How can we help?

Using Windows Group Permissions

Anthony - Versasec Support
Anthony - Versasec Support
  • Updated

Introduction

It is possible to configure vSEC:CMS such that operators and users can be managed using Active Directory (AD) Group membership.

For example, in a geographically distributed organization where there are many different office locations and each office location needs to administer their end users credentials. In this setup, it may be required to use AD Group membership, for example, each office has at least one operator that is a member of a Credential Group. Employees at that same office are also a member of the same Credential Group. Employees are traveling between offices and are then given temporary membership to the Credential Group of the office being visited. The operators of that office are then, based on the group membership, able to administer those user’s credentials.

Example Windows AD Group Permissions Configuration

Below we will describe how an example configuration could be set up in vSEC:CMS. A simple example will be used to better describe how this can be configured and used.

Windows Group Permissions

Here we will describe how the Windows Group permissions could be configured. It is expected that the reader has experience in using Windows AD and Windows Groups.

Note
Nested groups are supported. The below query is run against AD: szQueryStr.Format(_TC("(&(member:1.2.840.113556.1.4.1941:=%s)(member:1.2.840.113556.1.4.1941:=%s))"), pszUserDN1, pszUserDN2);

Therefore the limitation will be from AD with regard to the depth that the query can navigate through groups.

Example company XYZ has 2 different office locations, one office in the UK and one in the USA. It is required that vSEC:CMS operators located in the UK office can only manage users located in the UK office and similarly vSEC:CMS operators located in the USA office can only manage users located in the USA office. Additionally, end users in either location will be allowed to perform self-service operations using the vSEC:CMS User application.

In AD 2 groups are created, UKOffice and USAOffice. All vSEC:CMS operators located in the UK office will be a member of the UKOffice group and all vSEC:CMS operators located in the USA office will be a member of the USAOffice group. Let's say we have operator named Tommy Ryan who is located in USA, then it would look something like below for the AD record:

And in the UK we have operator named Mike Murphy:

Similarly, all credential users located in the UK office will be a member of the UKOffice group and all credential users located in the USA office will be a member of the USAOffice. Let’s say we have user Alice Smith located in USA office, then the AD record would look like:

And in the UK we have user named James Doe:

Configure vSEC:CMS Templates

2 templates will need to be created, one for the USAOffice and one for the UKOffice.

USAOffice Template

1. From Templates - Card Templates click the Add button.

Click the Edit link beside General. Enter a template name. Presuming that you are using one of the minidriver credentials that is supported by vSEC:CMS select Minidriver (Generic minidriver card) for Card type.

Click the Manage button beside Check external permission. Click Add and enter a template name and click Add. Select the group (USAGroup as in this sample setup) that will be used from the available list and click Ok. Click Get DN and select an operator (Tommy Ryan in this example) who is a member of the USAGroup. 

If you are going to allow self-service issuance with the template then you need to enter a valid DN into the field Operator DN for User Application. The DN entered here needs to be in the same AD group as the user who is performing self-service issuance.

Untitled.png

You can perform a test at this stage to ensure that the configuration is correct. Click the Test button and for the first Get DN button select an Operator that is a member of the USAGroup and the second Get DN button select a user that is a member of the USAGroup and click Test. If the group permissions are valid a success dialog will appear.

Untitled.png

Click Save to close and save.

Similarly do the same for the UKOffce group. Click the Manage button beside Check external permission. Click Add and enter a template name and click Add. Select the group (USAGroup as in this sample setup) that will be used from the available list and click Ok. Click Save to close and save.

Esure to enable the checkbox Check external permission and select the group permission for this card template from the drop-down list.

Click Ok to save the settings.

2. Click the Edit link beside Issue Card. In the User ID Options section enable Assign user ID and select the AD connection in the drop-down list.

In the Enroll Certificate Options section enable Enroll certificate(s) checkbox and click the Add button. Select the Windows logon certificate template created earlier and click Ok.

Leave all other settings as is. You will notice that at the bottom of the dialog in the Permissions section that the Check external permissions is enabled with the group permission selected.

Click Ok to save and close.

3. Click Ok to save and close the template.

UKOffice Template

For the UKOffice configuration it will be the same as above but in this case we will use the UKOffice Windows group.

Test Permissions

Once the templates are configured as described above log onto the vSEC:CMS console with 2 different operators. Operator1 is a member of USAGroup and Operator2 is a member of UKGroup.

Operator1 will only be able to perform lifecycle operations for users who are members of USAGroup and likewise Operator2 will only be able to perform lifecycle operations for users who are members of UKGroup.