Using the Authorization Manager (AzMan)

The DigitalPersona LDS role-based permissions, tasks and operations are managed through the DigitalPersona Authorization Store and the Windows Authorization Manager (AzMan).

The Microsoft Authorization Manager (AzMan) creates and manages an Authorization Store, which serves as a repository for DigitalPersona LDS authorization policies and defines a namespace for DigitalPersona LDS roles, tasks, and operations.

For instructions on opening the DigitalPersona Authorization Store, see Define the Authorization Store Name.

Note: Installation and administration of the Microsoft Authorization Manager tool should be performed by a member of the computer's Local Administrators group. Note that this same group is, by default, assigned the Security Officers and Administrators roles described below, so its membership should be kept to a minimum.

Although the group names, roles and tasks defined by DigitalPersona LDS can be customized, the operations themselves cannot be modified: they are the fixed set of permissions that DigitalPersona LDS Server checks. You can change which operations make up a given task, but removing an operation that the task depends on may cause the task to fail when a user attempts it.

Those roles, tasks and operations defined by default during installation are described below.

The following terms are used in the Authorization Manager:

Operations - A set of permissions associated with system-level or API-level security procedures such as WriteAttributes or ReadAttributes. Operations are the building blocks of tasks.

Tasks - A collection of operations and sometimes other tasks. Well-designed tasks represent recognizable work items (for example, "submit purchase order" or "submit expense").

Groups - Collections of users to which roles are assigned. DigitalPersona LDS uses the two kinds of group described below.

There are two types of AzMan groups used by DigitalPersona LDS:

  • Windows Groups - standard Windows groups of any scope (local, global or universal) supported by the Windows OS and Active Directory.

  • AzMan Groups - the only kind of AzMan application group used by DigitalPersona LDS is the LDAP Query Group. In AzMan, an LDAP query selects objects from the DigitalPersona AD LDS or Active Directory database, and any object matched by the query is a member of the group. To define an LDAP query group, type the LDAP query in the space provided on the Query tab of the Properties dialog box of the application group.

LDAP Query Groups

The following LDAP Query Groups are predefined by DigitalPersona LDS:

DigitalPersona AD Users
  LDAP query: "(&(objectCategory=userProxy)(objectClass=userProxy))"
  Description: All user accounts in the DigitalPersona AD LDS database which also exist in the Active Directory database. Active Directory users are automatically added to this group upon enrollment.

Altus Users
  LDAP query: "(&(objectCategory=person)(objectClass=user)(dpAccountName=*))"
  Description: All user accounts in the DigitalPersona AD LDS database which do not exist in the Active Directory database. Users are automatically added to this group upon enrollment if they are not in Active Directory.

To add an application group, right-click the Groups node and select New Application Group.

Definitions

The Definitions node contains two types of definitions: Role Definitions and Task Definitions.

Role Definitions

Each AzMan Role has the following properties.

  • Role Name

  • List of Users and Groups belonging to the Role

  • List of AzMan Tasks assigned to this Role

The following DigitalPersona LDS AzMan roles are predefined:

DigitalPersona AD Users
  Group: Altus AD Users (AzMan Group)
  Default tasks: Manage Self
  Description: All Active Directory users have this Role assigned. It allows reading and writing public LDAP attributes from/to the DigitalPersona AD LDS database.

Altus Users
  Group: Altus Users (AzMan Group)
  Default tasks: Manage Self
  Description: All DigitalPersona LDS users who do not exist in the Active Directory database have this Role assigned. It allows reading and writing public LDAP attributes from/to the DigitalPersona AD LDS database.

Security Officers
  Group: Administrators (Windows Local Group)
  Default tasks: Query Users, Enroll Users
  Description: By default only Windows users who belong to the Local Administrators group on the machine where DigitalPersona LDS Server is installed have this Role assigned; Domain Administrators are assigned this role automatically during setup. It allows enrolling credentials for any type of user in the DigitalPersona AD LDS database.

Administrators
  Group: Administrators (Windows Local Group)
  Default tasks: Query Users, Manage Users, Enroll Users, Manage Licenses, Manage Policies
  Description: By default only Windows users who belong to the Local Administrators group on the machine where DigitalPersona LDS Server is installed have this Role assigned; local administrators are assigned this role automatically during setup. It allows practically any operation on DigitalPersona LDS users, so membership of that local group amounts to full administrative control of the DigitalPersona LDS database.

Task Definitions

The following authorization tasks are predefined (operation names are spelled as in the Authorization Operations list below):

Enroll Customers - User can enroll other customers (non-Active Directory users). Default operations: Create User, Enroll Customer Credentials, Modify User Info, Set User Account Control.
Enroll Employees - User can enroll other employees (Active Directory users). Default operations: Create User, Enroll Employee Credentials, Modify User Info, Set User Account Control.
Enroll Self - User can enroll their own credentials. Default operations: Self Create User, Self Enroll Credentials.
Enroll Users - User can enroll other DigitalPersona users. Default operations: Create User, Enroll Credentials, Modify User Info, Set User Account Control.
Manage Licenses - User can activate DigitalPersona LDS licenses and import OTP hardware seed files. Default operations: Activate License.
Manage Policies - User can create and manage DigitalPersona LDS policies. Default operations: Assign Policies, Create Policies, Delete Policies.
Manage Self - User can manage their own DigitalPersona account. Default operations: Get Own Info, Modify Own Info.
Manage Users - User can manage other DigitalPersona users and their accounts. Default operations: Create User, Delete User, Enroll Credentials, Modify User Info, Recover User, Set User Account Control, Unlock User Account.
Query Self - User can query the DigitalPersona LDS database for their own information. Default operations: Get Own Info.
Query Users - User can query the DigitalPersona LDS database for user information. Default operations: Get User Info.

Authorization Operations

The following authorization operations are predefined:

Activate License - Activates a product license.
Assign Policies - Assigns a policy to a DigitalPersona LDS group.
Create Policies - Creates a DigitalPersona LDS policy.
Create User - Creates a DigitalPersona LDS non-AD user record.
Delete Policies - Deletes DigitalPersona LDS policies.
Delete User - Deletes a DigitalPersona LDS non-AD user.
Enroll Credentials - Enrolls credentials for a DigitalPersona LDS non-AD user.
Enroll Customer Credentials - Enrolls credentials for a customer (DigitalPersona LDS non-AD user).
Enroll Employee Credentials - Enrolls credentials for an employee (AD user).
Get Own Info - Queries the DigitalPersona LDS database for the caller's own user information (attributes).
Get User Info - Queries the DigitalPersona LDS database for any user's information (attributes).
Modify Own Info - Changes the caller's own DigitalPersona LDS user information.
Modify User Info - Changes any user's DigitalPersona LDS user information.
Recover User - Performs user recovery. (This feature is not implemented in the current version; the operation is reserved for future use.)
Self Create User - Creates the caller's own DigitalPersona LDS user record. The caller must be a Windows AD user.
Self Enroll Credentials - Enrolls the caller's own credentials without requiring the Security Officer role.
Set User Account Control - Sets user account control bits.
Unlock User Account - Removes the lock from a user account.
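The tasks, roles and operations above are the baseline an administrator should be able to re-check after any customization. The following PowerShell script is an added example, not code from the DigitalPersona documentation: it opens the AzMan store through the standard AzRoles.AzAuthorizationStore COM object, compares every predefined task against the default operations listed in this section, prints the role definitions, role assignments and LDAP query groups, and flags a role that combines Enroll Self with an attended-enrollment task. The store URL and application name are placeholders (this page does not give them; take the real values from Define the Authorization Store Name), and the expected operation names are transcribed from the lists above, so a name spelled differently in your store is reported as missing and should be checked before it is treated as tampering.

```powershell
# Added example (not part of the DigitalPersona documentation): audit the DigitalPersona LDS
# AzMan application against the predefined tasks, roles and LDAP query groups listed above,
# using the AzMan COM API (AzRoles.AzAuthorizationStore) from PowerShell on the LDS server.
# ASSUMPTIONS: $StoreUrl and $AppName are placeholders, not values from this guide; take the
# real ones from "Define the Authorization Store Name". Run as a member of the server's Local
# Administrators group, which the page names as the group that administers AzMan.
param(
    [string]$StoreUrl = 'msldap://lds.example.com:50000/CN=DPAuthStore,CN=Program Data,DC=example,DC=com',
    [string]$AppName  = 'DigitalPersona'
)

# Default operations per predefined task, transcribed from the Task Definitions list and spelled
# as in the Authorization Operations list. A spelling difference in your store shows up below as
# "lacks default operation"; confirm against the store before treating it as tampering.
$ExpectedTaskOperations = @{
    'Enroll Customers' = 'Create User','Enroll Customer Credentials','Modify User Info','Set User Account Control'
    'Enroll Employees' = 'Create User','Enroll Employee Credentials','Modify User Info','Set User Account Control'
    'Enroll Self'      = 'Self Create User','Self Enroll Credentials'
    'Enroll Users'     = 'Create User','Enroll Credentials','Modify User Info','Set User Account Control'
    'Manage Licenses'  = 'Activate License'
    'Manage Policies'  = 'Assign Policies','Create Policies','Delete Policies'
    'Manage Self'      = 'Get Own Info','Modify Own Info'
    'Manage Users'     = 'Create User','Delete User','Enroll Credentials','Modify User Info',
                         'Recover User','Set User Account Control','Unlock User Account'
    'Query Self'       = 'Get Own Info'
    'Query Users'      = 'Get User Info'
}
$AttendedTasks = 'Enroll Users','Enroll Employees','Enroll Customers'

$store = New-Object -ComObject AzRoles.AzAuthorizationStore
$store.Initialize(0, $StoreUrl, $null)           # flags 0: open the existing store, never create one
$app = $store.OpenApplication($AppName, $null)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Every predefined task must still carry its default operations. A removed operation is the
#    "failure of the task" the page warns about; an added one is a quiet privilege grant.
foreach ($taskName in $ExpectedTaskOperations.Keys) {
    $task = @($app.Tasks | Where-Object { $_.Name -eq $taskName -and -not $_.IsRoleDefinition })
    if ($task.Count -eq 0) { $findings.Add("task '$taskName' is missing from the store"); continue }
    $expected = @($ExpectedTaskOperations[$taskName])
    $actual   = @($task[0].Operations | Where-Object { $_ })      # Operations returns the operation names
    foreach ($op in $expected) { if ($actual   -notcontains $op) { $findings.Add("task '$taskName' lacks default operation '$op'") } }
    foreach ($op in $actual)   { if ($expected -notcontains $op) { $findings.Add("task '$taskName' has extra operation '$op'") } }
}

# 2. In AzMan a role definition is a task flagged IsRoleDefinition and carries the tasks; a role
#    assignment ($app.Roles) carries the members. Print both so the Local Administrators and
#    Domain Administrators assignments in the role table are verified, not assumed.
foreach ($roleDef in @($app.Tasks | Where-Object { $_.IsRoleDefinition })) {
    $tasks = @($roleDef.Tasks | Where-Object { $_ })
    "role definition '{0}': tasks = {1}" -f $roleDef.Name, ($tasks -join ', ')
    # Important note in Enabling Self-Enrollment: self-enrollment and attended enrollment
    # must not be enabled for the same users; a role granting both is a review item.
    if (($tasks -contains 'Enroll Self') -and ($tasks | Where-Object { $AttendedTasks -contains $_ })) {
        $findings.Add("role definition '$($roleDef.Name)' grants Enroll Self alongside an attended-enrollment task")
    }
}
foreach ($ra in $app.Roles) {
    "role assignment '{0}': Windows members = {1}; AzMan groups = {2}" -f $ra.Name,
        (@($ra.MembersName) -join ', '), (@($ra.AppMembers) -join ', ')
}

# 3. LDAP query groups: print each filter so drift from the two predefined queries is visible.
foreach ($grp in @($app.ApplicationGroups | Where-Object { $_.Type -eq 1 })) {   # 1 = AZ_GROUPTYPE_LDAP_QUERY
    "LDAP query group '{0}': {1}" -f $grp.Name, $grp.LdapQuery
}

if ($findings.Count -gt 0) { "`nFINDINGS:"; $findings | ForEach-Object { " - $_" } }
else { "`nNo deviation from the predefined task definitions." }
```

The script only reads the store; nothing is submitted. Run it after any change made in the AzMan console, and keep its output with the change record so that a later deviation can be traced to an approved edit rather than to tampering with the store.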

Enabling Self-Enrollment

You can enable DigitalPersona users (AD/Employee and LDS/Customer) to enroll and manage their own DigitalPersona LDS credentials by adding the Enroll Self task to the predefined DigitalPersona AD Users or Altus Users role, or to another role that you create.

Important: If you are using DigitalPersona Attended Enrollment to enroll users, self-enrollment should not be enabled for the same group of users.

For non-AD users, the administrator must first create the user records before those users can proceed with self-enrollment via Web Enrollment (the Self Create User operation is available only to Windows AD users). Additionally, the administrator must enable both Enroll Self and Manage Self in the Users Definition Properties dialog.
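The same change can be made from PowerShell instead of the AzMan console. The following script is an added example, not code from the DigitalPersona documentation: it opens the store through the AzRoles.AzAuthorizationStore COM object, adds the predefined Enroll Self and Manage Self tasks to a role definition, and refuses to proceed if that role already carries an attended-enrollment task, which is one way of enforcing the Important note above. The store URL and application name are placeholders (take the real values from Define the Authorization Store Name); the role name defaults to the predefined DigitalPersona AD Users role from the role table. Without the -Commit switch the script only reports what it would change.

```powershell
# Added example (not part of the DigitalPersona documentation): enable self-enrollment by
# adding the predefined "Enroll Self" and "Manage Self" tasks to a role definition through
# the AzMan COM API, with a guard for the page's warning about attended enrollment.
# ASSUMPTIONS: $StoreUrl and $AppName are placeholders (see "Define the Authorization Store
# Name"); $RoleName defaults to the predefined "DigitalPersona AD Users" role from the table.
# Non-AD (Altus) users must already have been created by an administrator, as the page states.
param(
    [string]$StoreUrl = 'msldap://lds.example.com:50000/CN=DPAuthStore,CN=Program Data,DC=example,DC=com',
    [string]$AppName  = 'DigitalPersona',
    [string]$RoleName = 'DigitalPersona AD Users',
    [switch]$Commit                     # without -Commit, report only; nothing is written
)

$SelfServiceTasks = 'Enroll Self','Manage Self'                       # both required by the page
$AttendedTasks    = 'Enroll Users','Enroll Employees','Enroll Customers'

$store = New-Object -ComObject AzRoles.AzAuthorizationStore
$store.Initialize(0, $StoreUrl, $null)                                # flags 0: open existing store
$app = $store.OpenApplication($AppName, $null)

# Role definitions are AzMan tasks flagged IsRoleDefinition; OpenTask throws if the name is unknown.
$roleDef = $app.OpenTask($RoleName, $null)
if (-not $roleDef.IsRoleDefinition) { throw "'$RoleName' is a plain task, not a role definition" }

# The tasks to be added must exist in the store before AddTask will accept them.
$known = @($app.Tasks | ForEach-Object { $_.Name })
foreach ($t in $SelfServiceTasks) {
    if ($known -notcontains $t) { throw "predefined task '$t' not found in application '$AppName'" }
}

$current = @($roleDef.Tasks | Where-Object { $_ })
"Current tasks on role definition '$RoleName': $($current -join ', ')"

# Guard for the Important note: do not combine self-enrollment with attended enrollment for the
# same users. If this role already grants an attended-enrollment task, stop and let a human decide.
$conflict = @($current | Where-Object { $AttendedTasks -contains $_ })
if ($conflict.Count -gt 0) {
    throw "role '$RoleName' already grants attended-enrollment task(s) $($conflict -join ', '); not adding Enroll Self"
}

foreach ($t in $SelfServiceTasks) {
    if ($current -contains $t) { "'$t' is already assigned"; continue }
    if ($Commit) { $roleDef.AddTask($t, $null); "Added '$t'" }
    else         { "Would add '$t' (re-run with -Commit to apply)" }
}

if ($Commit) {
    $roleDef.Submit(0, $null)                                         # changes reach the store only on Submit
    $after = @($app.OpenTask($RoleName, $null).Tasks | Where-Object { $_ })
    "Tasks on '$RoleName' after commit: $($after -join ', ')"
}
```

Run it first without -Commit from a member of the server's Local Administrators group and compare its "Would add" output with the role table; then re-run with -Commit. The attended-enrollment guard is a heuristic on the role's own task list, not a check of which users are enrolled through Attended Enrollment, so the Important note still has to be honoured when choosing the target role.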