Granular Helpdesk Rights

Status: Accepted

AAF offers a dedicated Helpdesk Interface that, among other things, lets operators manage authenticators, share authenticators and search for card holders. Accounts assigned to the Helpdesk role within the AAF solution gain access to all managed accounts and enrolled tokens. Work with international customers (e.g. Schwarz IT) has shown that these access rights are not sufficient.
Customers present in several countries also run separate local helpdesk/ops teams. As a result, these teams should only be allowed to manage a limited set of accounts, or may need their abilities restricted (e.g. to unlocking users only).

Solution Description
AAF should allow a customer to create a kind of view that limits the set of accounts that can be seen. In addition, it seems useful to create additional helpdesk roles that limit the available functionality. Roles and views could then be combined to define the access rights of a set of helpdesk administrators.
This follows the idea that Micro Focus implements with DRA for managing Active Directory environments: DRA uses a combination of groups, views and powers to describe access rights. Equivalent functionality within AAF would help to assign and manage administrative rights within the solution.
This will help customers like Schwarz IT, WACKER, Evonik and others to implement a strict access concept.
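As an added illustration (not AAF product code and not part of this proposal), the following Python sketch models the proposed combination of views (which accounts a helpdesk admin can see) and roles (which actions they may perform), assigned per admin group the way DRA combines groups, views and powers. The action names, account attributes and sample teams are assumptions.

```python
from dataclasses import dataclass

# Helpdesk actions the interface exposes (illustrative names, assumed here).
ACTIONS = frozenset({"search", "unlock", "manage_authenticators", "share_authenticators"})

@dataclass(frozen=True)
class Account:
    name: str
    country: str
    org_unit: str

@dataclass(frozen=True)
class View:
    """Limits which accounts can be seen: a filter on account attributes (empty = any)."""
    name: str
    countries: frozenset = frozenset()
    org_units: frozenset = frozenset()

    def contains(self, account):
        return ((not self.countries or account.country in self.countries) and
                (not self.org_units or account.org_unit in self.org_units))

@dataclass(frozen=True)
class Role:
    """Limits what can be done: a subset of ACTIONS (e.g. an unlock-only helpdesk)."""
    name: str
    actions: frozenset

@dataclass(frozen=True)
class Assignment:
    """One (admin group, view, role) triple, modelled on DRA's groups/views/powers."""
    group: str
    view: View
    role: Role

def can(admin_groups, assignments, action, account):
    """Deny by default: allow only if some assignment for one of the admin's groups
    both scopes the account (view) and permits the action (role)."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    return any(a.group in admin_groups and a.view.contains(account) and action in a.role.actions
               for a in assignments)

def visible(admin_groups, assignments, accounts):
    """Accounts a helpdesk admin may see: the union of the views assigned to their groups."""
    return [acc for acc in accounts if can(admin_groups, assignments, "search", acc)]

# Constructed sample data: a German team with full helpdesk powers over German accounts,
# a Polish team restricted to searching and unlocking Polish accounts.
FULL_HELPDESK = Role("helpdesk", ACTIONS)
UNLOCK_ONLY = Role("helpdesk-unlock", frozenset({"search", "unlock"}))
ASSIGNMENTS = [
    Assignment("helpdesk-de", View("DE accounts", countries=frozenset({"DE"})), FULL_HELPDESK),
    Assignment("helpdesk-pl", View("PL accounts", countries=frozenset({"PL"})), UNLOCK_ONLY),
]
ACCOUNTS = [Account("alice", "DE", "sales"), Account("piotr", "PL", "ops")]
```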