Session Delegation - Mechanism
Definitions
Subject
If for any reason a user has to leave his/her cluster, he/she can delegate his/her Windows session to one or more delegate(s) to monitor or intervene in any of his/her ongoing operations.
Delegation Types
The session delegation can be temporary or permanent:
- Temporary Session Delegation
To setup a temporary delegation, a user defines a Primary delegate and (if any) a Backup who can access one or several of his/her Windows sessions when he/she is away.
The delegation ends when the user authenticates again.
The following figure illustrates the temporary delegation:
Figure 2: Temporary Session Delegation
In a temporary delegation, there are two delegates:
- Permanent Session Delegation
To setup a permanent delegation, a user defines one delegate who can access one or several of his/her Windows sessions when he/she is away.
The delegation does not end when the user authenticates again. He/she must explicitly remove it to cancel it.
Behavior of Delegated Workstations
A delegated workstation is not entirely included in the cluster of the delegate, but the operations performed on the cluster have consequences on the delegated workstation. If the delegate:
- Locks his/her cluster, the delegated workstation locks.
- Closes his/her cluster, the delegated workstation locks.
- Locks or closes the delegated workstation, theses operations are not propagated to his/her cluster.
Required EAM Modules
To use the Cluster function, the following EAM modules must be installed :
- EAM Console: mandatory.
- Authentication Manager: mandatory.
- Enterprise SSO: optional.
For more information on installation of EAM (Enterprise Access Management) modules, see One Identity EAM Installation Guide.
Administering Clusters From EAM Console
EAM Console allows you to create and configure clusters of access points, and to authorize users to manage their own cluster.