Roles

The role-based model in Axidian CertiFlow provides flexible control over administrator and operator access to Management Console features. Each role is assigned a set of privileges that determine which actions its members can perform.

You can configure roles and privileges in Configuration → Roles. Until you assign the roles, all actions are prohibited.

Prerequisites

During the initial setup of Axidian CertiFlow, access to the Management Console is granted only to a dedicated role administrator account. You can specify the role administrator in the Axidian CertiFlow Configuration Wizard (Access Control → Role Administrator).

info

The role administrator account must have a User Principal Name (UPN) attribute and be a member of the user catalog.

To perform the initial access rights configuration, use the role administrator account to grant Axidian CertiFlow management rights to other users:

1. Log in to the Management Console under the role administrator account.
2. Go to Configuration → Roles.
3. Click next to the Administrator role.
4. In the Role membership list, select Add.
5. Add all users who require full access to Management Console features, including role management. Select:
   • Group to add a user group. In the search bar, enter the group's Common Name to find it.
   • User to add a specific user. In the search bar, enter the user's Common Name or Login to find them.
6. Click Save.

All users with the Administrator role can create new roles, assign privileges, and add users to roles.

Default roles

Axidian CertiFlow includes the Administrator and Operator roles by default.

Administrator	Maximum set of privileges Access to all sections This role is intended for specialists responsible for the configuration and operation of Axidian CertiFlow
Operator	Limited set of privileges No access to modify settings in the Configuration section This role is intended for specialists responsible for managing Axidian CertiFlow objects

Privileges

Privilege	Administrator	Operator
User
Finding users
Viewing user
Unlocking user
Resetting security questions
Setting photo
Resetting user password
Assigning CA user
Configuration
Viewing policy
Creating policy
Changing policy
Removing policy
Viewing policy link
Creating policy link
Changing policy link
Removing policy link
Viewing license
Adding license
Removing license
Viewing card type
Adding card type
Changing card type
Removing card type
Viewing role
Creating role
Changing role
Removing role
Viewing tag
Creating tag
Changing tag
Removing tag
Viewing print template
Adding print template
Changing print template
Removing print template
Viewing mail server settings
Changing mail server settings
Viewing recipient groups
Creating recipient groups
Changing recipient groups
Removing recipient groups
Viewing administrator notifications
Creating administrator notifications
Changing administrator notifications
Removing administrator notifications
Viewing administrator templates
Changing administrator templates
Viewing custom log dictionary
Creating custom log dictionary
Changing custom log dictionary
Removing custom log dictionary
Viewing custom log template
Creating custom log template
Changing custom log template
Removing custom log template
Event log
Viewing event log
Dashboard
Viewing dashboard
Card
Viewing card repository
Viewing card details
Adding card
Changing comment
Changing tags
Showing administrator PIN
Changing administrator PIN
Setting administrator PIN
Initializing card
Assigning card
Issuing card
Enabling card
Disabling card
Updating card
Canceling card updating
Replacing card
Resetting PIN
Changing PIN
Locking card
Unlocking card
Printing card
Revoking card
Cleaning card
Unassigning card
Removing card
AirCard
Change AirCard bindings
Removing AirCard
Agents
Viewing agent repository
Changing agent card bindings
Updating agent status
Removing agent
Updating agent name
Updating agent comment
Removing task
Documents
Adding document
Changing document
Removing document
Approving document
Custom logs
Viewing custom log
Adding record to custom log
Changing record in custom log
Removing record from custom log

Role types

Global	Permissions apply to all card usage policies.
Local	Permissions apply only to the specific policies to which this role is bound. Members of a local role can manage only those users who fall under the scope of its assigned policies.

info

You cannot change a role's type after it has been created.

Create a role

Global

To create a global role:

1. In the Roles section, click Create role.
2. Specify the role's name.
3. Select the Global role type.
4. To add role members, select Add in the Role Membership parameter.
5. Select one the options:

• Group to add a user group. In the search bar, enter the group's Common Name to find it.
• User to add a specific user. In the search bar, enter the user's Common Name or Login to find them.

6. Click Save.
7. Assign privileges to the role members.
8. Click Create.

Local

To create a local role:

1. In the Roles section, select Create role.
2. Specify the role's name.
3. Select the Local role type.
4. Assign privileges to the role members.
5. Click Create.
6. To add role members, go to Configuration → Policy Assignments.
7. Click next to the required policy.
8. In the Roles parameter, click Add role.
9. Select the local role you created and click Add.
10. Click Save.

For more information, see Policy assignment.

Card Monitor service role

To run the Card Monitor service, create a dedicated service role containing the account used by the service, and grant it the following privileges:

• Disabling card
• Updating card
• Canceling card updating
• Revoking card
• Cleaning card
• Unassigning card
• Removing card
• Removing agent
• Removing task
• Removing record from custom log

If Axidian CertiFlow is integrated with Axidian AirCard Enterprise, assign the Deleting AirCard privilege.