- 03 Jan 2025
OneSpan Authentication Server Administrator Accounts
OneSpan Authentication Server offers a number of different administrative user accounts:
- First administrator
- Global administrator
- Delegated administrator
- Organizational unit administrator
- Upgrade administrator
- Service user
Administrative scope
The administrative scope determines the organizational entities (domains, organizational units) an administrator can operate on. The administrative privileges assigned determine the particular objects and records the administrator can create, view, edit, and update. This includes, but is not limited to:
- Where a new user account can be created, edited, or deleted, and between which organizational entities it can be moved.
- Where new authenticators can be imported to.
- Which authenticators can be selected for manual assignment.
- Which users, authenticators, organizational units, and domains are included when creating a report.
In general, the administrative scope spans from the level of the respective administrator account down the organizational hierarchy, i.e. it includes the same level as the administrator account and all the organizational entities below. In contrast to this, you can only select administrator accounts as checker administrators for maker–checker authorization that are higher up the organizational hierarchy than the maker administrator.
The administrative scope of an administrator can include:
- The master domain
- All domains including the master domain
- Multiple domains excluding the master domain
- Single domain
- Organizational units
First administrator
The administrative account created during the initial installation of OneSpan Authentication Server Appliance is called the first administrator, also known as the master domain administrator. It has the full set of administrative privileges and full administrative scope. It can access all objects in all domains and organizational units.
Global administrator
After OneSpan Authentication Server Appliance has been installed, the first administrator can assign privileges to global administrators. Global administrators are not restricted to a domain, and can read and/or write data regardless of the domain to which they belong. Global administrator accounts are created in the master domain, but the administrative privileges assigned to them apply throughout all domains. Global administrators cannot be located in an organizational unit.
Figure: Administrative scope – Global administrators
Global administrators can:
- Create and delete domains.
- Assign any domain to another delegated administrator.
- Create and delete organizational units.
A global administrator must have the Access Data in All Domains privilege to be able to access data for all domains. Global administrators who do not have this privilege can only access objects and administrative operations in the master domain.
Delegated administrator
A delegated administrator is an administrator account that is created in any domain other than master. Their administration privileges only extend to their respective administrative (domain) scopes. Delegated administrators cannot be located in an organizational unit. The administrative scope of a delegated administrator is usually limited to a single domain and its organizational units, but can be extended to multiple domains excluding the master domain. The administrative scope (domains) can be extended via the Administration Web Interface when assigning administrative privileges. This can be done by either global administrators (including the first administrator) or delegated administrators.
Figure: Administrative scope – Delegated administrator in domain A
Figure: Administrative scope – Delegated administrator in domain A with access to domain B
Delegated administrators:
- Cannot create or delete domains.
- Cannot edit their own administrative (domain) scope.
- Can only assign domains within their own administrative scope to another delegated administrator. A global administrator (including the first administrator), on the other hand, can assign any domain to another delegated administrator.
- Can create and delete organizational units.
Only the administrative scope of delegated administrators can be edited.
Organizational unit administrator
An organizational unit administrator is an administrator account that is created in an organizational unit. Their administration privileges only extend to their respective organizational unit and sub-organizational units.
Figure: Administrative scope – Organizational unit administrator in OU A1
Organizational unit administrators:
- Cannot create or delete domains.
- Cannot edit domain scopes.
- Can create and delete organizational units.
Upgrade administrator
During a product upgrade, the upgrade administrator is the administrative account selected to obtain all new administrative privileges that were introduced with the new version. This administrator can be the first administrator or any other administrator in the master domain.
To avoid complications, we recommend that you select the first administrator to be the upgrade administrator when upgrading from an earlier version. For OneSpan Authentication Server to function properly, the first administrator's credentials must be provided. If another account is provided, the initial administrative privileges may be lost, and a "Rescue of OneSpan Authentication Server first administrator account" operation may be necessary.
Administrator level
The administrator level is an optional value that can be used to create an administrator account hierarchy. This hierarchy controls which other administrator accounts any given administrator user can see and interact with.
Non-administrator user accounts can be assigned an administrator level, but it has no effect.
An account's administrator level can be found in the OneSpan Authentication Server Administration Web Interface, and is an integer value from 0 to 255. Administrator accounts can see, edit, or delete any other account that:
- Has a level number equal to or less than their own.
- Exists within the same administrator scope.
By default, a new administrator account is created at the same administrator level as the account that created it. The only exception to this is when the system is upgraded from version 3.20 or earlier to version 3.21 or later, in which case all administrator accounts are assigned level 255, meaning that every administrator account can see and interact with every other administrator account.
If you use the Rescue Administrator function to perform an administrator account rescue, the newly recovered account will be created with an administrator level of 255 (100 on OneSpan Authentication Server Appliance).
OneSpan Authentication Server Appliance only allows and uses a value range of 0–100, and the system accounts are all set to 100 by default.
Figure: Example of an administrator level hierarchy
It is not possible for an administrator account to change its own administrator level.
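The scope rules (an administrator reaches its own organizational entity and everything below it, a global administrator in the master domain with the Access Data in All Domains privilege reaches every domain, a delegated administrator's scope may be extended to other non-master domains) and the administrator level rules (equal-or-lower level within scope, a new administrator inherits its creator's level, nobody changes their own level) combine into a single authorization decision. The following is an added example that models those rules; it is not OneSpan code, and the entity names, class layout and function names are assumptions:

```python
"""Model of administrative scope and administrator level (added example).

Illustrative code, not OneSpan's implementation. It encodes the rules stated
in the documentation so the interaction between scope and level can be
checked against a sample hierarchy. Entity names, class layout and the
check functions are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

MASTER = "master"
MAX_LEVEL = 255  # the Appliance edition uses 0..100 instead


@dataclass
class Entity:
    """A domain (parent None) or an organizational unit (parent set)."""
    name: str
    parent: Optional[str] = None


@dataclass
class Account:
    name: str
    entity: str                 # domain or OU in which the account is located
    level: int                  # administrator level, 0..MAX_LEVEL
    is_admin: bool = True
    all_domains: bool = False   # "Access Data in All Domains" privilege
    extra_domains: Set[str] = field(default_factory=set)  # extended delegated scope


class Directory:
    def __init__(self, entities: List[Entity]) -> None:
        self.entities: Dict[str, Entity] = {e.name: e for e in entities}

    def chain(self, name: str) -> List[str]:
        """The entity itself followed by its ancestors up to its domain."""
        out = []
        while name is not None:
            out.append(name)
            name = self.entities[name].parent
        return out

    def domain_of(self, name: str) -> str:
        return self.chain(name)[-1]

    def in_scope(self, admin: Account, entity: str) -> bool:
        """Scope runs from the administrator's own entity down the hierarchy."""
        if admin.all_domains and self.domain_of(admin.entity) == MASTER:
            return True                                   # global administrator
        if admin.entity in self.chain(entity):
            return True                                   # own level and below
        dom = self.domain_of(entity)
        return dom != MASTER and dom in admin.extra_domains  # extended delegated scope

    def can_manage(self, actor: Account, target: Account) -> bool:
        """Administrator level rule combined with the scope rule."""
        if not actor.is_admin:
            return False   # a level on a non-administrator account has no effect
        if target.is_admin and target.level > actor.level:
            return False   # target sits higher in the level hierarchy
        return self.in_scope(actor, target.entity)

    def create_admin(self, creator: Account, name: str, entity: str) -> Account:
        """New administrators inherit the creator's level and must lie in scope."""
        if not creator.is_admin or not self.in_scope(creator, entity):
            raise PermissionError(f"{creator.name} cannot create accounts in {entity}")
        return Account(name=name, entity=entity, level=creator.level)

    def set_level(self, actor: Account, target: Account, level: int) -> None:
        """Change a level: never one's own, never out of range, never outside scope."""
        if actor.name == target.name:
            raise PermissionError("an account cannot change its own administrator level")
        if not 0 <= level <= MAX_LEVEL:
            raise ValueError("level out of range")
        if not self.can_manage(actor, target):
            raise PermissionError(f"{actor.name} cannot edit {target.name}")
        target.level = level


def build_demo() -> Directory:
    """Constructed sample hierarchy: master domain, domain A (OUs A1, A1a), domain B."""
    return Directory([
        Entity(MASTER), Entity("A"), Entity("B"),
        Entity("A1", parent="A"), Entity("A1a", parent="A1"),
    ])
```

Running `build_demo()` and calling `can_manage` with a delegated administrator in domain A and an organizational unit administrator in A1 shows the asymmetry the text describes: the domain administrator can manage the OU administrator at the same level, but not the reverse, because domain A is outside the OU administrator's scope. A master-domain administrator without the Access Data in All Domains privilege only passes `in_scope` for master-domain entities.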
Service user
Service users are a set of specific users required in the context of automated OneSpan Authentication Server administration workflows.
Service users require administrative privileges, just like human or interactive users. In contrast to human or interactive users, however, certain limitations apply:
- A service user cannot log on interactively to components such as the Administration Web Interface.
- Password policies do not apply and service user passwords do not expire.
- Service users authorize each administrative operation individually via the API key that is generated by OneSpan Authentication Server.
This key is displayed when the relevant user account is edited. Once the changes are saved, the API key is set as the user password.
The Service User option is only available for existing users and cannot be set when creating a user account.
To convert a user into a service user, in the Administration Web Interface select the relevant user and navigate to the User Account page. Click Edit. The Service User options are now available.
Service user authorization
Service users can be authorized by providing credentials within the sessionID SOAP field or the HTTP header as one of the following:
- As sessionID in the corresponding SOAP field, with the Apikey keyword preceding the API key, e.g. Apikey serviceUserId:1234567890abcdef.
- As HTTP key in the HTTP authorization header, e.g. Authorization: Apikey serviceUserId:1234567890abcdef.
Authorization via HTTP header takes precedence over authorization via session ID!
The logon operation via API key authorization is not audited. If a wrong API key is detected, the user lock count is increased. Administrative users who can log on to OneSpan Authentication Server interactively cannot authorize via API key.
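The following is an added example, not OneSpan code, of how a server-side check for the two credential forms described above can be modelled: the same "Apikey serviceUserId:apiKey" string arrives either in the HTTP Authorization header or in the sessionID SOAP field, the header takes precedence, a wrong key increases the user's lock count, and accounts that can log on interactively are refused API key authorization. The store layout, the lock threshold, and the function names are assumptions.

```python
"""Illustrative server-side check for service-user API key authorization.

Added example, not OneSpan's implementation. Models the credential forms and
rules the documentation states; store layout, LOCK_THRESHOLD and helper
names are assumptions.
"""
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

LOCK_THRESHOLD = 3  # assumed value; the real limit is a server-side policy setting


@dataclass
class UserRecord:
    user_id: str
    api_key: str           # set as the user's password when the service user flag is saved
    service_user: bool     # False means an interactive account
    lock_count: int = 0

    @property
    def locked(self) -> bool:
        return self.lock_count >= LOCK_THRESHOLD


def parse_apikey_credential(value: Optional[str]) -> Optional[Tuple[str, str]]:
    """Parse 'Apikey <serviceUserId>:<apiKey>'; return None for anything else."""
    if not value:
        return None
    scheme, _, rest = value.strip().partition(" ")
    if scheme.lower() != "apikey" or ":" not in rest:
        return None
    user_id, _, key = rest.partition(":")
    if not user_id or not key:
        return None
    return user_id, key


def select_credential(headers: Dict[str, str],
                      session_id: Optional[str]) -> Optional[Tuple[str, str]]:
    """HTTP Authorization header takes precedence over the sessionID SOAP field.

    Design choice: when the header is present at all, its parse result is
    final, so a malformed header never silently falls back to the session field.
    """
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    if auth is not None:
        return parse_apikey_credential(auth)
    return parse_apikey_credential(session_id)


def authorize(store: Dict[str, UserRecord], headers: Dict[str, str],
              session_id: Optional[str]) -> Tuple[bool, str]:
    """Decide one administrative operation; every call is authorized individually."""
    cred = select_credential(headers, session_id)
    if cred is None:
        return False, "no API key credential"
    user_id, key = cred
    rec = store.get(user_id)
    if rec is None:
        return False, "unknown user"
    if not rec.service_user:
        return False, "interactive administrators cannot authorize via API key"
    if rec.locked:
        return False, "account locked"
    # constant-time comparison; a wrong key increases the lock count
    if not hmac.compare_digest(rec.api_key.encode(), key.encode()):
        rec.lock_count += 1
        return False, "invalid API key"
    return True, "ok"


def demo_store() -> Dict[str, UserRecord]:
    """Constructed sample records: one service user, one interactive administrator."""
    return {
        "svc": UserRecord("svc", "1234567890abcdef", service_user=True),
        "alice": UserRecord("alice", "interactive-password", service_user=False),
    }
```

Because the logon via API key is not audited, the lock count on service user records is the signal a defender has for repeated wrong keys; the example exposes it on the record so it can be read by monitoring.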
Service user sessions and performance
Service users and interactive users use separate session stores and configuration settings for session handling, such as the maximum number of concurrent sessions and maximum session length. By default, service users and interactive users have the same initial session configuration settings, except that service user sessions are not stored in the persistent cache. You can configure and tweak the settings for both separately via the vdsConfiguration table in the database, depending on your environment and use cases.
You can configure the settings for interactive administrative sessions in the global configuration settings (via the Administration Web Interface).