Skip to main content
Skip table of contents

Roles in Digital ID

This article describes the roles that are available in the Digital ID module of Nexus Smart ID

Specific roles for Digital ID

The following roles are available in the Smart ID Digital ID module:

RoleDescriptionTechnical reference

Mobile ID user

Self-service role for persons to activate their own mobile IDs.

PcmRolePersonalMobileUser

Mobile ID administrator

Enables users for self-service and locks profiles.PcmRolePersonalMobileOfficer

Software token administrator

Enables self-service role for employees, and starts software token requests.

PstmRoleRegistrationOfficer
Software token userSelf-service role for persons to request, recover and revoke their own software tokens.PstmRoleSelfServiceUser
Virtual smart card userSelf-service role for persons to request, provision certificates, reset PIN and lock their own virtual smart cards.PcmRoleVSCEntitledUser
Server certificate approverApproves server and server certificates requests.ScmRoleApproverOfficer
Server administrator

Manages server and server certificates

  • Server registration
  • Server certificate requests
ScmRoleServerAdministrator
Server certificate registration officer

Manages server certificates

ScmRoleServerRegistrationOfficer



Standard roles in Identity Manager

The standard package of Identity Manager provides a set of predefined standard roles that can be used as is or adapted to your requirements. This table lists the standard roles and what rights they have in Identity Manager Admin and Identity Manager Operator respectively. 

RoleDescriptionRightsTechnical reference
Bootstrap administratorDoes the initial configuration of Identity Manager.

Identity Manager Admin: All
Identity Manager: Admin

BaseRoleBootstrapAdmin
Policy administratorA user in Identity Manager.

Identity Manager Admin: All
Identity Manager: No

BaseRolePolicyAdmin
Service administrator

Makes configurations in Identity Manager, such as:

  • Start, restart and stop services
  • Create tenant
  • Configure connector
  • Audit the system log and the process lists
  • Kill processes

Identity Manager Admin: No
Identity Manager: Admin

BaseRoleServiceAdmin
Registration officerManages “target” users and identities, who are targets (or objects) of credential management actions.

Identity Manager Admin: No
Identity Manager: All

BaseRoleRegistrationOfficer
ApproverApproves card production.

Identity Manager Admin: No
Identity Manager: Open Tasks

BaseRoleOfficer
Card production administrator
  • Produces cards
  • Repeats production

Identity Manager Admin: No
Identity Manager: Search, Batch Orders

BaseRoleProductionAdmin
Issuing authorityActivates and issues card to requester/user.

Identity Manager Admin: No
Identity Manager: Search

BaseRoleIssuingAuthority
User administrator
  • Manages users and identities
  • Assigns and de-assigns roles to users

Identity Manager Admin: Roles, User Administration
Identity Manager: Search

BaseRoleUserAdmin
Helpdesk
  • Resets passwords
  • Activates and reactivates Identity Manager users

Identity Manager Admin: No
Identity Manager: Search, Open Tasks

BaseRoleHelpdeskOfficer
Self-service user
  • Registers and deregisters herself in the system
  • Registers security password
  • Resets her own password
  • Changes pin
  • Unblocks pin
  • Renews her own card
  • Locks her own card

Identity Manager Admin: No
Identity Manager: No

BaseRoleSelfServiceUser

Self-service visitor

  • Accepts or denies meeting invitation
  • Invites further participant to an existing meeting
Identity Manager Admin: No
Identity Manager: No

BaseRoleSelfServiceVisitor

Batch sync

A role used for automatic batch synchronization of identities with external sources such as Active Directory. This role can not be assigned to persons, but only used for this purpose.

For the batch synchronization to work, the following entry must be set in the system.properties file of the Identity Manager main client: 

batchSync.permissionRole=BaseRoleBatchSync
Identity Manager Admin: No
Identity Manager: No
BaseRoleBatchSync
Pre-login user

This role has the permission to execute a process before login, for example, to reset a password.

Identity Manager Admin: No
Identity Manager: No
BaseRolePreloginUser
Data administrator

Creates and manages variables for two data pools in Identity Manager

  • Identifier: to set identifiers like “driving license”.
  • Reasons: to set reasons for use cases like “lock a card object”, “replace card object”.
Identity Manager Admin: No
Identity Manager: No
BaseRoleDataAdministrator


JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.