Introduction
It is expected that you have already gone through the guide Manage Operator Roles before going through this guide.
You can configure which operations are assigned to a particular role from the Options - Roles page. Operator role permissions are typically configured to limit what an operator can do in the vSEC:CMS Admin application, but they can also be used to limit what an operator can perform from the vSEC:CMS Agent application.
From version 7.0, out of the box, there are 2 roles by default: System Administrator and Helpdesk.
This article will describe the different roles available and what they mean.
Role Description
Roles are broken into 3 different types:
- Menu: These are the menu items available from the Admin application only.
- Process: These are the actual lifecycle operations that an operator can perform from the Admin and Agent applications.
- Tasks: These are the actual operations that an operator can perform from the Admin application only.
The particular items within each type can be set to Viewable+Execute, Viewable or Hidden. These settings mean:
- Viewable+Execute: the item in question can be fully operated on;
- Viewable: the item in question can only be viewed and not actually performed;
- Hidden: the item is hidden and cannot be performed.
The System Administrator will have Viewable+Execute for all items and it is recommended to not change these. For Helpdesk you will see different settings for these items.
Menu
Items of menu type are only applicable to the Admin application.
| Action | Description |
| --- | --- |
| Home | The home page for the Admin application. |
| Lifecycle | The lifecycle page for the Admin application. |
| Actions - Credential Unblock - Online | From Actions - Credential Unblock, if the managed credential is attached. |
| Actions - Credential Unblock - Offline | From Actions - Credential Unblock, if the managed credential is not attached and the operator has searched for the user from the repository. |
| Actions - Credential Unblock - Self-service | From Actions - Credential Unblock, if the managed credential is configured for self-service, additional operations can be performed. |
| Actions - Temporary Credential | From Actions - Temporary Credential, if this is configured for a managed credential. |
| Actions - FIDO2 | From Actions - FIDO2, FIDO2 related operations can be performed. |
| Actions - PIN Policies | From Actions - PIN Policies, PIN policy related operations can be performed. |
| Actions - BIO Policies | From Actions - BIO Policies, BIO policy related operations can be performed. |
| Actions - Certificates/Keys | From Actions - Certificates/Keys, certificate related operations can be performed. |
| Actions - Custom Data on Credential | From Actions - Custom Data, custom data related operations can be performed. |
| Actions - Print Credential | From Actions - Print Credential, a test print on a smart Credential can be performed. |
| Actions - Update Credential | From Actions - Update Credential, pending updates can be performed on a credential. |
| Actions - Clean Credential | From Actions - Clean Credential, a reset can be performed. |
| Actions - Request Certificates | From Actions - Request Certificates, certificate requests can be made. |
| Actions - Virtual Credential | From Actions - Virtual Credential, virtual smart Credentials can be created. |
| Actions - Credential Information | From Actions - Credential Information, specific credential information can be seen. |
| Repository - Credentials | From Repository - Credentials, all managed smart Credentials can be viewed. |
| Repository - Transaction Log | From Repository - Transaction Log, all transaction log history can be viewed. |
| Repository - Master Keys | From Repository - Master Keys, all master key(s) created and used can be viewed. |
| Repository - Archived Keys | From Repository - Archived Keys, all archived keys in the system can be viewed. |
| Repository - Messages | Repository - Messages - This is an old legacy repository that is no longer used. |
| Repository - Tokens Repository | Repository - Tokens Repository - This is an old legacy repository that is no longer used. |
| Repository - Credential Transfer | From Repository - Credential Transfer, options for migrating from other credential management systems are available. |
| Repository - Batch Processes | From Repository - Batch Processes, all batch processes that have been performed can be viewed. |
| Repository - Reports | From Repository - Reports, all configured reporting can be viewed. |
| Repository - Managed Certificates - Certificates | From Repository - Managed Certificates - Certificates, all managed certificates can be viewed. |
| Repository - Managed Certificates - Certificates Logs | From Repository - Managed Certificates - Certificates Logs, all logs around certificate lifecycle management can be viewed. |
| Repository - System Logs | From Repository - System Logs, all logs for general system activities can be viewed. |
