For example, consider a geographically distributed organization with many office locations, where each office needs to administer the smart card tokens of its own end users. In this setup it can make sense to use AD group membership: each office has at least one operator who is a member of that office's Card User Group, and the employees of the same office are members of the same Card User Group. An employee travelling to another office is given temporary membership of the visited office's Card User Group, and the operators of that office are then, based on the group membership, able to administer that user's card. Because the group membership is what grants the operator access, the temporary membership should be removed again once the visit is over.
Example Windows AD Group Permissions Configuration
This section describes how to configure vSEC:CMS to use Windows AD group permissions. A simple example is used to illustrate how this can be configured and used.
Example company XYZ has two office locations, one in the UK and one in Germany. It is required that vSEC:CMS operators located in the UK office can only manage smart card users located in the UK office, and similarly that vSEC:CMS operators located in the German office can only manage smart card users located in the German office.
In AD, two groups are created: UKOffice and GermanOffice. All vSEC:CMS operators located in the UK office are members of the UKOffice group, and all vSEC:CMS operators located in the German office are members of the GermanOffice group.
Similarly, all smart card users located in the UK office are members of the UKOffice group, and all smart card users located in the German office are members of the GermanOffice group.
Step 1 - Create Card Template
1. From Templates - Card Templates click the Add button.
2. From General click the Edit link, enter a template name, attach the smart card token that you wish to manage with this template and click the Detect button.
3. Click the Add button to add a template for the AD group permissions.
4. Enter a template name and click the Add button. Select the directory that is to be used from the directory connection drop-down list and select the AD group(s) that are to be used.
5. Click the Test button to perform a simple test from this dialog. Click the first Get DN button to search for an operator that is a member of the UKOffice group. Then click the second Get DN button to search for an end user who is a member of the UKOffice group, and click the Test button to perform the permission test. If everything is configured correctly, a success dialog will appear.
Note: If AD group membership is also to be enforced on lifecycle operations, enable the Access rights per individual lifecycle tasks check box in the Permissions section of the General dialog.
Step 2 - Complete the Card Template
Complete the card template configuration as required and then perform an issuance as an operator located in the UK office for a user from the UK office; this should complete successfully. It is also worth confirming the negative case: an issuance attempted by a UK operator for a user who is only a member of the GermanOffice group should be refused, since that is the boundary the groups are meant to enforce.
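The following PowerShell script is an added example and is not part of the vSEC:CMS documentation or product. It builds the XYZ group layout described above with the ActiveDirectory module and reproduces, outside the product, the check that the Test dialog in Step 1 performs: an operator may manage an end user only if both are members of one of the groups selected in the permission template. It also walks through the travelling-employee case from the introduction. The domain name xyz.example, the OU path, and the account names op.london, op.berlin, alice and bob are hypothetical; the check compares direct group membership only.

```powershell
# Added example, not vSEC:CMS code. Requires the RSAT ActiveDirectory module
# and an account allowed to create groups in the OU below.
Import-Module ActiveDirectory

# Hypothetical domain and OU; adjust to the real directory.
$GroupOU = 'OU=CMS,DC=xyz,DC=example'
$Groups = @{
    UKOffice     = 'vSEC:CMS operators and card users, UK office'
    GermanOffice = 'vSEC:CMS operators and card users, German office'
}

# 1. Create the two office groups if they do not exist yet.
foreach ($name in $Groups.Keys) {
    if (-not (Get-ADGroup -Filter "Name -eq '$name'" -SearchBase $GroupOU)) {
        New-ADGroup -Name $name -GroupScope Global -GroupCategory Security `
                    -Path $GroupOU -Description $Groups[$name]
    }
}

# 2. Operators and card users of one office join that office's group.
#    (hypothetical sAMAccountNames)
Add-ADGroupMember -Identity 'UKOffice'     -Members 'op.london', 'alice'
Add-ADGroupMember -Identity 'GermanOffice' -Members 'op.berlin', 'bob'

# 3. The permission check: operator and end user must share at least one of
#    the groups selected in the permission template. Direct membership only;
#    nested groups are not expanded here.
function Test-CmsGroupPermission {
    param(
        [Parameter(Mandatory)] [string] $Operator,
        [Parameter(Mandatory)] [string] $CardUser,
        [string[]] $PermittedGroups = @('UKOffice', 'GermanOffice')
    )
    $opGroups   = (Get-ADPrincipalGroupMembership -Identity $Operator).Name
    $userGroups = (Get-ADPrincipalGroupMembership -Identity $CardUser).Name
    $shared = $PermittedGroups |
        Where-Object { $opGroups -contains $_ -and $userGroups -contains $_ }
    [pscustomobject]@{
        Operator     = $Operator
        CardUser     = $CardUser
        SharedGroups = @($shared)
        Allowed      = [bool]$shared
    }
}

# Same office: UK operator manages UK user.
Test-CmsGroupPermission -Operator 'op.london' -CardUser 'alice'
# Cross office: UK operator must not manage a German user.
Test-CmsGroupPermission -Operator 'op.london' -CardUser 'bob'

# 4. Travelling employee: alice visits the German office, is temporarily added
#    to GermanOffice so op.berlin can manage her card, and is removed again
#    when the visit ends.
Add-ADGroupMember -Identity 'GermanOffice' -Members 'alice'
Test-CmsGroupPermission -Operator 'op.berlin' -CardUser 'alice'
Remove-ADGroupMember -Identity 'GermanOffice' -Members 'alice' -Confirm:$false
```

Run it from a workstation with the AD module against a test OU before applying the layout in production. The first and third Test-CmsGroupPermission calls return Allowed = True and the second returns Allowed = False, which is the same pair of outcomes (success for a same-office pair, refusal for a cross-office pair) that the Test dialog and the issuance check in Step 2 are expected to show once the card template is in place.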