4.5 Scope and security
When a person is added to MyID, an operator assigns a role or roles and can also specify the scope of those roles. Five options are available; from narrowest to widest range, these are:
- None – the person is not assigned to this role.
- Self – this limits the scope to the person’s own record.
- Department – all people in the same group as the holder.
- Division – all people in the same group as the holder or a sub-group of it.
- All – the role can be performed in relation to anyone.
Note: If a user is imported from an LDAP directory, scope affects not only which MyID groups that user can work with, but also which groups within the LDAP the user can work with using MyID. For example, a user who has a scope other than All may not be able to view all the users in the LDAP directory when trying to import users into MyID.
For more information about configuring LDAP and scope, contact customer support.
Scope can give a user the ability to make very significant changes for some workflows. For example, if a user has a scope larger than Self for the Change Security Phrases workflow, they can potentially change the logon security phrases for a large number of users without any further authentication or confirmation. We recommend that you assign workflows with the potential to make this level of change to a separate role, and grant this role to users with a scope of Self unless you want them to be able to change other users' devices and records.
Workflows that you may want to assign to a separate role and restrict to Self are:
- Change Security Phrases
- Request Replacement Card
The following workflows are safe to assign with a wider scope, as they are constrained to work on your own account or credentials whatever the scope:
- Collect My Card
- Collect My Device
- Recover My Certificates
- Change My Security Phrase
Note: When adding or editing another person's user account, you cannot set a scope higher than your own level.
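The scope levels listed above, the rule that an operator cannot grant a scope higher than their own, and the recommendation to keep high-impact workflows at Self can be expressed as a small access check and a role-assignment audit. The following is an added example written for this page, not MyID's own code or API: the "/"-separated group-path representation, the person names, and the sample role assignments are all constructed assumptions.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import List, Optional, Tuple


class Scope(IntEnum):
    """Role scope levels from narrowest to widest, as listed in section 4.5."""
    NONE = 0
    SELF = 1
    DEPARTMENT = 2
    DIVISION = 3
    ALL = 4


@dataclass(frozen=True)
class Person:
    name: str
    # Assumed representation: a "/"-separated group path such as "Corp/Sales/EMEA".
    # None models a non-directory user, who has no position in the group tree.
    group: Optional[str]


def is_same_or_subgroup(candidate: str, parent: str) -> bool:
    """True when candidate is parent itself or a group nested anywhere under it."""
    return candidate == parent or candidate.startswith(parent + "/")


def in_scope(holder: Person, scope: Scope, target: Person) -> bool:
    """Decide whether a holder acting under `scope` may operate on target's record."""
    if scope == Scope.NONE:
        return False
    if scope == Scope.ALL:
        return True
    if holder.name == target.name:
        return True  # a person's own record is covered by every scope above None
    if scope == Scope.SELF:
        return False
    if holder.group is None or target.group is None:
        # No directory position on one side, so Department/Division membership
        # cannot be established: deny. (Known issue IKB-303 on this page reports
        # that MyID itself gives non-directory users an effective scope of All;
        # this function models the intended check, not that behaviour.)
        return False
    if scope == Scope.DEPARTMENT:
        return holder.group == target.group
    return is_same_or_subgroup(target.group, holder.group)  # Scope.DIVISION


def can_assign_scope(assigner_scope: Scope, requested: Scope) -> bool:
    """An operator cannot set a scope higher than their own level (note in 4.5)."""
    return requested <= assigner_scope


# Workflows the page recommends isolating in a separate role restricted to Self.
HIGH_IMPACT_WORKFLOWS = {"Change Security Phrases", "Request Replacement Card"}
# Workflows the page describes as safe at any scope (they only act on the holder's own account).
SELF_CONSTRAINED_WORKFLOWS = {"Collect My Card", "Collect My Device",
                              "Recover My Certificates", "Change My Security Phrase"}

Assignment = Tuple[str, str, Scope]  # (person name, workflow, scope)


def audit_assignments(assignments: List[Assignment]) -> List[Assignment]:
    """Return high-impact workflow grants whose scope is wider than Self."""
    return [a for a in assignments
            if a[1] in HIGH_IMPACT_WORKFLOWS and a[2] > Scope.SELF]


# Constructed sample people and assignments (not taken from the page).
ALICE = Person("alice", "Corp/Sales")
BOB = Person("bob", "Corp/Sales")
CAROL = Person("carol", "Corp/Sales/EMEA")
DAVE = Person("dave", "Corp/IT")
EVE = Person("eve", None)  # non-directory user

SAMPLE_ASSIGNMENTS: List[Assignment] = [
    ("alice", "Change Security Phrases", Scope.DIVISION),  # should be flagged
    ("alice", "Change My Security Phrase", Scope.ALL),     # fine: self-constrained
    ("bob", "Request Replacement Card", Scope.SELF),       # fine: restricted to Self
    ("dave", "Request Replacement Card", Scope.ALL),       # should be flagged
]

if __name__ == "__main__":
    checks = [(ALICE, Scope.DEPARTMENT, BOB), (ALICE, Scope.DEPARTMENT, CAROL),
              (ALICE, Scope.DIVISION, CAROL), (ALICE, Scope.DIVISION, DAVE),
              (EVE, Scope.DIVISION, BOB)]
    for holder, scope, target in checks:
        print(f"{holder.name} ({scope.name}) -> {target.name}: {in_scope(holder, scope, target)}")
    for name, workflow, scope in audit_assignments(SAMPLE_ASSIGNMENTS):
        print(f"review: {name} holds '{workflow}' with scope {scope.name}")
```

The audit list is the kind of check worth running after any role change: a hit means a workflow the page singles out as high-impact has been granted with a scope that lets its holder act on other people's records.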
4.5.1 Known issues
- IKB-303 – Non-directory users have effective scope of All over the directory
If you have a combination of directory users and non-directory users in your MyID system, any non-directory user has an effective scope of All over the directory; they can access the records of any directory users. Directory users are correctly given scope based on their position in the directory, but non-directory users do not have a position in the directory, and are therefore given a scope of All.