30.10 Issuance Processes page (Operation Settings)

Setting

Active credential profiles per person

Default value

One per credential group

Description

This option allows you to control issuance of different types of credentials to users; for example, you might want to issue one smart card, one USB token, and so on.

Further information

See section 11.3.2, Additional credential profile options.

 

Setting

Allow derived credential requests to create accounts

Default value

No

Description

Must be set to Yes to allow SSRP to issue a derived credential to a cardholder whose original credential was issued by a different system. The unknown user is added to MyID.

Further information

See the MyID configuration options section in the Derived Credentials Self-Service Request Portal guide.

 

Setting

Allow parent and child credential profiles

Default value

No

Description

Used for VSCs.

Further information

See the Setting up parent/child credential profiles for VSCs section in the Microsoft VSC Integration Guide.

 

Setting

Allow requests without user data approved

Default value

No

Description

Determines whether requests for credentials can be created if the person's user data approved status is not set.

Set this option to Yes to allow an operator or the Lifecycle API to request credentials even if the person's user data approved status is not set. Even though the request can be created, if the Require user data to be approved option on the credential profile is set, the request cannot be approved or collected until the person's user data approved status is set.

Set this value to No to prevent credentials from being requested when the person's user data approved status is not set and the Require user data to be approved option on the credential profile is set.

Further information

 

 

Setting

App Download URL – ANDROID

Default value

 

Description

The URL for the Android version of the MyID Identity Agent.

Leave blank to hide this option.

If you click on a provisioning URL on a mobile device, but do not have the Identity Agent app installed, this link is displayed to allow you to download the app and try again.

For derived credentials, the URL is embedded into the QR code that is displayed to the user and allows them to download the Identity Agent app when using the Self-Service Kiosk to collect Derived Credentials.

Further information

See the Configuring SMS and email notifications section in the Mobile Identity Management guide or the Derived Credentials Configuration Guide for details.

 

Setting

App Download URL – iOS

Default value

 

Description

The URL for the iOS version of the MyID Identity Agent.

Leave blank to hide this option.

If you click on a provisioning URL on a mobile device, but do not have the Identity Agent app installed, this link is displayed to allow you to download the app and try again.

For derived credentials, the URL is embedded into the QR code that is displayed to the user and allows them to download the Identity Agent app when using the Self-Service Kiosk to collect Derived Credentials.

Further information

See the Configuring SMS and email notifications section in the Mobile Identity Management guide or the Derived Credentials Configuration Guide for details.

Note: Due to restrictions imposed by Apple, the URL must be opened in the Safari browser and must link to a page that contains a link to the app to download; the user can then select this link. The URL cannot be a direct link to the app file itself.

 

Setting

Automated Card Issuance Time Limit

Default value

240

Description

The time (in seconds) to be spent attempting to issue a card before canceling the process.

Further information

 

 

Setting

Automated Detect Card Time Limit

Default value

40

Description

The time (in seconds) to be spent attempting to detect a card before it is rejected.

Further information

 

 

Setting

Automated Remove Card Time Limit

Default value

30

Description

The time (in seconds) that MyID will wait before allowing another print command to be sent once the card has been removed from the printer.

Further information

 

 

Setting

Automatic Completion of Issuance

Default value

Ask

Description

Enable the automatic submission of the Print Card stage.

Further information

 

 

Setting

Automatic Completion of Issuance Timeout

Default value

300

Description

Timer value (in seconds) for automatically submitting certain forms.

Further information

 

 

Setting

Automatic Update Collection

Default value

2,245

Description

If a user logs in with pending jobs, run the first workflow listed that they have access to.

Workflows should be listed as option,operationid;option,operationid and so on. For example: 2,245 – this automatically launches the Activate Card workflow.

Further information

See the Workflow IDs section in the Installation and Configuration Guide for a list of the workflow IDs available in MyID.

 

Setting

Automatically create card update jobs when additional identities are modified

Default value

No

Description

Create card update jobs automatically on changes to additional identities.

Further information

See section 25, Additional identities for details.

Note: Changes carried out using the Credential Web Service API create update jobs whether this option is set to Yes or No. See the Credential Web Service document for details.

 

Setting

Batch Encode Card Timeout

Default value

15

Description

The number of seconds to allow a card to be read before timing out in the Batch Encode Card workflow.

Further information

 

 

Setting

Change Credential Profile At Approval

Default value

No

Description

If set, an operator can change the credential profile when approving a request. Note: This affects requests approved through the MyID Operator Client only.

Further information

See the Approving requests section in the MyID Operator Client guide.

 

Setting

Display credential profile details

Default value

Ask

Description

Whether credential profile details are displayed when a card is issued.

Further information

 

 

Setting

Enable unrestricted cancellation

Default value

No

Description

Controls whether the Unrestricted Cancellation option appears in the Issuance Settings section of the Credential Profiles workflow.

This option allows you to re-use a card without first canceling it.

Further information

 

 

Setting

Expire cards at end of day

Default value

No

Description

If set, credentials will be issued with an expiry date set to the end of day, that is, 23:59:00 UTC.

