18.13.2. Segregation of duties

Each administrator can be assigned a set of roles. In the configuration of the Adminapp you can define which combinations of roles are permitted.

Example:

  • administrators with roles useradmin and helpdesk are allowed
  • administrators with roles useradmin and tokenadmin are not allowed

Segregation of duties is implemented by whitelisting the permitted role combinations and assigning the required roles to actions accordingly.

Example:

The configuration excerpt states the following:

  • An administrator is required to be in role useradmin in order to be allowed to generate or order a password for a user. 
  • An administrator is required to be in role tokenadmin in order to activate or order a token list for a user.
  • An administrator can only have role useradmin or tokenadmin but not both. This guarantees that no administrator can create or order all credentials for a user.
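
The rules above can be modelled and checked as follows. This is an added example, not Adminapp configuration syntax or product code. The action identifiers are hypothetical, and it assumes that an administrator's role set must match a whitelisted combination exactly.

```python
# Added illustration; not Adminapp configuration syntax or product code.
# Role names come from the text above; action identifiers are hypothetical.
REQUIRED_ROLE = {
    "password.generate": "useradmin",
    "password.order": "useradmin",
    "tokenlist.activate": "tokenadmin",
    "tokenlist.order": "tokenadmin",
}

# Actions grouped by the credential they issue to a user.
CREDENTIAL_ACTIONS = {
    "password": ["password.generate", "password.order"],
    "token list": ["tokenlist.activate", "tokenlist.order"],
}

# Whitelist of permitted role combinations (assumption: an administrator's
# role set must match one entry exactly).
ALLOWED_COMBINATIONS = {
    frozenset({"useradmin"}),
    frozenset({"tokenadmin"}),
    frozenset({"useradmin", "helpdesk"}),
}


def combination_allowed(roles, allowed=ALLOWED_COMBINATIONS):
    """True if the role set is one of the whitelisted combinations."""
    return frozenset(roles) in allowed


def may_perform(roles, action):
    """Deny unless the role set is whitelisted and holds the required role."""
    required = REQUIRED_ROLE.get(action)  # unknown actions are denied
    return (required is not None
            and combination_allowed(roles)
            and required in roles)


def sod_violations(allowed=ALLOWED_COMBINATIONS):
    """List whitelisted combinations that let a single administrator issue
    every credential type (password and token list) for a user."""
    return sorted(
        sorted(combo) for combo in allowed
        if all(any(REQUIRED_ROLE[a] in combo for a in actions)
               for actions in CREDENTIAL_ACTIONS.values())
    )
```

Running sod_violations() against a proposed whitelist before it is deployed shows whether any permitted combination would let one administrator issue all credentials for a user.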