| Repository - Device Management - Managed Devices | From Repository - Device Management - Managed Devices, all managed devices where Virtual Credentials are managed can be viewed. |
| Repository - Device Management - Logs | From Repository - Device Management - Logs, all logs for managed devices where Virtual Credentials are managed can be viewed. |
| Repository - Device Management - Events | From Repository - Device Management - Events, all events for managed devices where Virtual Credentials are managed can be viewed. |
| Repository - Device Management - Software Version | From Repository - Device Management - Software Version, all client side software installed on managed devices where Virtual Credentials are managed can be viewed. |
| Repository - Batch Stations - Stations | From Repository - Batch Stations - Stations, all batch stations configured can be viewed. |
| Repository - Batch Stations - Input queue | From Repository - Batch Stations - Input queue, all batch stations in the input queue can be viewed. |
| Repository - Batch Stations - Tasks processing | From Repository - Batch Stations - Tasks processing, all batch stations that have tasks processing can be viewed. |
| Repository - Batch Stations - Tasks success | From Repository - Batch Stations - Tasks success, all batch stations that have successfully performed tasks can be viewed. |
| Repository - Batch Stations - Tasks failing | From Repository - Batch Stations - Tasks failing, all batch stations that have failed tasks can be viewed. |
| Repository - Batch Stations - Batch Logs | From Repository - Batch Stations - Batch Logs, all batch station logs can be viewed. |
| Repository - ACME - Account | From Repository - ACME - Account, all ACME accounts can be viewed. |
| Repository - ACME - Order | From Repository - ACME - Order, all ACME orders can be viewed. |
| Repository - ACME - Logs | From Repository - ACME - Logs, all ACME logs can be viewed. |
| Repository - Credential Stock | From Repository - Credential Stock, all credentials in stock can be viewed. |
| Repository - Credential Stock Logs | From Repository - Credential Stock Logs, all activities performed around credential stocks can be viewed. |
| Repository - AD Password Reset | From Repository - AD Password Reset, all activities around AD password resets can be viewed. |
| Repository - Pending Tasks | From Repository - Pending Tasks, all pending tasks around virtual credentials can be viewed. |
| Templates - Credential Templates | From Templates - Credential Templates, the credential profiles can be managed. |
| Templates - Certificate Management Templates | From Templates - Certificate Management Templates, the certificate management templates can be managed. |
| Templates - BIO Policies | From Templates - BIO Policies, the credential BIO policies can be managed. |
| Templates - Credential Layouts | From Templates - Credential Layouts, the credential printing layouts can be managed. |
| Templates - FIDO2 - FIDO2 Templates | From Templates - FIDO2 - FIDO2 Templates, the FIDO2 templates can be managed. |
| Templates - FIDO2 - FIDO2 Passkey Templates | From Templates - FIDO2 - FIDO2 Passkey Templates, the FIDO2 passkeys can be managed. |
| Templates - FIDO2 - FIDO2 Enterprise Templates | From Templates - FIDO2 - FIDO2 Enterprise Templates, the FIDO2 enterprise templates can be managed. |
| Options - Security | From Options - Security, security related settings can be configured. |
| Options - Settings | From Options - Settings, all general settings can be configured. |
| Options - Credentials | From Options - Credentials, all credentials managed in the system can be configured. |
| Options - PIV | From Options - PIV, all PIV specific settings can be configured. |
| Options - Device Management | From Options - Device Management, all settings specific to device management when virtual smart Credentials are managed can be configured. |
| Options - Master Key | From Options - Master Key, new master keys can be generated. |
| Options - Connections | From Options - Connections, all connection settings can be configured. |
| Options - Schedulers | From Options - Schedulers, all scheduled tasks can be configured. |
| Options - Variables | From Options - Variables, all system variables can be created. |
| Options - Operators | From Options - Operators, all operators in the system can be viewed and edited. |
| Options - Roles | From Options - Roles, all operator roles can be configured. |
| Options - Tenants | Options - Tenants is reserved for future use. |
| Options - Repository | From Options - Repository, specific repository data can be configured for export. |
| Options - Virtual Credential | From Options - Virtual Credential, specific configurations for virtual credentials can be configured. |
| Options - License | From Options - License, license specific tasks can be performed. |
Process
All lifecycle activities that can be performed by an operator are described in this section.