The time zone setting of the operator's workstation may affect the expiry date. Because the expiry time is 23:59:00 UTC, to ensure that the expiry time is in the future, if the operator's workstation is behind UTC (for example, PDT, which is UTC -7) the expiry is set to 23:59:00 UTC on the following date.

This prevents the case where, for example, on January 1 at 20:00:00 PDT an operator requests a same-date expiry. An expiry date of 23:59:00 UTC on January 1 would be in the past, but an expiry date of 23:59:00 UTC on January 2 is still in the future.

Note: This setting is designed for devices requested through the MyID Operator Client. Note, however, that even if the devices were requested through the MyID Operator Client, the expiry date is not set to the required value if the devices are collected through the Issue Card or Collect My Card workflows. All other methods of collecting devices work as expected.

This setting affects requests made in MyID Desktop only under the following circumstances:

  • The Expire cards at end of day option is set.

  • You do not set an explicit expiry date in Request Card. (Setting an explicit expiry date in MyID Desktop sets the time to 00:00:00 UTC.)

  • You do not collect the request using the Issue Card or Collect My Card workflows. (These workflows do not check the Expire cards at end of day option at all.)

Under the above circumstances, when you collect the device, the time is set to 23:59:00 UTC.

When this option is set to the default NO, the time is set to 00:00:00 UTC (the start of the day).

This setting also affects the CardExpiryDate and MaxRequestExpiryDate nodes in the Lifecycle API; if the Expire Cards at End of Day configuration option is set to Yes, the time portion of the expiry date is set to 23:59 UTC. If the Expire Cards at End of Day option is set to No, the time portion is set to 00:00 UTC.

Note: This setting does not affect any existing expiry dates, whether for requests already created, or maximum credential expiry dates already set for users.

Note: Some CAs do not allow control over the time portion of the certificate expiry. When MyID sets the lifetime of the certificate, the date is set as expected, but the time may not match exactly, depending on the certificate authority being used.

Further information

See the CardExpiryDate and MaxRequestExpiryDate sections in the Lifecycle API document, the Setting expiry dates for a card section in the Operator's Guide, and the Approving requests section in the MyID Operator Client guide.

 

Setting

Manual Card Update

Default value

No

Description

Whether a card update can be performed manually. This allows you to select which updates to apply to the card from the list of available updates.

Further information

 

 

Setting

Maximum multiple credential requests

Default value

1

Description

This is the maximum number of multiple credential requests that will be accepted.

Further information

See the Requesting multiple cards section in the Operator's Guide.

 

Setting

Maximum unvalidated multiple credential requests

Default value

1

Description

The maximum number of multiple credential requests that will be accepted without secondary validation.

Further information

See the Requesting multiple cards section in the Operator's Guide.

 

Setting

Output Mechanism for Job Challenge Code Generation

Default value

Choose at request

Description

Determines how the one-time password for job authentication is delivered. Choose one of the following:

Email

Display on screen

Both

Choose at request

Further information

See section 24.8, Requesting a device identity.

 

Setting

Print Card Timeout

Default value

5

Description

The number of seconds between printing a card and issuing.

Further information

 

 

Setting

Printer Request Buffer Delay

Default value

10

Description

This is the time in seconds to pause between sending requests to the printer.

Further information

Used with the Fargo SDK for Fargo printers.

 

Setting

Reload Device Profile

Default value

No

Description

Whether the device profile is reloaded onto the card during issuance. Used for Thales authentication devices.

Further information

 

 

Setting

Requisite User Data

Default value

No

Description

Displays an extra option in the Credential Profiles workflow that allows you to restrict issuance to user accounts with specific user attribute mappings.

Further information

 

 

Setting

Restrict collection of replacement devices if expiry date within (Days)

Default value

0

Description

Stops the issuance of a replacement credential if the date for the expiry is within the specified number of days.

Further information

 

 

Setting

Rotate Keys On Card Update

Default value

No

Description

When a card update is collected, any GlobalPlatform or PIV 9B keys associated with the device will also be updated if they are found to be out of date.

Further information

See section 7.3.8, Rotating customer keys for details.

 

Setting

Set Credential Profile On Renewal

Default value

No

Description

If set to Yes, the operator can specify a credential profile when renewing a device.

Note: This setting affects devices renewed through the MyID Operator Client only.

Further information

 

 

Setting

Set expiry date at request

Default value

No

Description

If set to Yes, the operator can specify a date for expiry of credentials when they are requested.

Note: This setting affects the MyID Operator Client and MyID Desktop only. Requests created using APIs directly are not affected.

Further information

 

 

Setting

Show Disqualified Credential Profiles

Default value

Yes

Description

Set to Yes to display all credential profiles, whether or not they meet the Requisite User Data requirements.

Set to No to hide any credential profiles that do not meet the Requisite User Data requirements.

Note: This setting affects the display of credential profiles in the MyID Operator Client only.

Further information

See section 11.3.1.11, Requisite User Data.

 

Setting

Show the Card Content button in the Audit Workflow

Default value

Yes

Description

Set to Yes to display the Card Content button on the Audit workflow.

Further information