OneSpan Authentication Server Administrator Accounts
  • 31 Dec 2024

OneSpan Authentication Server offers a number of different administrative user accounts:

  • First administrator

    The administrative account created during the initial installation of OneSpan Authentication Server Appliance is called the first administrator, also known as the master domain administrator. It has the full set of administrative privileges and full administrative scope. It can access all objects in all domains and organizational units.

  • Global administrator

    Global administrators are not restricted to a domain, and can read and/or write data regardless of the domain to which they belong. Global administrator accounts are created in the master domain, but the administrative privileges assigned to them apply throughout all domains. Global administrators cannot be located in an organizational unit.

  • Delegated administrator

    A delegated administrator is an administrator account that is created in any domain other than master. Their administration privileges only extend to their respective administrative (domain) scopes. Delegated administrators cannot be located in an organizational unit.

  • Organizational unit administrator

    An organizational unit administrator is an administrator account that is created in an organizational unit. Their administration privileges only extend to their respective organizational unit and sub-organizational units.

  • Upgrade administrator

    During a product upgrade, the upgrade administrator is the administrative account selected to obtain all new administrative privileges that were introduced with the new version.

  • Service user

    Service users are a set of specific users required in the context of automated OneSpan Authentication Server administration workflows.

Administrative scope

The administrative scope determines the organizational entities (domains, organizational units) an administrator can operate on. The administrative privileges assigned determine the particular objects and records the administrator can create, view, edit, and update. This includes, but is not limited to:

  • Where user accounts can be created, edited, or deleted, and between which locations they can be moved.
  • Where new authenticators can be imported to.
  • Which authenticators can be selected for manual assignment.
  • Which users, authenticators, organizational units, and domains are included when creating a report.

In general, the administrative scope spans from the level of the respective administrator account down the organizational hierarchy, i.e. it includes the same level as the administrator account and all the organizational entities below. In contrast, for maker–checker authorization you can only select as checker administrators those administrator accounts that are higher up the organizational hierarchy than the maker administrator.

The administrative scope of an administrator can include:

  • The master domain
  • All domains including the master domain
  • Multiple domains excluding the master domain
  • Single domain
  • Organizational units

Administrator level

The administrator level is an optional value that can be used to create an administrator account hierarchy. This hierarchy controls which other administrator accounts any given administrator user can see and interact with.

Non-administrator user accounts can be assigned an administrator level, but it will have no influence or effect.

An account’s administrator level can be found in the OneSpan Authentication Server Administration Web Interface, and is an integer value ranging between 0–255. Administrator accounts can see, edit, or delete any other account that:

  • Has a level number equal to or less than their own.
  • Exists within the same administrator scope.

By default, a new administrator account is created at the same administrator level as the account that created it. The only exception to this is when the system is upgraded from version 3.20 or earlier to version 3.21 or later, in which case all administrator accounts are assigned level 255, meaning that every administrator account can see and interact with every other administrator account.

If you use the Rescue Administrator function to perform an administrator account rescue, the newly recovered account will be created with an administrator level of 255 (100 on OneSpan Authentication Server Appliance).

OneSpan Authentication Server Appliance only allows and uses a value range of 0–100, and the system accounts are all set to 100 by default.

Figure: Example of an administrator level hierarchy

It is not possible for an administrator account to change its own administrator level.
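
The level-and-scope rule above, and the effect of every account being set to level 255 after an upgrade, can be checked against an account inventory. The following is an added example, not OneSpan code: the account names, the "emea" domain, and the simplification that any master-domain account has global scope are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Admin:
    name: str
    level: int        # administrator level: 0-255 (0-100 on the Appliance)
    domain: str       # domain the account was created in
    ou: tuple = ()    # organizational unit path; () = not in an organizational unit

def in_scope(actor, target):
    """Scope spans from the actor's own position down the hierarchy."""
    if actor.domain == "master":      # assumption: master-domain account = global scope
        return True
    if actor.domain != target.domain:
        return False
    return target.ou[:len(actor.ou)] == actor.ou   # same OU or a sub-OU

def can_manage(actor, target):
    """See/edit/delete rule: target level <= own level, and target within scope."""
    return (actor.name != target.name and target.level <= actor.level
            and in_scope(actor, target))

def manage_map(admins):
    return {a.name: sorted(t.name for t in admins if can_manage(a, t)) for a in admins}

def mutual_pairs(admins):
    """Pairs that can edit or delete each other, i.e. no hierarchy between them."""
    return sorted((a.name, b.name) for a in admins for b in admins
                  if a.name < b.name and can_manage(a, b) and can_manage(b, a))

# Constructed inventory: state after an upgrade from 3.20 or earlier (all level 255).
UPGRADED = [
    Admin("root", 255, "master"),
    Admin("ops-eu", 255, "emea"),
    Admin("helpdesk-eu", 255, "emea"),
    Admin("branch-paris", 255, "emea", ("paris",)),
]
# Same accounts after levels are re-assigned to form a hierarchy (constructed values).
RELEVELLED = [
    Admin("root", 255, "master"),
    Admin("ops-eu", 200, "emea"),
    Admin("helpdesk-eu", 100, "emea"),
    Admin("branch-paris", 50, "emea", ("paris",)),
]

if __name__ == "__main__":
    for label, inv in (("after upgrade", UPGRADED), ("re-levelled", RELEVELLED)):
        print(label, "mutual:", mutual_pairs(inv))
        for name, targets in manage_map(inv).items():
            print(f"  {name} -> {targets}")
```

A non-empty result from mutual_pairs marks accounts in the same scope that can edit or delete one another, which is the state to review after an upgrade or an administrator rescue.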

Service users can be authorized by providing credentials within the sessionID SOAP field or the HTTP header as one of the following:

  • As sessionID in the corresponding SOAP field, with the keyword as part of the API key, e.g. Apikey serviceUserId:1234567890abcdef.

  • As HTTP key in the HTTP authorization header, e.g. Authorization: Apikey serviceUserId:1234567890abcdef.

Authorization via HTTP header takes precedence over authorization via session ID!

The logon operation via API key authorization is not audited. If a wrong API key is detected, the user lock count is increased. Administrative users who can log on to OneSpan Authentication Server interactively cannot authorize via API key.

