Digipass Plug-In for SBR Administrator Reference - Vasco

More documents

Recommendations

Info

Digipass Plug-In for SBR Administrator Reference Set Up Active Directory Permissions 5 Set Up Active Directory Permissions 5.1 Permissions Needed by the SBR Plug-In The SBR Plug-In runs inside Steel-Belted RADIUS, which runs as a Service. The Service runs as the 'Local System' account rather than as a named user account. Therefore, when connecting to Active Directory, the SBR Plug-In connects as the computer account, not a user account. The permissions that it has within Active Directory are the permissions of the computer account. An important exception to this occurs if you install the SBR Plug-In onto a Domain Controller. Any Service running as 'Local System' on a Domain Controller has all possible permissions to that Domain. In this case, no additional setup of permissions is required. Therefore, the rest of this section applies to the case where the SBR Plug-In is not on the Domain Controller. During installation, the computer account is added to the built-in 'RAS and IAS Servers' group in the Domain, as it will require the permissions assigned by default to this group. In order to function correctly, the SBR Plug-In requires the following permissions in Active Directory, that are not granted to 'RAS and IAS Servers' by default: Read access to the Digipass Configuration Container Read access to all User accounts (or at least, all who might need to be authenticated by the SBR Plug-In) Write access to the new attributes that are added to the User class for Digipass Plug-In for SBR (these are in the auxiliary class vasco-UserExt) Full control over all Digipass (vasco-DPToken) and Digipass Application (vasco- DPApplication) objects Create and delete permission for Digipass (vasco-DPToken) objects in Organizational Units and containers (specifically the Digipass-Pool and Users containers) 5.1.1 Giving Permissions to the SBR Plug-In During installation, these additional permissions are granted to the 'RAS and IAS Servers' group automatically. There is also a manual way to grant these permissions, by running the 'setupaccess' command at the command prompt: dpadadmin.exe setupaccess -group “RAS and IAS Servers” See 2.5 DPADadmin Utility for more information on the setupaccess command. As mentioned above, this is not necessary if the SBR Plug-In is installed onto a Domain Controller. © 2006 VASCO Data Security Inc. 62
Digipass Plug-In for SBR Administrator Reference Set Up Active Directory Permissions 5.2 Permissions Needed by Administrators 5.2.1 Domain Administrators Domain Administrators already have all required permissions within their Domain. 5.2.2 Delegated Administrators The term 'Delegated Administrators' is used here to refer to administrators who have been delegated control over an Organizational Unit. Generally speaking, they have administrative control over the user and computer accounts within their Organizational Unit. See the Digipass Records topic in the Product Guide for more information on possible approaches to delegating Digipass administration. By default, these administrators will be able to view the Digipass User Account data for their users and the Digipass that are located within their Organizational Unit. However, they will not be able to modify any of that data or assign Digipass. If you wish to delegate responsibility for all Digipass-related administration within an Organizational Unit, the following additional permissions are required by the Delegated Administrator: Within the scope of the Organizational Unit, Write permission to the new attributes that are added to the User class for Digipass Plug-In for SBR (these are in the auxiliary class vasco-UserExt) – you can add Write permissions for each individual Property Set or if appropriate, grant 'Write All Properties' permission Within the scope of the Organizational Unit, Full Control over all Digipass (vasco- DPToken) and Digipass Application (vasco-DPApplication) objects Create and Delete permission for Digipass (vasco-DPToken) objects within the Organizational Unit If the Delegated Administrator should be allowed to assign Digipass from the Digipass Pool to their users, they need Delete Digipass permission in the Digipass-Pool container 5.2.3 Reduced-Rights Administrators The term 'Reduced-Rights Administrator' is used here to refer to administrators who are granted permissions to perform only selected Digipass-related administration tasks. They may be granted these permissions within the scope of the whole Domain, or only within an Organizational Unit. An example is a Helpdesk operator who is permitted to troubleshoot Digipass operations, but not to assign/unassign Digipass to/from users. By default, all users have read access to everything in the Active Directory. The modification permissions that can be granted to this kind of administrator are: Write permission for any of three Property Sets on the Digipass User Account fields: Digipass User Account Information – all attributes except those covered by the other two Property Sets, including Authorization Profiles/Attributes © 2006 VASCO Data Security Inc. 63
Page 1 and 2:
Modify these field values (right-cl
Page 3 and 4:
Digipass Plug-In for SBR Administra
Page 5 and 6:
Page 7 and 8:
Page 9 and 10:
Page 11 and 12: Digipass Plug-In for SBR Administra
Page 61: Digipass Plug-In for SBR Administra
Page 113 and 114:
Page 115 and 116:
Page 117 and 118:
Page 119 and 120:
Page 121 and 122:
Page 123 and 124:
Page 125 and 126:
Page 127 and 128:
Page 129 and 130:
Page 131 and 132:
Page 133 and 134:
Page 135 and 136:
Page 137 and 138:
Page 139 and 140:
Page 141 and 142:
Page 143 and 144:
Page 145 and 146:
Page 147 and 148:
Page 149 and 150:
Page 151 and 152:
Page 153 and 154:
Page 155 and 156:
Page 157 and 158:
Page 159 and 160:
Page 161 and 162:
Page 163 and 164:
Page 165 and 166:
Page 167 and 168:
Page 169 and 170:
Page 171 and 172:
Page 173 and 174:
Page 175 and 176:
Page 177 and 178:
Page 179 and 180:
Page 181 and 182:
Page 183 and 184:
Page 185:
show all

Digipass Plug-In for SBR Administrator Reference - Vasco

Create successful ePaper yourself

Delete template?

Save as template?