3.4 Roles and groups
The features you can access in the MyID Operator Client depend on your role as an operator, and the roles you can have depend on which group you belong to.
To specify which roles are available to each group, you must use the
To specify which features are available to each role, you must use the Edit Roles workflow; see the Roles section in the Administration Guide for details.
The options that appear in the Edit Roles workflow map to the features in the MyID Operator Client in the following way:
Option in Edit Roles | MyID Operator Client feature |
---|---|
Add Group | View Group, Search Group, Add Group |
Add Person | View Person, Add Person, View Person's Images, Search Group, Browse Groups, Browse |
Amend Group | View Group, Search Group, Edit Group |
Approve Person | View Person, Search Person, View Person's Images, Search Group, Browse Groups, Browse |
Cancel Credential | View Person, Search Person, Devices, View Device, Search Device, Cancel Device, Search Group, Browse Groups, Browse |
Cancel Request | View Request, Search Requests, Search Group, Browse Groups, Browse |
Edit Person | View Person, Search Person, Edit Person, View Person's Images, Disable Person, Enable Person, Search Group, Edit Person (Directory), Browse Groups, Browse, Browse Directory Root, Browse Directory Groups, Search Person (Directory), View Person (Directory) |
Edit PIV Applicant | View Person, Search Person, View Person's Images, Disable Person, Enable Person, Search Group, Browse Groups, Edit PIV Applicant, Browse, Browse Directory Root, Browse Directory Groups, Search Person (Directory), View Person (Directory), Edit Person (Directory) |
Identify Card | View Device, Search Device, Device Certificates, Device Requests |
Remove Group | View Group, Search Group, Remove Group |
Remove Person | View Person, Search Person, Remove Person, Search Group, Browse Groups, Browse |
Request Card | View Person, Search Person, Devices, Request Device, Requests, View Person's Images, Browse Directory Groups, Search Person (Directory), View Person (Directory), Person's Credential Profiles (Directory), Person's Available Credential Profiles, View Request, Search Requests, Search Group, Browse Groups, Browse, Browse Directory Root |
Request Replacement Card | View Person, Search Person, Devices, Requests, View Person's Images, Person's Available Credential Profiles, Request Replacement Device, Request Device Renewal, Device Available Credential Profiles, View Request, Search Requests |
Unapprove Person | View Person, Search Person, View Person's Images, Search Group, Browse Groups, Browse |
Validate Request | View Request, Approve Request, Search Requests, Reject Request, Job's Available Credential Profiles, Search Group, Browse Groups, Browse |
View Person | View Person, Search Person, Devices, Requests, View Person's Images, View Request, View Person (Directory), Search Requests, Search Group, Browse Groups, Browse, Browse Directory Root, Browse Directory Groups, Search Person (Directory) |
View User Audit | View Person, Search Person, History, Search Group, Browse Groups, Browse, View Audit, Audit Details |
3.4.1 Roles example
For example:
- Operator Andrea is in the HR group. This group has access to the roles Standard Operator (which has access to the View Person feature) and Data Entry (which has access to the Edit Person and Add Person features). With these two roles, Andrea can search for people, view their details, edit their details, and add new people, but cannot request devices.
- Operator Boris is in the IT group. This group has the Standard Operator role, as above, and the Device Operator role, which has access to the Request Card feature (this provides access to the Request Device option in the MyID Operator Client; the corresponding workflow in MyID Desktop is called Request Card, hence the name). Boris can search for people, view their details, and request devices for them, but cannot edit their details or add new people.
- Operator Charley is in the HR group like Andrea, but while the group has access to the Standard Operator and Data Entry roles, Charley has been assigned only the Standard Operator role. Charley can search for people and view their details, but cannot request devices, edit their details, or add new people.
3.4.2 Scope
The extent to which operators can carry out actions for people is determined by their scope. For example, if Andrea is in charge of data entry for the HR department, you may want to restrict her to viewing, editing, and adding people only in the HR group and its subgroups; in this case, you would give Andrea the Standard Operator and Data Entry roles with a scope of Division. Charley, on the other hand, has wider responsibilities, and can search for and view people throughout the system with the Standard Operator role and a scope of All.
For more information, see the Scope and security section in the Administration Guide.
3.4.3 Administrative groups
You may not want the scope of an operator to be determined by their own group. For example, Andrea is in the HR department, but may be given extra responsibility for working with people in the Finance department. To manage this, instead of simply giving Andrea a scope of All, you can give Andrea one or more administrative groups. For example, you can add the Finance group as one of Andrea's administrative groups, and Andrea can work with members of the Finance group as well as her own HR group.
For more information on working with administrative groups in the MyID Operator Client, see section 4.12, Working with administrative groups.
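The following sketch is an added example, not part of the MyID product or its documentation: it models how an operator's group, assigned roles, scope, and administrative groups from sections 3.4.1 to 3.4.3 combine into a yes/no decision for one feature and one target group. The subgroup names, Boris's scope, and the rule that a Division scope also extends to the subgroups of an administrative group are assumptions made for the illustration.

```python
# Added illustration: a constructed model, not MyID code or a MyID API.
# Option -> feature rows are an abbreviated subset of the table in 3.4.
OPTION_FEATURES = {
    "View Person": {"View Person", "Search Person", "Devices", "Requests"},
    "Edit Person": {"View Person", "Search Person", "Edit Person"},
    "Add Person": {"View Person", "Add Person"},
    "Request Card": {"View Person", "Search Person", "Request Device"},
}
ROLE_OPTIONS = {  # role -> Edit Roles options, per the 3.4.1 example
    "Standard Operator": {"View Person"},
    "Data Entry": {"Edit Person", "Add Person"},
    "Device Operator": {"Request Card"},
}
GROUP_ROLES = {  # roles each group makes available
    "HR": {"Standard Operator", "Data Entry"},
    "IT": {"Standard Operator", "Device Operator"},
}
PARENT = {"HR Payroll": "HR", "Finance Audit": "Finance"}  # constructed subgroups
# operator -> (own group, {assigned role: scope}, administrative groups)
OPERATORS = {
    "Andrea": ("HR", {"Standard Operator": "Division", "Data Entry": "Division"}, {"Finance"}),
    "Boris": ("IT", {"Standard Operator": "Division", "Device Operator": "Division"}, set()),
    "Charley": ("HR", {"Standard Operator": "All"}, set()),
}

def in_subtree(group, root):
    """True if group is root or one of its descendants."""
    while group is not None:
        if group == root:
            return True
        group = PARENT.get(group)
    return False

def features_of(role):
    """Operator Client features a role unlocks through its Edit Roles options."""
    return set().union(*(OPTION_FEATURES[o] for o in ROLE_OPTIONS[role]))

def can(operator, feature, target_group):
    """May this operator use `feature` on a person in `target_group`?"""
    own, roles, admin = OPERATORS[operator]
    for role, scope in roles.items():
        if role not in GROUP_ROLES[own] or feature not in features_of(role):
            continue  # role unavailable to the group, or lacks the feature
        # Assumption: Division covers the own group and each administrative
        # group, including their subgroups; All covers every group.
        if scope == "All" or any(in_subtree(target_group, r) for r in {own} | admin):
            return True
    return False
```

Running the same check across every operator, feature, and group gives a least-privilege review matrix: any cell that is true without a business reason points at a role, scope, or administrative group to tighten.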