3.4 Roles and groups
The features you can access in the MyID Operator Client depend on your role as an operator, and the roles you can have depend on which group you belong to.
To specify which roles are available to each group, you must use the
To specify which features are available to each role, you must use the Edit Roles workflow in MyID Desktop; see the Roles section in the Administration Guide for details.
The options that appear in the Edit Roles workflow in MyID Desktop map to the features in the MyID Operator Client in the following way:
Option in Edit Roles | MyID Operator Client features |
---|---|
Add Person | View Person Add Person View Persons Images Browse Groups Browse |
Cancel Request | View Request Search Requests Browse Groups Browse |
Directory Sync | Synchronize a Person with a Directory |
Edit Person | View Person Search Person View Persons Images Disable Person Enable Person Browse Groups Browse Browse Directory Root Browse Directory Groups Search Person (Directory) View Person (Directory) Edit Person (Directory) View Person Search Person Edit Person View Persons Images Disable Person Enable Person Browse Groups Browse Browse Directory Root Browse Directory Groups Search Person (Directory) View Person (Directory) Edit Person (Directory) |
Edit PIV Applicant | View Person Search Person View Persons Images Disable Person Enable Person Browse Groups Browse Browse Directory Root Browse Directory Groups Search Person (Directory) View Person (Directory) Edit Person (Directory) Edit PIV Applicant View Person Search Person View Persons Images Disable Person Enable Person Browse Groups Browse Browse Directory Root Browse Directory Groups Search Person (Directory) View Person (Directory) Edit Person (Directory) |
Identify Card | View Device Search Device Device Requests |
Request Card | View Person Search Person Devices Request Device Requests View Persons Images Persons Available Credential Profiles View Request Search Requests Browse Groups Browse Browse Directory Root Browse Directory Groups Search Person (Directory) View Person (Directory) Request Device Persons Credential Profiles (Directory) |
Request Replacement Card | View Person Search Person Devices Requests View Persons Images Persons Available Credential Profiles Request Replacement Device View Request Search Requests |
Validate Request | View Request Approve Request Search Requests Reject Request Jobs Available Credential Profiles Browse Groups Browse |
View Person | View Person Search Person Devices Requests View Persons Images View Request Search Requests Browse Groups Browse Browse Directory Root Browse Directory Groups Search Person (Directory) View Person (Directory) |
View User Audit | View Person Search Person History Browse Groups Browse |
3.4.1 Roles example
For example:
- Operator Andrea is in the HR group. This group has access to the roles Standard Operator (which has access to the View Person feature) and Data Entry (which has access to the Edit Person and Add Person features). With these two roles, Andrea can search for people, view their details, edit their details, and add new people, but cannot request devices.
- Operator Boris is in the IT group. This group has the Standard Operator role, as above, and the Device Operator role, which has access to the Request Card feature (this provides access to the Request Device option in the MyID Operator Client; the corresponding workflow in MyID Desktop is called Request Card, hence the name). Boris can search for people, view their details, and request devices for them, but cannot edit their details or add new people.
- Operator Charley is in the HR group like Andrea, but while the group has access to the Standard Operator and Data Entry roles, Charley has been assigned only the Standard Operator role. Charley can search for people and view their details, but cannot request devices, edit their details, or add new people.
3.4.2 Scope
The extent to which operators can carry out actions for people is determined by their scope. For example, if Andrea is in charge of data entry for the HR department, you may want to restrict her to viewing, editing, and adding people only in the HR group and its subgroups; in this case, you would give Andrea the Standard Operator and Data Entry roles with a scope of Division. Charley, on the other hand, has wider responsibilities, and can search for and view people throughout the system with the Standard Operator role and a scope of All.
For more information, see the Scope and security section in the Administration Guide.
3.4.3 Administrative groups
You may not want the scope of an operator to be determined by their own group. For example, Andrea is in the HR department, but may be given extra responsibility for working with people in the Finance department. To manage this, instead of simply giving Andrea a scope of All, you can give Andrea one or more administrative groups. For example, you can add the Finance group as one of Andrea's administrative groups, and Andrea can work with members of the Finance group as well as her own HR group.
For more information on working with administrative groups in the MyID Operator Client, see section 4.9, Working with administrative groups.
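The following added example (not MyID code, and not taken from the MyID documentation) models how group role availability, assigned roles, scope and administrative groups combine for the three operators above, as a way to review effective access. Assumptions: the feature sets are abbreviated from the mapping table, scope is stored per assigned role, administrative groups match by exact group name, and Boris's scope and the HR-Payroll subgroup are constructed.

```python
# Illustrative model of the page's roles/scope rules; not MyID code.
# Feature sets are abbreviated from the Edit Roles mapping table.
OPTION_FEATURES = {
    "View Person": {"View Person", "Search Person"},
    "Edit Person": {"View Person", "Search Person", "Edit Person"},
    "Add Person": {"View Person", "Add Person"},
    "Request Card": {"View Person", "Search Person", "Request Device"},
}
ROLE_OPTIONS = {  # role -> Edit Roles options, from the roles example
    "Standard Operator": {"View Person"},
    "Data Entry": {"Edit Person", "Add Person"},
    "Device Operator": {"Request Card"},
}
GROUP_ROLES = {  # roles available to each group
    "HR": {"Standard Operator", "Data Entry"},
    "IT": {"Standard Operator", "Device Operator"},
}
PARENT = {"HR-Payroll": "HR"}  # constructed subgroup of HR

# Assumed shape: each assigned role carries its own scope.
ANDREA = {"group": "HR", "admin_groups": {"Finance"},
          "roles": {"Standard Operator": "Division", "Data Entry": "Division"}}
BORIS = {"group": "IT", "admin_groups": set(),  # scope of All is constructed
         "roles": {"Standard Operator": "All", "Device Operator": "All"}}
CHARLEY = {"group": "HR", "admin_groups": set(),
           "roles": {"Standard Operator": "All"}}

def excluded_roles(op):
    """Assigned roles that the operator's group does not make available."""
    return set(op["roles"]) - GROUP_ROLES.get(op["group"], set())

def in_division(target, group):
    """True if target is the group itself or one of its subgroups."""
    while target is not None:
        if target == group:
            return True
        target = PARENT.get(target)
    return False

def can_act(op, feature, target_group):
    """Does a permitted role grant the feature with a scope covering the target?"""
    for role in set(op["roles"]) - excluded_roles(op):
        grants = any(feature in OPTION_FEATURES[o] for o in ROLE_OPTIONS[role])
        covers = (op["roles"][role] == "All"
                  or in_division(target_group, op["group"])
                  or target_group in op["admin_groups"])
        if grants and covers:
            return True
    return False
```

Running `excluded_roles` over every operator record is a quick way to find role assignments that the operator's group does not permit.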
3.4.4 Known issues
- IKB-330 – Restricted roles displayed for selection in the MyID Operator Client
If you have the Restrict Roles on Child Groups configuration option set to Yes, the roles available for selection are limited; however, there is an issue in the MyID Operator Client where the list of roles available for selection is not restricted correctly. If you select a role that is not permitted, an error similar to the following appears when you try to save the person's record:
WS50020 – A requested role has been excluded through the application of group role restrictions