Template Settings

Anthony - Versasec Support

Introduction

This article will describe the settings available when configuring a credential template from the Templates – Card Templates dialog.

From here it will be possible to add, delete, edit, view and search templates. Viewing a template shows the complete settings configured for it, which is useful if you are asked to share the configuration in order to troubleshoot a particular issue. Additionally, by selecting a template and using the Up or Down buttons, you configure the order in which the templates are presented in the drop-down list when a credential token is being issued from the Lifecycle page or from the self-service application.

By default, when you select a template from the table it will be enabled. This means that it will be available to be used. If you require that a template is not available, uncheck the Enabled button.

It is possible to lock a template. This means that it will not be possible to edit the configuration of the template once it is locked. The template can only be unlocked by the operator who originally locked the template.

Configuration Options

A number of options will be available when configuring a credential template. This article will go through each configuration dialog and describe all the different options available.

General

The following can be configured from the General section.

The configuration dialog is broken into several different sections.

General Options Section

Enter an appropriate Name for the template and select the Card type. If a user credential that is to be managed by this template is attached, click the Detect button to allow the vSEC:CMS to determine what card type the user credential is. Add a descriptive Comment for the template, if required.

Features Section

Enable Offline unblock feature if it is required to allow the user credential PIN to be unblocked offline.

Enable Online unblock feature if it is required to allow the user credential PIN to be unblocked online.

Note
If Online unblock is disabled, it will only be possible to initiate the user's credential PIN (that is, to set a PIN on the credential) by offline unblock or by automatically setting a PIN on the credential during the issuance process.

From the Issue multiple cards of this type to the same user drop-down list, 3 options are available:

  1. By default, a credential token can be issued only once for the particular credential template being configured. In this case select Restricted: Not allowed.
  2. If it is required that the credential template can be used to issue more than one credential token for a user select Unrestricted: Yes.
  3. If it is required to limit the total number of credentials that can be issued to a user then select Restricted: Limited to a number of same template type. Click the Configure button and enter the total number of credentials allowed to be issued for a user with this template.

Note
If the template is to be used to issue operators then it will not be possible to issue more than one operator card. This is by design.

Enable the Self-service using the following template and select the self-service template that will be used. Click the Manage button to configure self-service templates.

For the vSEC:CMS Operator Card option it will be possible to configure operator settings for the template if the template is to be used for issuing operator credentials.

Note
It will be necessary to be logged into the vSEC:CMS with an operator credential that has a System Administrator role to configure this feature.

There are two supported methods for configuring operators:

Option 1: It will be necessary to have a credential with the vSEC:CMS operator applet installed on it. It will be necessary to attach such a credential to the host and click the Detect button in order for the vSEC:CMS to detect that the credential is such an operator credential. This will then provide the option Full Featured Operator Card from the drop-down list. If this option is enabled it will only be possible to issue credentials that have the vSEC:CMS operator applet issued to them for this particular credential template.

Option 2: Any minidriver enabled credential can be used as an operator credential. This means that it will not be necessary to have the vSEC:CMS operator applet installed on the credential. Select the option Authentication Only Operator Card from the drop-down list to use this feature. It will be necessary to have the Operator Service Key Store feature configured to use such a credential once it is issued.

Click the Roles button if the vSEC:CMS Operator Card checkbox is enabled.

From this dialog, it is possible to configure how the operator can select the role(s) that will be applied to the issued operator credential during the issuance. If the issuing operator is to be allowed to manually select the role that is to be applied during issuance, then select the option Select Operator Role manually during issuance. If it is required to automatically set the role during the issuance, then select the option Automatically set selected role(s) during issuance and select the roles that are to be set from the list of available roles.

Enable This template is depending on and select the template in the available drop-down list that the template will be linked to for temporary credential templates. Click the Configure button to configure the setting for the linked template.

Enable the Enable user card operation notifications checkbox if it is required to send configured notifications when particular operations are performed on a managed credential. Click the Configure button to configure the particular notifications that can be sent. From the configuration dialog three options are available:

  • PIN unblock – depending on what is configured, either an email or SMS message will be sent when an operator performs a smart card PIN unblock for a managed credential user.
  • Issuance – depending on what is configured, either an email or SMS message will be sent when an operator performs a credential issuance for a managed credential user.
  • Certificate loading – depending on what is configured, either an email or SMS message will be sent when an operator performs a credential certificate issuance from Actions – Certificate(s)/key for a managed credential user.
  • Revocation – depending on what is configured, either an email or SMS message will be sent when an operator performs a credential revocation for a managed credential user.

Enable Supports multiple role(s) feature to allow support for users who may have multiple roles.

Enable Supports multiple PINs feature to allow the management of credentials that support multiple PINs.

Enable plugin(s) feature to enable the use of plugins in the template and click the Plugins button to configure the plugin(s).

Permissions Section

From this section, it is possible to configure permissions around how the template can be used depending on the Operator’s role.

Enable the Access rights per individual lifecycle tasks option if it is required to control what processes an operator can perform based on their role. If this is enabled you will see that Permissions in the other processes (for example Issue Card) can be configured. If this is not enabled then the default operator roles that are in the pane below (highlighted in red) will be allowed to use all the settings configured in this template.

Click the Edit button to select the operator role(s) who are allowed to use and configure this template.

Enable the Check user validity option to set a global check when performing all post issuance lifecycle tasks to ensure that the user is still a valid user in the user directory.

Enable the Validate permission option to configure and select the template that can be used if it is required to perform some validation steps before a credential token is issued to a user.

Enable the Check external permission option to configure and select the template that can be used if it is required to use AD group permissions to control which operators can manage specific user groups.

Issue Card

The following can be configured from the Issue Card section.

General Options Section

Enable the Clean card before issuance if it is required to remove any certificates that may exist on the credential before issuing the credential.

Enable the Automatically initiate cards after issuance if it is required to automatically initiate the credential after the issuance process has completed. It will be necessary to configure the vSEC:CMS to automatically set a PIN from the Initiate Card dialog if this option is enabled.

Enable Only issue cards from smart card stock if it is required to only allow credential tokens which are part of a card stock to be used.

If the self-service feature is enabled (from the General section above) for a template, then further options will be available. These are the Issue by Operator(s) and Issue by User(s) radio buttons and the Virtual SC button. Enable Issue by Operator(s) if only operators are allowed to issue credential tokens from the Lifecycle page for the template which has self-service capabilities enabled. Enable Issue by User(s) if the end user is allowed to issue credential tokens using the vSEC:CMS USS for the template which has self-service capabilities enabled.

Click the Virtual SC button to configure virtual credential settings for the template. Enable the Try to create a virtual smart card check box if it is required for the USS application to create a virtual credential on the device that is to be used by the USS application. Enable the Stop issuance when fail to create a virtual smart card to configure the USS application to force the creation of a virtual credential. If this is enabled, the USS application will stop the issuance process if it was not possible to create the virtual credential. If this setting is not enabled, the USS application will try to use an already created virtual credential if one is available to the client.

User ID Options Section

Enable the Assign user ID checkbox if it is required to assign an identifier to the user credential during the issuance process and select the ID type from the drop-down selection box. Click the Manage button to configure the ID types. Click the Role(s) button, if available, to configure users who have multiple roles. The Role(s) button will only be available if this feature is enabled from the General settings described earlier.

Enable Capture photo check box if it is required to capture a photo of the user during the issuance process. Click the Configure button and for Photo Capture select either Capture always if it is required to always capture a photo of a user during the issuance process or Capture only if no photo is available if it is required to only capture a photo of a user if none exists already. Select the variable that the picture should be assigned to from the To variable drop down list. Enable the Save photo if it is required to save the picture to the database of the vSEC:CMS during the issuance process.

Enable the Update card status change to PAMS checkbox if a PAMS connection is configured and select the PAMS connector from the drop-down selection box.

Primary Card PIN Options Section

Enable the Apply PIN Policy to set PIN policy that will be set during the issuance process and select the policy template from the drop-down selection box. Click the Manage button to configure the PIN policy templates.

BIO Options Section

Enable the Apply BIO Policy to set BIO policy that will be set during the issuance process and select the policy template from the drop-down selection box. Click the Manage button to configure the BIO policy template.

Enroll Certificate Options Section

Enable the Enroll Certificate(s) option if the vSEC:CMS is configured to connect to a CA and it is required to issue certificates to the user credential during the issuance process. Click the Default button to set the selected certificate template as the default certificate during the issuance process. An asterisk will appear beside the certificate that is set as default. Click the Add button to add certificate templates that will be issued to the credential token during the issuance process. Click the Delete button to remove a CA template and click the Edit button to edit the selected CA template. Enable the Import Root/SubCA certificate(s) to smart card if it is required to write the root and the sub CA certificates to the user smart card during the issuance.

When the Add button is clicked a new dialog will appear. Enable the Generate new key radio button and select the CA from the drop-down list. Enable the Restore key from archive radio button and, from the Key to restore drop-down list, select the template that the key will be recovered from. From version 5.5.1.0 Key Archival Settings will be available. From here it is possible to configure the number of key(s)/certificate(s) that you want restored in the Restore last field.

Check the Archive key check box if vSEC:CMS is to archive the key. Enable the Restore if already archived if it is required that during the issuance vSEC:CMS will check the key archive repository to determine if an archived key already exists for the user. If an archived key already exists for this user, the vSEC:CMS will use this key when generating the certificate. If there is more than one archived key for the user, the vSEC:CMS will automatically select the most recently archived key.

From version 5.5.1.0 the previous paragraph no longer applies, as more options are available from this version. Under Key Archival Settings, you can configure the settings that will be used if the key/certificate is to be archived during the issuance process. Enable the Archive Key check box if the key and certificate should be archived. Enable the Restore if already archived check box if the key/certificate for the user should be restored during the issuance process when one is already archived. If no key/certificate is available for the user in this case, a new key/certificate will be generated for the user. Enable Generate new key, which is only available if the Restore if already archived check box is not set, if a new key/certificate should be generated during issuance while a number of key(s)/certificate(s) configured in the Restore last field are also restored during issuance. If Generate new key is not enabled and a number of key(s)/certificate(s) is configured in the Restore last field, then only these key(s)/certificate(s) will be restored, provided any are already archived for the user. The Restore last field will restore the most recent key(s)/certificate(s), up to a maximum of 50.

Under the General Settings enable the Update {altSecurityIdentities} if this AD attribute is to be written to during the issuance (see the article Alt-Security-Identities Management for more details). Enable Generate new key when reissue if it is required to generate a new key when reissuing a certificate through the vSEC:CMS. Enable Keep old key/certificate on card if it is required to keep the old key/certificate on the credential that is being reissued.

Note
If Keep old key/certificate on card is enabled then this certificate will not be automatically revoked on the CA. The old certificate will be revoked on the CA when the credential is deleted through the vSEC:CMS. Additionally, this setting is not supported for PIV support tokens and ID Prime MD 840/940 tokens, as it is not possible to re-define key containers for these types of token.

Note
If Multiple role(s) is configured then the options for key archival / key recovery will not be available from this dialog.

Select the required certificate template and click Ok to add.

Note
If Multiple PINs are enabled then further options will be available from this dialog. See the article on Multiple PINs for further details on this.

Note
If Multiple Role(s) are enabled then further options will be available from this dialog. See the article on Multiple Role Support for further details on this.

Printing Options Section

Enable the Print smart card check box and select the card layout template that is to be used. Click the Manage button to configure the card layout template that is to be used. Enable the Preview before printing if it is required to preview the card print job before actually printing on the card.

Contactless Section

Enable the Encode RFID check box and select the RFID template that is to be used. Click the Manage button to configure the RFID template that is to be used.

Data Export Section

Click the Configure button to configure which data export operation(s) can be performed as part of the issue process. Select an already configured data export template from the drop-down list and click the Add button to add the data export operation to the template.

General Card Properties Section

The Block PIN(s) check box is enabled and cannot be disabled, because the user credential will be blocked after every successful credential issuance. Enable the Make card read only to configure the vSEC:CMS to set the user credential as read only, thereby not allowing writes to the user credential. Enable the Cert enrollment/renewal enabled for user to allow the user of the credential to enroll or renew a certificate. Enable the User can import certificate(s) to allow the user of the credential to import a certificate to the credential.

Permissions Section

If the Access rights per individual lifecycle tasks option is enabled in the General settings for the template then from the Permissions section it is possible to configure the operator roles who will be allowed to perform this particular lifecycle process. Click the Edit button to configure the operator role(s) that is allowed to perform this particular lifecycle process.

If Active Directory group membership is to be used then enable the Check external permission check box and select the template from the available drop-down list that is to be used.

Revoke Card

Important
If a MS CA is used, any Operator who is attempting to revoke a managed user's smart card that contains certificate(s) using the vSEC:CMS console will need to have Issue and Manage Certificates permission on the CA to perform this operation. That means the Windows account that the Operator logged on with will need to have these permissions enabled on the CA. Otherwise the certificate revocation will be put in a queue on the vSEC:CMS and will only be revoked when an Operator who does have these permissions logs on and revokes the certificate(s).

Options For Revoke Card

By default, the Revoke certificates at CA option is permanently enabled, meaning that the vSEC:CMS will always attempt to revoke the certificate(s) on the CA when performing a revocation. It is not possible to disable this setting. Enable the Force certificate revocation at CA (Fail to revoke smart card if CA is not reachable) if it is required to force revocation at the CA, i.e., if the CA is unreachable the user credential certificate will not be revoked and the process will be aborted. If this option is not enabled and the CA is unreachable at the time that the user credential is being revoked, the revocation request will be cached by the vSEC:CMS.

Enable the Update (altSecurityIdentities) at AD check box if Windows Alt-Security-Identities management is used and required to be updated when revoking the certificate(s) for the credential token.

The Disable smart card in PAMS will disable the user credential in the PAMS system if one is configured and the Delete smart card in PAMS will delete the user smart card from the PAMS system if one is configured.

The Allow automatically revocation when issuing card in self-service can be used when it is required to issue an already managed token to another user from the USS application. This will result in the current credentials issued to the token being revoked, and the token would then be issued to the new user. The token that is being used in this scenario needs to have been issued originally with the same card template.

Permissions

If the Access rights per individual lifecycle tasks option is enabled in the General settings for the template, then the following options are available.

From the Permissions section, it is possible to configure the operator roles who will be allowed to perform this particular lifecycle process. Click the Edit button to configure the operator role(s) that is allowed to perform this particular lifecycle process.

Enable the Check user validity option which will result in a check being performed to ensure that the user is a valid user in the user directory.

Enable the Validate Permission option to configure and select the template that can be used if it is required to perform some validation steps before this operation is performed.

If Active Directory group membership is to be used then enable the Check external permission check box and select the template from the available drop-down list that is to be used.

Enable Skip permission validation and checks if user does not exist in the user directory if you want to skip the check for external permissions when a user does not exist anymore in the user directory.

Retire Card

Options For Retire Card

The Card can be reused option will allow for the retired user credential to be reused by the vSEC:CMS. The Clean card option will remove the card template set during the issuance process.

The Disable smart card in PAMS will disable the user credential in the PAMS system if one is configured and Delete smart card in PAMS will delete the user credential from the PAMS system if one is configured.

Permissions

If the Access rights per individual lifecycle tasks option is enabled in the General settings for the template, then the following options are available.

From the Permissions section, it is possible to configure the operator roles who will be allowed to perform this particular lifecycle process. Click the Edit button to configure the operator role(s) that is allowed to perform this particular lifecycle process.

Enable the Check user validity option which will result in a check being performed to ensure that the user is a valid user in the user directory.

Enable the Validate Permission option to configure and select the template that can be used if it is required to perform some validation steps before this operation is performed.

If Active Directory group membership is to be used then enable the Check external permission check box and select the template from the available drop-down list that is to be used.

Enable Skip permission validation and checks if user does not exist in the user directory if you want to skip the check for external permissions when a user does not exist anymore in the user directory.

Initiate Card

Options For Initiate Card

Enable the System set user PIN option and click the Configure button to set the specific PIN configuration that will be set when the credential is initiated.

Enable the Update (altSecurityIdentities) at AD check box if Windows Alt-Security-Identities management is used and required to be updated when performing this operation.

The Disable smart card in PAMS will disable the user credential in the PAMS system if one is configured and Delete smart card in PAMS will delete the user credential from the PAMS system if one is configured.

On clicking the Configure button the following options are available.

From the Initiate PINs section, it is possible to configure what PIN value can be set to the credential when it is initiated. Select the Apply to all PINs option if it is required that the PINs set will be applied to all PINs on the credential. This will only occur with credentials that support multiple PINs and which are configured on the system. In such a scenario, where the Apply to all PINs option is not checked, the PIN will only be set on the primary credential PIN. All other PINs will remain blocked.

Select the Force change at first use option if it is required to force the user to change their PIN on first use of the credential. Select the Random PIN option if it is required that the PIN will be randomly generated by the vSEC:CMS application. Enter the length of the PIN that should be created into the PIN length field. If the Random PIN option is not selected it will be necessary to enter a static PIN value that will be set to the credential into the PIN value field.

Select the Characters button if it is required to exclude specific characters from the auto-generated PIN.

In the Send PINs to section, select from the available drop-down list the export destination that the vSEC:CMS application will send the configured data to when the credential is initiated.

Important
The PIN values configured from here need to meet the PIN policy as set on the credential; otherwise errors will occur when trying to set a PIN value that does not meet the PIN policy on the credential.
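
The Random PIN, PIN length and Characters options above, together with the policy requirement in this note, can be illustrated with the following added Python example. It is not vSEC:CMS code and does not describe how the product generates PINs; the digit alphabet and the policy fields min_length, max_length and max_repeat are assumptions made for illustration.

```python
import math
import secrets
from dataclasses import dataclass

DIGITS = "0123456789"  # assumed base alphabet; the real one depends on the credential


@dataclass(frozen=True)
class PinPolicy:
    """Hypothetical stand-in for the PIN policy set on the credential."""
    min_length: int = 6
    max_length: int = 12
    max_repeat: int = 2  # longest allowed run of one identical character


def policy_violations(pin: str, policy: PinPolicy) -> list:
    """Return the names of the policy rules that `pin` breaks (empty = compliant).

    The same check applies to a static PIN value entered when Random PIN is off.
    """
    problems = []
    if not policy.min_length <= len(pin) <= policy.max_length:
        problems.append("length")
    longest = run = 0
    previous = None
    for ch in pin:
        run = run + 1 if ch == previous else 1
        longest = max(longest, run)
        previous = ch
    if longest > policy.max_repeat:
        problems.append("repeat")
    return problems


def allowed_characters(excluded: str = "", alphabet: str = DIGITS) -> list:
    """Alphabet that remains after applying the excluded characters."""
    return [ch for ch in alphabet if ch not in excluded]


def generate_pin(length: int, policy: PinPolicy, excluded: str = "",
                 alphabet: str = DIGITS, max_attempts: int = 1000) -> str:
    """Draw a random PIN from a CSPRNG and only return one that meets the policy."""
    allowed = allowed_characters(excluded, alphabet)
    if len(allowed) < 2:
        raise ValueError("exclusions leave fewer than two usable characters")
    # A length outside the policy can never succeed: reject the configuration
    # up front instead of failing later when the PIN is written to the card.
    if not policy.min_length <= length <= policy.max_length:
        raise ValueError("configured PIN length can never satisfy the policy")
    for _ in range(max_attempts):
        candidate = "".join(secrets.choice(allowed) for _ in range(length))
        if not policy_violations(candidate, policy):
            return candidate
    raise RuntimeError("no policy-compliant PIN found; settings are too restrictive")


def max_entropy_bits(length: int, excluded: str = "", alphabet: str = DIGITS) -> float:
    """Upper bound on PIN entropy; every excluded character lowers it."""
    usable = len(allowed_characters(excluded, alphabet))
    return length * math.log2(usable) if usable else 0.0


if __name__ == "__main__":
    policy = PinPolicy()
    pin = generate_pin(8, policy, excluded="01")
    print("compliant:", policy_violations(pin, policy) == [])
    print("bits, no exclusions:", round(max_entropy_bits(8), 2))
    print("bits, '0' and '1' excluded:", round(max_entropy_bits(8, "01"), 2))
```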

Permissions

If the Access rights per individual lifecycle tasks option is enabled in the General settings for the template, then the following options are available.

From the Permissions section, it is possible to configure the operator roles who will be allowed to perform this particular lifecycle process. Click the Edit button to configure the operator role(s) that is allowed to perform this particular lifecycle process.

Enable the Check user validity option which will result in a check being performed to ensure that the user is a valid user in the user directory.

Enable the Validate Permission option to configure and select the template that can be used if it is required to perform some validation steps before this operation is performed.

If Active Directory group membership is to be used then enable the Check external permission check box and select the template from the available drop-down list that is to be used.

Activate Card

Options For Activate Card

Enable the Update certificate status at CA if it is required to inform the CA to un-revoke the user certificate. Enable the Force certificate status update at CA (Fail to revoke smart card if CA is not reachable) if it is required to force the CA to be informed about the un-revoke request for the user certificate, i.e., if the CA is unreachable the user credential certificate will not be un-revoked and the process will be aborted.

Enable the Update (altSecurityIdentities) at AD check box if Windows Alt-Security-Identities management is used and required to be updated when performing this operation.

The Disable smart card in PAMS will disable the user credential in the PAMS system if one is configured.

Permissions

If the Access rights per individual lifecycle tasks option is enabled in the General settings for the template, then the following options are available.

From the Permissions section, it is possible to configure the operator roles who will be allowed to perform this particular lifecycle process. Click the Edit button to configure the operator role(s) that is allowed to perform this particular lifecycle process.

Enable the Check user validity option which will result in a check being performed to ensure that the user is a valid user in the user directory.

Enable the Validate Permission option to configure and select the template that can be used if it is required to perform some validation steps before this operation is performed.

If Active Directory group membership is to be used then enable the Check external permission check box and select the template from the available drop-down list that is to be used.

Inactivate Card

Options For Inactivate Card

Enable the Update certificate status at CA if it is required to inform the CA to suspend (temporarily revoke) the user certificate. Enable the Force certificate status update at CA (Fail to revoke smart card if CA is not reachable) if it is required to force the CA to be informed about the revoke request of the user certificate, i.e., if the CA is unreachable the user credential certificate will not be revoked and the process will be aborted.

Enable the Update (altSecurityIdentities) at AD check box if Windows Alt-Security-Identities management is used and required to be updated when performing this operation.

The Disable smart card in PAMS will disable the user credential in the PAMS system if one is configured.

Permissions

If the Access rights per individual lifecycle tasks option is enabled in the General settings for the template, then the following options are available.

From the Permissions section, it is possible to configure the operator roles who will be allowed to perform this particular lifecycle process. Click the Edit button to configure the operator role(s) that is allowed to perform this particular lifecycle process.

Enable the Check user validity option which will result in a check being performed to ensure that the user is a valid user in the user directory.

Enable the Validate Permission option to configure and select the template that can be used if it is required to perform some validation steps before this operation is performed.

If Active Directory group membership is to be used then enable the Check external permission check box and select the template from the available drop-down list that is to be used.

Lock Card

Options For Lock Card

Enable the Update certificate status at CA if it is required to inform the CA to suspend (temporarily revoke) the user certificate. Enable the Force certificate status update at CA (Fail to revoke smart card if CA is not reachable) if it is required to force the CA to be informed about the revoke request of the user certificate, i.e., if the CA is unreachable the user credential certificate will not be revoked and the process will be aborted.

Enable the Update (altSecurityIdentities) at AD check box if Windows Alt-Security-Identities management is used and required to be updated when performing this operation.

The Disable smart card in PAMS will disable the user credential in the PAMS system if one is configured.

Permissions

If the Access rights per individual lifecycle tasks option is enabled in the General settings for the template, then the following options are available.

From the Permissions section, it is possible to configure the operator roles who will be allowed to perform this particular lifecycle process. Click the Edit button to configure the operator role(s) that is allowed to perform this particular lifecycle process.

Enable the Check user validity option which will result in a check being performed to ensure that the user is a valid user in the user directory.

Enable the Validate Permission option to configure and select the template that can be used if it is required to perform some validation steps before this operation is performed.

If Active Directory group membership is to be used then enable the Check external permission check box and select the template from the available drop-down list that is to be used.

Unlock Card

Options For Unlock Card

Enable the Update certificate status at CA if it is required to inform the CA to un-revoke the user certificate. Enable the Force certificate status update at CA (Fail to revoke smart card if CA is not reachable) if it is required to force the CA to be informed about the un-revoke request for the user certificate, i.e., if the CA is unreachable the user credential certificate will not be un-revoked and the process will be aborted.

Enable the Update (altSecurityIdentities) at AD check box if Windows Alt-Security-Identities management is used and required to be updated when performing this operation.

The Disable smart card in PAMS will disable the user smart card in the PAMS system if one is configured.

Enable the Automatically initiate cards after unlock to automatically set a PIN code on the credential if this feature is enabled in Initiate Card.

Permissions

If the Access rights per individual lifecycle tasks option is enabled in the General settings for the template, then the following options are available.

From the Permissions section, it is possible to configure the operator roles that will be allowed to perform this particular lifecycle process. Click the Edit button to configure the operator role(s) that are allowed to perform this particular lifecycle process.

Enable the Check user validity option to have a check performed that ensures the user is a valid user in the user directory.

Enable the Validate Permission option to configure and select the template to use if some validation steps must be performed before this operation is carried out.

If Active Directory group membership is to be used, enable the Check external permission check box and select the template to be used from the available drop-down list.

Delete Card

Important
A card should only be deleted if it is reported as lost and/or damaged. Once a card is deleted it will never be possible to get this card back into a working state, i.e. deleting a card is final and non-reversible.

Permissions

If the Access rights per individual lifecycle tasks option is enabled in the General settings for the template, then the following options are available.

From the Permissions section, it is possible to configure the operator roles that will be allowed to perform this particular lifecycle process. Click the Edit button to configure the operator role(s) that are allowed to perform this particular lifecycle process.

Enable the Check user validity option to have a check performed that ensures the user is a valid user in the user directory.

Enable the Validate Permission option to configure and select the template to use if some validation steps must be performed before this operation is carried out.

Update Card

Options For Card Update

Enable the Update when smart card expires in check box if it is required for the vSEC:CMS to check if the user certificate on the credential needs to be updated. Enter the number of days before the certificate is due to expire for which the vSEC:CMS will activate the notification. In this example, we set this value to 60 days which means that the notifications will begin to occur, depending on what is configured for the notifications (see below), 60 days before the certificate on the credential expires.

Click the Configure button to configure the notification message(s) that can be sent to the credential user when their certificate is due to expire.

Note
Credential(s) that have updates pending can be viewed in the following ways:
  • If the credential is in the possession of the operator, the operator can determine whether it needs to be updated from the Actions - Update Smart Card page.
  • The operator can filter for credentials that are due for updates from the Repository - Smart Cards page by selecting the Status: update needed filter from the Filtered by drop-down list.

Click Add to create a new notification template.

Note
Additional notification templates can be created if different notification messages are to be sent as the certificate expiration approaches.

From this dialog, you configure the period when the notification will be sent. Enter a template name for the Title. For the Period Configuration, in the From field enter the number of days before the certificate expires that this notification will be sent. In the To field enter the number of days that this notification will be sent for. For this particular example, a value of 20 is entered into the From field and 10 into the To field. Therefore, counting from the start of the 60-day period set in the example above, the notification will be sent between the 40th and 50th day.

Select the Enable Notification check box and in the Notify every field enter the frequency (in days) at which the notification will be sent. In this example, enter a value of 1 into the Notify every field. This results in a notification being sent once a day between the 40th and 50th day. Click the Configure Notification button to configure the actual notification message that is to be sent.

Click the Add button to add either an email or SMS notification message that will be sent. In this example, we will configure an email notification.

Enter a template name and select email from the drop-down list. Select the configured email server that is to be used from the Outgoing Email Server drop-down list.

Click the Edit email template button to configure the actual content of the email that will be sent to the credential user. The message content can be either in MHTML or plain text.

If an MHTML file is used for the email content it will be necessary to select the Html radio button and click the Import button to select and import the MHTML file into the application. It is possible to place vSEC:CMS variables into the MHTML page which will be used as placeholders to be replaced by actual data that can be retrieved by the application.

If plain text is used for the email content it will be necessary to select the Text radio button. Enter the email address that the email will be sent from into the From field. The To field should contain the variable for the user email address. To place the variable into the field, select the variable from the Variables drop-down list and select Copy; a brief description of the variable will appear below the drop-down list. Then right-click the field and select paste. A CC and BCC can be provided if required. Enter an appropriate subject into the Subject field. For the message, enter an appropriate message with variables to be replaced with specific data from the system. If a variable cannot be resolved when exporting the data, the variable name will be used instead. For example, if the variable ${UserPin} is used and for some reason the user PIN cannot be retrieved from the application, then the value exported will be the variable name, i.e. ${UserPin}. Click Ok to save the template.

Important
When adding variable placeholders to either MHTML or plain text, the variable needs to be entered correctly, i.e. the variables are case sensitive.

Permissions

If the Access rights per individual lifecycle tasks option is enabled in the General settings for the template, then the following options are available.

From the Permissions section, it is possible to configure the operator roles that will be allowed to perform this particular lifecycle process. Click the Edit button to configure the operator role(s) that are allowed to perform this particular lifecycle process.

Enable the Check user validity option to have a check performed that ensures the user is a valid user in the user directory.

Enable the Validate Permission option to configure and select the template to use if some validation steps must be performed before this operation is carried out.

Online PIN Unblock

Permissions

If the Access rights per individual lifecycle tasks option is enabled in the General settings for the template, then the following options are available.

From the Permissions section, it is possible to configure the operator roles that will be allowed to perform this particular lifecycle process. Click the Edit button to configure the operator role(s) that are allowed to perform this particular lifecycle process.

Enable the Check user validity option to have a check performed that ensures the user is a valid user in the user directory.

Enable the Validate Permission option to configure and select the template to use if some validation steps must be performed before this operation is carried out.

Offline PIN Unblock

Enable the Operator can send cryptogram to the user option if it is required to send the unblock cryptogram to the end user when an offline PIN unblock is being performed.

Click the Configure button to configure the mechanism that can be used to send the unblock cryptogram; either email or SMS is supported. Click Add to create a new notification template.

Click the Add button to add either an email or SMS message that will be sent. In this example, we will configure an email message.

Enter a template name and select email from the drop-down list. Select the configured email server that is to be used from the Outgoing Email Server drop-down list.

Click the Edit email template button to configure the actual content of the email that will be sent to the credential user. The message content can be either in MHTML or plain text.

If an MHTML file is used for the email content it will be necessary to select the Html radio button and click the Import button to select and import the MHTML file into the application. It is possible to place vSEC:CMS variables into the MHTML page which will be used as placeholders to be replaced by actual data that can be retrieved by the application.

If plain text is used for the email content it will be necessary to select the Text radio button. Enter the email address that the email will be sent from into the From field. The To field should contain the variable for the user email address. To place the variable into the field, select the variable from the Variables drop-down list and select Copy; a brief description of the variable will appear below the drop-down list. Then right-click the field and select paste. A CC and BCC can be provided if required. Enter an appropriate subject into the Subject field. For the message, enter an appropriate message with variables to be replaced with specific data from the system. If a variable cannot be resolved when exporting the data, the variable name will be used instead. For example, if the variable ${UserPin} is used and for some reason the user PIN cannot be retrieved from the application, then the value exported will be the variable name, i.e. ${UserPin}.

In the email body it is important to include the variable ${PinUnblockCryptogram} as this will be the actual unblock code sent to the user.

Click Ok to save the template.

Important
When adding variable placeholders to either MHTML or plain text, the variable needs to be entered correctly, i.e. the variables are case sensitive.

The Test button can be used to test the actual email delivery if required. If this test is performed, the selected user needs to have a valid email address in their AD attribute (mail).
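The placeholder rules described for the Update Card and Offline PIN Unblock email templates (case-sensitive names, an unresolved variable exported as its literal name, and the need for ${PinUnblockCryptogram} in the unblock message) can be checked before a plain-text template is saved. The following Python check is an added example, not part of vSEC:CMS; the function names, the KNOWN set and the sample body are assumptions made for illustration.

```python
import re

# Placeholder syntax shown in the article: ${Name}. Names are case sensitive.
PLACEHOLDER = re.compile(r"\$\{([^}]*)\}")

def lint_template(body, known_vars, required=()):
    """Return (kind, name) findings for a plain-text template body."""
    findings = []
    lowered = {v.lower() for v in known_vars}
    used = set()
    for match in PLACEHOLDER.finditer(body):
        name = match.group(1)
        used.add(name)
        if name in known_vars:
            continue
        # Same letters, different case: would not be resolved.
        kind = "wrong-case" if name.lower() in lowered else "unknown"
        findings.append((kind, name))
    for name in required:
        if name not in used:
            findings.append(("missing-required", name))
    return findings

def render(body, values):
    """Model of the described behaviour (assumption): a placeholder that
    cannot be resolved is left in the output as its literal name."""
    def substitute(match):
        name = match.group(1)
        return str(values[name]) if name in values else match.group(0)
    return PLACEHOLDER.sub(substitute, body)

# Only the two variable names that appear in the article; a real check would
# list every name offered in the Variables drop-down (hypothetical input).
KNOWN = {"UserPin", "PinUnblockCryptogram"}

# Constructed sample body with a miscased placeholder.
SAMPLE = "Your unblock code is ${pinunblockcryptogram}. Do not share it."

if __name__ == "__main__":
    required = ["PinUnblockCryptogram"]
    for kind, name in lint_template(SAMPLE, KNOWN, required):
        print(f"{kind}: ${{{name}}}")
    # The user would receive the placeholder text instead of a code.
    print(render(SAMPLE, {"PinUnblockCryptogram": "CONSTRUCTED-CODE"}))
```

Running the check on every template body before it is saved catches the case where the user receives the text ${pinunblockcryptogram} instead of an unblock code.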

Permissions

If the Access rights per individual lifecycle tasks option is enabled in the General settings for the template, then the following options are available.

From the Permissions section, it is possible to configure the operator roles that will be allowed to perform this particular lifecycle process. Click the Edit button to configure the operator role(s) that are allowed to perform this particular lifecycle process.

Enable the Check user validity option to have a check performed that ensures the user is a valid user in the user directory.

Enable the Validate Permission option to configure and select the template to use if some validation steps must be performed before this operation is carried out.

Self-Service PIN Unblock Code

Permissions

If the Access rights per individual lifecycle tasks option is enabled in the General settings for the template, then the following options are available.

From the Permissions section, it is possible to configure the operator roles that will be allowed to perform this particular lifecycle process. Click the Edit button to configure the operator role(s) that are allowed to perform this particular lifecycle process.

Enable the Check user validity option to have a check performed that ensures the user is a valid user in the user directory.

Enable the Validate Permission option to configure and select the template to use if some validation steps must be performed before this operation is carried out.

Self-Service reset Passphrase

Permissions

If the Access rights per individual lifecycle tasks option is enabled in the General settings for the template, then the following options are available.

From the Permissions section, it is possible to configure the operator roles that will be allowed to perform this particular lifecycle process. Click the Edit button to configure the operator role(s) that are allowed to perform this particular lifecycle process.

Enable the Check user validity option to have a check performed that ensures the user is a valid user in the user directory.

Enable the Validate Permission option to configure and select the template to use if some validation steps must be performed before this operation is carried out.