Roles in Physical access

This article describes the roles that are available in the Physical access module of Nexus Smart ID.

Specific roles for Physical access

The following roles are available in the Smart ID Physical access module:

Role	Description	Technical reference
Entitlement administrator	Imports, activates, deactivates and edits entitlements. Manages the lifecycle of entitlement approver and entitlement responsible.	PemRoleEntitlementAdmin
Entitlement requester	Requests entitlements for employees, assigns entitlement approvers to employees, and enables/disables employees for making entitlements requests in Smart ID Self-Service.	PemRoleEntitlementRequester
Entitlement approver	Is responsible for specific employees. Approves entitlement requests if required by the entitlement approval type (1-step or 2-step approval).	PemRoleEntitlementApprover
Entitlement responsible	Is responsible for specific entitlements. Approves entitlement requests if required by the entitlement approval type (2-step approval). Before activating an entitlement, two entitlement responsibles must be assigned to it.	PemRoleEntitlementProfileResponsible
Entitlement requester Self-Service	Employees who are enabled to make entitlement requests in Smart ID Self-Service.	PemRoleEntitlementRequesterUSSP

Bootstrap users in Physical access

In the Physical access module, the following bootstrap users are defined. These must be removed after setting up the system.

Demo user	Role	Username / Password
pemrequester	Entitlement requester	Username: pemrequester Password: pemrequester
pemadmin	Entitlement administrator	Username: pemadmin Password: pemadmin

Standard roles in Identity Manager

The standard package of Identity Manager provides a set of predefined standard roles that can be used as is or adapted to your requirements. This table lists the standard roles and what rights they have in Identity Manager Admin and Identity Manager Operator respectively.

Role	Description	Rights	Technical reference
Bootstrap administrator	Does the initial configuration of Identity Manager.	Identity Manager Admin: All Identity Manager: Admin	BaseRoleBootstrapAdmin
Policy administrator	A user in Identity Manager.	Identity Manager Admin: All Identity Manager: No	BaseRolePolicyAdmin
Service administrator	Makes configurations in Identity Manager, such as: Start, restart and stop services Create tenant Configure connector Audit the system log and the process lists Kill processes	Identity Manager Admin: No Identity Manager: Admin	BaseRoleServiceAdmin
Registration officer	Manages “target” users and identities, who are targets (or objects) of credential management actions.	Identity Manager Admin: No Identity Manager: All	BaseRoleRegistrationOfficer
Approver	Approves card production.	Identity Manager Admin: No Identity Manager: Open Tasks	BaseRoleOfficer
Card production administrator	Produces cards Repeats production	Identity Manager Admin: No Identity Manager: Search, Batch Orders	BaseRoleProductionAdmin
Issuing authority	Activates and issues card to requester/user.	Identity Manager Admin: No Identity Manager: Search	BaseRoleIssuingAuthority
User administrator	Manages users and identities Assigns and de-assigns roles to users	Identity Manager Admin: Roles, User Administration Identity Manager: Search	BaseRoleUserAdmin
Helpdesk	Resets passwords Activates and reactivates Identity Manager users	Identity Manager Admin: No Identity Manager: Search, Open Tasks	BaseRoleHelpdeskOfficer
Self-service user	Registers and deregisters herself in the system Registers security password Resets her own password Changes pin Unblocks pin Renews her own card Locks her own card	Identity Manager Admin: No Identity Manager: No	BaseRoleSelfServiceUser
Self-service visitor	Accepts or denies meeting invitation Invites further participant to an existing meeting	Identity Manager Admin: No Identity Manager: No	BaseRoleSelfServiceVisitor
Batch sync	A role used for automatic batch synchronization of identities with external sources such as Active Directory. This role can not be assigned to persons, but only used for this purpose. For the batch synchronization to work, the following entry must be set in the system.properties file of the Identity Manager main client: batchSync.permissionRole=BaseRoleBatchSync	Identity Manager Admin: No Identity Manager: No	BaseRoleBatchSync
Pre-login user	This role has the permission to execute a process before login, for example, to reset a password.	Identity Manager Admin: No Identity Manager: No	BaseRolePreloginUser
Data administrator	Creates and manages variables for two data pools in Identity Manager Identifier: to set identifiers like “driving license”. Reasons: to set reasons for use cases like “lock a card object”, “replace card object”.	Identity Manager Admin: No Identity Manager: No	BaseRoleDataAdministrator