Preface
Overview
Enterprise Access Management Concepts
EAM Controllers
A Multi-Domain Architecture
Interface general design
Authenticating to EAM Console and Managing Protection Modes
Searching the Directory Tree
Managing administrators
Administration Modes - Presentation
Delegating Administration Roles
Managing Administration Profiles
Transferring an Administration Role
Deleting an Administration Role
Displaying your Administration Role
Modifying the Parent Administrator
Adding/Removing Primary Administrators
Managing Security Profiles
Managing time slices
Managing directory objects
Creating/Modifying Time Slices
Configuring Time Slices
Displaying time slice usage logs
Displaying time slice event logs
Renaming representative objects
Deleting time slices
Managing Password Format Control Policies
Creating/Modifying Password Format Control Policies
Configuring Password Format Control Policy
Displaying PFCP usage logs
Displaying Password Format Control Policy Event Logs
Renaming Password Format Control Policies
Deleting Password Format Control Policies
Managing User Security Profiles
Creating/Modifying User Security Profiles
Configuring User Security Profiles
Managing Access Point Security Profiles
Authentication Tab
Security Tab
SSO and Notes Tab
Cloud Tab
Unlocking Tab (Fast User Switching - FUS)
Self Service Password Request Tab
Biometrics Tab
Session Delegation Tab
Audit Tab
OTP Tab
Mobile Device Tab
Displaying User Security Profile Usage Logs
Displaying User Security Profile Event Logs
Renaming User Security Profiles
Deleting User Security Profiles
Creating/Modifying Access Point Security Profiles
Configuring Access Point Security Profiles
Managing Application Security Profiles
Security Services Tab
Authentication Manager Tab
Enterprise SSO Tab
Multi-User Desktop Tab
Biometrics Tab
Self Service Password Request Tab
Active RFID Tab
Audit Tab
Local Administrators Tab
Displaying Access Point Security Profile Usage Logs
Displaying Access Point Security Profile Event Logs
Renaming Access Point Security Profiles
Deleting Access Point Security Profiles
Managing Password Generation Policies
Defining Security Profiles Default Values
Managing User and Access Point Security Profiles Priorities
Creating/Modifying Password Generation Policies
Configuring the Password Generation Policy
Displaying Password Generation Policy Usage Logs
Displaying Password Generation Policy Event Logs
Renaming Password Generation Policies
Deleting Password Generation Policies
Creating/Modifying Application Security Profiles
Configuring Application Security Profiles
Displaying Application Security Profile Usage Logs
Displaying Application Security Profile Event Logs
Renaming Application Security Profiles
Deleting Application Security Profiles
Managing applications
Importing/Exporting security profiles and directory objects
Managing smart cards
Creating an application
Defining the general properties of an application
Creating the account properties for an application
Defining the Single Sign-On properties of an application (SSO)
Defining external names
Defining the Provisioning Connector
Assigning users to an application
Sharing the administration of an application
Generating/Importing accounts for an application
Assigning access points to an application
Displaying accounts associated with the application
Displaying application event logs
Displaying/Modifying application information
Renaming applications
Deleting applications
Managing users
Displaying general information about the user
Defining user connection parameters
Managing access points
Suspending or limiting temporarily user access
Displaying user authentication information and administering roaming sessions
Predefining a new user's primary password
Managing user Self Service Password Request
Defining an audit identifier
Creating a welcome message
Assigning a user security profile
Declaring a user as administrator
Assigning/forbidding access points to a user
Managing user accounts
Managing the User Self Enrollment
Assigning Administration Rights
Configuring the Dedicated Organizational Units
Configuring Self Enrollment
Sending SSO account passwords to users
Sending primary password expiration notification emails to users
Defining additional security parameters for groups of users
Managing user smart cards
Managing user Mobile Devices
Displaying and deleting user biometrics data
Assigning applications to a user
Displaying delegated sessions
Managing user RFID tokens
Displaying user event logs
Deleting SSO data of disabled user accounts
Adding or removing a user from a group
Displaying general information about the access point
Defining access point configuration parameters
Managing representative objects
Assigning an access point security profile
Managing EAM controller services
Assigning a generic account to an access point
Assigning/forbidding users to an access point
Assigning/forbidding applications to an access point
Adding or removing an access point from a group
Analyzing Errors of a Remote Access Point
Displaying access point event logs
Updating manually an access point
Managing inbound representative objects
