Using the Authorization Manager (AzMan)

The DigitalPersona LDS role-based permissions, tasks and operations are managed through the DigitalPersona Authorization Store and the Windows Authorization Manager (AzMan).

The Microsoft Authorization Manager (AzMan) creates and manages an Authorization Store, which serves as a repository for DigitalPersona LDS authorization policies and defines a namespace for DigitalPersona LDS roles, tasks, and operations.

For instructions on opening the DigitalPersona Authorization Store, see Define the Authorization Store Name.

Note: Installation and administration of the Microsoft Authorization Manager Tool should be by a member of the computer's Local Administrators group.

Although the group names, roles and tasks defined by DigitalPersona LDS can be customized, the operations that make up a task cannot be modified. You can change which operations may be performed as part of a given task, but removing a critical operation from a task may result in the failure of the task.

Those roles, tasks and operations defined by default during installation are described below.

The following terms are applied to the Authorization Manager:

Term	Definition
Operations	A set of permissions that are associated with system-level or API-level security procedures such as WriteAttributes or ReadAttributes. Operations are building blocks for tasks.
Tasks	A collection of operations and sometimes other tasks. Well-designed tasks represent recognizable work items (for example, "submit purchase order" or "submit expense").
Groups	There are two types of AzMan groups used by DigitalPersona LDS: Windows Groups - standard Windows Groups of any scope like Local, Global or Universal Groups supported by Windows OS and Active Directory itself. AzMan Groups - the only AzMan group used by DigitalPersona LDS is the LDAP Query Group. In AzMan, you can use LDAP queries to find objects in the DigitalPersona AD LDS or Active Directory databases. You can use an LDAP query to specify an LDAP query group by typing the desired LDAP query in the space provided on the Query tab of the Properties dialog box of the application group.

Term

Definition

Operations

A set of permissions that are associated with system-level or API-level security procedures such as WriteAttributes or ReadAttributes. Operations are building blocks for tasks.

Tasks

A collection of operations and sometimes other tasks. Well-designed tasks represent recognizable work items (for example, "submit purchase order" or "submit expense").

Groups

There are two types of AzMan groups used by DigitalPersona LDS:

Windows Groups - standard Windows Groups of any scope like Local, Global or Universal Groups supported by Windows OS and Active Directory itself.
AzMan Groups - the only AzMan group used by DigitalPersona LDS is the LDAP Query Group. In AzMan, you can use LDAP queries to find objects in the DigitalPersona AD LDS or Active Directory databases. You can use an LDAP query to specify an LDAP query group by typing the desired LDAP query in the space provided on the Query tab of the Properties dialog box of the application group.

LDAP Query Groups

The following LDAP Query Groups are predefined by DigitalPersona LDS:

Group name	LDAP Query	Group description
DigitalPersona AD Users	"(&(objectCategory=userProxy)(objectClass=userProxy))"	All user accounts in DigitalPersona AD LDS database which also exist in the Active Directory database. Active Directory users are automatically added to this group upon enrollment.
Altus Users	"(&(objectCategory=person)(objectClass=user)(dpAccountName=*))"	All user accounts in DigitalPersona AD LDS database which do not exist in the Active Directory database. Users are automatically added to this group upon enrollment if they are not in Active Directory.

To add an additional application group, right click the Group node and selected New Application Group.

Definitions

The Definition node contains two types of definitions - Role Definitions and Tasks Definitions.

Role Definitions

Each AzMan Role has the following properties.

