Digipass Plug-In for SBR Administrator Reference - Vasco
Digipass Plug-In for SBR Administrator Reference: Set Up Active Directory Permissions

5.2 Permissions Needed by Administrators

5.2.1 Domain Administrators

Domain Administrators already have all required permissions within their Domain.

5.2.2 Delegated Administrators

The term 'Delegated Administrators' is used here to refer to administrators who have been
delegated control over an Organizational Unit. Generally speaking, they have administrative
control over the user and computer accounts within their Organizational Unit.

See the Digipass Records topic in the Product Guide for more information on possible
approaches to delegating Digipass administration.

By default, these administrators will be able to view the Digipass User Account data for their
users and the Digipass that are located within their Organizational Unit. However, they will not
be able to modify any of that data or assign Digipass.

If you wish to delegate responsibility for all Digipass-related administration within an
Organizational Unit, the following additional permissions are required by the Delegated
Administrator:

- Within the scope of the Organizational Unit, Write permission to the new attributes that
  are added to the User class for Digipass Plug-In for SBR (these are in the auxiliary class
  vasco-UserExt) – you can add Write permissions for each individual Property Set or, if
  appropriate, grant 'Write All Properties' permission
- Within the scope of the Organizational Unit, Full Control over all Digipass
  (vasco-DPToken) and Digipass Application (vasco-DPApplication) objects
- Create and Delete permission for Digipass (vasco-DPToken) objects within the
  Organizational Unit
- If the Delegated Administrator should be allowed to assign Digipass from the Digipass
  Pool to their users, they need Delete Digipass permission in the Digipass-Pool container
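
The grants listed above for a Delegated Administrator, expressed as dsacls commands driven from PowerShell. This is an added example, not taken from the VASCO documentation: the OU DN, group name and Digipass-Pool DN are hypothetical placeholders, and it assumes the schema's LDAP display names match the class names given above (vasco-DPToken, vasco-DPApplication).

```powershell
# Added example, not from the VASCO documentation.
# Assumptions: the OU DN, group name and pool DN are placeholders, and the
# class names below are assumed to be the schema's LDAP display names.
$Ou     = 'OU=Branch,DC=example,DC=com'          # hypothetical OU
$Group  = 'EXAMPLE\Digipass-OU-Admins'           # hypothetical group
$PoolDn = 'CN=Digipass-Pool,DC=example,DC=com'   # hypothetical pool DN

$AssignFromPool = $false   # $true only if this group may assign from the pool
$Apply          = $false   # $false prints the commands without changing any ACL

$grants = @(
    # 'Write All Properties' on user objects under the OU. This is the broad
    # option; per-Property-Set grants are narrower where they suffice.
    @{ Dn = $Ou; Flags = @('/I:S', '/G', "${Group}:WP;;user") }
    # Full Control over Digipass and Digipass Application objects under the OU.
    @{ Dn = $Ou; Flags = @('/I:S', '/G', "${Group}:GA;;vasco-DPToken") }
    @{ Dn = $Ou; Flags = @('/I:S', '/G', "${Group}:GA;;vasco-DPApplication") }
    # Create and Delete Digipass objects in the OU and the containers below it.
    @{ Dn = $Ou; Flags = @('/I:T', '/G', "${Group}:CCDC;vasco-DPToken") }
)
if ($AssignFromPool) {
    # Delete Digipass child objects in the Digipass-Pool container.
    $grants += @{ Dn = $PoolDn; Flags = @('/G', "${Group}:DC;vasco-DPToken") }
}

foreach ($g in $grants) {
    $shown = "dsacls `"$($g.Dn)`" $($g.Flags -join ' ')"
    if (-not $Apply) { Write-Output $shown; continue }
    & dsacls.exe $g.Dn $g.Flags
    if ($LASTEXITCODE -ne 0) { throw "Failed: $shown" }
}

# Review the resulting ACEs for the group on the OU.
if ($Apply) { & dsacls.exe $Ou | Select-String -SimpleMatch $Group }
```
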

5.2.3 Reduced-Rights Administrators

The term 'Reduced-Rights Administrator' is used here to refer to administrators who are
granted permissions to perform only selected Digipass-related administration tasks. They may
be granted these permissions within the scope of the whole Domain, or only within an
Organizational Unit.

An example is a Helpdesk operator who is permitted to troubleshoot Digipass operations, but
not to assign/unassign Digipass to/from users.

By default, all users have read access to everything in the Active Directory. The modification
permissions that can be granted to this kind of administrator are:

- Write permission for any of three Property Sets on the Digipass User Account fields:
  - Digipass User Account Information – all attributes except those covered by the other two
    Property Sets, including Authorization Profiles/Attributes

© 2006 VASCO Data Security Inc.