3.4 Roles and groups
The features you can access in the MyID Operator Client depend on your role as an operator, and the roles you can have depend on which group you belong to.
To specify which roles are available to each group, you must use the
To specify which features are available to each role, you must use the Edit Roles workflow; see the Roles section in the Administration Guide for details.
The options that appear in the Edit Roles workflow map to the features in the MyID Operator Client in the following way:
Option in Edit Roles | Feature |
---|---|
Add Person | Browse Groups, Browse, Search Group, View Person, Add Person, View Persons Images |
Adjudication History | Search Reports, Adjudication History |
All Requests | Search Reports, All Requests |
Approve Person | Browse Groups, Search Group, View Persons Images, People, View Person, Browse, Approve Person |
Archived Requests | Search Reports, Archived Requests |
Assign Card | Assign Device Search, Assign Device, Unassign Device, Assign Device (Search) |
Assigned Devices | Search Reports, Assigned Devices |
Cancel Credential | Browse, View Device, Browse Groups, Search Group, View Person, Devices, People, Cancel Device |
Cancel Request | Browse Groups, Browse, View Request, Requests, Search Group, Cancel Request |
Devices | Search Reports, Devices |
Directory Sync | Directory Sync |
Download Reports | Download Reports |
Edit Person | Edit Person (Directory), Browse Directory Root, Browse Directory Groups, Search Person (Directory), Browse, View Person (Directory), Search Group, Browse Groups, Enable Person, Edit Person, Disable Person, View Persons Images, People, View Person |
Edit PIV Applicant | View Person, People, Disable Person, View Persons Images, Enable Person, Search Group, Browse Groups, Browse, View Person (Directory), Search Person (Directory), Browse Directory Groups, Browse Directory Root, Edit Person (Directory), Edit PIV Applicant |
Identify Card | Devices, View Device, Device Certificates, Device Requests |
Initial PIV Enrollment | Disable Person, Enable Person, View Persons Images, People, View Person, Search Group, Browse, Browse Groups, Edit Person (Directory), Browse Directory Root, Browse Directory Groups, Search Person (Directory), View Person (Directory), Initial PIV Enrollment |
Mobile Devices | Search Reports, Mobile Devices |
People | Search Reports, People |
Authenticate | Authenticate |
Provision Certificates | View Certificate |
Remove Person | Search Group, Browse Groups, Browse, View Person, People, Remove Person |
Request Card | Request Device, Devices, People, View Person, View Persons Images, Persons Available Credential Profiles, Requests, Browse, Search Group, Browse Groups, View Request, Persons Credential Profiles (Directory), View Person (Directory), Search Person (Directory), Browse Directory Groups, Browse Directory Root |
Request Card Update | Request Update |
Request Replacement Card | View Request, Requests, Persons Available Credential Profiles, View Persons Images, Request Replacement Device, Request Device Renewal, Device Available Credential Profiles, View Person, People, Devices |
Requests | Search Reports, Requests |
Send Auth Code for Activation | Get Activation Code Expiry for Device, Send Auth Code for Activation |
Send Auth Code for Job Collection | Get Collection Code Expiry for Job, Send Auth Code for Job Collection |
Send Auth Code for Logon | Get Auth Code Expiry for Person Logon, Send Auth Code for Logon |
Send Auth Code for PIN Unlock | Get Unlock PIN Code Expiry for Device, Send Auth Code for PIN Unlock |
Unapprove Person | People, View Person, View Persons Images, Search Group, Browse, Browse Groups, Unapprove Person |
Unassigned Devices | Search Reports, Unassigned Devices |
Unrestricted Audit Report | Search Reports, Unrestricted Audit Report |
Update PIV Applicant | Edit Person (Directory), Browse Directory Groups, Browse Directory Root, Search Person (Directory), View Person (Directory), Browse, Browse Groups, Search Group, View Persons Images, Enable Person, Disable Person, View Person, People, Update PIV Applicant |
Validate Request | Requests, Reject Request, Jobs Available Credential Profiles, View Request, Approve Request, Browse Groups, Search Group, Browse |
View Auth Code for Activation | Get Activation Code for Device, View Auth Code for Activation |
View Auth Code for Job Collection | Get Collection Code for Job, View Auth Code for Job Collection |
View Auth Code for Logon | Get Auth Code for Person Logon, View Auth Code for Logon |
View Auth Code for PIN Unlock | Get Unlock PIN Code for Device, View Auth Code for PIN Unlock |
View Person | View Person (Directory), Search Person (Directory), Browse Directory Root, Browse Directory Groups, Browse, Browse Groups, Requests, View Request, Search Group, Devices, View Person, People, View Persons Images |
View User Audit | History, View Person, People, Search Group, Browse Groups, Browse, View Audit, Audit Details |
3.4.1 Roles example
For example:
- Operator Andrea is in the HR group. This group has access to the roles Standard Operator (which has access to the View Person feature) and Data Entry (which has access to the Edit Person and Add Person features). With these two roles, Andrea can search for people, view their details, edit their details, and add new people, but cannot request devices.
- Operator Boris is in the IT group. This group has the Standard Operator role, as above, and the Device Operator role, which has access to the Request Card feature (this provides access to the Request Device option in the MyID Operator Client; the corresponding workflow in MyID Desktop is called Request Card, hence the name). Boris can search for people, view their details, and request devices for them, but cannot edit their details or add new people.
- Operator Charley is in the HR group like Andrea, but while the group has access to the Standard Operator and Data Entry roles, Charley has been assigned only the Standard Operator role. Charley can search for people and view their details, but cannot request devices, edit their details, or add new people.
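The three operators above, resolved down to MyID Operator Client features for an access review. This is an added example, not MyID code or a MyID API: the dictionaries and function names are assumptions, and only the role, group, operator and feature names come from this page.

```python
# Added example: an access-review model of section 3.4. Not MyID code or a MyID API;
# the dictionaries and function names are assumptions made for illustration.

def _features(cell):
    # One Feature cell from the table -> set of feature names (repeats collapse).
    return {name.strip() for name in cell.split(",")}

# Edit Roles option -> MyID Operator Client features (four rows of the table above).
OPTION_FEATURES = {
    "View Person": _features(
        "View Person (Directory), Search Person (Directory), Browse Directory Root, "
        "Browse Directory Groups, Browse, Browse Groups, Requests, View Request, "
        "Search Group, Devices, View Person, People, View Persons Images"),
    "Add Person": _features(
        "Browse Groups, Browse, Search Group, View Person, Add Person, View Persons Images"),
    "Edit Person": _features(
        "Edit Person (Directory), Browse Directory Root, Browse Directory Groups, "
        "Search Person (Directory), Browse, View Person (Directory), Search Group, Browse Groups, "
        "Enable Person, Edit Person, Disable Person, View Persons Images, People, View Person"),
    "Request Card": _features(
        "Request Device, Devices, People, View Person, View Persons Images, Requests, Browse, "
        "Persons Available Credential Profiles, Search Group, Browse Groups, View Request, "
        "Persons Credential Profiles (Directory), View Person (Directory), "
        "Search Person (Directory), Browse Directory Groups, Browse Directory Root"),
}
# Role -> Edit Roles options, and group -> available roles, as described in 3.4.1.
ROLE_OPTIONS = {"Standard Operator": {"View Person"},
                "Data Entry": {"Edit Person", "Add Person"},
                "Device Operator": {"Request Card"}}
GROUP_ROLES = {"HR": {"Standard Operator", "Data Entry"},
               "IT": {"Standard Operator", "Device Operator"}}
OPERATORS = {"Andrea": ("HR", {"Standard Operator", "Data Entry"}),  # (group, assigned roles)
             "Boris": ("IT", {"Standard Operator", "Device Operator"}),
             "Charley": ("HR", {"Standard Operator"})}

def effective_roles(operator):
    # An assigned role counts only if the operator's group makes it available.
    group, assigned = OPERATORS[operator]
    return assigned & GROUP_ROLES[group]

def effective_features(operator):
    # Union of the features behind every option of every effective role.
    options = set().union(*(ROLE_OPTIONS[r] for r in effective_roles(operator)))
    return set().union(*(OPTION_FEATURES[o] for o in options))

def features_added(operator, baseline):
    # Review delta: what `operator` can reach that `baseline` cannot.
    return effective_features(operator) - effective_features(baseline)
```

`features_added("Andrea", "Charley")` shows that the Data Entry role brings Enable Person and Disable Person along with the edit and add features, which is the kind of implied grant a role review should surface.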
3.4.2 Scope
The extent to which operators can carry out actions for people is determined by their scope. For example, if Andrea is in charge of data entry for the HR department, you may want to restrict her to viewing, editing, and adding people only in the HR group and its subgroups; in this case, you would give Andrea the Standard Operator and Data Entry roles with a scope of Division. Charley, on the other hand, has wider responsibilities, and can search for and view people throughout the system with the Standard Operator role and a scope of All.
For more information, see the Scope and security section in the Administration Guide.
3.4.3 Administrative groups
You may not want the scope of an operator to be determined by their own group. For example, Andrea is in the HR department, but may be given extra responsibility for working with people in the Finance department. To manage this, instead of simply giving Andrea a scope of All, you can give Andrea one or more administrative groups. For example, you can add the Finance group as one of Andrea's administrative groups, and Andrea can work with members of the Finance group as well as her own HR group.
For more information on working with administrative groups in the MyID Operator Client, see section 4.13, Working with administrative groups.
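The difference between widening an operator's scope to All and adding an administrative group, as an added example that is not MyID code. The group tree, the subgroup names and the function names are constructed; treating an administrative group's subgroups like those of the home group is an assumption to confirm against the Administration Guide.

```python
# Added example: a model of scope and administrative groups from 3.4.2 and 3.4.3.
# Not MyID code; the group tree, subgroup names and function names are constructed.

PARENT = {  # group -> parent group (constructed hierarchy)
    "HR": None, "HR/Recruitment": "HR", "HR/Payroll": "HR",
    "Finance": None, "Finance/Accounts": "Finance",
    "IT": None,
}

OPERATORS = {  # operator -> home group, scope, administrative groups
    "Andrea": {"group": "HR", "scope": "Division", "admin_groups": {"Finance"}},
    "Charley": {"group": "HR", "scope": "All", "admin_groups": set()},
}

def in_division(group, root):
    # True if `group` is `root` or one of its subgroups (walk up the tree).
    while group is not None:
        if group == root:
            return True
        group = PARENT[group]
    return False

def reachable_groups(operator):
    # Groups whose members the operator can act on.
    op = OPERATORS[operator]
    if op["scope"] == "All":
        return set(PARENT)
    if op["scope"] != "Division":
        raise ValueError(f"scope not modelled here: {op['scope']}")
    # Assumption: each administrative group is expanded to its subgroups
    # in the same way as the home group.
    roots = {op["group"]} | op["admin_groups"]
    return {g for g in PARENT if any(in_division(g, r) for r in roots)}

def excess_if_scope_all(operator):
    # Groups the operator would gain if given scope All instead of administrative groups.
    return set(PARENT) - reachable_groups(operator)
```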