSO Connection object.
    • Edit Single Logout Settings - This operation grants the actor assigned the operation the ability to edit the Single Logout settings for a SAML SSO Connection object.
    • Edit Target URL - This operation grants the actor assigned the operation the ability to edit the Target IDP/SP URL for a SAML SSO Connection object.
    • Remove Attribute Statement - This operation grants the actor assigned the operation the ability to remove an Attribute Statement from a SAML SSO Connection object.
    • Remove Encrypting Certificate - This operation grants the actor assigned the operation the ability to remove an Encrypting Certificate from a SAML SSO Connection object.
    • Remove Signing Certificate - This operation grants the actor assigned the operation the ability to remove a Signing Certificate from a SAML SSO Connection object.

Separation of Duties

  • EmpowerID Administrator

    In addition to the operations common to all EmpowerID Administrator Access Level Definitions, the EmpowerID Administrator Access Level Definition has the following operations allowed for the Separation of Duties Resource Type.

    • Delete - This operation grants the actor assigned the operation the ability to delete a specific Separation of Duties (SoD) policy.
    • Edit - This operation grants the actor assigned the operation the ability to edit a specific SoD policy.
    • EditTag - This operation grants the actor assigned the operation the ability to edit the tag associated with a specific SoD policy.
    • Provision - This operation grants the actor assigned the operation the ability to create a new SoD policy.
    • Review - This operation grants the actor assigned the operation the ability to review violations to a SoD policy.
  • ReUse

    This Access Level grants the actor assigned the Access Level the ability to review violations to Separation of Duties policies and has the following operations allowed:

    • Use - This operation grants the actor assigned the operation the ability to see a specific Separation of Duties policy.
    • Review - This operation grants the actor assigned the operation the ability to review violations to a specific Separation of Duties policy.

Set Group

  • EmpowerID Administrator

    In addition to the operations common to all EmpowerID Administrator Access Level Definitions, the EmpowerID Administrator Access Level Definition has the following operations allowed for the Set Group Resource Type.

    • AddToManagementRole - This is an RBAC Assignment operation that grants the actor assigned the operation the ability to add another EmpowerID Actor type to a Management Role as an actor, giving them the ability to add Access Levels to the Management Role. To complete this assignment, the actor making the assignment must also have the AddToManagementRole operation allowed for the Management Role in question.
    • RemoveFromManagementRole - This is an RBAC Assignment operation that grants the actor assigned the operation the ability to remove another EmpowerID Actor type from a Management Role as an actor, removing their ability to add Access Levels to the Management Role. To complete this assignment, the actor making the assignment must also have the RemoveFromManagementRole operation allowed for the Management Role in question.
  • Access Level Assigner

    Beyond the operations common to all Access Level Assigner Access Level Definitions, the Access Level Assigner for Set Groups has the following additional operations allowed.

    • AddSetGroupToResourceRole - This operation grants the actor assigned the operation the ability to assign Access Levels directly to a Set Group.
    • AddSetGroupToResourceRoleAssignmentByLocation - This operation grants the actor assigned the operation the ability to assign Access Levels scoped by location to a Set Group.
    • RemoveSetGroupFromResourceRole - This operation grants the actor assigned the operation the ability to remove Access Levels directly from a Set Group.
    • RemoveSetGroupFromResourceRoleAssignmentByLocation - This operation grants the actor assigned the operation the ability to remove Access Levels scoped by location from a Set Group.

SSO Application

  • EmpowerID Administrator

    In addition to many of the operations common to all EmpowerID Administrator Access Level Definitions, the EmpowerID Administrator Access Level Definition has the following operations allowed for the SSO Application Resource Type.

    • Assign Account to SSO Application - This operation grants the actor assigned the operation the ability to register an account for a given SSO application configured in EmpowerID to a Person. This operation must be allowed for both the SSO application and the Person in question to complete the task without requiring approval.
    • Create - This operation grants the actor assigned the operation the ability to create a new SSO Application object.
    • Edit - This operation grants the actor assigned the operation the ability to edit an SSO Application object.
    • Delete - This operation grants the actor assigned the operation the ability to delete an SSO Application object.
    • EditTag - This operation grants the actor assigned the operation the ability to edit the tag associated with an SSO Application object.
    • Claim SSO Application Account - This operation grants the actor assigned the operation the ability to claim an account from an SSO application configured in EmpowerID, such as Google Apps. The actor must have this operation allowed for both the Person object and the SSO Application in question to complete the task without requiring approval.
    • Unassign Account from SSO Application - This operation grants the actor assigned the operation the ability to remove from a Person an account for a given SSO application configured in EmpowerID. This operation must be allowed for both the SSO application and the Person in question to complete the task without requiring approval.
  • SSO Application User

    This Access Level grants the actor assigned the Access Level the ability to claim an account for an SSO Application that has been configured in EmpowerID, such as Google Apps. This Access Level has the following operations allowed.

    • Use - This operation grants the actor assigned the operation the ability to view any SSO Application objects for which the operation is assigned.
    • Claim SSO Application Account - This operation grants the actor assigned the operation the ability to claim an account from an SSO application configured in EmpowerID, such as Google Apps. The actor must have this operation allowed for both the Person object and the SSO Application in question to complete the task without requiring approval.

SSO Application Definition

  • EmpowerID Administrator

    In addition to many of the operations common to all EmpowerID Administrator Access Level Definitions, the EmpowerID Administrator Access Level Definition has the following operations allowed for the SSO Application Definition Resource Type.

    • Create - This operation grants the actor assigned the operation the ability to create a new SSO Application Definition object.
    • Edit - This operation grants the actor assigned the operation the ability to edit an SSO Application Definition object.
    • Delete - This operation grants the actor assigned the operation the ability to delete an SSO Application Definition object.
    • EditTag - This operation grants the actor assigned the operation the ability to edit the tag associated with an SSO Application Definition object.
    • Claim SSO Application Account - This operation grants the actor assigned the operation the ability to claim an account from an SSO application configured in EmpowerID, such as Google Apps. The actor must have this operation allowed for both the Person object and the SSO Application in question to complete the task without requiring approval.

SharePoint (Document, Folder, and List)

  • Approve

    This Access Level Definition contains no EmpowerID Operations. It is used to grant native Approve permissions for SharePoint objects managed by EmpowerID.

  • Contribute

    This Access Level Definition contains no EmpowerID Operations. It is used to grant native Contribute permissions for SharePoint objects managed by EmpowerID.

  • Design

    This Access Level Definition contains no EmpowerID Operations. It is used to grant native Design permissions for SharePoint objects managed by EmpowerID.

  • Full Control

    This Access Level Definition contains no EmpowerID Operations. It is used to grant native Full Control permissions for SharePoint objects managed by EmpowerID.

  • Limited Access

    This Access Level Definition contains no EmpowerID Operations. It is used to grant native Limited Access permissions for SharePoint objects managed by EmpowerID.

  • Manage Hierarchy

    This Access Level Definition contains no EmpowerID Operations. It is used to grant native Manage Hierarchy permissions for SharePoint objects managed by EmpowerID.

  • Read Only

    This Access Level Definition contains no EmpowerID Operations. It is used to grant native Read permissions for SharePoint objects managed by EmpowerID.

  • Restricted Read

    This Access Level Definition contains no EmpowerID Operations. It is used to grant native Restricted Read permissions for SharePoint objects managed by EmpowerID.

User Account

  • Administrator and EmpowerID Administrator

    In addition to many of the operations common to all Administrator and EmpowerID Administrator Access Level Definitions, the Administrator and EmpowerID Administrator Access Level Definitions both have the following operations allowed for the User Account Resource Type.

    • AddToManagementRole - This is an RBAC Assignment operation that grants the actor assigned the operation the ability to add another EmpowerID Actor type to a Management Role as an actor, giving them the ability to add Access Levels to the Management Role. To complete this assignment, the actor making the assignment must also have the AddToManagementRole operation allowed for the Management Role in question.
    • Allow Login - This operation grants the actor assigned the operation the ability to select the Allow Login option on the Advanced Tab of the Account Details Screen.
    • ChangePassword - This operation grants the actor assigned the operation the ability to change the password of a user account.
    • ClaimAccount - This operation grants the actor assigned the operation the ability to claim an orphaned account.
    • Create User Home Folder - This operation grants the actor assigned the operation the ability to create a home folder.
    • Disable User - This operation grants the actor assigned the operation the ability to disable a user account from the Password Options section of the Account Tab on the Account Details Screen.
    • Edit Terminal Services Access - This operation grants the actor assigned the operation the ability to select or deselect the Allow this user permissions to log on to Terminal Services option from the Profile Section of the Remote Desktop Tab on the Account Details Screen.
    • Edit Terminal Services Profile - This operation grants the actor assigned the operation the ability to edit the Profile Path for an account from the Profile Section of the Remote Desktop Tab on the Account Details Screen.
    • Edit User Account Home Folder - This operation grants the actor assigned the operation the ability to edit the Home Directory for an account from the Profile Section of the Remote Desktop Tab on the Account Details Screen.
    • Edit User Account Profile - This operation grants the actor assigned the operation the ability to edit the Profile settings for an account from the Profile Tab of the Account Details Screen.
    • Edit User Advanced Settings - This operation grants the actor assigned the operation the ability to edit the settings applied to the Prevent Deletion in EmpowerID and Hide in EmpowerID settings for accounts from the Advanced Tab of the Account Details Screen.
    • Edit User Expiration - This operation grants the actor assigned the operation the ability to set the expiration date for an account in Active Directory.
    • Edit User Extension Attributes - This operation grants the actor assigned the operation the ability to edit the user extension attributes from the Extension Tab of the Account Details Screen.
    • Edit User Name Attributes - This operation grants the actor assigned the operation the ability to edit the user name attributes from the Account Name Information section of the Account Tab on the Account Details Screen.
    • Edit User Organization Attributes - This operation grants the actor assigned the operation the ability to edit the Organization Information section for an account from the Organization Tab of the Account Details Screen.
    • Edit User Password Options - This operation grants the actor assigned the operation the ability to edit the Password Options settings for an account from the Account Tab of the Account Details Screen.
    • Edit User Terminal Services Environment - This operation grants the actor assigned the operation the ability to edit the Terminal Services Environment settings for an account from the Environment section of the Remote Desktop Tab of the Account Details Screen.
    • Edit User Terminal Services Home Drive - This operation grants the actor assigned the operation the ability to edit the Terminal Services Home Drive setting for an account from the Profile section of the Remote Desktop Tab on the Account Details Screen.
    • Edit User Terminal Services Remote Control - This operation grants the actor assigned the operation the ability to edit the Terminal Services Remote Control settings for an account from Remote Control section of the Remote Desktop Tab on the Account Details Screen.
    • Edit User Terminal Services Session - This operation grants the actor assigned the operation the ability to edit the Terminal Services Session settings for an account from Session and Timeout Settings section of the Remote Desktop Tab on the Account Details Screen.
    • Enable Require SmartCard Logon - This operation grants the actor assigned the operation the ability to set the Require SmartCard Logon option for an account from the Password Options section of the Account Tab on the Account Details Screen.
    • Enable User - This operation grants the actor assigned the operation the ability to enable a disabled account from the Password Options section of the Account Tab on the Account Details Screen.
    • JoinAccountToPerson - This operation grants the actor assigned the operation the ability to join an orphaned account to a Person object.
    • MailDisable - This operation grants the actor assigned the operation the ability to remove the Mail-enabled flag from an account.
    • MailDisableAccount - This operation grants the actor assigned the operation the ability to remove the Mail-enabled flag from an account.
    • MailEnable - This operation grants the actor assigned the operation the ability to set an account as mail-enabled, making it available in the Exchange GAL.
    • MailEnableAccount - This operation grants the actor assigned the operation the ability to set an account as mail-enabled, making it available in the Exchange GAL.
    • MoveAccount - This operation grants the actor assigned the operation the ability to move an account from one location to another.
    • RemoveFromManagementRole - This is an RBAC Assignment operation that grants the actor assigned the operation the ability to remove another EmpowerID Actor type from a Management Role as an actor, removing their ability to add Access Levels to the Management Role. To complete this assignment, the actor making the assignment must also have the RemoveFromManagementRole operation allowed for the Management Role in question.
    • ResetPassword - This operation grants the actor assigned the operation the ability to reset a password for an account.
    • RestoreDeletedAccount - This operation grants the actor assigned the operation the ability to restore a deleted account.
    • RestoreDeletedMailbox - This operation grants the actor assigned the operation the ability to restore a mailbox that has been deleted from an account.
    • Set Account Manager - This operation grants the actor assigned the operation the ability to select the AD line manager for an account.
    • SetAllowDialIn - This operation grants the actor assigned the operation the ability to set the Allow Dialin option for an account from the Password Options section on the Account Tab of the Account Details Screen.
    • UnlockUser - This operation grants the actor assigned the operation the ability to unlock an account that is locked in Active Directory.
    • UnlockPersonAccounts - This operation grants the actor assigned the operation the ability to unlock accounts for a Person object.
    • ViewAccountNameInformationAttributes - This operation grants the actor assigned the operation the ability to view the Account Name Information section on the Account Tab of the Account Details Screen.
    • ViewAddressandPhoneNumberAttributes - This operation grants the actor assigned the operation the ability to view the Address and Phone Numbers section on the Organization Tab of the Account Details Screen.
    • ViewAdvancedAttributeInformation - This operation grants the actor assigned the operation the ability to view the Advanced Attribute Information section on the Advanced Tab of the Account Details Screen.
    • ViewExtensionAtttributes - This operation grants the actor assigned the operation the ability to view the Extension Attributes section on the Extension Tab of the Account Details Screen.
    • ViewOrganizationInformationAttributes - This operation grants the actor assigned the operation the ability to view the Organization Information section on the Organization Tab of the Account Details Screen.
    • ViewPasswordOptionAttributes - This operation grants the actor assigned the operation the ability to view the Password Options section on the Account Tab of the Account Details Screen.
    • ViewProfileOptionAttributes - This operation grants the actor assigned the operation the ability to view the Profile Options section on the Profile Tab of the Account Details Screen.
    • ViewRemoteDesktopAttributes - This operation grants the actor assigned the operation the ability to view the Remote Desktop Tab of the Account Details Screen.
    • ViewRemoteDesktopEnvironmentAttributes - This operation grants the actor assigned the operation the ability to view the Environment section on the Remote Desktop Tab of the Account Details Screen.
    • ViewRemoteDesktopProfileAttributes - This operation grants the actor assigned the operation the ability to view the Profile section on the Remote Desktop Tab of the Account Details Screen.
    • ViewRemoteDesktopRemoteControlAttributes - This operation grants the actor assigned the operation the ability to view the Remote Control section on the Remote Desktop Tab of the Account Details Screen.
    • ViewRemoteDesktopSessionandTimeOutSettings - This operation grants the actor assigned the operation the ability to view the Session and Timeout Settings section on the Remote Desktop Tab of the Account Details Screen.
  • EmpowerID Administrator

    In addition to the operations common to all EmpowerID Administrator Access Level Definitions and those shared with the Administrator Access Level Definition mentioned directly above, the EmpowerID Administrator Access Level Definition has the following operations allowed for the User Account Resource Type.

    • UnjoinAccountFromPerson - This operation grants the actor assigned the operation the ability to unlink an account from the EmpowerID Person to which it is linked.
    • ViewEmployeeIDs - This operation grants the actor assigned the operation the ability to view the EmployeeID attribute for an EmpowerID Person's AD user account.
  • Co-Owner

    This Access Level Definition grants owner status for an account and has the following operations set to allowed.

    • Use - This operation grants the actor assigned the operation the ability to view an account.
    • ManageAnyResourceRole - This operation grants the actor assigned the operation the ability to assign or unassign any EmpowerID Access Levels for an account, such as the Use Access Level for a specific computer object, to any other EmpowerID Actor type. This operation is needed to grant or revoke direct assignments of Access Levels for a particular resource object to users.
    • ManageAnyResourceRoleAssignmentByLocation - This operation grants the actor assigned the operation the ability to assign Access Levels by location for an account. This operation is needed to grant or revoke assignments of Access Levels, such as the Use Access Level, to another EmpowerID Actor type, for resource objects by location, meaning the actor needs to have this operation allowed at or below the location for which they are making a by-location Access Level assignment; otherwise the operation will route for approval.
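The dual-operation rule behind the RBAC assignment operations above (AddToManagementRole, Assign Account to SSO Application, ManageAnyResourceRole and its by-location variant) is easy to get wrong when reasoning about who can grant what, so the following added example models it in Python. It is an illustration written for this page, not EmpowerID code: the grant store, the decision strings, the slash-separated location paths and the actor/resource identifiers are all assumptions. The page only says what happens when the operation is allowed on one side but not the other (the request routes for approval); treating "allowed on neither side" as a flat refusal is this example's own choice.

```python
"""Model of the EmpowerID dual-operation check for RBAC assignment operations.
Added illustration, not EmpowerID code. All identifiers, the in-memory grant
store and the location path format are hypothetical assumptions."""
from dataclasses import dataclass, field

ALLOW = "allow"                  # operation allowed on both the resource and the target actor
ROUTE = "route_for_approval"     # allowed on only one side: page says this routes for approval
DENY = "deny"                    # allowed on neither side (assumption: not described on the page)


@dataclass(frozen=True)
class Location:
    """Hierarchical location; 'Global/EMEA/Berlin' is assumed to lie under 'Global/EMEA'."""
    path: str

    def is_at_or_below(self, scope: "Location") -> bool:
        # The assignment location must sit at, or somewhere under, the scope of the grant.
        return self.path == scope.path or self.path.startswith(scope.path + "/")


@dataclass
class GrantStore:
    # (actor_id, operation, resource_id): operation allowed for that one resource object.
    direct: set = field(default_factory=set)
    # (actor_id, operation, Location): operation allowed for resources in that location tree.
    by_location: set = field(default_factory=set)

    def allowed_on(self, actor_id: str, operation: str, resource_id: str) -> bool:
        return (actor_id, operation, resource_id) in self.direct

    def allowed_at(self, actor_id: str, operation: str, location: Location) -> bool:
        return any(a == actor_id and o == operation and location.is_at_or_below(scope)
                   for a, o, scope in self.by_location)


def decide(on_resource: bool, on_target: bool) -> str:
    """Combine the two halves of a dual operation into one outcome."""
    if on_resource and on_target:
        return ALLOW
    if on_resource or on_target:
        return ROUTE
    return DENY


def decide_direct_assignment(store: GrantStore, actor_id: str, operation: str,
                             resource_id: str, target_actor_id: str) -> str:
    """E.g. AddPersonToUse: the operation must be allowed for the computer (resource side)
    and for the Person receiving the Access Level (target side)."""
    return decide(store.allowed_on(actor_id, operation, resource_id),
                  store.allowed_on(actor_id, operation, target_actor_id))


def decide_by_location_assignment(store: GrantStore, actor_id: str, operation: str,
                                  location: Location, target_actor_id: str) -> str:
    """E.g. ManageAnyResourceRoleAssignmentByLocation: the resource side is satisfied by a
    grant whose scope covers the assignment location; the target-actor side is unchanged."""
    return decide(store.allowed_at(actor_id, operation, location),
                  store.allowed_on(actor_id, operation, target_actor_id))


def sample_store() -> GrantStore:
    """Constructed sample grants for one actor, 'vivian' (hypothetical data)."""
    return GrantStore(
        direct={
            ("vivian", "AddPersonToUse", "computer:ws01"),
            ("vivian", "AddPersonToUse", "person:bob"),
            ("vivian", "ManageAnyResourceRoleAssignmentByLocation", "person:bob"),
        },
        by_location={
            ("vivian", "ManageAnyResourceRoleAssignmentByLocation", Location("Global/EMEA")),
        },
    )


if __name__ == "__main__":
    s = sample_store()
    print(decide_direct_assignment(s, "vivian", "AddPersonToUse", "computer:ws01", "person:bob"))
    print(decide_direct_assignment(s, "vivian", "AddPersonToUse", "computer:ws01", "person:carol"))
    print(decide_by_location_assignment(s, "vivian", "ManageAnyResourceRoleAssignmentByLocation",
                                        Location("Global/EMEA/Berlin"), "person:bob"))
    print(decide_by_location_assignment(s, "vivian", "ManageAnyResourceRoleAssignmentByLocation",
                                        Location("Global"), "person:bob"))
```

The last call is the edge case worth noticing: holding the by-location operation at Global/EMEA does not let the actor make an assignment scoped at Global, because Global is above, not at or below, the granted scope, so that request routes for approval even though the target-actor half of the check passes.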
  • Editor

    This Access Level Definition grants the actor assigned the Access Level the ability to edit an account in EmpowerID and has the following operations set to allowed.

    • Edit User Demographics - This operation grants the actor assigned the operation the ability to update demographic information for the EmpowerID Person linked to an account.
    • Edit User Name Attributes - This operation grants the actor assigned the operation the ability to edit the user attributes on the Account Name Information section on the Account Tab of the Account Details Screen.
    • Edit User Organization Attributes - This operation grants the actor assigned the operation the ability to edit the user attributes on the Organization Information and Address and Phone Numbers section on the Organization Tab of the Account Details Screen.
    • Use - This operation grants the actor assigned the operation the ability to view an account.
    • Set Account Manager - This operation grants the actor assigned the operation the ability to select the AD line manager for an account.
    • ViewAccountNameInformationAttributes - This operation grants the actor assigned the operation the ability to view the Account Name Information section on the Account Tab of the Account Details Screen.
    • ViewAddressandPhoneNumberAttributes - This operation grants the actor assigned the operation the ability to view the Address and Phone Numbers section on the Organization Tab of the Account Details Screen.
    • ViewAdvancedAttributeInformation - This operation grants the actor assigned the operation the ability to view the Advanced Attribute Information section on the Advanced Tab of the Account Details Screen.
    • ViewEmployeeIDs - This operation grants the actor assigned the operation the ability to view the EmployeeID attribute for an EmpowerID Person's AD user account.
    • ViewExtensionAtttributes - This operation grants the actor assigned the operation the ability to view the Extension Attributes section on the Extension Tab of the Account Details Screen.
    • ViewOrganizationInformationAttributes - This operation grants the actor assigned the operation the ability to view the Organization Information section on the Organization Tab of the Account Details Screen.
    • ViewPasswordOptionAttributes - This operation grants the actor assigned the operation the ability to view the Password Options section on the Account Tab of the Account Details Screen.
    • ViewProfileOptionAttributes - This operation grants the actor assigned the operation the ability to view the Profile Options section on the Profile Tab of the Account Details Screen.
    • ViewRemoteDesktopAttributes - This operation grants the actor assigned the operation the ability to view the Remote Desktop Tab of the Account Details Screen.
    • ViewRemoteDesktopEnvironmentAttributes - This operation grants the actor assigned the operation the ability to view the Environment section on the Remote Desktop Tab of the Account Details Screen.
    • ViewRemoteDesktopProfileAttributes - This operation grants the actor assigned the operation the ability to view the Profile section on the Remote Desktop Tab of the Account Details Screen.
    • ViewRemoteDesktopRemoteControlAttributes - This operation grants the actor assigned the operation the ability to view the Remote Control section on the Remote Desktop Tab of the Account Details Screen.
    • ViewRemoteDesktopSessionandTimeOutSettings - This operation grants the actor assigned the operation the ability to view the Session and Timeout Settings section on the Remote Desktop Tab of the Account Details Screen.
  • Helpdesk

    This Access Level Definition grants the actor assigned the Access Level the ability to perform account management activities in EmpowerID and has the following operations set to allowed.

    • ChangePassword - This operation grants the actor assigned the operation the ability to change the password of a user account.
    • Create User Home Folder - This operation grants the actor assigned the operation the ability to create a home folder.
    • Disable User - This operation grants the actor assigned the operation the ability to disable a user account from the Password Options section of the Account Tab on the Account Details Screen.
    • Edit Terminal Services Access - This operation grants the actor assigned the operation the ability to edit the Terminal Services access setting for an account.
    • Edit Terminal Services Profile - This operation grants the actor assigned the operation the ability to edit the Terminal Services profile for an account.
    • Edit User Account Home Folder - This operation grants the actor assigned the operation the ability to edit the Home Directory for an account from the Profile Section of the Remote Desktop Tab on the Account Details Screen.
    • Edit User Expiration - This operation grants the actor assigned the operation the ability to set the expiration date for an account in Active Directory.
    • Edit User Extension Attributes - This operation grants the actor assigned the operation the ability to edit the Extension Attributes section on the Extension Tab of the Account Details Screen.
    • Edit User Name Attributes - This operation grants the actor assigned the operation the ability to edit the Account Name Information section on the Account Tab of the Account Details Screen.
    • Edit User Organization Attributes - This operation grants the actor assigned the operation the ability to edit the Organization Information section on the Organization Tab of the Account Details Screen.
    • Edit User Password Options - This operation grants the actor assigned the operation the ability to edit the Password Options settings for an account from the Account Tab of the Account Details Screen.
    • Edit User Terminal Services Environment - This operation grants the actor assigned the operation the ability to edit the Terminal Services Environment settings for an account from the Environment section of the Remote Desktop Tab of the Account Details Screen.
    • Edit User Terminal Services Home Drive - This operation grants the actor assigned the operation the ability to edit the Terminal Services Home Drive setting for an account from the Profiles section of the Remote Desktop Tab on the Account Details Screen.
    • Edit User Terminal Services Remote Control - This operation grants the actor assigned the operation the ability to edit the Terminal Services Remote Control settings for an account from the Remote Control section of the Remote Desktop Tab on the Account Details Screen.
    • Edit User Terminal Services Session - This operation grants the actor assigned the operation the ability to edit the Terminal Services Session settings for an account from the Session and Timeout Settings section of the Remote Desktop Tab on the Account Details Screen.
    • Use - This operation grants the actor assigned the operation the ability to view an account.
    • MailDisable - This operation grants the actor assigned the operation the ability to remove the Mail-enabled flag from an account.
    • MailDisableAccount - This operation grants the actor assigned the operation the ability to remove the Mail-enabled flag from an account.
    • MailEnable - This operation grants the actor assigned the operation the ability to set an account as mail-enabled, making it available in the Exchange GAL.
    • MailEnableAccount - This operation grants the actor assigned the operation the ability to set an account as mail-enabled, making it available in the Exchange GAL.
    • MoveAccount - This operation grants the actor assigned the operation the ability to move an account from one location to another.
    • ResetPassword - This operation grants the actor assigned the operation the ability to reset a password for an account.
    • RestoreDeletedAccount - This operation grants the actor assigned the operation the ability to restore a deleted account.
    • RestoreDeletedMailbox - This operation grants the actor assigned the operation the ability to restore a mailbox that has been deleted from an account.
    • Set Account Manager - This operation grants the actor assigned the operation the ability to select the AD line manager for an account.
    • Unlock User - This operation grants the actor assigned the operation the ability to unlock an account that is locked in Active Directory.
    • ViewAccountNameInformationAttributes - This operation grants the actor assigned the operation the ability to view the Account Name Information section on the Account Tab of the Account Details Screen.
    • ViewAddressandPhoneNumberAttributes - This operation grants the actor assigned the operation the ability to view the Address and Phone Numbers section on the Organization Tab of the Account Details Screen.
    • ViewAdvancedAttributeInformation - This operation grants the actor assigned the operation the ability to view the Advanced Attribute Information section on the Advanced Tab of the Account Details Screen.
    • ViewExtensionAtttributes - This operation grants the actor assigned the operation the ability to view the Extension Attributes section on the Extension Tab of the Account Details Screen.
    • ViewOrganizationInformationAttributes - This operation grants the actor assigned the operation the ability to view the Organization Information section on the Organization Tab of the Account Details Screen.
    • ViewPasswordOptionAttributes - This operation grants the actor assigned the operation the ability to view the Password Options section on the Account Tab of the Account Details Screen.
    • ViewProfileOptionAttributes - This operation grants the actor assigned the operation the ability to view the Profile Options section on the Profile Tab of the Account Details Screen.
    • ViewRemoteDesktopAttributes - This operation grants the actor assigned the operation the ability to view the Remote Desktop Tab of the Account Details Screen.
    • ViewRemoteDesktopEnvironmentAttributes - This operation grants the actor assigned the operation the ability to view the Environment section on the Remote Desktop Tab of the Account Details Screen.
    • ViewRemoteDesktopProfileAttributes - This operation grants the actor assigned the operation the ability to view the Profile section on the Remote Desktop Tab of the Account Details Screen.
    • ViewRemoteDesktopRemoteControlAttributes - This operation grants the actor assigned the operation the ability to view the Remote Control section on the Remote Desktop Tab of the Account Details Screen.
    • ViewRemoteDesktopSessionandTimeOutSettings - This operation grants the actor assigned the operation the ability to view the Session and Timeout Settings section on the Remote Desktop Tab of the Account Details Screen.
  • Password Manager

    This Access Level Definition grants the actor assigned the Access Level the ability to assist users by resetting passwords and unlocking accounts in EmpowerID and has the following operations set to allowed.

    • ChangePassword - This operation grants the actor assigned the operation the ability to change the password for an account.
    • Edit User Password Options - This operation grants the actor assigned the operation the ability to edit the Password Options section of the Account Tab of the Account Details Screen.
    • Use - This operation grants the actor assigned the operation the ability to view an account.
    • Login - This operation grants the actor assigned the operation the ability to login to EmpowerID.
    • ResetPassword - This operation grants the actor assigned the operation the ability to reset a password for an account.
    • Unlock User - This operation grants the actor assigned the operation the ability to unlock an account associated with an EmpowerID Person.
    • ViewAccountNameInformationAttributes - This operation grants the actor assigned the operation the ability to view the Account Name Information section on the Account Tab of the Account Details Screen.
    • ViewPasswordOptionAttributes - This operation grants the actor assigned the operation the ability to view the Password Options section on the Account Tab of the Account Details Screen.
  • Access Level Assigner

    Beyond the operations common to all Access Level Assigner Access Level Definitions, the Access Level Assigner for User Accounts has the following additional operations allowed.

    • AddAccountToResourceRole - This operation grants the actor assigned the operation the ability to assign Access Levels directly to an account.
    • RemoveAccountFromResourceRole - This operation grants the actor assigned the operation the ability to remove Access Levels directly from an account.

Windows Shared Folder

  • Administrator and EmpowerID Administrator

    In addition to many of the operations common to all Administrator and EmpowerID Administrator Access Level Definitions, the Administrator and EmpowerID Administrator Access Level Definitions both have the following operations allowed for the Windows Shared Folder Resource Type.

    • RegisterExistingShare - This operation grants the actor assigned the operation the ability to register a share in EmpowerID that exists on a computer managed by EmpowerID.
  • Co-Owner

    This Access Level Definition grants owner status for a shared folder and has the following operations set to allowed.

    • Use - This operation grants the actor assigned the operation the ability to view an account.
    • ManageAnyResourceRole - This operation grants the actor assigned the operation the ability to assign or unassign Access Levels for an account.
    • ManageAnyResourceRoleAssignmentByLocation - This operation grants the actor assigned the operation the ability to assign Access Levels by location for an account.
  • Deny All

    This Access Level Definition contains no EmpowerID Operations. It is used to deny access to Shared Folders.

  • Full control

    This Access Level Definition contains no EmpowerID Operations. It is used to grant the following NTFS File System rights for Shared Folders managed by EmpowerID.

    • AppendData
    • ChangePermissions
    • Delete
    • DeleteSubdirectoriesAndFiles
    • ExecuteFile
    • ReadAttributes
    • ReadData
    • ReadExtendedAttributes
    • ReadPermissions
    • Synchronize
    • TakeOwnership
    • WriteAttributes
    • WriteData
    • WriteExtendedAttributes
  • Modify

    This Access Level Definition contains no EmpowerID Operations. It is used to grant the following NTFS File System rights for Shared Folders managed by EmpowerID.

    • ReadAttributes
    • ReadData
    • ReadExtendedAttributes
    • ReadPermissions
    • WriteAttributes
    • WriteData
    • WriteExtendedAttributes
  • Read Only

    This Access Level Definition contains no EmpowerID Operations. It is used to grant the following NTFS File System rights for Shared Folders managed by EmpowerID.

    • ReadAttributes
    • ReadData
    • ReadExtendedAttributes
    • ReadPermissions
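
The three NTFS rights lists above are what EmpowerID grants for Full control, Modify and Read Only. The following PowerShell, added here as an example and not part of EmpowerID or its documentation, ORs each list into a FileSystemRights mask and classifies access control entries against them, so a share's ACL can be audited for grants that match none of the documented definitions. The sample ACEs and identity names are constructed; the share path in the usage note is a placeholder.

```powershell
# Added example (not EmpowerID code): classify Shared Folder ACEs against the
# Full control, Modify and Read Only Access Level Definitions listed above.
using namespace System.Security.AccessControl

# The NTFS rights exactly as documented for each Access Level Definition.
$AccessLevelRights = [ordered]@{
    'Full control' = 'AppendData','ChangePermissions','Delete','DeleteSubdirectoriesAndFiles',
                     'ExecuteFile','ReadAttributes','ReadData','ReadExtendedAttributes',
                     'ReadPermissions','Synchronize','TakeOwnership','WriteAttributes',
                     'WriteData','WriteExtendedAttributes'
    'Modify'       = 'ReadAttributes','ReadData','ReadExtendedAttributes','ReadPermissions',
                     'WriteAttributes','WriteData','WriteExtendedAttributes'
    'Read Only'    = 'ReadAttributes','ReadData','ReadExtendedAttributes','ReadPermissions'
}

function ConvertTo-RightsMask {
    # OR the named FileSystemRights flags into a single mask.
    param([string[]]$Names)
    $mask = [FileSystemRights]0
    foreach ($n in $Names) { $mask = $mask -bor [FileSystemRights]$n }
    return $mask
}

function Get-AccessLevelName {
    # Return the Access Level Definition whose rights exactly equal the ACE's rights,
    # or 'Non-standard' when the grant matches none of the documented definitions.
    param([FileSystemRights]$Rights)
    foreach ($level in $AccessLevelRights.Keys) {
        if ((ConvertTo-RightsMask $AccessLevelRights[$level]) -eq $Rights) { return $level }
    }
    return 'Non-standard'
}

# Constructed sample ACEs (not from a live system): two documented levels and one stray grant.
$sampleAces = @(
    [pscustomobject]@{ Identity = 'CORP\Finance-ReadOnly'; Rights = [FileSystemRights]'ReadAttributes, ReadData, ReadExtendedAttributes, ReadPermissions' }
    [pscustomobject]@{ Identity = 'CORP\Finance-Owners';   Rights = [FileSystemRights]::FullControl }
    [pscustomobject]@{ Identity = 'CORP\Temp-Contractor';  Rights = [FileSystemRights]'ReadData, Delete' }
)

foreach ($ace in $sampleAces) {
    '{0,-25} {1,-15} {2}' -f $ace.Identity, (Get-AccessLevelName $ace.Rights), $ace.Rights
}
```

To run the same check against a real share, feed `(Get-Acl -Path '\\<server>\<share>').Access` into the loop and pass each entry's `FileSystemRights` to Get-AccessLevelName; entries reported as Non-standard were not granted through one of these three definitions.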

Windows Shared Printer

  • EmpowerID Administrator

    In addition to many of the operations common to all Administrator and EmpowerID Administrator Access Level Definitions, the EmpowerID Administrator Access Level Definition has the following operations allowed for the Windows Shared Printer Resource Type.

    • RevokeResourceOrgZone - This operation grants the person assigned the operation the ability to remove a printer from a location.
  • Manage Documents

    This Access Level Definition contains no EmpowerID Operations. It is used to grant the following native permissions for Shared Printers managed by EmpowerID.

    • Delete
  • Manage Documents and Print

    This Access Level Definition contains no EmpowerID Operations. It is used to grant the following native permissions for Shared Printers managed by EmpowerID.

    • ReadAttributes
    • ReadData
    • ReadExtendedAttributes
    • Synchronize
    • TakeOwnership
    • WriteAttributes
  • Manage Documents and Printers

    This Access Level Definition contains no EmpowerID Operations. It is used to grant the following native permissions for Shared Printers managed by EmpowerID.

    • ReadExtendedAttributes
    • ReadPermissions
    • TakeOwnership
  • Manage Printers

    This Access Level Definition contains no EmpowerID Operations. It is used to grant the following native permissions for Shared Printers managed by EmpowerID.

    • AppendData
    • ReadAttributes
    • ReadData
    • ReadExtendedAttributes
    • WriteAttributes
  • Print

    This Access Level Definition contains no EmpowerID Operations. It is used to grant the following native permissions for Shared Printers managed by EmpowerID.

    • WriteData

Workflow

  • Administrator and EmpowerID Administrator

    In addition to many of the operations common to most Administrator and EmpowerID Administrator Access Level Definitions, the Administrator and EmpowerID Administrator Access Level Definitions both have the following operations allowed for the EmpowerID Workflow Resource Type.

    • EditRequestWorkflow - This operation grants the actor assigned the operation the ability to edit a workflow when running the Right-Click Edit workflow.
    • Initiate - This operation grants the actor assigned the operation the ability to initiate a workflow.
  • Initiator

    This Access Level Definition grants the actor assigned the Access Level the ability to see and initiate workflows in EmpowerID and has the following operations set to allowed.

    • Initiate - This operation grants the actor assigned the operation the ability to initiate a workflow.
    • Use - This operation grants the actor assigned the operation the ability to view the resource in EmpowerID.

WS-Federation SSO Connection

  • EmpowerID Administrator

    In addition to many of the operations common to all EmpowerID Administrator Access Level Definitions, the EmpowerID Administrator Access Level Definition has the following operations allowed for the WS-Federation SSO Connection Resource Type.

    • Create SSO Connection - This operation grants the actor assigned the operation the ability to create a new WS-Federation SSO Connection object.
    • Create WS Federation Single Sign On Connection Operation - This operation grants the actor assigned the operation the ability to create a new operation for a WS-Federation Single Sign On Connection object.
    • Delete WS Federation Single Sign On Connection - This operation grants the actor assigned the operation the ability to delete a WS-Federation SSO Connection object.
    • Delete WS Federation Single Sign On Connection Operation - This operation grants the actor assigned the operation the ability to delete an operation from a WS-Federation Single Sign On Connection object.
    • Edit Account Store - This operation grants the actor assigned the operation the ability to edit the account store that is associated with a WS-Federation SSO Connection object.
    • Edit Assertion Consumer Service URL for Partnership - This operation grants the actor assigned the operation the ability to edit the ACS URL for a WS-Federation SSO Connection (SP) object.
    • Edit Certificates for Partnership - This operation grants the actor assigned the operation the ability to edit the certificates for a WS-Federation SSO Connection object.
    • Edit Description - This operation grants the actor assigned the operation the ability to edit the Description field for a WS-Federation SSO Connection object.
    • Edit Encryption Certificate - This operation grants the actor assigned the operation the ability to edit the encryption certificate used for a WS-Federation SSO Connection object.
    • Edit Encryption Enabled - This operation grants the actor assigned the operation the ability to select or deselect encryption for a WS-Federation SSO Connection object.
    • Edit Home Realm - This operation grants the actor assigned the operation the ability to edit the Home Realm for a WS-Federation SSO Connection object.
    • Edit Logo Image - This operation grants the actor assigned the operation the ability to edit the Logo Image field for a WS-Federation SSO Connection object.
    • Edit Map to Account Claim Type - This operation grants the actor assigned the operation the ability to edit the Map to Account Claim Type field for a WS-Federation SSO Connection object.
    • Edit Name Qualifier for Partnership - This operation grants the actor assigned the operation the ability to edit the Name Qualifier field for a WS-Federation SSO Connection object.
    • Edit Organization - This operation grants the actor assigned the operation the ability to edit the Organization for a WS-Federation SSO Connection object.
    • Edit Signing Certificate - This operation grants the actor assigned the operation the ability to edit the Signing Certificate used with a WS-Federation SSO Connection object.
    • Edit URL for Partnership - This operation grants the actor assigned the operation the ability to edit the URL for a WS-Federation SSO Connection object.