Maker–Checker Authorization
  • 29 Nov 2024

Article summary

If maker–checker authorization is enabled, certain operations initiated by one administrator (maker) can only be executed after approval and authorization by another administrator (checker).

Maker–checker authorization is an optional feature that can be enabled or disabled in the OneSpan Authentication Server Administration Web Interface to provide an additional layer of authorization. When it is enabled, the setting is replicated system-wide across all OneSpan Authentication Server instances.

This authorization mechanism implements a four-eyes principle: two different administrators are required to complete each of the following administrative operations:

  • Creating a user account
  • Deleting a user account
  • Assigning an authenticator
  • Unassigning an authenticator

Things to consider when using maker–checker authorization

Unassigning an authenticator is protected by maker–checker authorization, but deleting an authenticator currently is not. When an authenticator is deleted, the device is implicitly unassigned before it is removed from the data store, and that implicit unassignment is not subject to maker–checker authorization. This special case therefore allows maker–checker authorization to be bypassed.

An administrator can circumvent maker–checker authorization for unassigning an authenticator simply by deleting the device.

To prevent this, do not grant the Delete DIGIPASS privilege to administrators who also hold the Unassign DIGIPASS privilege and are expected to unassign authenticators in a controlled environment with maker–checker authorization enabled.
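The following is an added illustrative model, not OneSpan Authentication Server code or its API, that covers both the four-eyes workflow described above and the delete-authenticator bypass in this section. The class names, method names, serial numbers and in-memory state are assumptions; only the privilege names Unassign DIGIPASS and Delete DIGIPASS and the list of protected operations come from the article. It shows a maker submitting a protected operation, self-approval being refused, a second administrator completing it, a single administrator holding both privileges unassigning a device with no checker by deleting it, and an audit helper that flags the privilege combination the mitigation says not to grant.

```python
"""Illustrative model of maker-checker (four-eyes) authorization.
Added example; not OneSpan code. Names, serials and state are assumptions."""
from dataclasses import dataclass

# Operations the article lists as protected by maker-checker authorization.
PROTECTED_OPS = {"create_user", "delete_user",
                 "assign_authenticator", "unassign_authenticator"}

# Privilege names as used in the article; the mapping to operations is assumed.
PRIVILEGE_FOR = {
    "unassign_authenticator": "Unassign DIGIPASS",
    "delete_authenticator": "Delete DIGIPASS",
}


@dataclass
class Admin:
    name: str
    privileges: set


@dataclass
class PendingOperation:
    op: str
    target: str
    maker: str


class Server:
    """Minimal stand-in for the server; assignments map serial -> user."""

    def __init__(self, maker_checker=True):
        self.maker_checker = maker_checker
        self.pending = []       # operations waiting for a checker
        self.assignments = {}   # constructed state: serial -> user account

    def _apply(self, op, target):
        """Perform the operation for real; reached only after authorization."""
        if op == "unassign_authenticator":
            self.assignments.pop(target, None)
        elif op == "delete_authenticator":
            # The delete path unassigns implicitly. Because it never enters
            # submit() as an unassign, no checker is involved (the bypass).
            self.assignments.pop(target, None)

    def submit(self, admin, op, target):
        """Maker initiates an operation; protected ones are parked for a checker."""
        needed = PRIVILEGE_FOR.get(op)
        if needed and needed not in admin.privileges:
            raise PermissionError(f"{admin.name} lacks the {needed} privilege")
        if self.maker_checker and op in PROTECTED_OPS:
            self.pending.append(PendingOperation(op, target, admin.name))
            return "pending"
        self._apply(op, target)
        return "applied"

    def approve(self, checker, pending):
        """Checker authorizes a parked operation; must differ from the maker."""
        if checker.name == pending.maker:
            raise PermissionError("maker and checker must be different administrators")
        self.pending.remove(pending)
        self._apply(pending.op, pending.target)
        return "applied"


def demonstrate_four_eyes():
    """Self-approval is refused; a second administrator completes the unassign."""
    srv = Server()
    srv.assignments["VDS1000002"] = "bob"            # constructed sample data
    maker = Admin("alice", {"Unassign DIGIPASS"})
    checker = Admin("carol", {"Unassign DIGIPASS"})
    srv.submit(maker, "unassign_authenticator", "VDS1000002")
    op = srv.pending[0]
    try:
        srv.approve(maker, op)
        self_approved = True
    except PermissionError:
        self_approved = False
    srv.approve(checker, op)
    return self_approved, "VDS1000002" in srv.assignments  # (False, False)


def demonstrate_bypass():
    """One admin holding both privileges unassigns without a checker by deleting."""
    srv = Server()
    srv.assignments["VDS1000001"] = "alice"          # constructed sample data
    mallory = Admin("mallory", {"Unassign DIGIPASS", "Delete DIGIPASS"})
    parked = srv.submit(mallory, "unassign_authenticator", "VDS1000001")
    still_assigned = "VDS1000001" in srv.assignments  # True: waiting for a checker
    deleted = srv.submit(mallory, "delete_authenticator", "VDS1000001")
    gone = "VDS1000001" not in srv.assignments        # True: no checker involved
    return parked, still_assigned, deleted, gone


def admins_able_to_bypass(admins):
    """Audit helper for the mitigation: flag admins holding both privileges."""
    both = {"Unassign DIGIPASS", "Delete DIGIPASS"}
    return sorted(a.name for a in admins if both <= a.privileges)
```

The audit helper is the part worth keeping around: run it over the exported administrator list whenever privileges change, because maker–checker only protects the operations it is wired to, and any administrator who can reach the unprotected delete path can unassign without a second pair of eyes.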

Limitations of maker–checker authorization

The following operations and tools are not supported when maker–checker authorization is enabled:

  • LDAP Synchronization Tool
  • Data Migration Tool (DMT)
  • Authenticator auto-assignment
  • Importing user records from a user import file
  • Importing authenticator records from a DIGIPASS import file and automatically assigning them to user accounts
