Segregation of duties

It is possible to assign a set of roles to each administrator. In the configuration of the Adminapp you can define the sets of possible roles combinations.

Example:

  • administrators with roles useradmin and helpdesk are allowed
  • administrators with roles useradmin and tokenadmin are not allowed

By whitelisting possible role combinations, segregation of duties can be implemented by assigning roles to actions accordingly.

Example

  • The following configuration excerpt states the following:
  • An administrator is required to be in role useradmin in order to be allowed to generate or order a password for a user.
    Adminapp >> Access Control >> section Password Management
    • 63972151.png
  • An administrator is required to be in role tokenadmin in order to activate or order a token list for a user.
    Adminapp >> Access Control >> section Authentication Token Management
    • 63972152.png
  • An administrator can only have role useradmin or tokenadmin but not both. This guarantees that no administrator can create or order all credentials for a user.
    Adminapp >> Administrators >> Administrators Management
    • 63972153.png