
Authorization Manager (AzMan)

Overview

The Microsoft Authorization Manager (AzMan) creates and manages an Authorization Store, which serves as a repository for DigitalPersona LDS authorization policies and defines a namespace for DigitalPersona LDS roles, tasks, and operations.

Installation and administration of the Microsoft Authorization Manager tool should be performed by a member of the computer’s local Administrators group.

Although the group names, roles and tasks defined by DigitalPersona LDS can be customized, the operations themselves cannot be modified. You can change which operations are included in a given task, but removing a critical operation from a task may cause that task to fail.

Those roles, tasks and operations defined by default during installation are described below.

Definition of terms

Operations – A set of permissions that are associated with system-level or API-level security procedures such as WriteAttributes or ReadAttributes. Operations are building blocks for tasks.

Tasks – A collection of operations and sometimes other tasks. Well-designed tasks represent recognizable work items (for example, “submit purchase order” or “submit expense”).

Groups – There are two types of AzMan groups used by DigitalPersona LDS: Windows Groups and AzMan Groups.

  • Windows Groups: standard Windows groups of any scope (Local, Global or Universal) supported by the Windows OS and Active Directory.
  • AzMan Groups: the only AzMan application group type used by DigitalPersona LDS is the LDAP Query Group. In AzMan, an LDAP query finds objects in the DigitalPersona AD LDS instance or in Active Directory. To define an LDAP query group, type the LDAP query on the Query tab of the application group’s Properties dialog box.

LDAP Query Groups

The following two LDAP Query Groups are predefined by DigitalPersona LDS.

Group name: DigitalPersona AD Users
LDAP query: (&(objectCategory=userProxy)(objectClass=userProxy))
Description: All user accounts in the DigitalPersona AD LDS database which also exist in the Active Directory database. Active Directory users are automatically added to this group upon enrollment.

Group name: DigitalPersona Users
LDAP query: (&(objectCategory=person)(objectClass=user)(dpAccountName=*))
Description: All user accounts in the DigitalPersona AD LDS database which do not exist in the Active Directory database. Users are automatically added to this group upon enrollment if they are not in Active Directory.
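The two queries above decide who receives the predefined roles, so it is worth resolving them against the directory before changing role assignments. The following PowerShell script is an added example and is not part of the DigitalPersona LDS product or this guide; it runs the two filters from the table against the AD LDS instance through System.DirectoryServices and lists the resulting members. The host, port and partition DN are hypothetical placeholders, and the script runs as the current Windows user, who needs read access to the partition. The final query is a consequence of the two filters rather than a group the product defines: a user object without dpAccountName matches neither query and therefore holds no role.

```powershell
# Added example; not part of the DigitalPersona LDS product or this guide.
# Resolves the two predefined LDAP query groups against the AD LDS instance so you
# can see which accounts each group (and therefore the Manage Self role) contains.
# ASSUMPTIONS (hypothetical placeholders): the AD LDS host:port and the partition DN.
param(
    [string]$Server    = 'lds.example.com:50000',
    [string]$Partition = 'DC=DigitalPersona,DC=example,DC=com'
)
Add-Type -AssemblyName System.DirectoryServices

$root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/$Partition")

# Filters copied from the LDAP Query Groups table above.
$groupFilters = [ordered]@{
    'DigitalPersona AD Users' = '(&(objectCategory=userProxy)(objectClass=userProxy))'
    'DigitalPersona Users'    = '(&(objectCategory=person)(objectClass=user)(dpAccountName=*))'
}

function Find-Entries {
    param([string]$Filter)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $Filter)
    $searcher.SearchScope = 'Subtree'
    $searcher.PageSize    = 500   # paged search, so the server-side size limit does not silently truncate results
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    [void]$searcher.PropertiesToLoad.Add('dpAccountName')
    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) {
            $dpName = $null
            if ($r.Properties.Contains('dpaccountname')) { $dpName = [string]$r.Properties['dpaccountname'][0] }
            [pscustomobject]@{
                DistinguishedName = [string]$r.Properties['distinguishedname'][0]
                DpAccountName     = $dpName
            }
        }
    } finally {
        $results.Dispose()   # SearchResultCollection holds unmanaged handles
    }
}

foreach ($name in $groupFilters.Keys) {
    $members = @(Find-Entries -Filter $groupFilters[$name])
    '{0}: {1} member(s)' -f $name, $members.Count
    $members | ForEach-Object { "    $($_.DistinguishedName)" }
}

# Derived check (not a product-defined group): user objects with no dpAccountName match
# neither query, so they hold no role and no Manage Self task until enrollment sets the
# attribute. These are the accounts behind "exists but gets access denied" reports.
$unenrolled = @(Find-Entries -Filter '(&(objectCategory=person)(objectClass=user)(!(dpAccountName=*)))')
'User objects matching neither group (no dpAccountName): {0}' -f $unenrolled.Count
$unenrolled | ForEach-Object { "    $($_.DistinguishedName)" }
```

Run it from a machine that can reach the AD LDS port; if the AzMan store itself uses different filters (for example after someone edited the Query tab), copy the current filter text from the application group’s Properties dialog into the table in the script so the comparison reflects what AzMan actually evaluates.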

To add an additional application group

  • Right-click the Groups node and select New Application Group.

Definitions

The Definitions node contains two types of definitions: Role Definitions and Task Definitions.

Role Definitions

Each AzMan Role has the following properties.

  • Role Name
  • List of Users and Groups belonging to the Role
  • List of AzMan Tasks assigned to this Role

The following DigitalPersona LDS AzMan roles are predefined.

Role name: DigitalPersona AD Users
Group: DigitalPersona AD Users (AzMan group)
Default tasks: Manage Self
Description: All Active Directory users have this role assigned. It allows reading and writing public LDAP attributes from/to the DigitalPersona AD LDS database.

Role name: DigitalPersona Users
Group: DigitalPersona Users (AzMan group)
Default tasks: Manage Self
Description: All DigitalPersona LDS users who do not exist in the Active Directory database have this role assigned. It allows reading and writing public LDAP attributes from/to the DigitalPersona AD LDS database.

Role name: Security Officers
Group: Administrators (Windows local group)
Default tasks: Query Users, Enroll Users
Description: By default only Windows users which belong to the local Administrators group on a machine where DigitalPersona LDS Server is installed have this role assigned. It allows enrolling credentials for any type of user in the DigitalPersona AD LDS database. Domain Administrators are assigned this role automatically during setup.

Role name: Administrators
Group: Administrators (Windows local group)
Default tasks: Query Users, Manage Users, Enroll Users, Manage Licenses, Manage Policies
Description: By default only Windows users which belong to the local Administrators group on a machine where DigitalPersona LDS Server is installed have this role assigned. Local administrators are assigned this role automatically during setup. It allows practically any operation on DigitalPersona AD LDS users.

Task Definitions

The following authorization tasks are predefined.

Enroll Customers

User can enroll other customers (non-Active Directory users). Default operations included are: Create User, Enroll Customer Credentials, Modify User Info and Set User Account Control.

Enroll Employees

User can enroll other employees (Active Directory users). Default operations included are: Create User, Enroll Employee Credentials, Modify User Info and Set User Account Control.

Enroll Self

User can enroll their own credentials. Default operations included are: Self Create User and Self Enroll Credentials.

Enroll Users

User can enroll other DigitalPersona users. Default operations included are: Create User, Enroll Credentials, Modify User Info and Set User Account Control.

Manage Licenses

User can activate DigitalPersona LDS licenses. Default operations included are: Activate License.

Manage Policies

User can create and manage DigitalPersona LDS policies. Default operations included are: Assign Policies, Create Policies and Delete Policies.

Manage Self

User can manage their own DigitalPersona account. Default operations included are: Get Own Info and Modify Own Info.

Manage Users

User can manage other DigitalPersona users and their accounts. Default operations included are: Create User, Delete User, Enroll Credentials, Modify User Info, Recover User, Set User Account Control and Unlock User Account.

Query Self

User can query the DigitalPersona LDS database for their own information. Default operations included are: Get Own Info.

Query Users

User can query the DigitalPersona LDS database for user information. Default operations included are: Get User Info.

Authorization Operations

The following authorization operations are predefined.

  • Activate License – Activates a product license.
  • Assign Policies – Assigns a policy to a DigitalPersona LDS group.
  • Create Policies – Create a DigitalPersona LDS policy.
  • Create User – Create a DigitalPersona LDS non-AD user record.
  • Delete Policies – Delete DigitalPersona LDS policies.
  • Delete User – Delete a DigitalPersona LDS non-AD user.
  • Enroll Credentials – Enroll DigitalPersona LDS non-AD user credentials.
  • Enroll Customer Credentials – Enroll customer (DigitalPersona LDS non-AD user) credentials.
  • Enroll Employee Credentials – Enroll employee (AD user) credentials.
  • Get Own Info – Query the DigitalPersona LDS database for the user’s own information (attributes).
  • Get User Info – Query the DigitalPersona LDS database for user information (attributes).
  • Modify Own Info – Change the user’s own DigitalPersona LDS user information.
  • Modify User Info – Change DigitalPersona LDS user information.
  • Recover User – Perform user recovery. (This feature is not implemented in the current version. The operation is reserved for future use.)
  • Self Create User – Create the user’s own DigitalPersona LDS record. Must be a Windows AD user.
  • Self Enroll Credentials – Enroll own user credentials without needing the Security Officer role.
  • Set User Account Control – Set user account control bits.
  • Unlock User Account – Remove the lock from a user account.

Enabling self-enrollment

You can enable DigitalPersona (AD/Employee and LDS/Customer) users to enroll and manage their own DigitalPersona LDS credentials by adding the Enroll Self task to the predefined DigitalPersona AD Users or DigitalPersona Users role, or to another role that you create.

WARNING: If you are using DigitalPersona Attended Enrollment to enroll users, self-enrollment should not be enabled for the same group of users.
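Because tasks can be edited in the MMC and a missing operation only shows up as a failing task (see the Overview), and because self-enrollment is enabled by editing a role rather than by a dedicated switch, it helps to audit the store periodically. The following PowerShell script is an added example, not part of the DigitalPersona LDS product or this guide. It opens the AzMan store through the standard Windows AzRoles COM API, compares each predefined task against the default operations listed in the Task Definitions section, and reports every role that grants Enroll Self together with its members, which is the list to reconcile against the groups enrolled through Attended Enrollment. The store URL and application name are hypothetical placeholders; read the real ones from the Authorization Manager MMC. Operation names follow the Authorization Operations section; if your store uses different spellings, adjust the table at the top.

```powershell
# Added example; not part of the DigitalPersona LDS product or this guide.
# Audits the AzMan store against the predefined task/operation layout documented above
# and lists which roles (and members) allow self-enrollment.
# ASSUMPTIONS (hypothetical placeholders): store URL and application name. Copy the real
# values from the Authorization Manager MMC (store Properties / application node).
param(
    [string]$StoreUrl        = 'msldap://lds.example.com:50000/CN=DigitalPersona,CN=AzManStore,DC=example,DC=com',
    [string]$ApplicationName = 'DigitalPersona'
)

# Default operations per task, transcribed from the Task Definitions section.
$DefaultTaskOperations = @{
    'Enroll Customers' = @('Create User', 'Enroll Customer Credentials', 'Modify User Info', 'Set User Account Control')
    'Enroll Employees' = @('Create User', 'Enroll Employee Credentials', 'Modify User Info', 'Set User Account Control')
    'Enroll Self'      = @('Self Create User', 'Self Enroll Credentials')
    'Enroll Users'     = @('Create User', 'Enroll Credentials', 'Modify User Info', 'Set User Account Control')
    'Manage Licenses'  = @('Activate License')
    'Manage Policies'  = @('Assign Policies', 'Create Policies', 'Delete Policies')
    'Manage Self'      = @('Get Own Info', 'Modify Own Info')
    'Manage Users'     = @('Create User', 'Delete User', 'Enroll Credentials', 'Modify User Info',
                           'Recover User', 'Set User Account Control', 'Unlock User Account')
    'Query Self'       = @('Get Own Info')
    'Query Users'      = @('Get User Info')
}

# AZ_AZSTORE_FLAG_MANAGE_STORE_ONLY (2): open the store for administration only,
# without loading it for access checks. Signature: Initialize(flags, url, reserved).
$store = New-Object -ComObject AzRoles.AzAuthorizationStore
$store.Initialize(2, $StoreUrl, $null)
$app = $store.OpenApplication($ApplicationName, $null)

$findings = @()

# 1. Predefined tasks must still carry their default operations; a removed critical
#    operation makes the task fail at run time rather than at edit time.
foreach ($task in $app.Tasks) {
    if ($task.IsRoleDefinition) { continue }   # role definitions are checked in step 2
    if (-not $DefaultTaskOperations.ContainsKey($task.Name)) { continue }
    $present = @($task.Operations)
    foreach ($op in $DefaultTaskOperations[$task.Name]) {
        if ($present -notcontains $op) {
            $findings += "Task '$($task.Name)' is missing default operation '$op'"
        }
    }
}

# 2. Role definitions that directly include Enroll Self (nested tasks are not followed).
$selfEnrollDefs = @()
foreach ($task in $app.Tasks) {
    if ($task.IsRoleDefinition -and (@($task.Tasks) -contains 'Enroll Self')) {
        $selfEnrollDefs += $task.Name
    }
}

# 3. Role assignments that grant self-enrollment, either through such a role definition
#    or by listing the Enroll Self task directly, with the Windows and AzMan members.
foreach ($role in $app.Roles) {
    $roleTasks = @($role.Tasks)
    $via = @($roleTasks | Where-Object { $selfEnrollDefs -contains $_ })
    if ($roleTasks -contains 'Enroll Self') { $via += 'Enroll Self (direct)' }
    if ($via.Count -gt 0) {
        $members = @($role.MembersName) + @($role.AppMembers) | Where-Object { $_ }
        $findings += ("Role '{0}' allows self-enrollment via {1}; members: {2}" -f
            $role.Name, ($via -join ', '), ($members -join ', '))
    }
}

# 4. Show the LDAP query behind each application group, since membership of the
#    predefined roles is entirely driven by these filters.
foreach ($grp in $app.ApplicationGroups) {
    if ($grp.Type -eq 1) {   # AZ_GROUPTYPE_LDAP_QUERY
        "LDAP query group '{0}': {1}" -f $grp.Name, $grp.LdapQuery
    }
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

Run the script as a member of the local Administrators group on the DigitalPersona LDS Server, since that is the account that can open the store. A role reported in step 3 whose members are also enrolled through DigitalPersona Attended Enrollment is exactly the overlap the warning above tells you to avoid.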