Defender 5.9.3 - Administration Guide


Steps to delegate roles, tasks, and functions

You can delegate Defender roles, tasks, or functions to specific users or groups by using the Defender Delegated Administration Wizard.

To delegate Defender roles, tasks, or functions

  1. On the computer where the Defender Administration Console is installed, open the Active Directory Users and Computers tool (dsa.msc).
  2. In the left pane (console tree), expand the appropriate domain node, and click to select the Defender container.
  3. On the menu bar, select Defender | Delegate Control.

    The Defender Delegated Administration Wizard starts. Step through the wizard.

  4. In the Users and Groups step, add the user accounts or groups to which you want to delegate Defender roles, tasks, or functions. Click Next.
  5. In the Tasks to Delegate step, select the check boxes next to the Defender roles, tasks, or functions you want to delegate. Click Next.
  6. Follow the remaining steps in the wizard to complete the delegation.

    The wizard does not modify any standard Active Directory permissions. Rather, it adds access control entries that grant rights on the Defender objects and on the Defender-specific attributes that the Defender schema extension adds to Active Directory. Treat these entries like any other Active Directory ACL change: review them after the wizard completes, and delegate the Administrator role only to accounts that need full control of the Defender configuration.
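To review what the wizard actually wrote, the following PowerShell script, added here as an example and not part of the Defender Administration Guide or the Defender product, lists the explicit access control entries on the Defender container and the Defender-attribute entries that apply to a sample user, resolving attribute and extended-right GUIDs to their schema names. It assumes the ActiveDirectory RSAT module is installed, uses a placeholder container DN (CN=Defender,DC=example,DC=com) and sample user (jdoe), and assumes that Defender schema attributes carry the defender- lDAPDisplayName prefix; adjust all of these for your environment.

```powershell
# Added example, not part of the Defender Administration Guide or the Defender product.
# Lists the ACEs the Delegated Administration Wizard wrote so they can be reviewed.
# Assumptions (adjust for your environment): the ActiveDirectory RSAT module is
# installed; the container DN and sample user are placeholders; Defender schema
# attributes use the "defender-" lDAPDisplayName prefix.
param(
    [string]$DefenderContainerDN = 'CN=Defender,DC=example,DC=com',  # assumption
    [string]$SampleUser          = 'jdoe'                             # assumption
)

Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE

# Build a GUID -> name map so attribute-level and extended-right ACEs are readable.
$guidMap = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
             -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
             -LDAPFilter '(rightsGuid=*)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.displayName }

function Resolve-AceGuid {
    param([guid]$Guid, [string]$IfEmpty)
    # An all-zero GUID means the ACE covers the whole object rather than one attribute or right.
    if ($Guid -eq [guid]::Empty) { return $IfEmpty }
    if ($guidMap.ContainsKey($Guid)) { return $guidMap[$Guid] }
    return $Guid.ToString()
}

function Get-DelegationAces {
    param([string]$DistinguishedName, [switch]$IncludeInherited)
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object { $IncludeInherited -or -not $_.IsInherited } |
        ForEach-Object {
            [pscustomobject]@{
                Object    = $DistinguishedName
                Identity  = $_.IdentityReference.Value
                Type      = $_.AccessControlType
                Rights    = $_.ActiveDirectoryRights
                Property  = Resolve-AceGuid -Guid $_.ObjectType -IfEmpty '<whole object>'
                AppliesTo = Resolve-AceGuid -Guid $_.InheritedObjectType -IfEmpty '<this object>'
                Inherited = $_.IsInherited
            }
        }
}

# Explicit (non-inherited) ACEs on the Defender container itself.
$containerAces = @(Get-DelegationAces -DistinguishedName $DefenderContainerDN)

# On a user object the Defender-attribute rights are normally inherited from a parent
# container, so include inherited ACEs and keep only those naming a Defender attribute.
$user     = Get-ADUser -Identity $SampleUser
$userAces = @(Get-DelegationAces -DistinguishedName $user.DistinguishedName -IncludeInherited |
    Where-Object { $_.Property -like 'defender-*' })

$containerAces + $userAces | Sort-Object Object, Identity | Format-Table -AutoSize

# Full control, DACL or owner rights go beyond any helpdesk-style delegation; make sure
# every account listed here is an intended Administrator-role delegate.
$overbroad = $containerAces | Where-Object {
    $_.Type -eq 'Allow' -and "$($_.Rights)" -match 'GenericAll|WriteDacl|WriteOwner'
}
if ($overbroad) {
    Write-Warning 'Explicit full-control, WriteDacl or WriteOwner ACEs found on the Defender container:'
    $overbroad | Format-Table Identity, Rights, Property -AutoSize
}
```

Run the script from an account that can read the ACLs of the container and of the sample user. A Basic Helpdesk or Provisioning delegate should appear only with property-level rights on specific Defender attributes; an explicit Allow entry granting GenericAll, WriteDacl or WriteOwner amounts to full control and is flagged so you can confirm it belongs to an intended Administrator-role delegation.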

Roles

You can delegate any of the Defender roles listed below to the users or groups you choose. If necessary, you can delegate two or more roles to the same user or group.

Table 31: Defender roles

Administrator

Members of this role can modify any Defender object and have complete control over the Defender configuration. This includes modification of all user-based Defender items.

Members of this role can:

  • Assign and unassign tokens.
  • Set a Defender password.
  • Set a Defender PIN.
  • Modify access nodes, Defender Security Servers, Defender policies, tokens, and RADIUS payloads.
  • Manage Defender licenses.

Basic Helpdesk

Members of this role can:

  • Reset tokens.
  • Test a token via the Defender Administration Console.
  • Reset a locked token by resetting the violation count for the user to whom the token is assigned.

Provisioning

Members of this role can:

  • Assign a Defender token.
  • Program a Defender token.
  • Remove a Defender token from a user’s account.
  • Reset a Defender PIN.

Enhanced Helpdesk

Members of this role can:

  • Assign a Defender token.
  • Program a Defender token.
  • Remove a Defender token.
  • Reset a Defender token.
  • Recover a Defender token.
  • Test a Defender token.
  • Reset a locked Defender token.
  • Set a Defender PIN.
  • Set a Defender password.
  • Assign a temporary token response.

Auditor

Members of this role have read-only access to all Defender objects and to all Defender attributes of user and group objects. They cannot modify tokens, PINs, Defender passwords, or any other Defender setting.

Service accounts

You can delegate permissions to specific user accounts so that they act as service accounts for the Defender components you want.

Table 32: Service account roles

Defender Security Server

The user account to which you assign this role is granted the permissions it needs to act as the Defender Security Server service account.

To specify the user account as the Defender Security Server service account, use the Defender Security Server Configuration tool.

For more information, see Defender Security Server Configuration tool reference.

Defender Management Portal

The user account to which you assign this role is granted the permissions it needs to act as the Defender Management Portal service account.

The user account to which you assign this role must be a member of the local Administrators group on the computer where the Defender Management Portal is installed.

After assigning this role to a user account, enter the account credentials in the Defender Management Portal. For more information, see Specifying a service account for the portal.

Advanced control

Instead of a whole role, you can delegate permissions to perform one or several specific Defender tasks to the user accounts you want. You can delegate the following tasks:

  • Assign Defender token
  • Program Defender token
  • Recover Defender token
  • Reset Defender token
  • Set and clear Defender token’s PIN
  • Assign Defender token temporary response
  • Set Defender password
  • Test Defender token
  • Unassign Defender token
  • Reset Defender token violation count
  • Modify Defender ID
  • Select Policy
  • Select RADIUS Payload