Segregation of duties

Each administrator can be assigned a set of roles. In the Adminapp configuration, you can define which combinations of roles are allowed.

Example:

  • administrators with roles useradmin and helpdesk are allowed
  • administrators with roles useradmin and tokenadmin are not allowed

Segregation of duties can be implemented by whitelisting the allowed role combinations and assigning the required roles to actions accordingly.

Example

The following configuration excerpt defines these rules:

  • An administrator is required to be in role useradmin in order to be allowed to generate or order a password for a user.
    Adminapp >> Access Control >> section Password Management
  • An administrator is required to be in role tokenadmin in order to activate or order a token list for a user.
    Adminapp >> Access Control >> section Authentication Token Management
  • An administrator can only have role useradmin or tokenadmin but not both. This guarantees that no administrator can create or order all credentials for a user.
    Adminapp >> Administrators >> Administrators Management
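
The rules above can be checked mechanically: validate each administrator's role set against the whitelist, and audit the whitelist itself for combinations that reach every credential type. The following Python model is an added example, not Adminapp code or its configuration syntax; the action names, the exact-match semantics of the whitelist and the sample data are assumptions made for illustration.

```python
# Added example: a hypothetical model, not Adminapp configuration syntax.

# Role required per action, as in the Access Control sections described above.
# The action names are assumptions chosen for this example.
ACTION_ROLE = {
    "generate_password": "useradmin",
    "order_password": "useradmin",
    "activate_token_list": "tokenadmin",
    "order_token_list": "tokenadmin",
}

# Credential types that no single administrator may fully control.
CREDENTIAL_ACTIONS = {
    "password": {"generate_password", "order_password"},
    "token_list": {"activate_token_list", "order_token_list"},
}

# Whitelisted role combinations (constructed sample data).
ALLOWED = {
    frozenset({"useradmin"}),
    frozenset({"tokenadmin"}),
    frozenset({"useradmin", "helpdesk"}),
}


def combination_allowed(roles, allowed=ALLOWED):
    """Assumption: an administrator's role set must equal a whitelisted set."""
    return frozenset(roles) in allowed


def permitted_actions(roles):
    """Actions an administrator holding `roles` may perform."""
    return {action for action, role in ACTION_ROLE.items() if role in roles}


def sod_violations(allowed=ALLOWED):
    """Whitelisted combinations that can act on every credential type."""
    violations = []
    for combo in allowed:
        actions = permitted_actions(combo)
        if all(actions & group for group in CREDENTIAL_ACTIONS.values()):
            violations.append(combo)
    return sorted(violations, key=sorted)


if __name__ == "__main__":
    print(combination_allowed({"useradmin", "tokenadmin"}))
    print(sod_violations(ALLOWED | {frozenset({"useradmin", "tokenadmin"})}))
```

Running `sod_violations` against the whitelist after every configuration change catches an entry that would let one administrator handle both passwords and token lists.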