4.4 Editing a PIV applicant
The MyID Operator Client provides the following screens to allow you to edit the details of PIV applicants:
- Initial PIV Enrollment – used to edit people accounts that do not yet have fingerprints enrolled.
- Update PIV Applicant – used to edit people accounts that already have fingerprints enrolled. You must authenticate to this screen by providing the person's fingerprints.
- Edit PIV Applicant – used as an administrative tool to edit people accounts whether or not they have fingerprints enrolled. No biometric authentication is required to access this screen.
Each screen provides the same information and allows you to edit the same details.
It is recommended that you assign the Initial PIV Enrollment and Update PIV Applicant options in the Edit Roles workflow to the operators who carry out PIV enrollment, and that you assign the Edit PIV Applicant option only to administrative users who may need to edit people accounts that already have fingerprints enrolled but cannot use the person's fingerprints to authenticate.
For FIPS 201 compliance, subsequent updates to an applicant's record after the initial enrollment should be authenticated using the applicant's fingerprints; for more information about compliance with FIPS 201, see the PIV Applicant Editor role section in the PIV Integration Guide.
The PIV applicant editing screens work in the same way as the Edit Person screen does for non-PIV applicants (see section 4.3, Editing a person), but have the following additional tabs:
- STATUS
- POSITION
- SPONSOR
- APPLICATION
- BIOMETRICS
For more information about PIV attributes, see the Editing PIV applicants section in the PIV Integration Guide.
To edit a PIV applicant:
- Search for a person, and view their details.
  See section 4.1, Searching for a person for details.
  You can also view a person's details from any form that contains a link to their account. For example:
  - Click the link icon on the Full Name field of the View Request form.
  - Click the link icon on the Owner field of the View Device form.
- Click one of the following options in the button bar at the bottom of the screen:
  - Initial PIV Enrollment – if the applicant does not yet have fingerprints enrolled.
  - Update PIV Applicant – if the applicant already has fingerprints enrolled.
  - Edit PIV Applicant – used as a privileged workflow to bypass the biometric authentication for editing PIV applicants.
  You may have to click the ... option to see any additional available actions.
- For Update PIV Applicant only:
  - The Verify Fingerprint dialog appears.
    Note: The MyID Operator Client remembers the Verification Device you select the next time you try to verify fingerprints, and automatically opens the Fingerprint Capture dialog without you having to click Verify. If you need to change the verification device, close the Fingerprint Capture dialog.
  - Select the Verification Device you want to use from the drop-down list.
  - Click Verify.
    The Fingerprint Capture dialog appears.
  - Follow the instructions on screen.
    If the fingerprint does not match, an error similar to the following appears:
    OA10051: No match was found for the fingerprint
    You can click Verify to attempt to match again. If you exceed the number of match attempts (configured by the Number of fingerprint validation attempts option on the Biometrics tab of the Operation Settings workflow), an error similar to the following appears:
    OA10050: Number of fingerprint attempts has been exceeded
- Update the person's details.
- Click SAVE.
4.4.1 Setting the person's status
On the STATUS tab of the PIV applicant editing screens, you can see the following options:
- User Data Approved – certifies that the applicant has been through the correct enrollment process and has been approved to receive a PIV card.
- Vetting Date – the date the person passed their identity checks.
  For more information on setting the User Data Approved and Vetting Date options, see section 4.12, Approving user data.
- Maximum credential expiry date – optionally, specify the latest expiry date for any device issued to this person.
  This setting affects all future device requests. It does not affect any issued devices or existing requests.
  See section 4.8, Requesting a device for a person for details.
  Note: This setting affects device requests made through the MyID Operator Client only. Requests made through MyID Desktop or the Lifecycle API do not take this setting into account. Note, however, that if you specify an explicit expiration date when requesting a device using MyID Desktop, an error appears if that date exceeds the Maximum credential expiry date set for the person. If you do not specify an explicit expiration date, MyID Desktop ignores the Maximum credential expiry date altogether.
  You can also set this date using the MaxRequestExpiryDate option in the Lifecycle API. See the Lifecycle API guide for details.
- NACI Status – records the status of the NACI check.
  Note: You must use this only in accordance with FIPS 201-3 guidelines. For PIV-I and CIV, set this to Not Requested.
