Idea ID: 2800840

Granular Helpdesk Rights

Status: Accepted

Summary:
AAF offers a dedicated Helpdesk Interface to, for example, manage authenticators, share authenticators, search card holders and more. Accounts that are assigned to the role Helpdesk within the AAF solution gain access to all managed accounts and enrolled tokens. Work with international customers (e.g. Schwarz IT) has shown that these access rights are not sufficient.
Customers present in several countries also run separate local helpdesk/ops teams. This leads to situations where such a team may only manage a limited set of accounts, or should have its abilities restricted (e.g. to unlocking users only).


Solution Description
There should be an ability within AAF that allows customers to create a view that limits the set of accounts that can be seen. In addition, it seems useful to create additional helpdesk roles to limit the available functionality. Roles and views could then be combined to define the access rights of a set of helpdesk administrators.
This basically follows the idea that Micro Focus implements with DRA to manage Active Directory environments. DRA uses a combination of groups, views and powers to describe access rights. Equivalent functionality within AAF would help to assign and manage administrative rights within the solution.
This will help customers like Schwarz IT, WACKER, Evonik and others to implement a strict access concept.


  • We will be scheduling this item.

  • One question is: how would AA know a help desk user has rights to view any specific group of users? Keep in mind that we support multiple repo types so this must work across all.

    In the same way as I described here: /cyberres/advancedauthentication/i/advauth/helpdesk---granular-access-rights-for-enrolladmin-to-edit-users

    If I am right, AAF is able to get the groups of the users, which means that this should work. But it is important that AAF has the ability to configure which Helpdesk user group is able to manage other user groups, which means it is independent of whether the Helpdesk user is in another repo than the normal user.

    A configuration could look like this:

    REPO1/EnrollAdminGroup1 can manage:
        REPO1/Usergroup1
        REPO1/Usergroup2
        REPO2/Usergroup2

    REPO1/EnrollAdminGroup2 can manage:
        REPO1/Usergroup1
        REPO1/Usergroup3

    REPO2/EnrollAdminGroup1 and REPO3/EnrollAdminGroup1 can manage:
        REPO1/Usergroup1
        REPO2/Usergroup2
        REPO3/Usergroup4

    REPO[X]/EnrollAdminGroup[X], .... can manage:
        REPO[X]/Usergroup[X]
        ....

  • This is being investigated.

    One question is: how would AA know a help desk user has rights to view any specific group of users?

    Keep in mind that we support multiple repo types so this must work across all.

  • That will suit this idea request: /cyberres/advancedauthentication/i/advauth/helpdesk---granular-access-rights-for-enrolladmin-to-edit-users
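A worked sketch of the combined views-and-roles model from the solution description and the helpdesk-group mapping in the comments above, added here as an example; it is not AAF code or the DRA implementation. The group names follow the comment's mapping; the view names, role names, action names and the account directory are constructed assumptions.

```python
from collections import namedtuple

Group = namedtuple("Group", "repo name")  # repository-qualified group

# Views: named sets of user groups a helpdesk team may see and manage
# (group names from the mapping in the comments; view names assumed).
VIEWS = {
    "View-A": {Group("REPO1", "Usergroup1"), Group("REPO1", "Usergroup2"),
               Group("REPO2", "Usergroup2")},
    "View-B": {Group("REPO1", "Usergroup1"), Group("REPO1", "Usergroup3")},
}

# Roles (DRA-style "powers"): named sets of helpdesk actions; names assumed.
ROLES = {
    "FullHelpdesk": {"unlock", "manage_authenticators", "share_authenticator"},
    "UnlockOnly": {"unlock"},
}

# Assignments bind a helpdesk group to one view and one role. The repo of the
# helpdesk group is independent of the repos of the groups it manages.
ASSIGNMENTS = [
    (Group("REPO1", "EnrollAdminGroup1"), "View-A", "FullHelpdesk"),
    (Group("REPO1", "EnrollAdminGroup2"), "View-B", "UnlockOnly"),
    (Group("REPO3", "EnrollAdminGroup1"), "View-A", "UnlockOnly"),
]

# Constructed sample directory: account -> groups it belongs to.
ACCOUNTS = {
    "alice": {Group("REPO1", "Usergroup1")},
    "bob": {Group("REPO2", "Usergroup2")},
    "carol": {Group("REPO1", "Usergroup3")},
    "dave": {Group("REPO3", "Usergroup4")},
}

def is_allowed(admin_groups, action, target_groups):
    """Default deny: True only if an assignment held by the admin both covers
    one of the target account's groups and permits the requested action."""
    admin_groups, target_groups = set(admin_groups), set(target_groups)
    for helpdesk_group, view, role in ASSIGNMENTS:
        if (helpdesk_group in admin_groups and VIEWS[view] & target_groups
                and action in ROLES[role]):
            return True
    return False

def visible_accounts(admin_groups, accounts=ACCOUNTS):
    """Accounts the admin may see at all: those in any view assigned to them."""
    admin_groups = set(admin_groups)
    covered = set().union(*(VIEWS[v] for g, v, _ in ASSIGNMENTS if g in admin_groups))
    return {name for name, groups in accounts.items() if groups & covered}
```

An admin in REPO3/EnrollAdminGroup1 sees alice and bob but can only unlock them; an admin in no assigned group sees nothing and may do nothing.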