Configuring Operator Permissions

By default, the HID CMS Operator Portal is accessible for a limited set of predefined roles. You can create roles that have access to this portal and define their permissions.

Scope of Permissions

There are currently two scopes available: Device Management and Help Desk.

Device Management provides access to all the steps needed to issue a device (user search, display user details, add a device, display device details, and recycle a device).

Help Desk provides access to all the steps needed to manage a user's devices (user search, display user details, display device details, terminate a device, and recycle a device).

Default Configuration

Operators who have the predefined Issuance role (in the ActivID CMS Operator Portal) inherit the Device Management scope in the HID CMS Operator Portal. An operator with this role can do anything except terminate a device.

Operators who have the predefined Help Desk role (in the ActivID CMS Operator Portal) inherit the Help Desk scope in the HID CMS Operator Portal. An operator with this role can do anything except issue a device.

Operators who have the predefined Administration role (in the ActivID CMS Operator Portal) inherit both the Device Management and Help Desk scopes in the HID CMS Operator Portal. An operator with this role can do everything, including issuing and terminating devices.

Warning!
If you have modified the predefined roles in the ActivID CMS Operator Portal, these changes are Not taken into account by the inherited scopes in the HID CMS Operator Portal. In this case, it is strongly recommended to review the customization of scopes for roles (see details below).

Customizing Scopes for Roles

In the HID CMS Operator Portal, the mapping between roles and scopes is defined in a configuration file: %PROGRAMDATA%\HID Global\Credential Management System\Shared Files\scopeAssignment.properties. You can modify this file in order to change existing roles or add new ones.

Note: You must restart the CMS Server for any changes to be taken into account.

Each role in the scopeAssignment.properties file is defined using the following attributes:

  • roleWithScope.name.{id}: matches the name of an existing role

  • roleWithScope.scopes.{id}: configures the list of predefined scopes assigned to the role

Note: {id} is a numerical ID to distinguish between the different roles.

For example, the Help Desk role is included by default as shown here:

Copy
roleWithScope.name.2=Help Desk
roleWithScope.scopes.2=Scope.helpdesk
Note: By default, the scopeAssignment.properties file contains the three roles described above (Administration, Help Desk, Issuance).

You can create new roles in the ActivID CMS Operator Portal and assign them to an operator, but you must add these roles to the scopeAssignment.properties file (using the same format shown in the example above) and assign one or more of the predefined scopes to each role.

For example, if you create a role "Full Help Desk" in ActivID CMS and assign it to an operator, you can add this role to the scopeAssignment.properties file as shown below, and assign both predefined scopes to it. This gives full access to the HID CMS Operator Portal for any operators assigned the Full Help Desk role:

Copy
roleWithScope.name.4=Full Help Desk
roleWithScope.scopes.4=Scope.helpdesk,Scope.device_management

It is also possible to modify the default roles present by adding or removing one or more of the predefined scopes, but it is recommended to leave the default configuration.

Note: An operator with a role that does not have any of the predefined scopes assigned to it only has access to the Welcome page.
Important: If you create a role that is set to "Operator Dependent" in ActivID CMS and assign it to a specific group of users, this limitation is taken into account in the HID CMS Operator Portal, provided that you have added this role in the scopeAssignment.properties file.