4.4.2 Providing the person's position details
On the POSITION tab of the PIV applicant editing screens, set the following details:
- Privilege – select the applicant's privileges from the list. This is agency-specific data that can be printed on the card.
- Affiliation – the cardholder's role or position within the organization; for example, Contractor or Emergency Responder.
- Agency Association – indicates how the cardholder is associated with the agency; for example, Employee or Contractor. These options are defined by FIPS 201.
- Department – the name of the department within the agency.
- Agency – the group name from the Personal tab.
- Position – the position of the applicant within the agency.
- Rank – the rank of the applicant.
- Emergency Role – the applicant's specific role in the event of an emergency, if any.
- Additional Information – contains any extra information about the applicant's position.
- PIV DN – the distinguished name for the user.
  The operator must enter the PIV DN manually. If you require MyID to generate the distinguished name for PIV applicants, contact Intercede for further guidance, quoting SUP-335.
4.4.3 Providing the details of the person's sponsor
On the SPONSOR tab of the PIV applicant editing screens, set the following details:
- Name – the name of the person sponsoring the applicant.
- Position of sponsor – the position of the sponsor.
- Email of sponsor – the email address of the sponsor.
- Agency of sponsor – the agency to which the sponsor belongs.
- Phone – the phone number of the sponsor.
4.4.4 Providing the person's application documents
On the APPLICATION tab of the PIV applicant editing screens, you can provide details of the following documents for the person:
- SF85 or OPM document
- Two identity documents
Note: You can scan identity documents using the MyID Operator Client; see section 4.6, Scanning documents.
Complete the following details for the person:
- Nationality – select the country of the person's nationality from the drop-down list.
- Country of Birth – select the country where the person was born from the drop-down list.
- Applicant's Place of Birth – for people born in the United States, select the state, district, or territory. For people born outside the United States, this is automatically set to the same value as the Country of Birth.
- Application ID – optionally, type a reference number that you can use to track the person's application. You can search for this value in the People reports.
For each identity document, provide the following details:
- Title – select the document type. Only documents of the types listed are acceptable as proof of identity.
- Issued by – enter details of the organization that issued the document.
- Number – the document's serial number.
- Expiration – the expiration date of the document.
- The Capture Date is populated automatically when you use the PIV applicant editing screens in the MyID Operator Client.
4.4.5 Providing the person's biometrics
On the BIOMETRICS tab of the PIV applicant editing screens, you can provide the person's biometric details, including scanning fingerprints and capturing facial biometrics.
4.4.5.1 Personal details
You can provide the following information about the person:
- Height (ft-in) – type the height of the person in feet and inches; for example, 6' 2".
- Hair Color – select the hair color of the person from the drop-down list.
- Weight (lbs) – type the weight of the person in pounds; for example, 160 lbs.
- Eye Color – select the eye color of the person from the drop-down list.
- Gender – select the gender of the person from the drop-down list.
- Racial origin of cardholder – select the racial origin of the person from the drop-down list.
4.4.5.3 Iris data
If an iris has been captured for the person, the following indicator is displayed:
If no iris has been captured for the person, the following indicator is displayed instead:
Note: You cannot capture iris data using MyID. To add iris data to a person's record, use the Lifecycle API. For more information, see the PivCardRequest/Agency/Applicant/Biometry/BioSample section in the Lifecycle API guide.
4.4.5.4 Fingerprints
You can capture fingerprints for the person. If the person has already had fingerprints captured, they are indicated on the Fingerprints control. You can still capture fingerprints for such a person: any additional fingers are added to their record, and any recaptured fingerprints replace the fingerprints stored in the database.
To capture fingerprints:
- Click CAPTURE FINGER.
  The fingerprint dialog appears.
- Select the fingers you want to capture.
- Click CONFIRM.
  The fingerprint capture dialog appears. Follow the on-screen instructions to capture each fingerprint.
Note: The Account for missing fingerprints and Enforce a minimum number of fingerprints during enrollment? options are not enforced when capturing fingerprints using the MyID Operator Client.
Note: Once you have captured the fingerprints, the newly-captured fingerprints are indicated on the capture control on the BIOMETRICS tab; previously-captured fingerprints are not indicated until you exit the PIV applicant editing screen and re-enter it.
