USERS > Policy Overrides (tab)

The USERS > Policy Overrides tab contains information about user-specific settings that override settings of the client policy effective for this specific user.

Note that the following fields will only be available if you have the Set Authentication Policy Override privilege set.

Table: USERS - Policy Overrides tab
Field name Description
Local Authentication

Specifies whether authentication requests for the user account will be handled by OneSpan Authentication Server by using local authentication. For more information about local authentication and back-end authentication, refer to the OneSpan Authentication Server Product Guide, Section "Authenticating users".

Normally, this field will be set to Default, meaning that the policy applicable to the authentication request determines the setting. This field in the user account is used to override the policy setting for special cases.

When local authentication is used, two factors determine whether authentication using an authenticator is used: any policy restrictions on the authenticator types and/or applications that can be used, and whether the user account has any assigned authenticators that meet those restrictions. For example, if the policy requires a Digipass 300 but the user has a Digipass 700, the user cannot use that authenticator for authentication under that policy.

This setting also affects the provisioning registration process. For more information, refer to the OneSpan Authentication Server Product Guide, Section "Software authenticator provisioning".

Possible values:

  • Default. Use the setting of the parent policy.
  • None. OneSpan Authentication Server will not use local authentication under this policy. The authentications may be handled using back-end authentication or not handled at all by OneSpan Authentication Server.
  • DIGIPASS Only. OneSpan Authentication Server will always use local authentication under this policy, using authentication with authenticator. If authentication with authenticator is not possible, the user cannot log in. Back-end authentication may also be used.
  • DIGIPASS/Password During Grace Period. OneSpan Authentication Server will always use local authentication under this policy, possibly using Digipass Authentication for Windows Logon, if applicable. The static password can only be used within a (configurable) grace period until an authenticator is used the first time. Back-end authentication may also be used.
  • DIGIPASS or Password. This authentication mode allows users to permanently use their static password or their authenticator. This is possible even after the grace period has expired and/or they have previously already used their authenticator for authentication. The grace period also expires after a successful MDL activation, either using an OTP or a signature validation. In the context of the authentication scenario, use of this authentication mode is subject to licensing. For provisioning, this authentication mode is license-free.
Back-End Authentication

Specifies whether authentication requests for the user account will be handled by OneSpan Authentication Server by using back-end authentication. For more information about local authentication and back-end authentication, refer to the OneSpan Authentication Server Product Guide, Section "Authenticating users".

Normally, this field will be set to Default, meaning that the policy applicable to the authentication request determines the setting (see Table: POLICIES – Policy tab). This field in the user account is used to override the policy setting for special cases.

This setting also affects the provisioning registration process. For more information, refer to the OneSpan Authentication Server Product Guide, Section "Software authenticator provisioning".

Possible values:

  • Default. Use the setting of the parent policy.
  • None. Back-end authentication will not be used.
  • If Needed. OneSpan Authentication Server will use back-end authentication, but only in certain cases:

    • Dynamic User Registration (DUR)
    • Self-assignment
    • Password autolearn
    • Requesting a challenge or Virtual Mobile Authenticator OTP values, when the request method includes a password.
    • Static password authentication, when verifying a Virtual Mobile Authenticator password-OTP combination during the grace period, or if the local authentication mode is set to DIGIPASS or Password.
    • Provisioning registration
  • Always. OneSpan Authentication Server will use back-end authentication for every authentication and provisioning registration request.

    This setting is required if you want to use offline authentication for Digipass Authentication for Windows Logon (DAWL).

    To enforce static password verification during offline authentications via Digipass Authentication for Windows Logon, you need to disable Stored Password Proxy and set Back-End Authentication to Always.

Offline Authentication

Indicates whether offline authentication has been enabled for this user for Digipass Authentication for Windows Logon (DAWL). When offline authentication is disabled for a user, be aware of the following:

  • Disabling offline authentication for a user means that OneSpan Authentication Server will not send any new encrypted offline authentication data to the client workstation.
  • Disabling offline authentication for a user means that the user will still be able to use offline authentication from the time that it is disabled until the encrypted offline authentication data has expired or until the user performs an online authentication.

Possible values:

  • Default. Use the setting of the parent policy.
  • No. Offline authentication is disabled.
  • Yes. Offline authentication is enabled.

This function is only available if DAWL is enabled on your system.

Max Days Between Authentications

With this option, the policy setting for the maximum number of days between authentications after which a user will be suspended can be changed for this user. A value of 0 effectively disables this feature. By default, a user account expires when no operations have been performed during the last 90 days, and the user policy override will not override the policy setting.
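As an added example (not OneSpan's code), the following resolves the effective Local Authentication, Back-End Authentication, Offline Authentication and Max Days Between Authentications settings for a user from the client policy plus the user's Policy Overrides, and reports overrides that weaken the policy or conflict with the DAWL rules described above. The dict layout, function names and sample policy/user data are constructed for this illustration; the field names and values follow the table.

```python
# Field names and values as shown on the Policy Overrides tab; everything
# else (dict layout, ordering, sample data) is constructed for this example.

# Local Authentication values ordered from most to least restrictive
# (constructed ranking, used only to detect overrides that weaken the policy).
LOCAL_AUTH_STRENGTH = {
    "DIGIPASS Only": 3,
    "DIGIPASS/Password During Grace Period": 2,
    "DIGIPASS or Password": 1,
    "None": 0,
}

def resolve(policy: dict, override: dict) -> dict:
    """Effective settings for one user: an override of 'Default' (or an absent
    field) means 'use the setting of the parent policy'; any other value
    replaces the policy value for this user."""
    effective = {}
    for name, policy_value in policy.items():
        user_value = override.get(name, "Default")
        effective[name] = policy_value if user_value == "Default" else user_value
    return effective

def audit(policy: dict, override: dict) -> list:
    """Return findings for one user (an empty list means no concerns)."""
    eff = resolve(policy, override)
    findings = []
    # 1. Local Authentication weaker than the policy, e.g. a user allowed to
    #    keep using the static password permanently under a DIGIPASS Only policy.
    if LOCAL_AUTH_STRENGTH.get(eff["Local Authentication"], 0) < \
            LOCAL_AUTH_STRENGTH.get(policy["Local Authentication"], 0):
        findings.append("Local Authentication weakened: %s -> %s"
                        % (policy["Local Authentication"], eff["Local Authentication"]))
    # 2. Offline authentication for DAWL requires Back-End Authentication = Always.
    if eff["Offline Authentication"] == "Yes" and eff["Back-End Authentication"] != "Always":
        findings.append("Offline Authentication is Yes but Back-End Authentication is not Always")
    # 3. A value of 0 disables suspension after inactivity for this user.
    if eff["Max Days Between Authentications"] == 0 and policy["Max Days Between Authentications"] != 0:
        findings.append("Max Days Between Authentications override of 0 disables inactivity suspension")
    return findings

# Constructed sample: one client policy and two users' Policy Overrides tabs.
POLICY = {"Local Authentication": "DIGIPASS Only", "Back-End Authentication": "None",
          "Offline Authentication": "No", "Max Days Between Authentications": 90}
USERS = {
    "alice": {},  # every field left at Default
    "bob": {"Local Authentication": "DIGIPASS or Password",
            "Offline Authentication": "Yes", "Max Days Between Authentications": 0},
}

if __name__ == "__main__":
    for user, override in USERS.items():
        print(user, resolve(POLICY, override), audit(POLICY, override))
```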
Virtual DIGIPASS

The following settings override the Virtual Mobile Authenticator settings of the effective policy for this specific user.

Virtual DIGIPASS Delivery Method

The method used to deliver the Virtual Mobile Authenticator to the selected user.

  • Default. Use the setting of the parent policy.
  • Email. Deliver the OTP via email. The user account must have a configured email address.
  • SMS. Deliver the OTP via SMS. The user account must have a configured mobile phone number.
  • Voice. Deliver the OTP via voice channel (i.e. dictated over a phone line). The user account must have a configured mobile phone number.

This field also allows you to specify one of the following combinations of delivery methods:

  • Email and SMS
  • SMS and Voice
  • Email and Voice

Virtual DIGIPASS MDC Profile

The MDC profile to use for this delivery method. It defines a specific group of settings for a particular delivery method. If no MDC profile is specified in this field, the highest-ranked, enabled, and available MDC profile for the specified delivery method/s will be used.

The MDC profile name should not be confused with the profile's display name. The display name is simply an ad-hoc field used primarily to describe and further identify the profile. The MDC profile name is the name that appears in the Profile column of the MDC Configuration Utility.

The MDC profile name is not unique, therefore, more than one MDC profile with the same name may exist for this delivery method. In that case, the highest-ranked, enabled, and available MDC profile with the specified name will be used.

Virtual Signature

The following settings override the virtual signature settings of the effective policy for this specific user.

Virtual Signature Delivery Method

The method used to deliver the virtual signature to the selected user.

  • Default. Use the setting of the parent policy.
  • Email. Deliver the OTP via email. The user account must have a configured email address.
  • SMS. Deliver the OTP via SMS. The user account must have a configured mobile phone number.
  • Voice. Deliver the OTP via voice channel (i.e. dictated over a phone line). The user account must have a configured mobile phone number.

This field also allows you to specify one of the following combinations of delivery methods:

  • Email and SMS
  • SMS and Voice
  • Email and Voice

Virtual Signature MDC Profile

The MDC profile to use for this delivery method. It defines a specific group of settings for a particular delivery method. If no MDC profile is specified in this field, the highest-ranked, enabled, and available MDC profile for the specified delivery method/s will be used.

The MDC profile name should not be confused with the profile's display name. The display name is simply an ad-hoc field used primarily to describe and further identify the profile. The MDC profile name is the name that appears in the Profile column of the MDC Configuration Utility.

The MDC profile name is not unique, therefore, more than one MDC profile with the same name may exist for this delivery method. In that case, the highest-ranked, enabled, and available MDC profile with the specified name will be used.