Role Name
List of Users and Groups belonging to the Role
List of AzMan Tasks assigned to this Role

The following DigitalPersona LDS AzMan roles are predefined:

Role name	Group	Default tasks	Role description
DigitalPersona AD Users	Altus AD Users (AzMan Group)	Manage Self	All Active Directory users have this Role assigned. It allows reading and writing public LDAP attributes from/to the DigitalPersona AD LDS database.
Altus Users	Altus Users (AzMan Group)	Manage Self	All DigitalPersona LDS users who do not exist in the Active Directory database have this Role assigned. It allows reading and writing public LDAP attributes from/to the DigitalPersona AD LDS database.
Security Officers	Administrators (Windows Local Group)	Query Users Enroll Users	By default only Windows users which belong to the Local Administrators group on a machine where DigitalPersona LDS Server is installed have this Role assigned. It allows enrolling credentials for any type of user in the DigitalPersona AD LDS database. Domain Administrators are assigned this role automatically during setup.
Administrators	Administrators (Windows Local Group)	Query Users Manage Users Enroll Users Manage Licenses Manage Policies	By default only Windows users which belong to the Local Administrators group on a machine where DigitalPersona LDS Server is installed have this Role assigned. Local administrators are assigned this role automatically during setup. It allows practically any operation on DigitalPersona LDS users.

Tasks Definitions

The following authorization tasks are predefined:

Task	Description
Enroll Customers	User can enroll other customers (non Active Directory users). Default operations included are: Create User, Enroll Customer, Modify User Info and Set User Account Control.
Enroll Employees	User can enroll other employees (Active Directory users). Default operations included are: Create User, Enroll Employee, Modify User Info and Set User Account Control.
Enroll Self	User can enroll their own credentials. Default operations included are: Self Create User and Self Enroll Credentials.
Enroll Users	User can enroll other DigitalPersona users. Default operations included are: Create User, Enroll Credentials and Modify User Info and Set User Account Control.
Manage Licenses	User can activate DigitalPersona LDS licenses and import OTP hardware seed files. Default operations included are: Activate Licenses.
Manage Policies	User can create and manage DigitalPersona LDS policies. Default operations included are: Assign Policies, Create Policies and Delete Policies.
Manage Self	User can manage their own DigitalPersona account. Default operations included are: Get Own Info and Modify Own Info.
Manage Users	User can manage other DigitalPersona users and their accounts. Default operations included are: Create User, Delete User, Enroll Credentials, Modify User Info, Recover User, Set User Account Control and Unlock User Account.
Query Self	User can query the DigitalPersona LDS database for their own information. Default operations included are: Get Own Info.
Query Users	User can query the DigitalPersona LDS database for user information. Default operations included are: Get User Info.

Authorization Operations

The following authorization operations are predefined:

Operation	Description
Activate License	Activates a product license.
Assign Policies	Assigns a policy to a DigitalPersona LDS group.
Create Policies	Create DigitalPersona LDS policy.
Create User	Create DigitalPersona LDS Non AD user record.
Delete Policies	Delete DigitalPersona LDS policies.
Delete User	Delete DigitalPersona LDS Non AD user.
Enroll Credentials	Enroll DigitalPersona LDS Non AD user credentials.
Enroll Customer Credentials	Enroll customer (DigitalPersona LDS Non AD user) credentials.
Enroll Employee Credentials	Enroll employee (AD user) credentials.
Get Own Info	Query DigitalPersona LDS database for own user information (attributes).
Get User Info	Query DigitalPersona LDS database for user information (attributes).
Modify Own Info	Change user’s own DigitalPersona LDS user information.
Modify User Info	Change DigitalPersona LDS user information.
Recover User	Perform user recovery. (This feature is not implemented in the current version. The operation is reserved for future use.)
Self Create User	Create DigitalPersona LDS record. Must be a Windows AD user.
Self Enroll Credentials	Enroll own user credentials without needing Security Officer role.
Set User Account Control	Set User Account control bits.
Unlock User Account	Remove lock from user account.

Enabling Self-Enrollment

You can enable DigitalPersona (AD/Employee and LDS/Customer) users to enroll and manage their own DigitalPersona LDS credentials by Adding the Enroll Self task to the predefined DigitalPersona AD Users or Altus Users role or to another role that you create.

Important: If you are using DigitalPersona Attended Enrollment to enroll users, self-enrollment should not be enabled for the same group of users.

For non-AD users, the administrator needs to first create those users before they can proceed with self-enrollment via Web Enrollment. Additionally, the administrator must enable Enroll Self and Manage Self in the Users Definition Properties dialog.