The Approval Manager module, when licensed, provides the option to require dual authentication for add, edit or delete operations performed through the ADSS Server Console. It ensures that no change is made unnoticed within the ADSS Server Console. When dual control is enabled, if one user performs a configuration operation that creates, edits or deletes any element in any record, that action is left pending until a second user (the Security Officer) has approved the operation. Both users must have suitable privileges to access the Approval Manager. This ensures that critical changes cannot be made without considered approval by two suitably privileged members of staff.

An ADSS Server user who has access to the Approval Manager is deemed to hold the Security Officer role, as this privileged role allows the holder to approve or reject operations performed by other users. Security Officers cannot approve their own operations, ensuring that dual control is preserved in all cases. The Security Officer can perform other configuration operations on ADSS Server depending on the privileges assigned to them. If this is not required, additional privileges should not be assigned.

Before enabling dual control, ensure that at least one user exists with access to the Approval Manager module and that the issuer of this user's SSL client certificate is registered in Trust Manager. When dual control is already enabled, the Security Officer must approve the creation of new users before these newly created users can log in.
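
The rules above, sketched as a small Python model added here for illustration: changes stay pending until a second user approves, self-approval is refused, new users cannot log in until approved, and dual control cannot be enabled without a usable Security Officer. This is not ADSS Server code or its API; the class, method and privilege names are assumptions, and a set of issuer names stands in for Trust Manager.

```python
import itertools
APPROVER = "approval_manager"  # assumed privilege label, not an ADSS identifier

class DualControl:
    def __init__(self, trusted_issuers):
        self.trusted = set(trusted_issuers)  # stands in for Trust Manager
        self.users, self.pending, self.audit = {}, {}, []
        self.enabled, self.ids = False, itertools.count(1)

    def approvers(self):
        return [n for n, u in self.users.items() if u["active"]
                and APPROVER in u["privs"] and u["issuer"] in self.trusted]

    def can_login(self, name):
        return self.users[name]["active"]

    def enable(self):
        # Precondition: an approver whose client-cert issuer is trusted must exist.
        if not self.approvers():
            raise RuntimeError("no usable Security Officer: changes could never be approved")
        self.enabled = True

    def submit(self, requester, description, apply_fn):
        if not self.enabled:  # single control: change takes effect at once
            apply_fn()
            self.audit.append((description, requester, None, "APPLIED"))
            return None
        op_id = next(self.ids)
        self.pending[op_id] = (requester, description, apply_fn)
        return op_id

    def add_user(self, requester, name, privs, issuer):
        # Under dual control a new account cannot log in until approved.
        self.users[name] = {"privs": set(privs), "issuer": issuer, "active": False}
        return self.submit(requester, f"create user {name}",
                           lambda: self.users[name].update(active=True))

    def decide(self, approver, op_id, approve=True):
        requester, description, apply_fn = self.pending[op_id]
        if approver not in self.approvers():
            raise PermissionError("approver lacks Approval Manager access")
        if approver == requester:
            raise PermissionError("Security Officers cannot approve their own operations")
        del self.pending[op_id]
        if approve:
            apply_fn()
        verdict = "APPROVED" if approve else "REJECTED"
        self.audit.append((description, requester, approver, verdict))
        return verdict
```

The `enable()` check models the lock-out case the last paragraph warns about: with no approver whose certificate issuer is trusted, every later change would stay pending indefinitely.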