Managing clusters of access points
Creating/Modifying an inbound representative object
Defining the set of users to represent
Assigning a user security profile to the inbound representative object
Selecting access points available to the representative
Managing outbound representative objects
Creating/Modifying an outbound representative object
Defining the set of access points to represent
Selecting applications available to the representative
Displaying representative event logs
Renaming representative objects
Deleting representative objects
Creating and configuring a cluster of access points
Managing user permissions on clusters
Selecting a domain controller
Authorizing users to access the workstations of the cluster
Displaying the cluster composed by authorized users
Displaying cluster event logs
Renaming clusters
Deleting cluster
Configuring smart card parameters of use
Managing SA server devices
Managing RFID tokens
Managing smart card configuration profiles
Managing smart card certificates
Assigning smart cards (except loan cards)
Creating/Modifying configuration profiles
Renaming a configuration profile
Deleting a configuration profile
Modifying authentication parameters of an assigned smart card
Managing batches of smart cards
Assigning smart cards
Assigning a smart card managed by an external CMS
Smart card self enrollment
Formatting an assigned smart card
Managing loan cards
Unlocking smart cards
Setting administrator's contact information
Unlocking to Forcing PIN
Unlocking by secret code
Unlocking by SSPR
Unlocking by extending the validity duration
Formatting a blacklisted card
Managing lost or theft smart cards
Formatting smart cards
Displaying information
Exporting Generated Reports
Assigning an RFID token
Locking and unlocking an RFID token
Managing biometrics
Locking and unlocking an RFID token from the Directory panel
Locking and unlocking an RFID token from the RFID panel
Resetting the PIN of an RFID badge
Blacklisting and deleting an RFID token
Blacklisting and deleting an RFID token from the Directory panel
Blacklisting and deleting an RFID token from the RFID panel
Modifying the detection areas and the grace period
Exporting a list of RFID tokens
Defining the biometric enrollment policy
Defining the workstation biometric parameters
Managing the user enrollment
Displaying and exporting the biometric enrollment report
Managing Mobile Devices
Enabling the public key authentication method
Configuring user and access point security profiles to support the PKA authentication method
Activating the PKA authentication method and defining the set of authorized certification authorities
Managing Emergency Accesses
Managing audit events
Activating the PKA authentication method
Configuring the set of authorized certification authorities
Configuring the automatic update of the revocation information
Displaying audit events
Defining an audit population
Managing and assigning audit filters
Interpreting audit events
Managing reports
The audit main window
The "Event details" window
Detailed information on the audit administration events
Exporting audit events
Archiving audit records
Retrieving user identifier from audit identifier
Retrieving audit events
Generating PDF reports
Generating On-screen reports
Customizing configuration files
Creating scripts
Basic syntax of regular expressions
Listing audit events and error codes
Correspondence between profiles and administration rights
Report Models and Parameters List
Custom Group Files Format
Managing user smart cards
Managing user smart cards
You can manage user's smart cards from the Directory panel, using the Smart Cards tab. It is also possible to use the Smart Cards panel. For practical reasons, the administration tasks related to smart cards are the subject of a separate section. Thus, for more information on the smart cards management, see Section Managing smart cards.
|
|
IMPORTANT: The Smart Card tab only appears if you have the "Smart card administrator" role. |
Managing user Mobile Devices
Subject
The Mobile Devices tab, directly linked to QRentry: the application for mobile devices, enables you to:
- Restrict the set of mobile devices for a particular user with the unique identifier of the mobile device.
- Force the verification of the unique identifier of a non-enrolled mobile device.
If a mobile device has been enrolled by a user, then it appears under this user. You can check the following information:
- The mobile devices enrolled for emergency access and for the local administration access (optional).
- The mobile devices not enrolled yet.
- The properties of each mobile device (name, unique identifier...).
For a complete description of QRentry, please refer to QRentry User’s Guide.
Description of the Information tabbed panel of a Mobile Device
|
|
NOTE: To display the following tabbed panel, in the tree structure of the Directory panel, select the wanted user by clicking  and select a mobile device. |
|
Item |
Description | ||
|
Details |
Displays the following information:
| ||
|
Administration Keys |
This area displays the following information:
|
Mobile device enrolled.
