From the Options - Roles page you can configure which operations an operator with a given role can perform. These operations cover credential lifecycle operations, and the roles also restrict which configurations an operator can carry out in vSEC:CMS.
The default roles that an operator can have are System Administrator, Elevated, Normal, Restricted and Key Recovery.
For each operation, an operator can be restricted to one of the following:
- Viewable+Execute: The operator can view and perform the particular operation;
- Viewable: The operator can only view the particular operation;
- Hidden: The particular operation will be hidden from the operator.
To reset the permissions to the default settings, click the Reset all permissions button.
It is possible to clone an existing role by clicking the Clone button. The new cloned role can then be configured with specific permissions as required.
In this section, we will use a simple example to describe how a role could be changed. In this example, we will change the default permissions for a role of type Restricted.
1. Browse to the Options - Roles page. Select the role from the Filtered by role drop-down list and click Edit.
2. By default, the role Restricted is limited to unblock operations. In this example, we will change the default role settings to allow this role to perform credential registration operations. From the top window, select the Register Card action and click Delete.
The action will be moved to the bottom window.
3. Then select the Register Card action in the bottom window, select the Viewable+Execute option from the drop-down list, and click the Add button to set this permission.
Click the Save button to complete. The action will be added back into the top window with the updated operation now in place.
If you are making changes to a role, make sure that no actions are left in the bottom window of the edit dialog; otherwise it will not be possible to save any changes made.
Currently it is not possible to delete an already created role.
Configure Operator Permissions on Credential Template
It may be required to set granular operator permissions on specific credential templates. For example, you may wish to allow only operators who have a role of System Administrator to issue end user credentials.
This section gives an example of how to configure a credential template so that only operators with a role of System Administrator are allowed to issue credentials from the Lifecycle page.
Enable Access Right
To configure which operator role is allowed to perform specific lifecycle functions, the setting must first be enabled for the specific credential template.
1. Select an already created credential template from Templates - Card Templates and click the Edit link for General.
2. Enable the Access rights per individual lifecycle tasks checkbox and click Ok to save and close the dialog.
Configure Permission for Issue Card
1. Click the Edit link for Issue Card.
2. In the Permissions section click the Edit button.
3. For the Roles, select System Administrator, as in this example we want only operators who have a role of System Administrator to be able to perform credential issuance.
4. The Permissions section will now show that only operators with the System Administrator role will be able to perform this task. Click Ok to save and close the dialog.