Configuring and Administering Session Delegation
For a general overview of the session delegation mechanism, see Session Delegation - Mechanism.
For more details on the conditions under which a user can delegate a session, see Managing Session Delegation.
Authorizing Users to Delegate Their Windows Session
To authorize users to delegate their Windows session, you can:
Authorizing Users to Delegate Their Session to other Users
The Session delegation tab of a user security profile allows you to authorize users to delegate their Windows session to another user.
- In the tree structure of the Directory panel, click the user security profile that applies to users for which you want to authorize session delegation.
- Click the Session Delegation tab.
The tab appears.
- In the Session delegation type field, select Temporary and define the delegation parameters for temporary delegation as described in the following "Session delegation" Tab Description.
- In the Session delegation type field, select Permanent and define the delegation parameters for permanent delegation as described in the following "Session delegation" Tab Description.
- Click Apply.
"Session delegation" Tab Description
Figure 6: Session Delegation tab
- Session delegation type
The user can decide to delegate his/her session temporarily or permanently. Both options are available to the user, so you must configure each of them.
- Temporary: when a user delegates his/her session, the session is delegated until he/she re-authenticates.
- Permanent: when a user delegates his/her session, the session is delegated until he/she ends the delegation authorization through the Manage Session Delegation menu in Authentication Manager.
- Re-authentication is needed check box
This check-box allows you to define whether users must re-authenticate when they want to access the Cluster wizard (from which they can delegate their session) or the Set temporary session delegation shortcut command. See Managing a Cluster from your Workstation for more details on how users can access these tools. For Session delegation outside a cluster, this check box must be selected.
- Check box selected: when the user launches one of the delegation tool, an authentication window appears on his/her workstation.
- Check box cleared: the user does not need to authenticate again on his/her workstation when he/she launches one of the delegation tool.
- Temporary delegation needs an approval check box
This check box is only available if the Temporary session delegation type is selected.
- Check box selected: a user who wants to delegate his/her session needs the approval of the delegate.
In this case, when a user selects a user to whom he/she wants to delegate his/her session, a delegation proposal window appears on the delegate’s workstation. The delegate can accept or reject the proposal. The asking user window is frozen until all selected users have given an answer.
Delegate has x seconds to accept/decline the delegation demand
Period of time during which the delegation proposal window appears on the delegate’s workstation. If no answer is given during this period of time, the delegation demand is either sent to the Backup delegate (if any), or declined.
- Check box cleared: a user can delegate his/her session to another user without collecting his/her approval. An information window appears on the delegate’s workstation to inform him/her that a delegation has been set.
For Session delegation, one of the following check boxes must be selected:
Authorizing Users of the same Group to Delegate Their Session toMembers of their Group
Authorizing Users of the same Group to Delegate Their Session to
Members of their Group
You can define additional security policy parameters on groups of users. These parameters are added to the user security profiles applied to the members of the group.
The Policies tab (only available from a group object) is dedicated to Cluster users and allows you to authorize members of the group to delegate their Windows session to another member of the group.
- This section only applies to groups of users who use cluster of access points.
- To perform the task described in this section, you must have at least the following administration role:
- In classic administration mode: "Security object administrator".
- In advanced administration mode: your role must contain the following right: "Group policy: Modification".
NOTE: For more information on administration roles, see One Identity EAM Console Administrator's Guide.
- In the tree structure of the Directory panel, select the wanted group of users.
- Click the Policies tab:
Figure 7: Policies tab
- Select the Define additional Security Policies for members of this group check box.
- In the Windows Session Delegation Policy area, select the check box corresponding to the type of delegation you want to authorize to members of the group:
- Allow permanent delegation: when a user delegates his/her session, the session is delegated until he/she ends the delegation authorization through the Cluster wizard.
- Allow temporary delegation: when a user delegates his/her session, the session is delegated until he/she re-authenticates.
- Click Apply.