Mobile device enrolled with local administration access.
Mobile device not enrolled yet.Displaying and deleting user biometrics data
Subject
The Biometrics tab displays information about the user biometric data enrollment, and allows you to remove enrollment biometric data from the controller.
Before starting
To configure the parameters described in this section, you must work in advanced administration mode, and your role must contain one of the following administration right:
- Bio: Display user biometric details (self-explanatory).
- Bio: Is enable to allow biometrics pattern enrollment. This right allows you to display and remove from the controller enrolled fingerprints, and allows users to enroll their fingerprints (see Biometrics Tab).
|
|
NOTE: For more information on administration roles, see Section Managing administrators. |
Procedure
- In the tree structure of the Directory panel, select the wanted user.
- Click the Biometrics tab
- The tab appears and displays user’s biometric data, as described in the following Section Window description.
Window description
- Provider field
Name of the biometric reader provider that you want to be used.
- Clear all Patterns button
Removes enrolled biometric data from the controller.
|
|
NOTE: You must have the right Bio: Is enable to allow biometrics pattern enrolment to use this button. |
- Enrolled patterns
Displays the enrollment pattern quality for each finger.
- Last enrolment field
Date and time of the last user enrollment.
- Enrolment approved by field
Name of the user or administrator who has authenticated at enrollment time to validate the user enrolment.
Assigning applications to a user
Assigning applications to a user
Subject
To configure the SSO for a user, you must set the following links:
- Authorize the user on an access point.
- Authorize an application to run on a given access point.
- Authorize the user to access the application.
This section describes how to authorize a user to run an application from the User object.
Before starting
To perform the task described in this section, you must have at least the following administration role:
- In classic administration mode: "Security object administrator" or "Access administrator".
- In advanced administration mode, your role must contain the following administration rights: "Authorization to use application: Creation/Modification", "Authorization to use application: Deletion".
Procedure
- In the tree structure of the Directory panel, select the wanted user.
- Click the Application Access tab.
- The tab appears.
- The tab appears.
- Fill in the panel as follows:
- Select the Show inherited access check box to display all the applications inherited from the parent groups and the parent organizational units.
- Click Add to select applications to assign to the selected user, then fill in the Access properties area and click Apply.
- The application is now displayed in the access list.
|
|
NOTE: For more information on the Access properties area, see the subsection below. You can click at any time the Edit and Remove buttons to modify or delete entries in the list. |
Access properties area
|
Column |
Description |
|
Application |
Application name |
|
Account Type |
Shared, Primary, Standard or Defined on the application. For more information, refer to the sub-section hereunder. |
|
Application Profile. |
Application profile selected for the application. |
|
Role |
Default role proposed to the user. |
|
Origin |
Specifies how the user was granted access to the application. Example: if the user belongs to a group that has access to the application, then the user can also access it. |
Access properties area
The Access properties area allows you to define how the user has access to the application using the following parameters:
- Account Type: this drop-down list offers the following options:
- Shared: the account is shared between several users who belong to the same group of users.
- Primary: the primary account represents an account allowing the use of the user's connection data to produce SSO information. This account is only available if the user password is authenticated.
- Standard: the standard account is an account type that is automatically associated with the application when it is defined for the user.
- Specified on the Application: account type defined in the account base of the application (primary account or standard account).
- Format: if you have selected the primary account type, select in this drop-down list the format of the Windows user name (user name preceded by NETBIOS domain or including Windows domain for example).
- Application profile: if you have defined several application security profiles at application level, you can specify the profile you want to use for a particular access.
NOTE: To enable the Mobile E-SSO feature, you must select an Application profile that allows external accesses. For more information, see Mobile E-SSO Installation and Configuration Guide.
- Role: the Manage button enables you to define a role that will be suggested by default to the user when he creates his first account in Enterprise SSO.
- This access is for computers: the selected application can be used on workstations.
- This access if for mobile devices: the selected application can be used by QRentry on mobile devices.
NOTE:
-
If you want to manage SSO of an application on workstations and mobile devices separately, you must create two applications that share the same account base.
-
For more information, see QRentry User’s Guide.
-
- Users can create additional accounts: select this check box to authorize the user to create as many accounts as he/she wants.