| Action | Description |
| --- | --- |
| Register Credential | This is where an operator can register a credential as part of lifecycle management. |
| Unregister Credential | This is where an operator can unregister a credential as part of lifecycle management. |
| Issue Credential | This is where an operator can issue a credential as part of lifecycle management. |
| Initiate Credential | This is where an operator can initiate a credential as part of lifecycle management. |
| Delete Credential | This is where an operator can delete a credential as part of lifecycle management. |
| Revoke Credential | This is where an operator can revoke a credential as part of lifecycle management. |
| Retire Credential | This is where an operator can retire a credential as part of lifecycle management. |
| Inactivate Credential | This is where an operator can inactivate a credential as part of lifecycle management. |
| Activate Credential | This is where an operator can activate a credential as part of lifecycle management. |
| Lock Credential | This is where an operator can lock a credential as part of lifecycle management. |
| Unlock Credential | This is where an operator can unlock a credential as part of lifecycle management. |
| Update Credential | This is where an operator can update a credential as part of lifecycle management. |
| Clean Credential | This is where an operator can clean a credential as part of lifecycle management. |
| Perform Batch Process | This is where an operator can perform batch processes on credentials as part of lifecycle management. |
| Create Virtual Credential | This is where an operator can create a virtual credential as part of lifecycle management. |
| Destroy Virtual Credential | This is where an operator can destroy a virtual credential as part of lifecycle management. |
| Change Credential Template | This is where an operator can change a credential template. |
Tasks
These are the actual operations that an operator can perform from the Admin application. We will show which tasks these settings relate to using screenshots from the actual Admin application so it is easier to understand what each task refers to.
Lifecycle - Selected Credential Info - Configure
Actions - Credential Information - Custom Data on Credential - Show Details
Actions - Custom Data on Credential - Edit Online
Actions - Custom Data on Credential - Edit Offline
Actions - Request Certificates - Request
Actions - Request Certificates - Manage
Actions - Request Certificates - Add
Actions - Request Certificates - Delete
Repository - Archived Keys - Import
Repository - Device Management - Managed Devices - Execute
Repository - Device Management - Managed Devices - Delete
Repository - Device Management - Managed Devices - Issue
Repository - Device Management - Managed Devices - Retire
Repository - Device Management - Managed Devices - Synchronize
Repository - Device Management - Managed Devices - Edit Flags
Repository - Device Management - Managed Devices - View TPM Info
Repository - Device Management - Managed Devices - View Windows Hello For Business Info
Repository - Device Management - Events - Delete
Repository - Device Management - Enrollment Configuration - Edit
Repository - Device Management - Software Version - Edit
Repository - Certificates - Delete
Repository - Certificates - Revoke
Options - Variables - Edit
Options - Schedulers - Configure
Credential Templates - View - Export
Credential Templates - View - Save
Options - Credential - SM keys
File - Server Certificates
File - Program Setting
User Credential certificates - Issue - Choose ID
For manual issuance when multi role is configured.
Credential Templates - Modify
This task is to control what an operator can perform on templates from Templates - Credential Templates. This means you can control all aspects as highlighted below.
Modify Connector Settings
Modify Repository Settings
Configure Repository Columns
Key archival - Recovery
Key archival - Delete archived key
Options - Operators - Update keys
Options - Operators - Add
Options - Operators - Edit
User Credential certificates - Delete
User Credential certificates - Issue
User Credential certificates - Reissue
User Credential certificates - Import
User Credential certificates - PIN
This is for tasks where a managed credential supports multiple PINs. A PIN button option will be available from Actions - Certificates/Keys for a credential that is issued with this multi PIN feature configured.
User Credential certificates - Default
User Credential certificates - Recover
Actions - FIDO2 - Delete
From Actions - FIDO2 you can control what tasks an operator can perform.
PIN Policies - Set
BIO Policies - Set
BIO Policies - Enroll Finger Print
Repository - Copy Clipboard
Repository - Credential Transfer - Import
Repository - Credential Transfer - Proceed
Repository - Credential Transfer - Pre-Issuance
File - Program Settings - Check for updates now
File - Program Settings - Credential Stock Management
File - Program Settings - Message Dialog Management
File - Program Settings - Linked Custom Data in Credentials Table
Data export
From Options - Connections, control what tasks an operator can perform for any pending data export records.
Save diagnostic trace
Perform SQL database schema upgrade
You can control what operator role is allowed to perform database schema updates when a product version update is applied.
Self-service access - Generate unblock codes
Self-service access - Reset user passphrases
Self-service access - Request Entra ID TAP code
Pending tasks - Delete entry
Pending tasks - Execute - Revoke/Delete
Self-service access - Generate domain account password reset code
Repository - AD Password Reset Tasks - Add
Repository - AD Password Reset Tasks - Delete
Repository - AD Password Reset Tasks - Deactivate