Administrator Roles (Delegated Administration)
Imprivata uses administrator roles and sub-Administrator roles with nested scope so you can delegate administrative authority throughout the enterprise.
Note that scoping administrator roles by site relates to the end-user computers those Administrators can manage, not to the end-users they can manage. End-user scoping is related to domains and organizational units (OUs) and is unrelated to Imprivata sites.
Delegated administration employs three important concepts: administrative operations, scope of delegation, and inheritance of these two properties, described in the following sections.

Imprivata provides three levels of administrator roles. There can be any number of users assigned to an administrator role. You do not have to use all three levels; you can create all administrator roles from the Super Administrator role.
The Super Administrator
There is only one Super Administrator role, named Super Administrator, and it cannot be edited or deleted. The Super Administrator can perform all operations in the enterprise. All other administrator roles are subordinate to the Super Administrator role, including any other roles you create with enterprise-wide scope and full operational authority.
Administrators
You can create as many subordinate roles as you need, and have any number of users in each role. Administrators in subordinate roles can run reports allowed by their role, but they do not see results from actions that occur outside their scope.
Each administrator is a member of an administrator role. Multiple Administrators can share a role, but an administrator can have only one administrator role.

Operations are the administrative activities that an administrator can perform. Imprivata allows fine granularity of delegated administration to create a variety of specialist administrator roles based on users, administrative operations, or geography.
An administrator role can include individual activities or whole classes of activities. For example, you can create an administrator role with only APG-related authority. Other examples of administrator roles limited by operations might include Help Desk Administrator, Application Profile Creator, ID Token Administrator, and Compliance Auditor.
Imprivata operations can be further restricted by administrative scope, described in Understanding Administrator Scope.
Administrator Operations
The following tables list the attributes that are available and can be assigned to administrator roles.

Operation(s) | Description |
---|---|
Update System Properties | Ability to define system operations and maintenance such as the following: |
System Lockdown | Administrators with System Lockdown privileges can still access Imprivata applications when they are locked down. |
Upload License | Allows users to upload new license files to the Imprivata appliance. |
Edit Email Notification Templates | Edit the templates for standard email notifications. |
Maintain Audit Log | Gives the user the ability to maintain Imprivata audit logs. Users with this role are allowed either to delete and archive, or only to archive, audit records. |
Download Agent MSI Files | Allows the user to download the agent MSI files. Both 32-bit and 64-bit MSI files are available for download. |
Create/Edit Security Questions; Delete Security Questions | Allows users to maintain the security questions used by Imprivata Self-Services. |
Create/Edit Procedure Code; Delete Procedure Code; Update Extension Object | Extends the capabilities of Enterprise Access Management with extension objects or procedure codes. Two extension objects are available: Carefx and MediTech. Other procedure codes can be created as command sequences to be executed as batch files or VBS scripts. |
Enable/disable temporary codes | Allows administrators to turn the temporary codes feature on and off for the whole enterprise. |
Update proxy to RADIUS; Delete proxy to RADIUS; Enable/disable proxy to RADIUS; Update RADIUS host clients; Delete RADIUS host clients | The Imprivata appliance has a built-in RADIUS server that can be configured to be a trusted client to other external servers. |
Configure ProveID | ProveID is a built-in API that allows external applications to access the Imprivata agent's authentication services and devices. The external application's name is mapped to the name used in the application profile within SSO. |
Edit Sites | Sites are configured during the setup of an Imprivata enterprise with a Single Sign-On license. An Imprivata enterprise may have multiple sites, and each site may have multiple appliances. This role allows users to edit and manage existing sites within an enterprise. |
Configure Virtual Desktop Access | Configure system settings for using Imprivata applications on virtual desktops. |

Operation(s) | Description |
---|---|
Create/Edit User Policy; Delete User Policy; Assign User Policy | User policies are assigned to users across the enterprise. User policies apply to the user wherever the user authenticates, even at a satellite office at another Imprivata site. User policies allow you to set different authentication parameters for different user groups. User policies are configured on the User policies page (Users menu > User policies). |
Update Computer Policy; Delete Computer Policy | Computer policies govern security-related behaviors that are controlled at specific computers. A computer policy created by an Administrator at one site is available to Administrators across the enterprise at any Imprivata site. The Computer Policies page under the Computers menu lists the computer policies and the number of computers that use them. |
Add/edit computer policy assignment rules | |
Run Computer Policy Assignment Rules | Restricts an Administrator from running computer policy assignment rules. When unchecked, the following actions are disabled for the administrator: in the Imprivata Admin Console, under Computers > Computers, after selecting checkboxes for one or more computers and clicking Apply Policy, the option "Apply a policy based on current policy assignment rules for the selected computers" is disabled; under Computers > Computer policy assignment, the Run rule now button is disabled. When unchecked, this action is disabled for the Administrator even if Add/edit computer policy assignment rules is enabled. |

Operation(s) | Description |
---|---|
Add/Edit Users | Allows the administrator to add or edit users after the connection between the Imprivata Directory and an external source (Microsoft AD) is established. |
Enable/Disable User | Allows the administrator to enable and disable users. Users must be enabled to use SSO and other Imprivata application privileges. |
Notify User | Allows the administrator to send notifications to users via email from the Imprivata Admin Console. Notifications can include requests to install the Imprivata agent or enroll security questions. |
Delete User | Allows the administrator to delete users from the Imprivata directory. |
Unlock User | Allows the administrator to unlock user accounts if they are locked out. |
Reset Imprivata Directory User Password | Allows the administrator to reset an Imprivata domain user's password and PIN. |
Notify Imprivata Directory User | Allows the administrator to send notifications to users from the Imprivata domain. |
Generate/revoke temporary codes | Allows administrators to generate temporary codes for Remote Access users who have misplaced their device and need to log in. See Temporary Codes for Remote Access. |
Create/Edit User Directory Connection | Allows the administrator to create new connections or edit existing connections between the Imprivata directory and an external server. |
Preview Synchronize to User Directory; Synchronize to User Directory | Allows the administrator to perform a manual synchronization of the user database and preview the synchronization before committing to the import. Both options must be selected for the administrator to perform these functions. |
Delete Domain | Allows the administrator to delete an existing Imprivata Directory and create a new directory. It is recommended that the Create/Edit User Directory Connection role also be selected. |
Trust/Upload TLS Certificate; Delete TLS Certificate | Allows the administrator to upload new TLS certificates or delete an existing trusted TLS certificate. Both roles must be selected for the administrator to perform these operations. TLS certificates are required for operations that allow users to change their Imprivata password, such as the Self-Service Password Reset feature. |
Upload Kerberos Key; Delete Kerberos Key | Allows the administrator to upload a Kerberos keytab file to the Imprivata appliance. |
Update Imprivata Directory pending users; Delete Imprivata Directory pending users; Approve Imprivata Directory pending users | Allows the administrator to update the status of pending users. All three roles must be assigned to the administrator to perform this function. Pending users are users who are imported from a CSV file as potential Imprivata users. After import, they are assigned a Pending status. |
Update Computers; Delete Computers; Assign Computer Policy | Allows the administrator to update computer records, such as by assigning computer policies. Computers are automatically added to the Computers page (Imprivata Admin Console > Computers menu > Computers) when an Imprivata agent is installed and the agent communicates with the Imprivata appliance. If a computer is deleted, it will be re-added the next time the Imprivata agent pings the Imprivata server. See Managing Computer Accounts and Creating and Managing Computer Policies. |
Create/Edit Administrator Roles; Delete Administrator Roles | Allows the administrator to create and delete additional administrator roles. There can only be one Super Administrator role. |

See Using Reporting Tools and Configuring Event Notifications for more information about the functions described in the following table.
Functions | Description |
---|---|
View Report; Update Report | Allows the administrator to view and update Imprivata reports. Both roles must be selected. |
Delete Report | Allows the administrator to delete existing Imprivata reports. |
Export Report | Allows the administrator to export Imprivata data to a .CSV file. |
Create/Edit Notification; Enable/Disable Notification | Allows the user to create and edit event notifications. Both roles must be selected. |
Delete Notification | Allows the user to delete existing event notifications. |
Note: To create and run an Administrator Activity report, in the Imprivata Admin Console, go to Reports > Add new report.

See Managing OneSpan (VASCO) OTP Tokens and Managing an Individual OneSpan (VASCO) OTP Token for more information about managing OneSpan (VASCO) OTP tokens, including the functions described in the following table.
Functions | Description |
---|---|
Create/Edit ID Token Server Connection; Update Kernel Parameters | Allows the administrator to configure Imprivata as a trusted RADIUS client in an external ID token system's administration console. |
Import DPX Files | Allows the administrator to import .DPX files via the Imprivata Admin Console. A .DPX file is provided by a OneSpan/VASCO OTP token vendor; it contains all information about the tokens that is required for users to use OneSpan/VASCO OTP tokens as an authentication method. |
Change Token Status | Allows the administrator to change the status of a OneSpan/VASCO OTP token. |
Delete Tokens | Allows the administrator to delete imported OneSpan/VASCO OTP tokens from the system. |
Reset Tokens | Allows the administrator to reset a disabled OneSpan/VASCO OTP token. |
Reset Token PIN; Change Token PIN | Allows the administrator to reset and change a OneSpan/VASCO OTP token's static PIN. |
Generate Unlock PIN | Allows the administrator to unlock a locked OneSpan/VASCO OTP token. |
Generate Virtual OTP | Allows the administrator to generate a one-time password for a OneSpan/VASCO OTP token in the event the token is lost or forgotten. |
Assign tokens | Allows the administrator to assign OneSpan/VASCO OTP tokens to users. |

See Single Sign-On and Draft Application Profiles for more information about configuring Single Sign-On settings and profiling applications with the Application Profile Generator.
Functions | Description |
---|---|
Create/Edit Application | Allows the administrator to create new application profiles and edit existing application profiles. |
Enable/Disable Application | Allows the administrator to enable or disable application profiles. Application profiles must be enabled to allow SSO privileges to that application. |
Delete Application | Allows the administrator to delete application profiles. |
Create/Edit Container | Allows the administrator to create new containers or edit existing containers. A container is a terminal emulator or other program that allows an application to be hosted on a mainframe or a UNIX server and used on a desktop. |
Delete Container | Allows the administrator to delete existing containers. |
Edit Shared Credential Store | Allows the administrator to edit existing credential stores. Credential stores are created when one or more applications share the same username and password. |
Upload Application/Container XML; Download Application/Container XML | Allows the administrator to import or export application profile details via XML file. |
Update Provisioning System Adaptors; Delete Provisioning System Adaptors | Allows administrators to update and delete provisioning adaptors. Both roles must be selected. |
Enable/Disable Provisioning System Adaptors | Allows administrators to enable or disable provisioning system adaptors. |
Update Provisioning Security | Allows administrators to update provisioning system adaptor security settings. |

Functions | Description |
---|---|
Update workflow policy | Configure the authentication methods allowed for each workflow and associate user policies with MFA workflows. See Configuring the Enterprise Access Management MFA Workflow Policy. |
Update EMR applications | Configure EMR applications for use with Enterprise Access Management MFA. |

Understanding Administrator Scope
The scope of an administrator role determines the users and computers that Administrators in the role can see and act upon. Note that site scope does not control which end users an administrator can manage; end-user scoping is related to domains and organizational units (OUs) and is unrelated to Imprivata sites.
A Super Administrator can act upon all users and computers within an enterprise. Other administrator roles can be restricted in scope:
- User scope can be restricted by domains, and by OUs within domains. Users are affected by User Policies, described in Creating and Managing User Policies.
- Computer scope can be restricted to specific Imprivata sites. Computers are affected by Computer Policies, described in Creating and Managing Computer Policies.

Imprivata allows any number of administrator roles, each with a different set of operations and a different scope of sites or users. You can derive a new, limited administrator role from another administrator role. The new role can then be further restricted to have different operations and scope, based on your organizational needs.
Example
Consider four administrator roles:
- Super Administrators have global scope and can perform all operations. The Super Administrator role comes with Imprivata, so you do not have to create it. It is recommended that at least two people per site or region be assigned to this role, to avoid the scenario where one person leaves or no one else has access to that person's credentials. Super Administrator responsibilities include managing users and AD synchronization, application profiles, reporting, managing sites, and full ownership of the Imprivata Admin Console functions. The Super Administrator role should not be changed from the default.
- Headquarters Site Administrators can perform all operations within a limited scope (the Headquarters site only). This role was based on the Super Administrator role, and the scope was restricted to all computers within the Headquarters site.
- Compliance Auditor Administrators can perform only reporting operations, but have access to information across the entire enterprise. This role was based on the Super Administrator role, and the operations were restricted to reporting operations.
- Headquarters Compliance Auditors can perform only reporting operations, and can perform them within the Headquarters site only. This role could be based on either the Headquarters Site Administrator role or the Compliance Auditor role. The operations are restricted to reporting only, and the scope is restricted to all computers within the Headquarters site.
When choosing which role to use as a base for a new role, consider inheritance:
- If you are likely to change the scope of the role, take advantage of Imprivata delegated administration inheritance by basing the role on the Headquarters Site Administrator. Then, as the scope of the Headquarters Site Administrator changes, the scope of the subordinate role changes with it.
- If you expect to change the operations available to the role, base the subordinate role on an operationally based role. If you decide to add the Properties > Maintain Audit Log operation to the Compliance Auditor role, the subordinate roles inherit the same operational capabilities as the changes occur.
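To make the scope, operation and inheritance rules from the sections above concrete, here is an added toy model (example code, not Imprivata's own implementation). It assumes a role stores only its own restriction and resolves the rest through a live link to its base, that computer scope is a set of sites while user scope is a set of domain or domain/OU paths, and that a subordinate role can narrow but never widen what its base grants; the site, domain and role names other than the page's four example roles are constructed.

```python
"""Toy model of delegated administration (added example, not Imprivata code).
Assumptions: a role holds an operation set, a computer scope (sites) and a user
scope (domain or domain/OU paths); a derived role stores only its own restriction
and resolves the rest through a live link to its base, so base changes propagate."""
from dataclasses import dataclass
from typing import Optional, Set

# Constructed sample data: operation names from this page, made-up site and domain names.
ALL_OPERATIONS = {"Add/Edit Users", "Delete User", "Update Computers", "Assign Computer Policy",
                  "View Report", "Update Report", "Export Report", "Maintain Audit Log"}
REPORTING_OPERATIONS = {"View Report", "Update Report", "Export Report"}
ALL_SITES = {"Headquarters", "Boston Clinic", "Remote Office"}
ALL_DOMAINS = {"corp.example"}

def _covered(path: str, scope: Set[str]) -> bool:
    """True if path equals or lies beneath an entry of scope ('corp.example' covers 'corp.example/Clinicians')."""
    parts = path.split("/")
    return any(parts[:len(e.split("/"))] == e.split("/") for e in scope)

@dataclass
class Role:
    name: str
    base: Optional["Role"] = None          # None only for the Super Administrator
    operations: Optional[Set[str]] = None  # None = inherit the base's operations unchanged
    sites: Optional[Set[str]] = None       # computer scope: sites whose computers this role may manage
    domains: Optional[Set[str]] = None     # user scope: domain or domain/OU paths, unrelated to sites

    def effective_operations(self) -> Set[str]:
        inherited = self.base.effective_operations() if self.base else set(ALL_OPERATIONS)
        # Intersection: a subordinate role can narrow what its base grants, never widen it.
        return inherited if self.operations is None else inherited & self.operations

    def effective_sites(self) -> Set[str]:
        inherited = self.base.effective_sites() if self.base else set(ALL_SITES)
        return inherited if self.sites is None else inherited & self.sites

    def effective_domains(self) -> Set[str]:
        inherited = self.base.effective_domains() if self.base else set(ALL_DOMAINS)
        if self.domains is None:
            return inherited
        return {d for d in self.domains if _covered(d, inherited)}  # only paths under the base's scope

    def can_manage_computer(self, operation: str, site: str) -> bool:
        return operation in self.effective_operations() and site in self.effective_sites()

    def can_manage_user(self, operation: str, user_path: str) -> bool:
        return operation in self.effective_operations() and _covered(user_path, self.effective_domains())

def build_example_roles():
    """The four roles from this page's example; the HQ auditor is derived from the HQ site administrator."""
    super_admin = Role("Super Administrator")
    hq_admin = Role("Headquarters Site Administrator", base=super_admin, sites={"Headquarters"})
    auditor = Role("Compliance Auditor", base=super_admin, operations=set(REPORTING_OPERATIONS))
    hq_auditor = Role("Headquarters Compliance Auditor", base=hq_admin, operations=set(REPORTING_OPERATIONS))
    return super_admin, hq_admin, auditor, hq_auditor
```

Because `effective_*` is resolved through the base at call time, widening `hq_admin.sites` immediately widens the Headquarters Compliance Auditor, which is the inheritance behaviour the text describes; a role that tries to grant itself more than its base holds ends up with nothing extra.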