Role | Description | Rights | Technical reference |
---|---|---|---|
Bootstrap administrator | Does the initial configuration of Identity Manager. | Identity Manager Admin: All<br>Identity Manager: Admin | BaseRoleBootstrapAdmin |
Policy administrator | A user in Identity Manager. | Identity Manager Admin: All<br>Identity Manager: No | BaseRolePolicyAdmin |
Service administrator | Makes configurations in Identity Manager, such as:<br>- Start, restart and stop services<br>- Create tenant<br>- Configure connector<br>- Audit the system log and the process lists<br>- Kill processes | Identity Manager Admin: No<br>Identity Manager: Admin | BaseRoleServiceAdmin |
Registration officer | Manages “target” users and identities, who are targets (or objects) of credential management actions. | Identity Manager Admin: No<br>Identity Manager: All | BaseRoleRegistrationOfficer |
Approver | Approves card production. | Identity Manager Admin: No<br>Identity Manager: Open Tasks | BaseRoleOfficer |
Card production administrator | - Produces cards<br>- Repeats production | Identity Manager Admin: No<br>Identity Manager: Extended Search, Batch Orders | BaseRoleProductionAdmin |
Issuing authority | Activates and issues the card to the requester/user. | Identity Manager Admin: No<br>Identity Manager: Extended Search | BaseRoleIssuingAuthority |
User administrator | - Manages users and identities<br>- Assigns and de-assigns roles to users | Identity Manager Admin: Roles, User Administration<br>Identity Manager: Extended Search | BaseRoleUserAdmin |
Helpdesk | - Resets passwords<br>- Activates and reactivates Identity Manager users | Identity Manager Admin: No<br>Identity Manager: Extended Search, Open Tasks | BaseRoleHelpdeskOfficer |
Self-service user | - Registers and deregisters herself in the system<br>- Registers security password<br>- Resets her own password<br>- Changes PIN<br>- Unblocks PIN<br>- Renews her own card<br>- Locks her own card | Identity Manager Admin: No<br>Identity Manager: No | BaseRoleSelfServiceUser |
Self-service visitor | - Accepts or denies a meeting invitation<br>- Invites a further participant to an existing meeting | Identity Manager Admin: No<br>Identity Manager: No | BaseRoleSelfServiceVisitor |
Batch sync | A role used for automatic batch synchronization of identities with external sources such as Active Directory. This role cannot be assigned to persons; it is used only for this purpose. For the batch synchronization to work, the following entry must be set in the system.properties file of the Identity Manager main client: batchSync.permissionRole=BaseRoleBatchSync | Identity Manager Admin: No<br>Identity Manager: No | BaseRoleBatchSync |
Pre-login user | This role has the permission to execute a process before login, for example, to reset a password. | Identity Manager Admin: No<br>Identity Manager: No | BaseRolePreloginUser |
Data administrator | Creates and manages variables for two data pools in Identity Manager:<br>- Identifier: to set identifiers like “driving license”.<br>- Reasons: to set reasons for use cases like “lock a card object”, “replace card object”. | Identity Manager Admin: No<br>Identity Manager: No | BaseRoleDataAdministrator |