Chat now with support
Chat with Support

Defender 6.4 - Administration Guide

Getting started Managing Defender objects in Active Directory Configuring security tokens Securing VPN access Securing Web sites Securing Windows-based computers Defender Management Portal (Web interface) Securing PAM-enabled services Delegating Defender roles, tasks, and functions Automating administrative tasks Administrative templates Integration with Active Roles Push Notifications Appendices
Appendix A: Enabling diagnostic logging Appendix B: Troubleshooting common authentication issues Appendix C: Troubleshooting DIGIPASS token issues Appendix D: Defender classes and attributes in Active Directory Appendix E: Defender Event Log messages Appendix F: Defender Client SDK Appendix G: Defender Web Service API

Roles

You can delegate the below-listed Defender roles to the users or groups you want. If necessary, you can delegate two or more roles to the same user.

 

Table 31:

Defender roles

Role

Description

Administrator

Members of this role can modify any Defender object and have complete control over the Defender configuration. This includes modification of all user-based Defender items.

Members of this role can:

  • Assign and unassign tokens.
  • Set a Defender password.
  • Set a Defender PIN.
  • Modify access nodes, Defender Security Servers, Defender policies, tokens, and RADIUS payloads.
  • Manage Defender licenses.

Basic Helpdesk

Members of this role can:

  • Reset tokens.
  • Test a token via the Defender Administration Console.
  • Reset a locked token by resetting the violation count for the user to whom the token is assigned.

Provisioning

Members of this role can:

  • Assign a Defender token.
  • Program a Defender token.
  • Remove a Defender token from a user’s account.
  • Reset a Defender PIN.

Enhanced Helpdesk

Members of this role can:

  • Assign a Defender token.
  • Program a Defender token.
  • Remove a Defender token.
  • Reset a Defender token.
  • Recover a Defender token.
  • Test a Defender token.
  • Reset a locked Defender token.
  • Set a Defender PIN.
  • Set a Defender password.
  • Assign a temporary token response.

Auditor

Members of this role have read-only access to

  • All Defender objects of Users and Groups.
  • All Defender attributes of Users and Groups.

Service accounts

You can delegate permissions to specific user accounts so that they act as service accounts for the Defender components you want.

 

Table 32:

Options related to service accounts

Role

Description

Defender Security Server

The user account to which you assign this role gets the sufficient permissions to act as the Defender Security Server service account.

To specify the user account as the Defender Security Server service account, use the Defender Security Server Configuration tool.

For more information, see Defender Security Server Configuration tool reference.

Defender Management Portal

The user account to which you assign this role gets the sufficient permissions to act as the Defender Management Portal service account.

The user account to which you assign this role must be a member of the local Administrators group on the computer where the Defender Management Portal is installed.

After assigning this role to a user account, enter the account credentials in the Defender Management Portal. For more information, see Specifying a service account for the portal.

Advanced control

You can delegate permissions to perform one or several specific Defender tasks to the user accounts you want. You can delegate the following tasks:

  • Assign Defender token
  • Program Defender token
  • Recover Defender token
  • Reset Defender token
  • Set and clear Defender token’s PIN
  • Assign Defender token temporary response
  • Set Defender password
  • Test Defender token
  • Unassign Defender token
  • Reset Defender token violation Count
  • Modify Defender ID
  • Select Policy
  • Select RADIUS Payload

Full control

You can delegate permissions to manage specific Defender objects, including the permissions to view or modify any of the object properties and the permissions to create, delete, rename or move objects on a user or group.

The available options are:

  • Defender access node full control
  • Defender Security Server full control
  • Defender License full control
  • Defender Security Policy full control
  • Defender RADIUS Payload full control
  • Defender Token full Control
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating