Administrative privileges
Administrative privileges control the administrative operations that specific users are allowed to perform via the Administration Web Interface.
Most administrative privileges rely on other privileges to work correctly. The table below lists the available privileges and the privileges set by OneSpan Authentication Server when each is assigned to a user.
Privilege name | Depends on | Description |
---|---|---|
Access Data in All Domains | Administrative Logon | With this privilege, an administrator can view and manage data in all domains, not just their own. Only available if the user belongs to the master domain and not to an organizational unit. |
Access Domain | Administrative Logon | When this permission is set, it allows generating reports for all organizational units in the entire domain of the administrator. |
Access Private Reports | Administrative Logon, View Report Definition | With this privilege, a domain administrator can access private reports that are owned by other administrators in the same domain. |
Administrative Logon | | This is required for all administrators. Without this privilege, users are not able to perform any administrative tasks because they will not be able to log on. It could be removed as a temporary measure without removing all privileges for this user. |
Approve/Reject Pending Operation | Administrative Logon | This privilege specifies whether the user is a checker administrator. If so, the user is allowed to authorize pending operations in the context of maker–checker authorization. |
Assign DIGIPASS | Administrative Logon, View User, View DIGIPASS, Set DIGIPASS Expiration, View Domain, View Organizational Unit | |
Bind DIGIPASS | Administrative Logon, View DIGIPASS, View Domain, View Organizational Unit | |
Cancel Task | Administrative Logon, View Task | |
Change Report File Ownership | Administrative Logon, View User, View Domain, View Organizational Unit, View Report File | |
Change Report Owner | Administrative Logon, View User, View Domain, View Organizational Unit, View Report Definition | |
Create Back-End Server | Administrative Logon, View Back-End Server | |
Create Component | Administrative Logon, View Policy, View Component | |
Create Domain | Administrative Logon, Access Data in All Domains, View Domain | Only available if the user belongs to the master domain and not to an organizational unit. |
Create EMV-CAP Application | Administrative Logon, View DIGIPASS, View Domain, View Organizational Unit | Allows creation of EMV-CAP authenticator records, including the BLOB. This privilege will only be available if: |
Create Key | Administrative Logon, View Key | |
Create Organizational Unit | Administrative Logon, View Domain, View Organizational Unit | |
Create Policy | Administrative Logon, View Policy | |
Create Report Definition | Administrative Logon, View Report Definition | Create report definition and report format. |
Create User | Administrative Logon, View User, Unlock User, Enable User, Disable User, Set User Expiration, Set User Password, Reset User Password, View Domain, View Organizational Unit | Create user and user attribute. |
Deactivate DIGIPASS | Administrative Logon, View DIGIPASS, View Domain, View Organizational Unit | This privilege allows an administrator to deactivate an authenticator, or, in the context of multi-device licensing and Activation, to generate a deactivation message for a specific authenticator instance. |
Decrypt DIGIPASS Information Message | Administrative Logon, View DIGIPASS, View Domain, View Organizational Unit | This command decrypts the body of an information message created by an MDL device. The body is encrypted with the payload key blob of the instance. The command must fail when an authenticator without payload key blob is used. |
Delete Admin Session | Administrative Logon, View Admin Session | With this privilege, an administrator can delete any administrative session. |
Delete Audit Information | Administrative Logon | This privilege allows an administrator to delete audit information. |
Delete Back-End Server | Administrative Logon, View Back-End Server | |
Delete Component | Administrative Logon, View Component | |
Delete DIGIPASS | Administrative Logon, View DIGIPASS, View Domain, View Organizational Unit | Allows an administrator to delete an authenticator from the storage: delete authenticator software parameters, authenticators, and authenticator applications. When administrating authenticator licenses and instances in the context of multi-device licensing and multi-device activation: when an authenticator license is deleted, its instances are also deleted. The license can only be deleted if authenticator instances (active or inactive) are linked to this authenticator. This action is not reversible, i.e. the deleted instances cannot be recovered! |
Delete Domain | Administrative Logon, Access Data in All Domains, View Domain | Only available if the user belongs to the master domain and not to an organizational unit. |
Delete Key | Administrative Logon, View Key | |
Delete Organizational Unit | Administrative Logon, View Domain, View Organizational Unit | |
Delete Pending Operation | Administrative Logon | With this privilege, an administrator can delete a pending operation. |
Delete Policy | Administrative Logon, View Policy | |
Delete Report Definition | Administrative Logon, View Report Definition | Delete report definition and report format. |
Delete Report File | Administrative Logon, View Report File | |
Delete Task | Administrative Logon, View Task | |
Delete User | Administrative Logon, View User, View Domain, View Organizational Unit | Delete user and user attribute. |
Disable Server PIN | Administrative Logon, View DIGIPASS, View Domain, View Organizational Unit | With this privilege, an administrator can disable the use of a server PIN with a specific authenticator application. |
Disable Task | Administrative Logon, View Task | |
Disable User | Administrative Logon, View User, View Domain, View Organizational Unit | |
Download Report File | Administrative Logon, View Report File | |
Enable/Disable Maker–Checker | Administrative Logon, Update Back-End Settings, View Back-End Settings | With this privilege, an administrator can enable or disable maker–checker authorization. |
Enable Server PIN | Administrative Logon, View DIGIPASS, View Domain, View Organizational Unit | With this privilege, an administrator can enable the use of a server PIN with a specific authenticator application. |
Enable Task | Administrative Logon, View Task | |
Enable User | Administrative Logon, View User, View Domain, View Organizational Unit | |
Force DIGIPASS PIN Change | Administrative Logon, View DIGIPASS, View Domain, View Organizational Unit | |
Generate DIGIPASS Activation Data | Administrative Logon, View DIGIPASS, View Domain, View Organizational Unit | This administrative privilege is only valid with Mobile Authenticator Studio 4.0. |
Generate Virtual DIGIPASS OTP | Administrative Logon, View DIGIPASS, View Domain, View Organizational Unit | |
Import DIGIPASS | Administrative Logon, View DIGIPASS, View Domain, View Organizational Unit | Create authenticator applications (you do not directly create authenticators); create and update authenticator software parameters; upload, import, query status and stop import of DPX files. |
Import User | Administrative Logon, Assign DIGIPASS, Create User, Disable User, Enable User, Reset Last Authentication Time, Reset Password, Set DIGIPASS Expiration, Set Password, Set User Expiration, Unlock User, Update User, View DIGIPASS, View User, View Domain, View Organizational Unit | |
Link User | Administrative Logon, View User, View Domain, View Organizational Unit | Link a user to another user. |
Live Audit Connection | Administrative Logon | With this privilege, an administrator can connect from the Audit Viewer to the authentication server to receive live audit messages. |
Move DIGIPASS | Administrative Logon, View DIGIPASS, View Domain, View Organizational Unit | Move authenticators within the existing organizational structure (other domain, other organizational structure). |
Move User | Administrative Logon, View User, View Domain, View Organizational Unit | Rename user accounts or move them within the existing organizational structure (another domain, another organizational structure). |
Replication Reconnect | Administrative Logon, Replication Status | |
Replication Status | Administrative Logon | |
Reset DIGIPASS Activation | Administrative Logon, View DIGIPASS, View Domain, View Organizational Unit | When resetting an authenticator that has been activated in multi-device activation mode, the information related to Activation Message 1 for authenticator licenses is reset by the action corresponding to this privilege. |
Reset authenticator application | Administrative Logon, View DIGIPASS, View Domain, View Organizational Unit | |
Reset DIGIPASS Application Lock | Administrative Logon, View DIGIPASS, View Domain, View Organizational Unit | |
Reset DIGIPASS PIN | Administrative Logon, View DIGIPASS, View Domain, View Organizational Unit | |
Reset Last Authentication Time | Administrative Logon, View User, View Domain, View Organizational Unit | |
Reset Offline Authentication Data | Administrative Logon, View User, View Domain, View Organizational Unit | With this privilege, an administrator can reset the offline authentication history for a certain user or for a certain user/computer combination. |
Reset User Password | Administrative Logon, View User, View Domain, View Organizational Unit | |
Rotate Key | Administrative Logon, View Key | |
Run Report | Administrative Logon, View Report Definition | |
Send DIGIPASS Activation Data | Administrative Logon, View Domain, View DIGIPASS, View Organizational Unit | |
Send Notification | Administrative Logon | With this privilege, an administrator can send notification messages to a specified user, e.g. for delayed or completed authenticator activation. |
Set Administration Domains | Set Administrative Privileges, View Administrative Privileges, View User, View Domain, View Organizational Unit, Administrative Logon | |
Set Administrative Privileges | Administrative Logon, View User, View Administrative Privileges, View Domain, View Organizational Unit | |
Set Authentication Policy Overrides | Administrative Logon | This privilege is required to override certain user-specific policy settings for individual users (USERS > Policy Overrides tab). This privilege requires either the Create User or Update User privilege. Due to the potential security impact, the required privileges are not automatically assigned, but must be assigned explicitly in this case. |
Set DIGIPASS Event Counter | Administrative Logon, View DIGIPASS, View Domain, View Organizational Unit | |
Set DIGIPASS Expiration | Administrative Logon, View DIGIPASS, View Domain, View Organizational Unit | |
Set DIGIPASS PIN | Administrative Logon, View DIGIPASS, View Domain, View Organizational Unit | |
Set Global Configuration Options | Administrative Logon, View Global Configuration Options | With this privilege, an administrator can update the global server configuration. This is stored in the OneSpan Authentication Server data store. |
Set Server Configuration Options | Administrative Logon, View Server Configuration Options | With this privilege, an administrator can update the local server configuration of the OneSpan Authentication Server instance. This is stored in the XML configuration file. |
Set User Expiration | Administrative Logon, View User, View Domain, View Organizational Unit | |
Set User Password | Administrative Logon, View User, View Domain, View Organizational Unit | |
Take Report File Ownership | Administrative Logon, View Report File | With this privilege, an administrator can take ownership of any report file. |
Take Task Ownership | Administrative Logon, View Task | |
Test DIGIPASS OTP | Administrative Logon, View DIGIPASS, View Domain, View Organizational Unit | With this privilege, an administrator is able to test-validate a one-time password in a Response-Only or Challenge/Response scenario. |
Test DIGIPASS Signature | Administrative Logon, View DIGIPASS, View Domain, View Organizational Unit | With this privilege, an administrator is able to test-validate a signature. It can also be used as an optional third step in the administrator-initiated multi-device activation process where a signature generated by the authenticator upon receiving Activation Message 2 is validated. |
Unassign DIGIPASS | Administrative Logon, View DIGIPASS, View Domain, View Organizational Unit | When unassigning an authenticator license of an authenticator compliant with multi-device licensing, the corresponding authenticator instance or instances are automatically deleted. This action is not reversible, i.e. the deleted instances cannot be recovered! Also, an authenticator instance can never be separately unassigned. |
Unbind DIGIPASS | Administrative Logon, View DIGIPASS, View Domain, View Organizational Unit | |
Unlink User | Administrative Logon, View User, View Domain, View Organizational Unit | |
Unlock DIGIPASS | Administrative Logon, View DIGIPASS, View Domain, View Organizational Unit | |
Unlock User | Administrative Logon, View User, View Domain, View Organizational Unit | |
Update Back-End Server | Administrative Logon, View Back-End Server | |
Update Component | Administrative Logon, View Policy, View Component | |
Update DIGIPASS | Administrative Logon, View DIGIPASS, Set DIGIPASS Expiration, View Domain, View Organizational Unit | Update authenticators and authenticator applications. |
Update Domain | Administrative Logon, View Domain | |
Update Key | Administrative Logon, View Key | |
Update Organizational Unit | Administrative Logon, View Domain, View Organizational Unit | |
Update Policy | Administrative Logon, View Policy | |
Update Report Definition | Administrative Logon, View Report Definition | Update report definition; create, update and delete report format. |
Update Task | Administrative Logon, View Task | |
Update User | Administrative Logon, Disable User, Enable User, Reset Last Authentication Time, Reset Offline Authentication Data, Set User Expiration, Unlock User, View Domain, View Organizational Unit, View User | Update user; create, update, and delete user attributes. |
View Admin Session | Administrative Logon | With this privilege, an administrator can view active admin sessions. |
View Administrative Privileges | Administrative Logon, View User, View Domain, View Organizational Unit | This privilege allows you to view the particular administrative privileges assigned to other users. It is also required if you want to filter user search results based on whether administrative privileges are assigned or not. |
View Audit Information | Administrative Logon | This privilege provides access to the internal Audit Viewer and allows the administrator to browse to the View Audit Message page using the audit message identifier (AMID) as input parameter. |
View Back-End Server | Administrative Logon | |
View Clear PAN | Administrative Logon, View DIGIPASS, View Domain, View Organizational Unit | With this privilege, an administrator can view the PAN in clear text rather than encrypted format. |
View Component | Administrative Logon | |
View DIGIPASS | Administrative Logon, View Domain, View Organizational Unit | View and query for authenticator software parameters, authenticators, and authenticator applications. Also permits the Get Info command. |
View Domain | Administrative Logon | |
View EMV PAN | View Domain, View Organizational Unit | |
View Global Configuration Options | Administrative Logon | With this privilege, an administrator can view the global server configuration. This is stored in the OneSpan Authentication Server data store. |
View Key | Administrative Logon | |
View Organizational Unit | Administrative Logon, View Domain | |
View Policy | Administrative Logon | |
View Recent DIGIPASS Activity | Administrative Logon, View DIGIPASS, View Domain, View Organizational Unit | Allows an administrator to look up recent authentication, signature validation, provisioning, and administration activity of any authenticator within the allowed domain scope. This privilege affects the commands in the Dashboard tab and the Recent Activity tab as well as the respective SOAP commands when using OneSpan Authentication Server SDK. |
View Recent User Activity | Administrative Logon, View Domain, View Organizational Unit, View User | Allows an administrator to look up recent authentication, signature validation, provisioning, and administration activity of any authenticator user within the allowed domain scope. This privilege affects the commands in the Dashboard tab and the Recent Activity tabs as well as the respective SOAP commands when using OneSpan Authentication Server SDK. |
View Report Definition | Administrative Logon | View and query for both report definition and report format. |
View Report File | Administrative Logon | |
View Server Configuration Options | Administrative Logon | With this privilege, an administrator can view the local server configuration of the OneSpan Authentication Server instance. This is stored in the XML configuration file. |
View Task | Administrative Logon | |
View Usage Information | Administrative Logon | Allows an administrator to view the usage statistics on the system dashboard. |
View User | Administrative Logon, View Domain, View Organizational Unit | View and query users and user attributes. |
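
Because assigning one privilege sets others, a role review should look at the effective set rather than the requested one. The following is an added example, not part of the OneSpan documentation or product: it transcribes a few rows of the table and reports which state-changing privileges arrive implicitly, and which explicitly assigned prerequisites are missing. The function names are hypothetical, and it assumes dependencies are applied transitively.

```python
# Added example. Rows transcribed from the table above; the audit logic is illustrative.
USER_BASE = ["Administrative Logon", "View User", "View Domain", "View Organizational Unit"]
DEPENDS_ON = {
    "Administrative Logon": [],
    "View Domain": ["Administrative Logon"],
    "View Organizational Unit": ["Administrative Logon", "View Domain"],
    "View User": ["Administrative Logon", "View Domain", "View Organizational Unit"],
    "Unlock User": USER_BASE,
    "Enable User": USER_BASE,
    "Disable User": USER_BASE,
    "Set User Expiration": USER_BASE,
    "Set User Password": USER_BASE,
    "Reset User Password": USER_BASE,
    "Create User": USER_BASE + ["Unlock User", "Enable User", "Disable User",
                                "Set User Expiration", "Set User Password",
                                "Reset User Password"],
    "Set Authentication Policy Overrides": ["Administrative Logon"],
}
# Per the table, this privilege needs one of these, and they are NOT set automatically.
EXPLICIT_ANY_OF = {"Set Authentication Policy Overrides": {"Create User", "Update User"}}


def effective_privileges(requested):
    """Requested privileges plus everything they depend on.
    Assumption: dependencies of dependencies are set as well (transitive)."""
    seen, stack = set(), list(requested)
    while stack:
        priv = stack.pop()
        if priv not in seen:
            seen.add(priv)
            stack.extend(DEPENDS_ON.get(priv, []))
    return seen


def implicit_state_changing(requested):
    """Privileges the reviewer did not ask for that can modify data (not View/Logon)."""
    extra = effective_privileges(requested) - set(requested)
    return sorted(p for p in extra
                  if not p.startswith("View ") and p != "Administrative Logon")


def unmet_explicit(requested):
    """Privileges whose explicitly assigned prerequisite is absent from the role."""
    have = effective_privileges(requested)
    return {p: sorted(need) for p, need in EXPLICIT_ANY_OF.items()
            if p in requested and not (need & have)}


if __name__ == "__main__":
    role = {"Create User"}  # constructed role for a delegated administrator
    print(sorted(effective_privileges(role)))
    print(implicit_state_changing(role))
    print(unmet_explicit({"Set Authentication Policy Overrides"}))
```
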