4.4.5.5 Facial biometrics
For information on capturing facial biometrics, see section 4.7, Capturing facial biometrics.
4.4.6 Considerations
The PIV applicant editing screens in the MyID Operator Client do not work in exactly the same way as the Edit PIV Applicant workflow (which was available in MyID Desktop in previous versions of MyID). There are some differences and limitations:
- Association text is not printed on cards.
  This is a known issue. The person's Agency Association code is stored in the database, but the text description is not saved.
- Changing a person's group does not affect their PIV DN or Department.
  If you change a person's group, you must update these fields manually.
- The person's PIV DN does not change automatically.
  If you change the person's name, nickname, or Agency Association, you must update the PIV DN field manually.
- The Allow duplicate DN option does not affect the PIV DN.
- There is no relationship between the fields on the system tab and the person's MyID logon name. If changes are required to keep them synchronized, you must apply them manually. This does not apply where directory synchronization is used.
- The Account for missing fingerprints configuration option is not supported in the MyID Operator Client.
- Unlike in MyID Desktop, you do not need to have the PIV Applicant Editor role to edit PIV attributes in the MyID Operator Client; if your role has access to the Edit PIV Applicant option in the Edit Roles workflow, you can edit PIV attributes.
- The Association and Rank fields were automatically populated with default values in MyID Desktop, but are not in the MyID Operator Client.
- You cannot scan identity documents in the MyID Operator Client.
- In MyID Desktop, the PIV Applicant role was added to a person if you used the Edit PIV Applicant workflow to import them from a directory. There is no equivalent process in the MyID Operator Client; instead, you can set the default roles for the group to which you are adding the user to include the PIV Applicant role.
- Changing the NACI Status to Rejected does not carry out any further revocations.
There are some differences in the field names between the MyID Operator Client and MyID Desktop:

MyID Desktop | MyID Operator Client
---|---
Security | Employee ID
Address 1 | 1st line of Address
Address 2 | 2nd line of Address
Association | Agency Association
Extra Info | Additional Information
Birth Country | Country of Birth
Place of Birth | Applicant's Place of Birth
Race | Racial origin of cardholder
Iris Captured | Iris Status
[Sponsor] Position | Position of sponsor
[Sponsor] Email | Email of sponsor
[Sponsor] Agency | Agency of sponsor
4.4.7 Adding PIV applicants from a directory
You can use the Edit Person (Directory) screen to add a new user from a connected LDAP.
Note: If you have the Edit Directory Information configuration option (on the LDAP page of the Operation Settings workflow) set to No, you will be unable to edit any of the person data that is mapped to the directory. The default is Yes.
The user must belong to an LDAP group that is mapped to an existing MyID group, and the Search a Directory option (on the LDAP page of the Operation Settings workflow) must be set to Yes or Ask.
If you click the EDIT PERSON button on the View Person (Directory) screen to select a user who is not already in the MyID database, the user is imported, given the Cardholder and Password User roles, and assigned to the group that matches their LDAP group. If you want the person to be a PIV applicant, add the PIV Applicant role to their list, and click SAVE. You can then use the PIV applicant editing screens to edit the user's details as normal.
To add PIV applicants from a directory, you must set up the groups in MyID before you begin:
- Both the LDAP group the PIV applicant belongs to, and the parent LDAP group, must have been imported from LDAP into MyID. The hierarchy between the group the user belongs to and the parent group must be the same in both MyID and the LDAP. There are various ways to achieve this:
  - In the Edit Groups workflow, select Import LDAP Branch/OU and children to import a group above the group the user belongs to.
    This ensures that the hierarchy of the group and parent group is consistent in both MyID and LDAP.
  - Alternatively, you can create the parent group first, then import the group the user belongs to as a child of the parent group.
  If this hierarchy of group and parent group is not set up correctly, you will see the following error when trying to import users from LDAP in the Edit PIV Applicant workflow:
  Target is not associated with a MyID group
- Additionally, you must ensure that the PIV attributes have been configured for the group that the MyID user belongs to; you can do this using the Amend Group workflow.
- The logged-on user must have the PIV Applicant Editor role and access to the Edit Person and PIV applicant editing screens to import users from LDAP using the Edit Person (Directory) screen.