Configure Extended Permission Checks

Anthony - Versasec Support

Introduction

It is possible to use the built-in Windows Active Directory (AD) extended rights checks to configure which operators are able to perform specific life cycle tasks in the vSEC:CMS. Life cycle tasks are the tasks that can be performed within a specific card template.

Important
It is expected that any integrator performing this task has full understanding and experience in using AD extended rights.

In order to describe how this feature can be used we will use a simple scenario to show how this can be configured.

In the example scenario, we will have 2 operators. One operator will be allowed to perform smart card issuance only for a particular user and the other operator will be able to perform online smart card PIN unblock only for a particular user.

For the example below it is presumed that the connections to the back-end user directory and CA have already been configured in the vSEC:CMS.

Step 1 - Create Card Template

1. From Templates - Card Templates click the Add button.

2. From General click the Edit link and enter a template name and attach the smart card token that you wish to manage with this template and click the Detect button.

3. In the Permissions section enable the Access rights per individual lifecycle tasks check box and click Ok to save and close this dialog.

4. Click the Edit link for Issue Card. Under User ID Options enable the Assign user ID and select the already configured connection to your user directory from the drop-down list.

5. Enable the Validate before issuance check box and click the Manage button.

6. Click the Add button. Enter a template name. In this example, we will create a template that will be used when performing the life cycle task for smart card token issuance. In the first drop-down list select AD Extended Rights. From AD Connection select the already configured connector to your user directory. By default, the Proxy through server will be unchecked. Enable this check box if the client on which the operator is attempting to perform the life cycle task is not joined to the domain. This is a global setting for the card template. In the Extended Rights list all available Windows extended rights will be listed. Select the one which will be used, in the example we will use Change Password. It is possible to test the configuration by clicking the Operator button and selecting an available operator from the list and then clicking the Get button and selecting a user that we want to perform the check on. The user will need to have his/her permissions configured on the AD level for this to be successful. See further below for one example of how this can be achieved. Click the Check button to validate that the configuration works as expected. Click the Save button to save the template and close.

7. Click Close to close and get back to the Issue Card main dialog. Make sure that the newly created validation template is selected in the drop-down list. Scroll to the bottom of the dialog and click the Ok button to save and close this dialog.

8. From the main card template dialog scroll down to Online PIN unblock section and click the Edit link.

9. Enable the Validate before issuance check box and click the Manage button.

10. Click the Add button. Enter a template name. In this example, we will create a template that will be used when performing the life cycle task for smart card PIN unblock. In the first drop-down list select AD Extended Rights. From AD Connection select the already configured connector to your user directory. By default, the Proxy through server will be unchecked. Enable this check box if the client on which the operator is attempting to perform the life cycle task is not joined to the domain. This is a global setting for the card template. In the Extended Rights list all available Windows extended rights will be listed. Select the one which will be used, in the example we will use Reset Password. It is possible to test the configuration by clicking the Operator button and selecting an available operator from the list and then clicking the Get button and selecting a user that we want to perform the check on. The user will need to have his/her permissions configured on the AD level for this to be successful. See further below for one example of how this can be achieved. Click the Check button to validate that the configuration works as expected. Click the Save button to save the template and close.

11. Make sure to select the newly created template in the drop-down list and click Ok to save and close the dialog.

12. Click Ok to save and close the card template.

Step 2 - Configure User Permissions

For this particular scenario, we will have two operators and one user. We will issue the smart card token to the user with the operator who has permission to perform this life cycle task only and then perform PIN unblock with the other operator who is allowed to perform this life cycle task only.

We will use one user for this example. There are other ways that this can be performed using extended rights. This is just an example and should not be seen as the correct and only way to configure Windows extended rights. Extended rights should be configured by an expert in this area. Versasec only provides this as a simple example for demonstration purposes here.

1. Open Active Directory Users and Computers.

2. Make sure that under the file menu View that Advanced Features are selected. Select the user that we are going to perform the simple test on for this example scenario.

3. Right click on the user and select Properties.

4. Select the Security tab and click the Add button. Add the two operator Windows accounts that we are going to use in this example. In the dialog below the two operators are Bob A Smith and Sammy Slick. Select Bob A Smith and for Change password select Allow, as he will be allowed to issue a smart card token for this user. For Reset password select Deny, as he will not be allowed to perform online PIN unblock.

[Screenshot: extended1.png]

For the operator Sammy Slick perform the opposite of the above, as in the dialog below.

[Screenshot: extended2.png]
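The same Step 2 permissions can be set from PowerShell instead of clicking through Active Directory Users and Computers. This is an added example, not Versasec's code; it assumes the RSAT ActiveDirectory module is installed, that you run it as an account allowed to edit the user's security descriptor, and that the account names and user DN are placeholders for your own environment.

```powershell
# Added example (not Versasec's code): apply the Step 2 extended-right ACEs on the
# target user object so that one operator may issue (Change password) and the other
# may unblock (Reset password), each explicitly denied the other right.
Import-Module ActiveDirectory

# Well-known controlAccessRight GUIDs of the two Windows extended rights.
$ChangePasswordGuid = [Guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'   # User-Change-Password
$ResetPasswordGuid  = [Guid]'00299570-246d-11d0-a768-00aa006e0529'   # User-Force-Change-Password (Reset password)

# Placeholders: replace with the DN of the test user and your operators' accounts.
$TargetUserDn   = 'CN=Test User,OU=Users,DC=example,DC=com'
$OperatorRights = @(
    @{ Account = 'EXAMPLE\bsmith'; Right = $ChangePasswordGuid; Type = 'Allow' },  # Bob: issue only
    @{ Account = 'EXAMPLE\bsmith'; Right = $ResetPasswordGuid;  Type = 'Deny'  },
    @{ Account = 'EXAMPLE\sslick'; Right = $ChangePasswordGuid; Type = 'Deny'  },  # Sammy: unblock only
    @{ Account = 'EXAMPLE\sslick'; Right = $ResetPasswordGuid;  Type = 'Allow' }
)

$aclPath = "AD:\$TargetUserDn"
$acl     = Get-Acl -Path $aclPath
foreach ($entry in $OperatorRights) {
    # Resolve the operator account to its SID and build an object-specific ACE.
    $sid  = (New-Object System.Security.Principal.NTAccount($entry.Account)).Translate(
                [System.Security.Principal.SecurityIdentifier])
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                $sid,
                [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
                [System.Security.AccessControl.AccessControlType]$entry.Type,
                $entry.Right,
                [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $aclPath -AclObject $acl

# Verify: show only the explicit extended-right ACEs for the two rights on this user.
(Get-Acl -Path $aclPath).Access |
    Where-Object { $_.ActiveDirectoryRights -eq 'ExtendedRight' -and
                   $_.ObjectType -in @($ChangePasswordGuid, $ResetPasswordGuid) } |
    Select-Object IdentityReference, AccessControlType,
        @{ n = 'Right'; e = { if ($_.ObjectType -eq $ChangePasswordGuid) { 'Change password' } else { 'Reset password' } } } |
    Format-Table -AutoSize
```

An explicit Deny ACE is evaluated before an Allow on the same object, so the expected failures in Step 3 hold even if an operator also receives the right through a group membership.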

Step 3 - Issue and Unblock Smart Card Token

Log onto the vSEC:CMS application console as operator (Bob A Smith in this example) and from the Lifecycle page attach a smart card token and issue the token with the template created above. The issuance should be successful.

Revoke - Retire - Unregister the smart card token from the Lifecycle page and close the vSEC:CMS application console. Log onto the vSEC:CMS application console as the other operator (Sammy Slick in this example) and from the Lifecycle page attach a smart card token and issue the token with the template created above. The issuance should fail in this case.

Similarly, for the token successfully issued to the user above, go to the Actions - Smart Card Unblock page and attempt to unblock the smart card token while the operator who is not allowed to perform unblocks (Bob A Smith in this example) is logged into the vSEC:CMS application console. The unblock should fail in this case. Then attempt to perform the unblock when the other operator is logged on. This should complete successfully.