Access to People (Management Roles Reference)
This reference provides comprehensive information about Management Roles required to work with Person objects in EmpowerID. Use this guide to identify which role combinations grant specific permissions and assign appropriate roles based on users' organizational responsibilities.
Role Structure Overview
Management Roles for Person objects follow a consistent three-part structure:
UI Roles grant access to user interfaces and workflows for specific tasks. These roles control which pages and workflows users can access in EmpowerID.
VIS Roles grant visibility to see Person objects. Visibility can be scoped by relationship (self, direct reports) or organizational level (location, organization, all people).
ACT Roles grant permission to perform actions on Person objects. These roles control what users can actually do with the people they can see.
All three role types are required to work together to provide complete administrative access.
Most administrative tasks require a combination of all three role types to function properly. For example, to edit profiles for people in your location, you need:
- UI role to access the profile editing interface
- VIS role to see people in your location
- ACT role to perform edit actions
Example: Managing Profiles in Your Location
This example demonstrates how the three role types work together:
| Management Role | Purpose | Role Type |
|---|---|---|
| UI-Person-Profile-Edit | Grants access to profile editing interfaces and workflows | Feature Set |
| VIS-Person-MyLocations | Grants visibility to see people in your locations | Visibility |
| ACT-Person-Profile-Edit-MyLocations | Grants permission to edit profile attributes | Activity |
All three roles are required to manage profiles. The sections below follow this same pattern for different tasks and scopes.
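The following is an added example, not EmpowerID code: an offline access-review helper that compares a person's exported role list with the profile-editing combinations listed on this page. It reports roles an intended task still lacks, tasks that are fully enabled without being requested, and held roles that no intended task needs. The task labels, the `audit` function and the sample assignment are constructed for illustration, and nothing here calls an EmpowerID API.

```python
from typing import Dict, Iterable, Set

# Role combinations copied from the profile-editing tables on this page.
# The task keys are hypothetical labels chosen for this example.
TASKS: Dict[str, Set[str]] = {
    "edit-direct-reports": {
        "UI-Person-Profile-Edit",
        "VIS-Person-MyDirectReports",
        "ACT-Person-Profile-Edit-DirectReports",
    },
    "edit-my-locations": {
        "UI-Person-Profile-Edit",
        "VIS-Person-MyLocations",
        "ACT-Person-Profile-Edit-MyLocations",
    },
    "edit-my-org": {
        "UI-Person-Profile-Edit",
        "VIS-Person-MyOrg",
        "ACT-Person-Profile-Edit-MyOrg",
    },
}

TYPE_BY_PREFIX = {"UI": "Feature Set", "VIS": "Visibility", "ACT": "Activity"}


def role_type(name: str) -> str:
    """Classify a role by its name prefix, matching the Role Type column."""
    return TYPE_BY_PREFIX.get(name.split("-", 1)[0], "Unknown")


def audit(assigned: Iterable[str], intended: Iterable[str]) -> Dict[str, object]:
    """Compare held roles with the combinations the intended tasks require."""
    held, goals = set(assigned), set(intended)
    # Roles an intended task needs but the person lacks: the task will not work.
    missing = {t: sorted(TASKS[t] - held) for t in sorted(goals) if TASKS[t] - held}
    # Tasks whose full UI + VIS + ACT set is held although they were not requested.
    unintended = sorted(t for t, need in TASKS.items() if t not in goals and need <= held)
    # Held roles no intended task requires; VIS-Person-Self is a default grant.
    wanted = set().union(*(TASKS[t] for t in goals)) | {"VIS-Person-Self"}
    excess = {r: role_type(r) for r in sorted(held - wanted)}
    return {"missing": missing, "unintended": unintended, "excess": excess}


# Constructed sample assignment for a line manager (not real export data).
SAMPLE = [
    "VIS-Person-Self",
    "UI-Person-Profile-Edit",
    "ACT-Person-Profile-Edit-DirectReports",  # VIS-Person-MyDirectReports is absent
    "VIS-Person-MyOrg",
    "ACT-Person-Profile-Edit-MyOrg",
]

if __name__ == "__main__":
    for key, value in audit(SAMPLE, intended=["edit-direct-reports"]).items():
        print(f"{key}: {value}")
```
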
Use Ctrl+F (or Cmd+F on Mac) to search for specific role names, or scan the section headings below to find role combinations organized by task type. Each section provides complete role information for specific administrative scenarios.
Detailed Role Information
Self-Service Profile Management
Users managing their own profile information need the following roles:
| Management Role | Access Granted | Role Type |
|---|---|---|
| UI-Person-Profile-Self-Service | Grants access to user interfaces and workflows for managing own profile attributes | Feature Set |
| VIS-Person-Self | Grants visibility to see own person (granted by default to all people) | Visibility |
| ACT-Person-Profile-Self-Service | Grants ability to edit own profile attributes | Activity |
| Profile Self-Service | Role bundle containing all three roles above. Use this bundle to grant complete self-service profile management. | Role Bundle |
Viewing People
To view people in EmpowerID, users need one of the following visibility roles based on the required scope:
| Management Role | Access Granted | Role Type |
|---|---|---|
| VIS-Person-Self | Grants access to see own person (granted by default to all people) | Visibility |
| VIS-Person-MyDirectReports | Grants access to see direct reports | Visibility |
| VIS-Person-MyLocations | Grants access to see all people in the same locations | Visibility |
| VIS-Person-MyOrg | Grants access to see all people in the same organizations | Visibility |
| VIS-Person-All | Grants access to see all people in the default organization | Visibility |
Managing Profile Information
Direct Reports
Managers editing their direct reports' profile information need:
| Management Role | Access Granted | Role Type |
|---|---|---|
| UI-Person-Profile-Edit | Grants access to user interfaces and workflows for editing people's profile attributes | Feature Set |
| VIS-Person-MyDirectReports | Grants visibility for all direct reports | Visibility |
| ACT-Person-Profile-Edit-DirectReports | Grants ability to edit profile attributes for direct reports | Activity |
Location-Based Access
Users managing profiles for people in their locations need:
| Management Role | Access Granted | Role Type |
|---|---|---|
| UI-Person-Profile-Edit | Grants access to user interfaces and workflows for editing people's profile attributes | Feature Set |
| VIS-Person-MyLocations | Grants visibility for all people in the same locations | Visibility |
| ACT-Person-Profile-Edit-MyLocations | Grants ability to edit profile attributes for all people in their locations | Activity |
Organization-Based Access
Users managing profiles for people in their organizations need:
| Management Role | Access Granted | Role Type |
|---|---|---|
| UI-Person-Profile-Edit | Grants access to user interfaces and workflows for editing people's profile attributes | Feature Set |
| VIS-Person-MyOrg | Grants visibility for people in the same organizations | Visibility |
| ACT-Person-Profile-Edit-MyOrg | Grants ability to edit profile attributes for all people in their organizations | Activity |
Partners and Customers
Users managing profiles for partners and customers need:
| Management Role | Access Granted | Role Type |
|---|---|---|
| UI-Person-Profile-Edit | Grants access to user interfaces and workflows for editing people's profile attributes | Feature Set |
| VIS-People-All | Grants visibility for all people in the system | Visibility |
| ACT-Person-Profile-Edit-Customers | Grants ability to edit profile attributes for all people below the Customers location | Activity |
| ACT-Person-Profile-Edit-Partners | Grants ability to edit profile attributes for all people below the Partners location | Activity |
All People
Users managing profiles for all people need:
| Management Role | Access Granted | Role Type |
|---|---|---|
| UI-Person-Profile-Edit | Grants access to user interfaces and workflows for editing people's profile attributes | Feature Set |
| VIS-People-All | Grants visibility for all people in the system | Visibility |
| ACT-Person-Profile-Edit-All | Grants ability to edit profile attributes for all people in the system | Activity |
Managing Management Role Assignments
Location-Based Access
Users managing Management Role assignments for people in their locations need:
| Management Role | Access Granted | Role Type |
|---|---|---|
| UI-Management-Role-Membership-Management | Grants access to user interfaces and workflows for managing Management Role membership | Feature Set |
| VIS-Person-MyLocations | Grants visibility for all people in the same locations | Visibility |
| VIS-Management-Role-MyLocations | Grants visibility for all Management Roles in the same locations | Visibility |
| ACT-Management-Role-Membership-Management-MyLocations | Grants access to manage membership for Management Roles in their locations | Activity |
Organization-Based Access
Users managing Management Role assignments for people in their organizations need:
| Management Role | Access Granted | Role Type |
|---|---|---|
| UI-Management-Role-Membership-Management | Grants access to user interfaces and workflows for managing Management Role membership | Feature Set |
| VIS-Person-MyOrg | Grants visibility for people in the same organizations | Visibility |
| VIS-Management-Role-MyOrg | Grants visibility for all Management Roles in the same organizations | Visibility |
| ACT-Management-Role-Membership-Management-MyOrg | Grants access to manage membership for Management Roles in their organization | Activity |
Partners
Users managing Management Role assignments for partners need:
| Management Role | Access Granted | Role Type |
|---|---|---|
| UI-Management-Role-Membership-Management | Grants access to user interfaces and workflows for managing Management Role membership | Feature Set |
| VIS-Person-All | Grants visibility for all people | Visibility |
| VIS-Management-Role-All | Grants visibility for all Management Roles | Visibility |
| ACT-Management-Role-Membership-Management-Partners | Grants access to manage membership for Management Roles in or below the Partners location | Activity |
All People
Users managing Management Role assignments for all people need:
| Management Role | Access Granted | Role Type |
|---|---|---|
| UI-Management-Role-Membership-Management | Grants access to user interfaces and workflows for managing Management Role membership | Feature Set |
| VIS-Person-All | Grants visibility for all people in the system | Visibility |
| VIS-Management-Role-All | Grants visibility for all Management Roles | Visibility |
| ACT-Management-Role-Membership-Management-All | Grants access to manage membership for all Management Roles | Activity |
Managing Business Role Assignments
Location-Based Access
Users managing Business Role assignments for people in their locations need:
| Management Role | Access Granted | Role Type |
|---|---|---|
| UI-Person-Role-Assignment | Grants access to user interfaces and workflows for managing assignments of people to roles | Feature Set |
| VIS-Person-MyLocations | Grants visibility for all people in the same locations | Visibility |
| VIS-BusinessRole-MyLocations | Grants visibility for Business Roles in the same locations (required to see Business Roles in trees) | Visibility |
| VIS-Location-MyLocationsAndBelow | Grants visibility for the person's locations and below (required to see Locations in trees) | Visibility |
| ACT-Business-Role-Assignment-MyLocations | Grants access to manage assignments of people to Business Roles in their locations and below | Activity |
Organization-Based Access
Users managing Business Role assignments for people in their organizations need:
| Management Role | Access Granted | Role Type |
|---|---|---|
| UI-Person-Role-Assignment | Grants access to user interfaces and workflows for managing assignments of people to roles | Feature Set |
| VIS-Person-MyOrg | Grants visibility for people in the same organizations | Visibility |
| VIS-BusinessRole-MyOrg | Grants visibility for Business Roles in the same organizations | Visibility |
| VIS-Location-All-Business-Locations | Grants visibility for all locations under All Business Locations | Visibility |
| VIS-Location-MyLocationsAndAbove | Grants visibility for the person's locations and above | Visibility |
| ACT-Business-Role-Assignment-MyOrg | Grants access to manage assignments of people to Business Roles in their organizations | Activity |
All People
Users managing all Business Role assignments need:
| Management Role | Access Granted | Role Type |
|---|---|---|
| UI-Person-Role-Assignment | Grants access to user interfaces and workflows for managing assignments of people to roles | Feature Set |
| VIS-Person-All | Grants visibility for all people in the system | Visibility |
| VIS-BusinessRole-All | Grants visibility for all Business Roles | Visibility |
| VIS-Location-All | Grants visibility for all locations in the system | Visibility |
| ACT-Business-Role-Assignment-All | Grants access to manage assignments of people to any Business Role | Activity |
Managing Group Membership
Location-Based Access
Users managing group membership for people in their locations need:
| Management Role | Access Granted | Role Type |
|---|---|---|
| UI-Group-Membership-Management | Grants access to user interfaces and workflows for group membership management | Feature Set |
| VIS-Person-MyLocations | Grants visibility for all people in the same locations | Visibility |
| VIS-Groups-Security-MyLocation | Grants visibility for all Security groups in the same locations | Visibility |
| VIS-Groups-Distribution-MyLocation | Grants visibility for all Distribution groups in the same locations | Visibility |
| VIS-Groups-Generic-MyLocation | Grants visibility for all Generic groups in the same locations | Visibility |
| ACT-Group-Membership-Management-Distribution-MyLocations | Grants access to manage membership for all distribution groups in their locations | Activity |
| ACT-Group-Membership-Management-Generic-MyLocations | Grants access to manage membership for all generic groups in their locations | Activity |
| ACT-Group-Membership-Management-Security-MyLocations | Grants access to manage membership for all security groups in their locations | Activity |
Organization-Based Access
Users managing group membership for people in their organizations need:
| Management Role | Access Granted | Role Type |
|---|---|---|
| UI-Group-Membership-Management | Grants access to user interfaces and workflows for group membership management | Feature Set |
| VIS-Person-MyOrg | Grants visibility for people in the same organizations | Visibility |
| VIS-Groups-Security-MyOrg | Grants visibility for all Security groups in the same organizations | Visibility |
| VIS-Groups-Distribution-MyOrg | Grants visibility for all Distribution groups in the same organizations | Visibility |
| VIS-Groups-Generic-MyOrg | Grants visibility for all Generic groups in the same organizations | Visibility |
| ACT-Group-Membership-Management-Security-MyOrganizations | Grants access to manage membership for all security groups in their organizations | Activity |
| ACT-Group-Membership-Management-Distribution-MyOrganizations | Grants access to manage membership for all distribution groups in their organizations | Activity |
| ACT-Group-Membership-Management-Generic-MyOrganizations | Grants access to manage membership for all generic groups in their organizations | Activity |
All People
Users managing all group memberships need:
| Management Role | Access Granted | Role Type |
|---|---|---|
| UI-Group-Membership-Management | Grants access to user interfaces and workflows for group membership management | Feature Set |
| VIS-Person-All | Grants visibility for all people in the system | Visibility |
| VIS-Groups-All | Grants visibility for all groups | Visibility |
| ACT-Group-Membership-Management-All-Groups | Grants access to manage membership for all groups | Activity |
System-Specific Group Management
Additional roles for managing groups in specific systems:
| Management Role | Purpose | Role Type |
|---|---|---|
| VIS-Groups-All-AD | Grants visibility for all Active Directory groups | Visibility |
| VIS-Groups-All-AWS | Grants visibility for all AWS groups | Visibility |
| VIS-Groups-All-Azure | Grants visibility for all Azure groups in any tenant | Visibility |
| VIS-Groups-All-IT-Systems | Grants visibility for all groups under All IT Systems | Visibility |
| VIS-Groups-All-O365 | Grants visibility for all Office 365 groups | Visibility |
| VIS-Groups-All-SAP | Grants visibility for all SAP Roles and Profiles | Visibility |
| ACT-Group-Membership-Management-All-AD-Groups | Grants access to manage membership for all Active Directory groups | Activity |
| ACT-Group-Membership-Management-All-AWS-Groups | Grants access to manage membership for all AWS groups | Activity |
| ACT-Group-Membership-Management-All-IT-Systems | Grants access to manage membership for all groups under All IT Systems | Activity |
| ACT-Group-Membership-Management-All-O365-Groups | Grants access to manage membership for all Office 365 groups | Activity |
| ACT-Group-Membership-Management-All-SAP-Groups | Grants access to manage membership for all SAP Roles and Profiles | Activity |
Creating Person Objects
Location-Based Access
Users creating new people in their locations need:
| Management Role | Access Granted | Role Type |
|---|---|---|
| UI-Person-Object-Create | Grants access to user interfaces and workflows to create Person objects | Feature Set |
| VIS-Person-MyLocations | Grants visibility for all people in the same locations | Visibility |
| VIS-BusinessRole-MyLocations | Grants visibility for Business Roles in the same locations (all people require a Business Role) | Visibility |
| VIS-Location-MyLocationsAndBelow | Grants visibility for the person's locations and below (all people require a location) | Visibility |
| ACT-Business-Role-Assignment-MyLocations | Grants access to assign people to Business Roles in their locations and below | Activity |
Additionally, if assigning Management Roles during creation:
| Management Role | Access Granted | Role Type |
|---|---|---|
| VIS-Management-Role-MyLocations | Grants visibility for Management Roles in the same locations | Visibility |
| ACT-Management-Role-Membership-Management-MyLocations | Grants access to manage membership for Management Roles in the same locations | Activity |
All Locations
Users creating new people in any location need:
| Management Role | Access Granted | Role Type |
|---|---|---|
| UI-Person-Object-Create | Grants access to user interfaces and workflows to create Person objects | Feature Set |
| VIS-Person-All | Grants visibility for all people in the system | Visibility |
| VIS-BusinessRole-All | Grants visibility for all Business Roles | Visibility |
| VIS-Location-All | Grants visibility for all locations in the system | Visibility |
| ACT-Business-Role-Assignment-All | Grants access to assign people to any Business Role | Activity |
Additionally, if assigning Management Roles during creation:
| Management Role | Access Granted | Role Type |
|---|---|---|
| VIS-Management-Role-All | Grants visibility for all Management Roles | Visibility |
| ACT-Management-Role-Membership-Management-All | Grants access to manage membership for all Management Roles | Activity |
Person Administration (Full Access)
Person administration roles provide comprehensive access to create, update, delete, and restore Person objects.
Location-Based Access
Users administering people in their locations need:
| Management Role | Access Granted | Role Type |
|---|---|---|
| UI-Person-Object-Administration | Grants access to user interfaces and workflows for comprehensive person object management | Feature Set |
| VIS-Person-MyLocations | Grants visibility for all people in the same locations | Visibility |
| ACT-Person-Object-Administration-MyLocations | Grants access to create, update, and delete people in the same locations | Activity |
Organization-Based Access
Users administering people in their organizations need:
| Management Role | Access Granted | Role Type |
|---|---|---|
| UI-Person-Object-Administration | Grants access to user interfaces and workflows for comprehensive person object management | Feature Set |
| VIS-Person-MyOrg | Grants visibility for all people in the same organizations | Visibility |
| ACT-Person-Object-Administration-MyOrg | Grants access to create, update, and delete people in the same organizations | Activity |
Partners and Customers
Users administering partners and customers need:
| Management Role | Access Granted | Role Type |
|---|---|---|
| UI-Person-Object-Administration | Grants access to user interfaces and workflows for comprehensive person object management | Feature Set |
| VIS-Person-All | Grants visibility for all people | Visibility |
| ACT-Person-Object-Administration-Partners | Grants access to create, update, and delete all people below the Partners location | Activity |
| ACT-Person-Object-Administration-Customers | Grants access to create, update, and delete all people below the Customers location | Activity |
All People
Users administering all people need:
| Management Role | Access Granted | Role Type |
|---|---|---|
| UI-Person-Object-Administration | Grants access to user interfaces and workflows for comprehensive person object management | Feature Set |
| VIS-Person-All | Grants visibility for all people | Visibility |
| ACT-Person-Object-Administration-All | Grants access to create, update, and delete all people | Activity |
The UI-Person-Object-Administration role provides the most comprehensive access for person management tasks, including access to all person-related workflows, page controls, and web service operations.
Related Topics
- Understanding Delegated Administration – Learn how Management Roles enable delegated administration
- Understanding People – Conceptual information about Person objects in EmpowerID