Introduction
In vSEC:CMS, operators are individuals granted access with specific credentials. Their capabilities depend on the roles assigned to them, allowing them to perform configuration and operational tasks. When setting up vSEC:CMS, it's crucial to plan how operators will be deployed, managed, and what permissions they'll have.
This article is intended for readers who have installed vSEC:CMS version 7.0 or later. If you are running a version earlier than 7.0, or are upgrading from a version earlier than 7.0, the instructions below may not fully apply.
Operators generally fall into two categories:
- Configuration Operators: persons who perform the configuration settings required for the use-cases you need to support. They would normally be issued the System Administrator role. Because this role is powerful, only a small number of operators should hold it. These operators should use the vSEC:CMS Admin application for their day-to-day activities.
- Operational Operators: persons who perform operational use-cases such as issuance on behalf of a user, PIN unblock, certificate reissuance and credential revocation. It is recommended to issue these operators the Helpdesk role. These operators should use the vSEC:CMS Agent application for their day-to-day activities.
At a minimum, you must already have completed the configuration steps described in the article Setup Evaluation Version of vSEC:CMS. The instructions in this document apply whether you are running the evaluation version or a production version.
The appropriate credential drivers (minidriver) must be installed on your host. Check with the credential provider that you have the correct credential drivers installed.
Assign Operator Role
Operator roles are assigned when the credential is first issued. This section describes how to assign operator roles from within a credential template, using two simple examples: a template for Configuration Operators and a template for Operational Operators.
These examples are based on vSEC:CMS version 7.0 or later.
Example Configuration Operators Template
This template would typically be created and issued very early in the deployment. It is recommended to have at least two operators issued with this role, so that the loss or blocking of a single credential does not lock you out of administration. The role assigned in this case is System Administrator.
The very first operator in this case would be issued by the person who has possession of the System Owner (SO) credential. Log into the Admin application console using the SO credential.
- From Templates > Card Templates, click the Add button.
- Click the Edit link beside General to configure general options.
- Enter a template name, and click Detect. Make sure that you have attached the credential that is to be issued and the correct reader is selected. Click Ok to save and close.
- Enable the vSEC:CMS Operator Card check box and select Roles. Make sure that Select Operator Role manually during issuance is selected and click Ok. Additionally, in the drop-down field select Authentication Only Operator Card. Leave all other settings as they are and click Ok at the bottom of the dialog to save and close.
- Click the Edit link beside Issue Card to configure issuance options.
- In this simple example we configure only the user directory from which the user to be issued as the operator is selected, and leave all other settings as they are. Enable Assign user ID and select the user directory from the drop-down list. Click Ok at the bottom of the dialog to save and close the settings, then click Ok again to save and close the template configuration.
- Navigate to the Lifecycle page and attach a blank operator credential. Select the Issued oval, select the template from the drop-down list and click Execute.
- During issuance you will be prompted to select the role to apply. Select the role System Administrator to complete the issuance.
- The credential is now issued. By default the PIN is blocked, so the person who will use the credential must set a PIN before it can be used. If that person is physically present, they can set their PIN by clicking the Active oval. If not, there are several other ways a PIN can be set, as described in this article.
This completes this section. The operator can now log on and perform their role.
Example Operational Operators Template
Log on to the Admin console application as a Configuration Operator whose role permits issuing credentials for operational operators.
- From Templates > Card Templates, click the Add button.
- Click the Edit link beside General to configure general options.
- Enter a template name, and click Detect. Make sure that you have attached the credential that is to be issued and the correct reader is selected. Click Ok to save and close.
- Enable the vSEC:CMS Operator Card check box and select Roles. Make sure that Select Operator Role manually during issuance is selected and click Ok. Additionally, in the drop-down field select Authentication Only Operator Card. Leave all other settings as they are and click Ok at the bottom of the dialog to save and close.
- Click the Edit link beside Issue Card to configure issuance options.
- In this simple example we configure only the user directory from which the user to be issued as the operator is selected, and leave all other settings as they are. Enable Assign user ID and select the user directory from the drop-down list. Click Ok at the bottom of the dialog to save and close the settings, then click Ok again to save and close the template configuration.
- Navigate to the Lifecycle page and attach a blank operator credential. Select the Issued oval, select the template from the drop-down list and click Execute.
- During issuance you will be prompted to select the role to apply. Select the role Helpdesk to complete the issuance.
- The credential is now issued. By default the PIN is blocked, so the person who will use the credential must set a PIN before it can be used. If that person is physically present, they can set their PIN by clicking the Active oval. If not, there are several other ways a PIN can be set, as described in this article.
This completes this section. The operator can now log on and perform their role.
Remove Operator Credential
It may be necessary to remove a credential that was issued as an operator credential. This section describes how to do this.
The flow to follow depends on whether or not the operator credential is in your possession.
You Have Possession of Credential
In this case, log in to the Agent or Admin application and, from the Lifecycle page, perform Revoke - Retire - Unregister on the credential.
You Don't Have Possession of Credential
If the credential is not available, search for the operator from the Lifecycle page and perform Deleted to remove the credential from the system.
Customize Role
It may be necessary to create operator roles that provide a more granular set of operations than the default system roles (System Administrator and Helpdesk) allow. For example, you may want a role whose operators can only perform credential PIN unblocks/resets; in that case you need to create a role and define its permissions.
Log in to the Admin console application as a Configuration Operator. Navigate to Options - Roles. Select the System Administrator role and click the Clone button.
Enter a name for the role and click Ok.
You can then configure which operations an operator holding the role may perform by selecting the role in the drop-down field and clicking the Edit button. For example, to make the Lifecycle page view-only for a particular role, select that entry, select Viewable in the drop-down menu and click Change. Then click Save to update the role. Because a clone of System Administrator starts with all of that role's permissions, review every permission and remove those the new role does not need before issuing any credentials with it.
Configure Operator Permissions on Credential Template
It may be necessary to set granular operator permissions on specific credential templates. For example, you may wish to allow only operators with the Helpdesk role to issue end-user credentials.
This section gives an example of configuring a credential template whose permissions restrict credential issuance to operators with the Helpdesk role.
Enable Access Right
To control which operator role is allowed to perform specific lifecycle functions, the setting must first be enabled on the credential template in question.
1. Select an already created credential template from Templates - Credential Templates and click the Edit link for General.
2. Enable the Access rights per individual lifecycle tasks checkbox and click Ok to save and close the dialog.
Configure Permission for Issue Credential
1. Click the Edit link for Issue Credential.
2. In the Permissions section click the Edit button.
3. For Roles select Helpdesk, since in this example only operators with the Helpdesk role should be able to perform credential issuance.
4. The Permissions section now shows that only operators with the Helpdesk role can perform this task. Click Ok to save and close the dialog.
Delete Operator Role
It may be necessary to delete an operator role, for example one created for testing that is no longer used. From version 6.12 it is possible to delete a role. Follow the instructions below to delete a role.
From Options - Operators select the role you wish to delete. Then click the Delete button to remove this from the system.
It will not be possible to delete a role if the role is assigned in a credential template. You will need to remove the role from any credential template that it is assigned to before the delete can be performed.
Update New Permissions in Role
Over time, new role permissions are added to the system. vSEC:CMS automatically updates only the original default roles when new permissions are added; custom operator roles do not receive them. From version 6.12 it is possible to add newer permissions to roles that were created as custom operator roles. Follow the instructions below to perform this task.
From Options - Operators select the role you wish to update and click Edit.
Enter the keyword Not in the Search field to list all permissions that you have not yet configured, add those the role requires, and click Save to complete the update.