Setting up maker–checker authorization
  • 08 Jan 2025

Before you can use maker–checker authorization, you need to prepare your OneSpan Authentication Server environment to ensure correct operation.

This includes the following:

  • Setting up at least one maker administrator and one checker administrator.
    • Creating/configuring the administrator accounts.
    • Configuring the user email settings.
    • Assigning the required privileges.
  • Setting up maker–checker authorization notifications.
    • Configuring the notification templates.
    • Configuring the mail server.
    • Setting up Message Delivery Component (MDC).
  • Enabling maker–checker authorization.

Before you begin

  • Ensure that you have administrative access to the OneSpan Authentication Server Administration Web Interface.
  • Ensure that you have the Update User, the Set Administrative Privileges, the Set Global Configuration Options, and the Enable/Disable Maker–Checker privileges assigned. Furthermore, ensure that any privilege you want to assign to a possible maker administrator or checker administrator is already assigned to you.

Setting up the user accounts for maker–checker authorization

The maker–checker authorization process requires at least two different administrative user accounts, i.e. one maker administrator and one checker administrator.

To configure the user account for the maker administrator

  1. Log on to the Administration Web Interface.
  2. If required, create a user account for the maker administrator (see Creating a user account).
  3. Switch to the USERS tab.
  4. Select the maker administrator.
  5. Configure the user email settings:

    1. Switch to the User Account tab.

    2. Click EDIT.

    3. Specify the email address of the maker administrator in the Email Address box.

      If you do not configure an email address for the maker administrator, the maker administrator will not receive any notifications when pending operations are approved or rejected by a checker administrator.

    4. Click OK.

  6. Configure the administrative privileges:

    1. Switch to the Admin Privileges tab.

    2. Verify the administrative privileges of the maker administrator.

      Assign all privileges required by the maker administrator to perform the respective administrative operations, e.g. Create User. Optionally, assign the Delete Pending Operation privilege to allow the maker administrator to delete pending operations (regardless of their state) created by other maker administrators. Maker administrators can always delete their own pending operations.

      An administrator can circumvent maker–checker authorization for unassigning an authenticator by simply deleting the device.

      To prevent this, do not assign the Delete DIGIPASS privilege to administrators who also have the Unassign DIGIPASS privilege and are supposed to unassign authenticators in a controlled environment with maker–checker authorization enabled.

    3. Click SAVE.

To configure the user account for the checker administrator

  1. Log on to the Administration Web Interface.
  2. If required, create a user account for the checker administrator (see Creating a user account).

    In general, the administrative scope of an administrator account extends from its own level down the organizational hierarchy, i.e. it includes the level of the administrator account and all organizational entities below it. In contrast, only administrator accounts that are higher up the organizational hierarchy than the maker administrator can be selected as checker administrators for maker–checker authorization.

  3. Switch to the USERS tab.
  4. Select the checker administrator.
  5. Configure the user email settings:

    1. Switch to the User Account tab.

    2. Click EDIT.

    3. Specify the email address of the checker administrator in the Email Address box.

      If you do not configure an email address for the checker administrator, the checker administrator will not receive any notifications when new pending operations await approval.

    4. Click OK.

  6. Configure the administrative privileges:

    1. Switch to the Admin Privileges tab.

    2. Verify the administrative privileges of the checker administrator.

      A checker administrator requires at least the Administrative Logon and the Approve/Reject Pending Operation privileges. Optionally, assign the Delete Pending Operation privilege to allow the checker administrator to delete pending operations (regardless of their state).

    3. Click SAVE.
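
The account requirements from the two procedures above can be checked in one pass over a list of administrator accounts. The following is an added example, not OneSpan code: the record layout (name, role, email, privileges) and the sample accounts are constructed for illustration and do not correspond to any OneSpan Authentication Server export or API.

```python
# Added example: audit administrator accounts against the maker-checker
# guidance above. The record layout is a hypothetical export format,
# not a OneSpan Authentication Server API.

CHECKER_REQUIRED = {"Administrative Logon", "Approve/Reject Pending Operation"}
BYPASS_PAIR = {"Unassign DIGIPASS", "Delete DIGIPASS"}


def audit_admins(admins):
    """Return a sorted list of (account, finding) tuples."""
    findings = []
    for admin in admins:
        name = admin["name"]
        privs = set(admin.get("privileges", []))
        # Without an email address the account receives no notifications.
        if not (admin.get("email") or "").strip():
            findings.append((name, "no email address configured"))
        # A checker needs at least these two privileges.
        if admin.get("role") == "checker":
            for missing in sorted(CHECKER_REQUIRED - privs):
                findings.append((name, f"checker lacks privilege: {missing}"))
        # Holding both privileges allows deleting the device instead of
        # submitting the unassign operation for approval.
        if BYPASS_PAIR <= privs:
            findings.append((name, "holds both Unassign DIGIPASS and Delete DIGIPASS"))
    # Maker-checker needs at least one account in each role.
    roles = {admin.get("role") for admin in admins}
    for needed in ("maker", "checker"):
        if needed not in roles:
            findings.append(("<environment>", f"no {needed} administrator defined"))
    return sorted(findings)


# Constructed sample accounts for illustration only.
SAMPLE_ADMINS = [
    {"name": "maker01", "role": "maker", "email": "maker01@example.com",
     "privileges": ["Administrative Logon", "Create User", "Unassign DIGIPASS"]},
    {"name": "maker02", "role": "maker", "email": "",
     "privileges": ["Administrative Logon", "Unassign DIGIPASS", "Delete DIGIPASS"]},
    {"name": "checker01", "role": "checker", "email": "checker01@example.com",
     "privileges": ["Administrative Logon"]},
]

if __name__ == "__main__":
    for account, finding in audit_admins(SAMPLE_ADMINS):
        print(f"{account}: {finding}")
```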

Setting up maker–checker authorization notifications

During the maker–checker authorization process, different notifications are sent to the respective users involved.

Currently, maker–checker authorization notifications can only be sent via email.

To configure the notification templates for maker–checker authorization

  1. Log on to the Administration Web Interface.
  2. Select SERVERS > Global Configuration.
  3. Switch to the Maker-Checker tab.
  4. Click EDIT.
  5. Configure the notification templates in the Email Notification section according to your requirements.

    For more information about the particular settings, refer to the OneSpan Authentication Server Administrator Reference.

  6. Click SAVE.

Setting up the mail server

The Message Delivery Component (MDC) service requires a third-party mail server to send messages to a user via email. This is not included in the OneSpan Authentication Server package.

Set up an account for MDC to allow it to send email notifications via the mail server. For more information, refer to your mail server's product documentation.

Setting up Message Delivery Component (MDC)

Message Delivery Component (MDC) is included in the OneSpan Authentication Server setup and can be installed during the installation of OneSpan Authentication Server.

To send maker–checker authorization notifications, you need to install and set up MDC for email delivery (see Configuring email delivery).

Enabling maker–checker authorization

When you have set up and prepared all prerequisites to use maker–checker authorization, you can enable it (see Enabling and disabling maker–checker authorization).

