Administrative privileges
Administrative permissions may be assigned based on the following:
- Type of permission (e.g. read, create)
- Type of object (e.g. authenticator, policy)
The domain and organizational unit where the administrator account is located determines the administrative scope:
- If the account belongs to an organizational unit, the administrator will be able to manage user accounts and authenticator records belonging to that organizational unit.
- If the account does not belong to an organizational unit, the administrator will be able to manage all authenticator records and user accounts belonging to that domain.
- If the account belongs to the master domain, the administrator may be able to manage all authenticator records and user accounts in the database. This depends on the Access Data in All Domains privilege, which is only available to administrators in the master domain.
For more information, see OneSpan Authentication Server administrator accounts.
You can configure a user's administrative privileges via the Administration Web Interface. Administrators can be limited to assign only privileges that they possess themselves.
For more information, refer to the OneSpan Authentication Server Administrator Reference, Section "Administration privileges".
Restrictions to user IDs with administration privileges
For security purposes, user IDs with administration privileges may be restricted from performing certain non-administrative tasks, such as authentication or signing transactions. These restrictions can be configured via the POLICIES > Users tab in the Administration Web Interface.
Users with administrative privileges can be set to do the following:
- Allow the user ID to continue into the non-administrative transaction, where the usual rules will apply to determine success or failure.
- Prevent the user ID from progressing to any non-administrative processing.
These restrictions protect user IDs with administration privileges from being locked out due to too many failed authentications.
If the privileges of an administrator are changed while that administrator is currently logged on to the Administration Web Interface, the updated privileges will only take effect on that administrator's next logon.
Copying of administrative privileges
You can copy administrative privileges from one user to any number of users in one transaction via the Copy Admin Privileges From wizard. This wizard makes the administrative privileges of two users identical. This means that if a target user account has privileges that the source user account does not have, then the target user account will lose those privileges.
Copy Admin Privileges From does not copy the domain scope along with the administrative privileges. Domain scope values must be set per administrator.