This article describes the roles that are available in the Physical access module of Nexus Smart ID.
Specific roles for Physical access
The following roles are available in the Smart ID Physical access module:
|
Role |
Description |
Technical reference |
|---|---|---|
|
Entitlement administrator |
Imports, activates, deactivates and edits entitlements. Manages the lifecycle of entitlement approver and entitlement responsible. |
PemRoleEntitlementAdmin |
|
Entitlement requester |
Requests entitlements for employees, assigns entitlement approvers to employees, and enables/disables employees for making entitlements requests in Smart ID Self-Service. |
PemRoleEntitlementRequester |
|
Entitlement approver |
Is responsible for specific employees. Approves entitlement requests if required by the entitlement approval type (1-step or 2-step approval). |
PemRoleEntitlementApprover |
|
Entitlement responsible |
Is responsible for specific entitlements. Approves entitlement requests if required by the entitlement approval type (2-step approval). Before activating an entitlement, two entitlement responsibles must be assigned to it. |
PemRoleEntitlementProfileResponsible |
|
Entitlement requester Self-Service |
Employees who are enabled to make entitlement requests in Smart ID Self-Service. |
PemRoleEntitlementRequesterUSSP |
Bootstrap users in Physical access
In the Physical access module, the following bootstrap users are defined. These must be removed after setting up the system.
|
Demo user |
Role |
Username / Password |
|---|---|---|
|
pemrequester |
Entitlement requester |
Username: pemrequester
|
|
pemadmin |
Entitlement administrator |
Username: pemadmin
|
Standard roles in Identity Manager
The standard package of Identity Manager provides a set of predefined standard roles that can be used as is or adapted to your requirements. This table lists the standard roles and what rights they have in Identity Manager Admin and Identity Manager Operator respectively.
|
Role |
Description |
Rights |
Technical reference |
|---|---|---|---|
|
Bootstrap administrator |
Does the initial configuration of Identity Manager. |
Identity Manager Admin: All
|
BaseRoleBootstrapAdmin |
|
Policy administrator |
A user in Identity Manager. |
Identity Manager Admin: All
|
BaseRolePolicyAdmin |
|
Service administrator |
Makes configurations in Identity Manager, such as:
|
Identity Manager Admin: No
|
BaseRoleServiceAdmin |
|
Registration officer |
Manages “target” users and identities, who are targets (or objects) of credential management actions. |
Identity Manager Admin: No
|
BaseRoleRegistrationOfficer |
|
Approver |
Approves card production. |
Identity Manager Admin: No
|
BaseRoleOfficer |
|
Card production administrator |
|
Identity Manager Admin: No
|
BaseRoleProductionAdmin |
|
Issuing authority |
Activates and issues card to requester/user. |
Identity Manager Admin: No
|
BaseRoleIssuingAuthority |
|
User administrator |
|
Identity Manager Admin: Roles, User Administration
|
BaseRoleUserAdmin |
|
Helpdesk |
|
Identity Manager Admin: No
|
BaseRoleHelpdeskOfficer |
|
Self-service user |
|
Identity Manager Admin: No
|
BaseRoleSelfServiceUser |
|
Self-service visitor |
|
Identity Manager Admin: No
|
BaseRoleSelfServiceVisitor |
|
Batch sync |
A role used for automatic batch synchronization of identities with external sources such as Active Directory. This role can not be assigned to persons, but only used for this purpose. For the batch synchronization to work, the following entry must be set in the system.properties file of the Identity Manager main client: batchSync.permissionRole=BaseRoleBatchSync |
Identity Manager Admin: No
|
BaseRoleBatchSync |
|
Pre-login user |
This role has the permission to execute a process before login, for example, to reset a password. |
Identity Manager Admin: No
|
BaseRolePreloginUser |
|
Data administrator |
Creates and manages variables for two data pools in Identity Manager
|
Identity Manager Admin: No
|
BaseRoleDataAdministrator |