Administrative privileges

Administrative privileges control the administrative operations that specific users are allowed to perform via the Administration Web Interface.

Most administrative privileges rely on other privileges to work correctly. The table below lists the available privileges and the privileges set by OneSpan Authentication Server when each is assigned to a user.

Table: Administrative privileges – ODBC data store
| Privilege name | Depends on | Description |
|---|---|---|
| Access Data in All Domains | Administrative Logon | With this privilege, an administrator can view and manage data in all domains, not just their own. Only available if the user belongs to the master domain and not to an organizational unit. |
| Access Domain | Administrative Logon | When this privilege is set, the administrator can generate reports for all organizational units in their entire domain, even in AD. |
| Access Private Reports | Administrative Logon, View Report Definition | With this privilege, a domain administrator can access private reports that are owned by other administrators in the same domain. |
| Administrative Logon | | This is required for all administrators. Without this privilege, users are not able to perform any administrative tasks because they will not be able to log on. It can be removed as a temporary measure, without removing all privileges for this user. |
| Approve/Reject Pending Operation | Administrative Logon | This privilege specifies whether the user is a checker administrator. If so, the user is allowed to authorize pending operations in the context of maker–checker authorization. |
| Assign DIGIPASS | Administrative Logon, View User, View DIGIPASS, Set DIGIPASS Expiration, View Domain, View Organizational Unit | |
| Bind DIGIPASS | Administrative Logon, View DIGIPASS, View Domain, View Organizational Unit | |
| Cancel Task | Administrative Logon, View Task | |
| Change Report File Ownership | Administrative Logon, View User, View Domain, View Organizational Unit, View Report File | |
| Change Report Owner | Administrative Logon, View User, View Domain, View Organizational Unit, View Report Definition | |
| Create Back-End Server | Administrative Logon, View Back-End Server | |
| Create Component | Administrative Logon, View Policy, View Component | |
| Create Domain | Administrative Logon, Access Data in All Domains, View Domain | Only available if the user belongs to the master domain and not to an organizational unit. |
| Create EMV-CAP Application | Administrative Logon, View DIGIPASS, View Domain, View Organizational Unit | Allows creation of EMV-CAP authenticator records, including the BLOB. This privilege is only available if the HSM, EMV-CAP and EMV-CAP provisioning license options are all enabled and the administrator account is located in the master domain. |
| Create Key | Administrative Logon, View Key | |
| Create Organizational Unit | Administrative Logon, View Domain, View Organizational Unit | |
| Create Policy | Administrative Logon, View Policy | |
| Create Report Definition | Administrative Logon, View Report Definition | Create report definition and report format. |
| Create User | Administrative Logon, View User, Unlock User, Enable User, Disable User, Set User Expiration, Set User Password, Reset User Password, View Domain, View Organizational Unit | Create user and user attribute. |
| Deactivate DIGIPASS | Administrative Logon, View DIGIPASS, View Domain, View Organizational Unit | This privilege allows an administrator to deactivate an authenticator, or, in the context of multi-device licensing and activation, to generate a deactivation message for a specific authenticator instance. |
| Decrypt DIGIPASS Information Message | Administrative Logon, View DIGIPASS, View Domain, View Organizational Unit | This command decrypts the body of an information message created by an MDL device. The body is encrypted with the payload key blob of the instance. The command must fail when an authenticator without a payload key blob is used. |
| Delete Admin Session | Administrative Logon, View Admin Session | With this privilege, an administrator can delete any administrative session. |
| Delete Audit Information | Administrative Logon | This privilege allows an administrator to delete audit information. |
| Delete Back-End Server | Administrative Logon, View Back-End Server | |
| Delete Component | Administrative Logon, View Component | |
| Delete DIGIPASS | Administrative Logon, View DIGIPASS, View Domain, View Organizational Unit | Allows an administrator to delete an authenticator from the storage: delete authenticator software parameters, authenticators, and authenticator applications. When administrating authenticator licenses and instances in the context of multi-device licensing and multi-device activation: when an authenticator license is deleted, its instances are also deleted. The license can only be deleted if authenticator instances (active or inactive) are linked to this authenticator. This action is not reversible, i.e. the deleted instances cannot be recovered! |
| Delete Domain | Administrative Logon, Access Data in All Domains, View Domain | Only available if the user belongs to the master domain and not to an organizational unit. |
| Delete Key | Administrative Logon, View Key | |
| Delete Organizational Unit | Administrative Logon, View Domain, View Organizational Unit | |
| Delete Pending Operation | Administrative Logon | With this privilege, an administrator can delete a pending operation. |
| Delete Policy | Administrative Logon, View Policy | |
| Delete Report Definition | Administrative Logon, View Report Definition | Delete report definition and report format. |
| Delete Report File | Administrative Logon, View Report File | |
| Delete Task | Administrative Logon, View Task | |
| Delete User | Administrative Logon, View User, View Domain, View Organizational Unit | Delete user and user attribute. |
| Disable Server PIN | Administrative Logon, View DIGIPASS, View Domain, View Organizational Unit | With this privilege, an administrator can disable the use of a server PIN with a specific authenticator application. |
| Disable Task | Administrative Logon, View Task | |
| Disable User | Administrative Logon, View User, View Domain, View Organizational Unit | |
| Download Report File | Administrative Logon, View Report File | |
| Enable/Disable Maker–Checker | Administrative Logon, Update Back-End Settings, View Back-End Settings | With this privilege, an administrator can enable or disable maker–checker authorization. |
| Enable Server PIN | Administrative Logon, View DIGIPASS, View Domain, View Organizational Unit | With this privilege, an administrator can enable the use of a server PIN with a specific authenticator application. |
| Enable Task | Administrative Logon, View Task | |
| Enable User | Administrative Logon, View User, View Domain, View Organizational Unit | |
| Force DIGIPASS PIN Change | Administrative Logon, View DIGIPASS, View Domain, View Organizational Unit | |
| Generate DIGIPASS Activation Data | Administrative Logon, View DIGIPASS, View Domain, View Organizational Unit | This administrative privilege is only valid with Mobile Authenticator Studio 4.0. |
| Generate Virtual DIGIPASS OTP | Administrative Logon, View DIGIPASS, View Domain, View Organizational Unit | |
| Import DIGIPASS | Administrative Logon, View DIGIPASS, View Domain, View Organizational Unit | Create authenticator applications (you do not directly create authenticators); create and update authenticator software parameters; upload, import, query status and stop import of DPX files. |
| Import User | Administrative Logon, Assign DIGIPASS, Create User, Disable User, Enable User, Reset Last Authentication Time, Reset Password, Set DIGIPASS Expiration, Set Password, Set User Expiration, Unlock User, Update User, View DIGIPASS, View User, View Domain, View Organizational Unit | |
| Link User | Administrative Logon, View User, View Domain, View Organizational Unit | Link a user to another user. |
| Live Audit Connection | Administrative Logon | With this privilege, an administrator can connect from the Audit Viewer to the authentication server to receive live audit messages. |
| Move DIGIPASS | Administrative Logon, View DIGIPASS, View Domain, View Organizational Unit | Move authenticators within the existing organizational structure (other domain, other organizational structure). |
| Move User | Administrative Logon, View User, View Domain, View Organizational Unit | Rename user accounts or move them within the existing organizational structure (another domain, another organizational structure). |
| Replication Reconnect | Administrative Logon, Replication Status | |
| Replication Status | Administrative Logon | |
| Reset DIGIPASS Activation | Administrative Logon, View DIGIPASS, View Domain, View Organizational Unit | When resetting an authenticator that has been activated in multi-device activation mode, the action corresponding to this privilege resets the information related to Activation Message 1 for authenticator licenses. |
| Reset authenticator application | Administrative Logon, View DIGIPASS, View Domain, View Organizational Unit | |
| Reset DIGIPASS Application Lock | Administrative Logon, View DIGIPASS, View Domain, View Organizational Unit | |
| Reset DIGIPASS PIN | Administrative Logon, View DIGIPASS, View Domain, View Organizational Unit | |
| Reset Last Authentication Time | Administrative Logon, View User, View Domain, View Organizational Unit | |
| Reset Offline Authentication Data | Administrative Logon, View User, View Domain, View Organizational Unit | With this privilege, an administrator can reset the offline authentication history for a certain user or for a certain user/computer combination. |
| Reset User Password | Administrative Logon, View User, View Domain, View Organizational Unit | |
| Rotate Key | Administrative Logon, View Key | |
| Run Report | Administrative Logon, View Report Definition | |
| Send DIGIPASS Activation Data | Administrative Logon, View Domain, View DIGIPASS, View Organizational Unit | |
| Send Notification | Administrative Logon | With this privilege, an administrator can send notification messages to a specified user, e.g. for delayed or completed authenticator activation. |
| Set Administration Domains | Set Administrative Privileges, View Administrative Privileges, View User, View Domain, View Organizational Unit, Administrative Logon | |
| Set Administrative Privileges | Administrative Logon, View User, View Administrative Privileges, View Domain, View Organizational Unit | |
| Set Authentication Policy Overrides | Administrative Logon | This privilege is required to override certain user-specific policy settings for individual users (USERS > Policy Overrides tab). This privilege requires either the Create User or Update User privilege. Due to the potential security impact, the required privileges are not automatically assigned, but must be assigned explicitly in this case. |
| Set DIGIPASS Event Counter | Administrative Logon, View DIGIPASS, View Domain, View Organizational Unit | |
| Set DIGIPASS Expiration | Administrative Logon, View DIGIPASS, View Domain, View Organizational Unit | |
| Set DIGIPASS PIN | Administrative Logon, View DIGIPASS, View Domain, View Organizational Unit | |
| Set Global Configuration Options | Administrative Logon, View Global Configuration Options | With this privilege, an administrator can update the global server configuration. This is stored in the OneSpan Authentication Server data store. |
| Set Server Configuration Options | Administrative Logon, View Server Configuration Options | With this privilege, an administrator can update the local server configuration of the OneSpan Authentication Server instance. This is stored in the XML configuration file. |
| Set User Expiration | Administrative Logon, View User, View Domain, View Organizational Unit | |
| Set User Password | Administrative Logon, View User, View Domain, View Organizational Unit | |
| Take Report File Ownership | Administrative Logon, View Report File | With this privilege, an administrator can take ownership of any report file. |
| Take Task Ownership | Administrative Logon, View Task | |
| Test DIGIPASS OTP | Administrative Logon, View DIGIPASS, View Domain, View Organizational Unit | With this privilege, an administrator is able to test-validate a one-time password in a Response-Only or Challenge/Response scenario. |
| Test DIGIPASS Signature | Administrative Logon, View DIGIPASS, View Domain, View Organizational Unit | With this privilege, an administrator is able to test-validate a signature. It can also be used as an optional third step in the administrator-initiated multi-device activation process where a signature generated by the authenticator upon receiving Activation Message 2 is validated. |
| Unassign DIGIPASS | Administrative Logon, View DIGIPASS, View Domain, View Organizational Unit | When unassigning an authenticator license of an authenticator compliant with multi-device licensing, the corresponding authenticator instance or instances are automatically deleted. This action is not reversible, i.e. the deleted instances cannot be recovered! Also, an authenticator instance can never be separately unassigned. |
| Unbind DIGIPASS | Administrative Logon, View DIGIPASS, View Domain, View Organizational Unit | |
| Unlink User | Administrative Logon, View User, View Domain, View Organizational Unit | |
| Unlock DIGIPASS | Administrative Logon, View DIGIPASS, View Domain, View Organizational Unit | |
| Unlock User | Administrative Logon, View User, View Domain, View Organizational Unit | |
| Update Back-End Server | Administrative Logon, View Back-End Server | |
| Update Component | Administrative Logon, View Policy, View Component | |
| Update DIGIPASS | Administrative Logon, View DIGIPASS, Set DIGIPASS Expiration, View Domain, View Organizational Unit | Update authenticators and authenticator applications. |
| Update Domain | Administrative Logon, View Domain | |
| Update Key | Administrative Logon, View Key | |
| Update Organizational Unit | Administrative Logon, View Domain, View Organizational Unit | |
| Update Policy | Administrative Logon, View Policy | |
| Update Report Definition | Administrative Logon, View Report Definition | Update report definition; create, update and delete report format. |
| Update Task | Administrative Logon, View Task | |
| Update User | Administrative Logon, Disable User, Enable User, Reset Last Authentication Time, Reset Offline Authentication Data, Set User Expiration, Unlock User, View Domain, View Organizational Unit, View User | Update user; create, update, and delete user attributes. |
| View Admin Session | Administrative Logon | With this privilege, an administrator can view active admin sessions. |
| View Administrative Privileges | Administrative Logon, View User, View Domain, View Organizational Unit | This privilege allows you to view the particular administrative privileges assigned to other users. It is also required if you want to filter user search results based on whether administrative privileges are assigned or not. |
| View Audit Information | Administrative Logon | This privilege provides access to the internal Audit Viewer and allows the administrator to browse to the View Audit Message page using the audit message identifier (AMID) as input parameter. |
| View Back-End Server | Administrative Logon | |
| View Clear PAN | Administrative Logon, View DIGIPASS, View Domain, View Organizational Unit | With this privilege, an administrator can view the PAN in clear text rather than encrypted format. |
| View Component | Administrative Logon | |
| View DIGIPASS | Administrative Logon, View Domain, View Organizational Unit | View and query for authenticator software parameters, authenticators, and authenticator applications. Also permits the Get Info command. |
| View Domain | Administrative Logon | |
| View EMV PAN | View Domain, View Organizational Unit | |
| View Global Configuration Options | Administrative Logon | With this privilege, an administrator can view the global server configuration. This is stored in the OneSpan Authentication Server data store. |
| View Key | Administrative Logon | |
| View Organizational Unit | Administrative Logon, View Domain | |
| View Policy | Administrative Logon | |
| View Recent DIGIPASS Activity | Administrative Logon, View DIGIPASS, View Domain, View Organizational Unit | Allows an administrator to look up recent authentication, signature validation, provisioning, and administration activity of any authenticator within the allowed domain scope. This privilege affects the commands in the Dashboard tab and the Recent Activity tab as well as the respective SOAP commands when using OneSpan Authentication Server SDK. |
| View Recent User Activity | Administrative Logon, View Domain, View Organizational Unit, View User | Allows an administrator to look up recent authentication, signature validation, provisioning, and administration activity of any authenticator user within the allowed domain scope. This privilege affects the commands in the Dashboard tab and the Recent Activity tabs as well as the respective SOAP commands when using OneSpan Authentication Server SDK. |
| View Report Definition | Administrative Logon | View and query for both report definition and report format. |
| View Report File | Administrative Logon | |
| View Server Configuration Options | Administrative Logon | With this privilege, an administrator can view the local server configuration of the OneSpan Authentication Server instance. This is stored in the XML configuration file. |
| View Task | Administrative Logon | |
| View Usage Information | Administrative Logon | Allows an administrator to view the usage statistics on the system dashboard. |
| View User | Administrative Logon, View Domain, View Organizational Unit | View and query users and user attributes. |
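
For a least-privilege review, the dependency rule in the table above can be worked through in code. The following is an added example, not OneSpan code: it expands a requested set of privileges to everything the server sets along with it, and flags the one case the table says is not assigned automatically. The dictionary holds only a subset of rows copied from the table, and the function names are hypothetical.

```python
# Added example: rows below are a subset copied from the table on this page.
BASE = ["Administrative Logon", "View Domain", "View Organizational Unit"]
USER_BASE = BASE + ["View User"]
USER_STATE = ["Disable User", "Enable User", "Reset Last Authentication Time",
              "Reset Offline Authentication Data", "Set User Expiration",
              "Unlock User"]

DEPENDS_ON = {
    "Administrative Logon": [],
    "View Domain": ["Administrative Logon"],
    "View Organizational Unit": ["Administrative Logon", "View Domain"],
    "View User": BASE,
    "View DIGIPASS": BASE,
    "Set DIGIPASS Expiration": BASE + ["View DIGIPASS"],
    "Assign DIGIPASS": USER_BASE + ["View DIGIPASS", "Set DIGIPASS Expiration"],
    "Update User": USER_BASE + USER_STATE,
    "Set Authentication Policy Overrides": ["Administrative Logon"],
    **{name: USER_BASE for name in USER_STATE},
}

# The table states these companions are NOT assigned automatically:
# at least one of them has to be granted explicitly.
EXPLICIT_ANY_OF = {
    "Set Authentication Policy Overrides": {"Create User", "Update User"},
}


def effective_privileges(requested):
    """Return the requested privileges plus everything they depend on."""
    effective, stack = set(), list(requested)
    while stack:
        priv = stack.pop()
        if priv in effective:
            continue
        if priv not in DEPENDS_ON:
            raise ValueError(f"no row for {priv!r} in this subset of the table")
        effective.add(priv)
        stack.extend(DEPENDS_ON[priv])  # follow dependencies to a fixed point
    return effective


def review(requested):
    """Return (privileges implied but not requested, findings to resolve)."""
    effective = effective_privileges(requested)
    implied = sorted(effective - set(requested))
    findings = [
        f"{priv} requires one of {sorted(any_of)} to be assigned explicitly"
        for priv, any_of in EXPLICIT_ANY_OF.items()
        if priv in effective and not (any_of & effective)
    ]
    return implied, findings


if __name__ == "__main__":
    for role in (["Assign DIGIPASS"], ["Set Authentication Policy Overrides"]):
        implied, findings = review(role)
        print(role, "-> also sets", implied, "| findings:", findings)
```

Comparing the `implied` list against what a role is meant to do shows how much a single assignment widens an administrator's reach.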