
Add IAM Shop Assignees for Requesting Access

Adding IAM Shop assignees controls who can request specific IAM Shop Permission Levels for computers through the IAM Shop. By configuring assignees, you determine which users or groups are eligible to request elevated permissions during PSM sessions.

What IAM Shop Assignees Control

IAM Shop assignees define:

  • Which users can see specific permission levels in the IAM Shop
  • Which permission levels are available when users request computer access
  • How eligibility requirements are enforced for permission requests

By default, permission levels include Local Admin and Domain Admin, but administrators can create custom levels to meet organizational requirements.

Prerequisites

Before adding assignees:

  • IAM Shop Permission Levels must be assigned to the computer
  • You need appropriate permissions to modify computer RBAC settings

Add Assignees for a Permission Level

  1. On the navbar, expand Privileged Access and select Computers.

  2. Search for and select the target computer.

  3. Click the Display Name link to open the View One page.

  4. Click the RBAC subtab.

  5. Expand the IAM Shop Assignees for Requesting Access accordion.

  6. Click the Add New button.

  7. Under General, select the IAM Shop Permission Level from the dropdown.

  8. Under Assignee Granting the Permission Level, configure:

    • Which Type of Assignee For This Policy – Select the assignee type (Person, Group, Business Role, Location, etc.)
    • Select <Assignee> To Receive Policy – Search for and select the specific assignee

    Note: The assignee you select determines who can request this permission level. For example, if you select a specific group, only members of that group will see this permission level as an option in the IAM Shop.

  9. Click Save.

  10. Repeat steps 6-9 to add additional assignees.

  11. Click Submit to complete the configuration.

Results

After submitting:

  • The selected assignees can see the specified permission level when requesting access to the computer in the IAM Shop
  • Users not configured as assignees will not see the permission level as an available option
  • Eligibility enforcement (if configured) restricts which users can view and select the permission level
  • The assignee configuration appears in the IAM Shop Assignees for Requesting Access accordion


Relationship to Eligibility Enforcement

If Enforce Assignee Eligibility in IAM Shop is enabled on the IAM Shop Permission Level assignment:

  • Users must meet the assignee's eligibility requirements to see the permission level
  • For example, if the assignee is a group and eligibility enforcement is enabled, only users eligible for that group membership will see the permission level
  • Without eligibility enforcement, all configured assignees see the permission level regardless of their eligibility status