3.5 Self-Service App features
Control over which actions and tasks are available to Self-Service App users is maintained within MyID by using the standard roles mechanism. The user must be granted a role that has access to the correct workflows.
Use the Edit Roles workflow to specify which actions and task types are available.
3.5.1 Controlling which actions are available
The Default SSA User role determines which actions are visible in the Self-Service App's list of actions. Note, however, that once you have selected an action, you must authenticate to MyID; if your own roles do not allow access to the appropriate workflow, you will not be allowed to progress with the action.
The Self-Service App can carry out the following actions:
- Change My Security Phrases
  Allows you to change your security phrases. Requires that the user's role has access to the Change My Security Phrases workflow.
- Reset My PIN
  Allows you to reset a locked card PIN. Requires that the user's role has access to the Unlock My Card workflow.
- Change My PIN
  Allows you to change your card PIN. Requires that the user's role has access to the Change PIN workflow.
  Note: This action requires a card that has been issued with MyID Logon capabilities; the user must also be permitted to log on with a smart card.
- Update My Device
  Allows you to update your card. Requires that the user's role has access to the Collect My Updates workflow.
  See section 4.12, Self-service device update, for details.
When MyID is installed, the Default SSA User role has access to the Change PIN, Unlock My Card, and Change My Security Phrases workflows.
Note: If you have upgraded from an earlier version of MyID, the Default SSA User role may not have all of the required workflows; for example, MyID versions earlier than 11.4 did not include the Change My Security Phrases workflow for this role by default, and the upgrade process does not change the assigned workflows for the role. Use the Edit Roles workflow to make sure that the role has the correct workflow permissions.
3.5.2 Controlling which actions are available using the registry
You can use the Self-Service App action block list to hide particular actions from the Self-Service App on a per-machine or per-user basis.
This is not a security feature (anyone with access to the registry can make these changes) but a usability feature. The Self-Service App displays the list of all actions available to the Default SSA User role, and only checks whether the user can carry out an action, based on the user's own roles, after the action is selected; you may therefore want to hide the unavailable actions on some PCs or for some users.
You specify the actions based on their numeric operation ID. You can use the following IDs:
- 110 – Change My Security Phrases
- 255 – Reset My PIN
- 202 – Change My PIN
To block actions on a per-user basis:
- On the client PC, open the Registry Editor.
- Open the following key:
  HKEY_CURRENT_USER\Software\Intercede\SsaActionBlacklist
  If the key does not exist, create it.
- Within this key, create a String value with the name of the operation ID you want to hide.
  For example, create a String value with the name 110 to hide the Change My Security Phrases operation.
  Note: You do not need to add any data to the String value. The Self-Service App checks whether the String value is present.
Note: If you override the username being used for SSA using either the /un command line argument or the MYID_USERNAME environment variable, the per-user block list is ignored. You can still use the per-machine block list.
To block actions on a per-machine basis:
- On the client PC, open the Registry Editor.
- Open the following key:
  HKEY_LOCAL_MACHINE\Software\Intercede\SsaActionBlacklist
  On a 64-bit system, create the following key instead:
  HKEY_LOCAL_MACHINE\Software\Wow6432Node\Intercede\SsaActionBlacklist
  If the key does not exist, create it.
- Within this key, create a String value with the name of the operation ID you want to hide.
  For example, create a String value with the name 110 to hide the Change My Security Phrases operation.
  Note: You do not need to add any data to the String value. The Self-Service App checks whether the String value is present.
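The two registry procedures above can be scripted for deployment and, just as usefully, audited: because the block list is a usability control rather than a security one, an administrator will want a quick way to see which operation IDs are present under either key on a given PC. The following PowerShell is an added example and is not part of the MyID documentation or Intercede's own tooling. It assumes Windows PowerShell on the client PC and an elevated session for the per-machine key; the operation IDs, key paths and the 64-bit Wow6432Node rule are taken from the text above, while the function names and the choice of [Environment]::Is64BitOperatingSystem to pick the per-machine path are this example's own.

```powershell
# Added example (not part of the MyID documentation): manage and audit the
# Self-Service App action block list. Assumes Windows PowerShell on the client
# PC; writing under HKLM needs an elevated session. Operation IDs and key paths
# come from the documentation; function names are this example's own.

# Operation IDs listed in the documentation.
$SsaActions = @{
    '110' = 'Change My Security Phrases'
    '255' = 'Reset My PIN'
    '202' = 'Change My PIN'
}

function Get-SsaBlockListPath {
    param([Parameter(Mandatory)][ValidateSet('User', 'Machine')][string]$Scope)

    if ($Scope -eq 'User') {
        # The SSA ignores this key when the username is overridden with /un or MYID_USERNAME.
        return 'HKCU:\Software\Intercede\SsaActionBlacklist'
    }
    # On 64-bit Windows the per-machine key sits under Wow6432Node instead.
    if ([Environment]::Is64BitOperatingSystem) {
        return 'HKLM:\Software\Wow6432Node\Intercede\SsaActionBlacklist'
    }
    return 'HKLM:\Software\Intercede\SsaActionBlacklist'
}

function Block-SsaAction {
    param(
        [Parameter(Mandatory)][ValidateSet('110', '255', '202')][string]$OperationId,
        [ValidateSet('User', 'Machine')][string]$Scope = 'User'
    )
    $path = Get-SsaBlockListPath -Scope $Scope
    if (-not (Test-Path -Path $path)) {
        New-Item -Path $path -Force | Out-Null
    }
    # Only the presence of a String value named after the ID matters; its data stays empty.
    New-ItemProperty -Path $path -Name $OperationId -Value '' -PropertyType String -Force | Out-Null
}

function Unblock-SsaAction {
    param(
        [Parameter(Mandatory)][string]$OperationId,
        [ValidateSet('User', 'Machine')][string]$Scope = 'User'
    )
    $path = Get-SsaBlockListPath -Scope $Scope
    if (Test-Path -Path $path) {
        Remove-ItemProperty -Path $path -Name $OperationId -ErrorAction SilentlyContinue
    }
}

function Get-SsaBlockedActions {
    # Lists every value under both keys, so an entry that is not a documented
    # operation ID (and would silently hide nothing, or something unexpected) stands out.
    foreach ($scope in 'User', 'Machine') {
        $path = Get-SsaBlockListPath -Scope $scope
        if (-not (Test-Path -Path $path)) { continue }
        foreach ($name in (Get-Item -Path $path).GetValueNames()) {
            $label = if ($SsaActions.ContainsKey($name)) { $SsaActions[$name] } else { '(not a documented operation ID)' }
            [pscustomobject]@{
                Scope       = $scope
                OperationId = $name
                Action      = $label
                Path        = $path
            }
        }
    }
}

# Hide "Change My Security Phrases" for the current user, then audit both scopes.
Block-SsaAction -OperationId 110 -Scope User
Get-SsaBlockedActions | Format-Table -AutoSize
```

Run Get-SsaBlockedActions on its own when checking a PC where an action has gone missing from the Self-Service App menu: an entry in either scope explains the hidden action, and any value whose name is not 110, 255 or 202 is a stray entry worth removing with Unblock-SsaAction.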
3.5.3 Controlling which tasks are available
The Self-Service App can carry out the following types of task:
- Collect a card.
  Requires access to the Collect My Card workflow.
- Activate a card.
  Requires access to the Activate Card workflow.
- Update a card.
  Requires access to the Collect My Updates workflow.
  Note: This task requires a card that has been issued with MyID Logon capabilities; the user must also be permitted to log on with a smart card.
- Collect a replacement card.
  Requires access to the Collect My Card workflow.
- Collect a certificate renewal.
  Requires access to the Collect My Certificates workflow.
  Note: This task requires a card that has been issued with MyID Logon capabilities; the user must also be permitted to log on with a smart card.
- Lock or unlock a VSC (in automation mode only).
  Requires access to the Update VSC workflow.
  If you launch the Self-Service App in automation mode using a MyID username and password, it is strongly recommended that you use a specially created MyID user that has access only to the required workflow. Create a new role, grant it access only to the Update VSC workflow, create a new user with access only to that role, and set the user's security phrases. The MyID user must also have sufficient scope to carry out operations on behalf of the end user.
  See the Requesting VSC locks section in the Microsoft VSC Integration Guide for details of requesting PIN locks for VSCs.