5.15 Editing PIV applicants
Important: The Edit PIV Applicant workflow, which was previously available in MyID Desktop, is now End of Support, and has been replaced with equivalent functionality in the MyID Operator Client; see the Editing a PIV applicant section in the MyID Operator Client guide for details.
The MyID Operator Client provides the following screens to allow you to edit the details of PIV applicants:
- Initial PIV Enrollment – used to edit people accounts that do not yet have fingerprints enrolled.
- Update PIV Applicant – used to edit people accounts that already have fingerprints enrolled. You must authenticate to this screen by providing the person's fingerprints.
- Edit PIV Applicant – used as an administrative tool to edit people accounts whether or not they have fingerprints enrolled. No biometric authentication is required to access this screen.
Each screen provides the same information and allows you to edit the same details.
You are recommended to assign the Initial PIV Enrollment and Update PIV Applicant options in the Edit Roles workflow to your operators who carry out PIV enrollment, and to assign the Edit PIV Applicant option only to administrative users who may need to carry out edits on people accounts that already have fingerprints enrolled, but cannot use the person's fingerprints to authenticate.
For FIPS 201 compliance, subsequent updates to an applicant's record after the initial enrollment should be authenticated using the applicant's fingerprints; for more information about compliance with FIPS 201, see section 5.15.1, The PIV Applicant Editor role.
You can add applicants to MyID in the following ways:
- Enroll using the MyID Core API.
  See the MyID Core API guide for details.
- Manually add using the Edit Person workflow (in MyID Desktop) or the Add Person screen (in the MyID Operator Client) and assign the PIV Applicant role.
- Edit a person from a directory using the Edit Person (Directory) screen in the MyID Operator Client, and assign the PIV Applicant role.
  Note: If you import a user from a directory, and have set up directory synchronization, the MyID applicant records can be updated by changes in the directory.
- If you use the Request Card workflow to import a user, by default the user is not assigned the PIV Applicant role, and you cannot edit the user using the Edit PIV Applicant screen. To remedy this, set the default roles for the group to which you are adding the user to include the PIV Applicant role.
  See the Default roles section in the Administration Guide for details.
  However, you can edit the person using the Initial PIV Enrollment screen, even if the person does not have the PIV Applicant role.
5.15.1 The PIV Applicant Editor role
The PIV Applicant Editor role is created by default, and on initial configuration provides access to the Edit PIV Applicant and Edit Person screens in the MyID Operator Client. This role is also set as the manager for the PIV Applicant role, which means that you must have the PIV Applicant Editor role to assign the PIV Applicant role to any users.
You must assign the PIV Applicant Editor role to the operators you want to be able to assign the PIV Applicant role to applicants.
Important: The PIV Applicant Editor role is created with its logon mechanisms set to Smart Card only – if you log on to MyID using security phrases or integrated Windows logon, you cannot assign the PIV Applicant role to any users. In the MyID Operator Client, the PIV Applicant role does not appear in the list if you cannot assign it; in MyID Desktop, if you attempt to assign the PIV Applicant role without logging on with the correct mechanism, an error similar to the following appears:
Supplied logon name is invalid. Please enter a new logon name.
You must make sure that your business processes still meet the requirements of FIPS 201 (if applicable). You may want to restrict or prevent access to editing a PIV applicant's details after enrollment. For FIPS 201 compliance, subsequent updates to an applicant's record after the initial enrollment should be authenticated using the applicant's fingerprints. You are therefore recommended to remove access to the Edit PIV Applicant screen from the PIV Applicant Editor role, as this screen overrides any biometric authentication requirements, and instead provide access to the Initial PIV Enrollment screen (which allows you to carry out the initial enrollment, including capturing biometrics, but cannot be used once fingerprints have been saved) and the Update PIV Applicant screen (which allows you to update an applicant's account that already has fingerprints captured, but requires fingerprint authentication to access).
If you assign both Initial PIV Enrollment and Update PIV Applicant to an operator in the Edit Roles workflow, the MyID Operator Client displays the appropriate option for the applicant at their stage in the enrollment process; if the applicant does not yet have fingerprints enrolled, the operator sees only the Initial PIV Enrollment option. Once the applicant's fingerprints have been saved, the operator sees only the Update PIV Applicant option.