Skip to main content
Skip table of contents

Users/Administrators permissions using Roles & Groups


Roles represent a set of permissions in the VeridiumID system. Permissions allow admins access to Admin console functionalities or normal users to authentication services.
Roles are managed in Settings->Group & Roles->Roles. Default roles are:





The Admin User Role

Cross Application Administrators


The Alerts Role.

Alerts administrators


The Analyst Role

Analyze data


The Application Admin User Role

Application Administrators


Role used for Customer Support

Technical Support


The Active User Role that can perform authentications in the Veridium IdP

Default client access,Default user


The Default User Role that can be used anonymously, mostly by devices that start the enrolment process.

Default user

Permissions are described in detail in the “Authentication, Authorization and Audit in Veridium Manager” section from this chapter.


Groups is the union of one or more Roles. Normal users are automatically assigned the Users group after completing the enrolment, allowing them to access the IdP services.
Groups can be assigned to individual administrators manually or mapped to Directory Service group membership.
Groups can be found at Settings->Groups & Roles-> Groups

New group can be added by pressing on link Add Group Actions menu on right part of the page.

The following form will appear. Fill the following group properties:

Click Save button on top right corner to create a group.

Existing group can be modified by pressing on edit button icon

in Actions column

To map an administration group to a Directory Service group go to Settings-> Admin auth -> Group mapping

Screenshot 2024-01-22 at 22.20.54.png

By mapping Directory Service groups to Veridium Groups, authorization can be managed in the Directory Service for Veridium as well. Custom Groups with the desired permissions mapped to an already existing administrator group takes benefit from existing configurations and offers good flexibility in defining the authorization boundaries in Veridium.

Allow user access to IdP services based on Directory Service group membership

Controlling who can enrol or what authenticators a user can enrol is easily customisable through user groups.

First Veridium needs to read user groups from the correct Directory Service attribute. To achieve this configure the ‘Groups’ attribute mapping from the LDAP connection (see Attribute name mapping for details)

When user starts the enrolment process, a validation is done to see if it is allowed to do this action. By default Veridium allows all users to enrol. To restrict enrolment to certain groups only, edit the Main enrolment step, AD Enrolment, and under Configuration tab fill in the Allowed Groups table with the names of the desired groups. The result is that only users that are members of at least one of the configured groups will be allowed to enrol.

If the Directory Service group defined in Veridium as well (use the same group name and no roles) then enrolment policies can be applied for customised enrolment. See Policy Mechanism

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.