Users/Administrators permissions using Roles & Groups
Roles
Roles represent a set of permissions in the VeridiumID system. Permissions grant administrators access to Admin console functionality, and grant normal users access to the authentication services.
Roles are managed in Settings->Group & Roles->Roles. Default roles are:
Name | Description | Permissions |
---|---|---|
admin | The Admin User Role | Cross Application Administrators |
alerts | The Alerts Role. | Alerts administrators |
analyst | The Analyst Role | Analyze data |
appadmin | The Application Admin User Role | Application Administrators |
techsupport | Role used for Customer Support | Technical Support |
active | The Active User Role that can perform authentications in the Veridium IdP | Default client access, Default user |
default | The Default User Role that can be used anonymously, mostly by devices that start the enrolment process. | Default user |
Permissions are described in detail in the “Authentication, Authorization and Audit in Veridium Manager” section from this chapter.
Groups
A Group is the union of one or more Roles. Normal users are automatically assigned the Users group after completing enrolment, which allows them to access the IdP services.
Groups can be assigned to individual administrators manually or mapped to Directory Service group membership.
Groups can be found at Settings -> Groups & Roles -> Groups.
A new group can be added by clicking the Add Group link in the Actions menu on the right-hand side of the page.
The following form will appear. Fill in the group properties:
Name
Description
Roles
Policies - authentication policies are defined in the chapter Authentication Policies
Click the Save button in the top right corner to create the group.
An existing group can be modified by clicking the edit icon in the Actions column.
To map an administration group to a Directory Service group, go to Settings -> Admin auth -> Group mapping.
By mapping Directory Service groups to Veridium Groups, authorization for Veridium can also be managed in the Directory Service. A custom Group carrying the desired permissions, mapped to an already existing administrator group, benefits from the existing Directory Service configuration and gives good flexibility in defining the authorization boundaries in Veridium.
Allow user access to IdP services based on Directory Service group membership
Which users can enrol, and which authenticators they can enrol, is easily customisable through user groups.
First, Veridium needs to read user groups from the correct Directory Service attribute. To achieve this, configure the ‘Groups’ attribute mapping of the LDAP connection (see Attribute name mapping for details).
When a user starts the enrolment process, a validation checks whether the user is allowed to perform this action. By default Veridium allows all users to enrol. To restrict enrolment to certain groups only, edit the Main enrolment step, AD Enrolment, and under the Configuration tab fill in the Allowed Groups table with the names of the desired groups. The result is that only users who are members of at least one of the configured groups will be allowed to enrol.
If the Directory Service group is also defined in Veridium (use the same group name and no roles), then enrolment policies can be applied for customised enrolment. See Policy Mechanism.
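As an added illustration (not Veridium's own code), the following Python models the two group-driven decisions described on this page: which roles an administrator obtains through Directory Service group mapping, and whether a user may enrol given the Allowed Groups table, including the default case where the table is empty. The group names, the choice of `memberOf` as the mapped attribute and the group-to-role assignments are constructed assumptions, and the mapped attribute is assumed to already yield plain group names.

```python
# Constructed model of the page's group logic; role names come from the
# page's default role table, everything else is sample configuration.
from typing import Dict, Iterable, List, Set

# Veridium Groups and the Roles they union (constructed sample).
VERIDIUM_GROUPS: Dict[str, Set[str]] = {
    "Users": {"active"},
    "Administrators": {"admin"},
    "SupportDesk": {"techsupport", "alerts"},
    "Enrol-Restricted": set(),  # same name as the DS group, no roles
}

# Directory Service group -> Veridium Group (Settings -> Admin auth ->
# Group mapping). Constructed sample values.
GROUP_MAPPING: Dict[str, str] = {
    "VeridiumAdmins": "Administrators",
    "Helpdesk": "SupportDesk",
    "Enrol-Restricted": "Enrol-Restricted",
}


def user_groups(entry: Dict[str, List[str]], groups_attr: str) -> Set[str]:
    """Read the user's groups from the attribute the 'Groups' mapping
    points at. A missing attribute means 'no groups', not an error."""
    return set(entry.get(groups_attr, []))


def enrolment_allowed(groups: Set[str], allowed_groups: Iterable[str]) -> bool:
    """Empty Allowed Groups table -> everyone may enrol (the default);
    otherwise the user must belong to at least one configured group."""
    allowed = set(allowed_groups)
    return not allowed or bool(groups & allowed)


def effective_roles(groups: Set[str]) -> Set[str]:
    """Union of the Roles of every Veridium Group that the user's
    Directory Service groups are mapped to; unmapped groups add nothing."""
    roles: Set[str] = set()
    for ds_group in groups:
        veridium_group = GROUP_MAPPING.get(ds_group)
        if veridium_group is not None:
            roles |= VERIDIUM_GROUPS.get(veridium_group, set())
    return roles


if __name__ == "__main__":
    # Constructed LDAP entry; 'memberOf' is the assumed mapped attribute.
    entry = {"uid": ["jdoe"], "memberOf": ["Helpdesk", "Enrol-Restricted"]}
    groups = user_groups(entry, "memberOf")
    print(enrolment_allowed(groups, ["Enrol-Restricted"]), effective_roles(groups))
```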