Operators are the people who log on to the Web Client. Like credential holders, operators must have card and/or code access to some portions of the secured facility. In addition, operators have access to all or part of the Web Client. This requires that the operator be assigned at least one Role, allowing them to use at least a portion of the Web Client functions.
For administrative operations such as adding, editing, or deleting operators, the service account needs a specific set of permissions to carry out the task successfully. Note that the web service itself on the server runs under this service account: if the account does not have the required Active Directory and SQL privileges, an "Elevated Permissions Required" prompt appears, asking the operator for the credentials of an account that does have them, as shown below.
...
Ask your IT administrator for an account with the Windows permissions listed below to continue.
The Windows account provided should have the following permissions:
Local and Active Directory account permissions:
Read permissions for searching user accounts
Read permissions for getting user properties (specifically password settings)
Write permissions to create a new user
Read permissions to read user account information
Write permissions to remove user membership from local or domain group
It is recommended that your IT personnel establish a gMSA (Group Managed Service Account) for this purpose, since its password is generated and rotated by Windows and never has to be handled manually. If a manually managed service account is used instead, the following must be established:
Password set to never expire (otherwise it is subject to the domain password rotation policy, and the service account stops working once the password is rotated)
Deny interactive logon (via Group Policy)
Log on as a service (via Group Policy)
Review these requirements with your IT personnel.
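The following PowerShell is an added example, not part of the product documentation, showing how IT could provision the service account described above: a gMSA that only the Velocity server can use, delegation of just the listed Active Directory rights to one OU, and a check that the two Group Policy user-rights assignments are in place. Every name in it is a placeholder (domain CORP / corp.example, server VELOCITY-SRV, account svcVelocity, OU VelocityOperators); the SQL permissions mentioned in the text are not covered here.

```powershell
# Added example (not from the Velocity documentation): provision the service
# account the permissions list above describes, preferring a gMSA as recommended.
# Assumptions (placeholders, not real names): domain CORP / corp.example, the
# Velocity server is VELOCITY-SRV, the account is svcVelocity, and operator
# accounts live in OU=VelocityOperators,DC=corp,DC=example.
# Run on a domain controller or RSAT host as a domain admin.
Import-Module ActiveDirectory

$Domain  = 'corp.example'
$NetBios = 'CORP'
$Server  = 'VELOCITY-SRV'
$Account = 'svcVelocity'
$OpsOU   = 'OU=VelocityOperators,DC=corp,DC=example'

# --- Option A (recommended): group Managed Service Account -------------------
# A KDS root key must exist before the first gMSA can be created. In production
# use Add-KdsRootKey -EffectiveImmediately and wait ~10 hours for replication;
# the backdated EffectiveTime below is a lab shortcut only.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}

# Only the Velocity server's computer account may retrieve the managed password,
# which Windows rotates automatically (every 30 days here), so no person knows it.
$ServerComputer = Get-ADComputer -Identity $Server
New-ADServiceAccount -Name $Account `
    -DNSHostName "$Account.$Domain" `
    -PrincipalsAllowedToRetrieveManagedPassword $ServerComputer `
    -ManagedPasswordIntervalInDays 30 `
    -Enabled $true

# --- Option B: manually managed account (only when a gMSA is not possible) ----
# The password must not expire, or the domain rotation policy will break the
# web service. Deny interactive logon / log on as a service are user-rights
# assignments set in Group Policy, verified at the end of this script.
# New-ADUser -Name $Account -SamAccountName $Account -Path $OpsOU -Enabled $true `
#     -AccountPassword (Read-Host -AsSecureString 'Service account password') `
#     -PasswordNeverExpires $true -CannotChangePassword $true

# --- Delegate only the listed rights, scoped to the operators OU --------------
# gMSA principals are referenced with a trailing '$', like computer accounts.
$Principal = "$NetBios\$Account`$"
# Read user objects and their properties (search, password settings, account info)
dsacls $OpsOU /I:S /G "${Principal}:GR;;user"
# Create (and delete) user objects in the OU
dsacls $OpsOU /I:T /G "${Principal}:CCDC;user"
# Add or remove group members (write the 'member' attribute of groups in the OU)
dsacls $OpsOU /I:S /G "${Principal}:RPWP;member;group"

# --- Verify on the Velocity server ------------------------------------------
# Install-/Test-ADServiceAccount must run on the host that will use the gMSA.
Invoke-Command -ComputerName $Server -ScriptBlock {
    param($acct)
    Install-ADServiceAccount -Identity $acct
    # $true means this host can retrieve the managed password
    Test-ADServiceAccount -Identity $acct

    # Check the two user-rights assignments by exporting the effective local
    # security policy; secedit lists accounts by SID (*S-1-5-...).
    $sid = (Get-ADServiceAccount -Identity $acct).SID.Value
    $cfg = Join-Path $env:TEMP 'secpol.inf'
    secedit /export /cfg $cfg | Out-Null
    $pol = Get-Content $cfg
    [pscustomobject]@{
        LogOnAsService       = [bool]($pol -match "^SeServiceLogonRight\s*=.*\*$sid")
        DenyInteractiveLogon = [bool]($pol -match "^SeDenyInteractiveLogonRight\s*=.*\*$sid")
    }
    Remove-Item $cfg
} -ArgumentList $Account
```

Both verification values should be True before the web service is switched to the account; if DenyInteractiveLogon is False, the account can still be used for an interactive session with the same rights it has over operator objects in Active Directory.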
There are occasions when an operator may need to be restricted immediately from using any Web Client. To Lock Down an operator, please follow the steps below:
Only operators who are members of the Administrator Role can view and access the Operators folder to perform these functions; for all other operators the folder is hidden. Regular operators can still manage their own Two-Factor settings.
1. In the Device Control tab, expand the Velocity Configuration folder.
...
2. Click the Operators folder. All currently defined operators appear in the right-hand window.
3. Select one or more operators, or right-click the operator you want to lock down.
4. From the Action button or the right-click menu, select LockDown.
5. A pop-up confirmation box listing the selected operator name(s) appears, asking you to confirm your action.
...
6. Click Yes to lock down the operator(s).
The operator is now locked down and can no longer access the Web Client.
To Enable a Locked Down operator, please follow the steps below:
1. Repeat Steps 1 - 2 of the instructions above.
2. Select one or more locked-down operators, or right-click the locked-down operator, and click Enable from the Action button or the right-click menu. A pop-up confirmation box listing the selected operator name(s) appears, asking you to confirm your action.
...
3. Click Yes to enable the operator(s).
Add New Operator
Click the Add New Operator button.
The Add New Operator window is displayed as below:
The Two-factor tab is available only when a trusted certificate is installed on the server; otherwise it is not shown. If you want Two-factor capabilities, refer to the installation documentation for more information.
...
General | |
User Name | Name the operator uses to log on. |
Full Name | Enter the full name of the operator (up to 64 characters). |
Description | Type a brief description of the operator's duties or title. |
Windows Credential | |
Restricted by Shift | Check this box to restrict this operator's activity on the Web Client to certain times. In the given fields, specify the Shift Start and Shift End. By default, the box is unchecked. |
Auto lock workstation after | Check this box to have the Web Client lock the workstation after the designated number of minutes have elapsed. Enter the value directly or use the spin button. By default, the box is unchecked. |
Disable operator after | Disables the account after a period of inactivity determined by the organization. The value is set individually for each operator, so you can specify the period of inactivity allowed for that operator. By default, the value is 0. |
Acknowledge alarms up to level | Indicate the highest alarm priority level this operator is allowed to view and acknowledge. The range is 1 - 99, with the default 99 (the highest). |
Roles | A role is a list of tasks and features available to operators assigned that role. Member of: lists all roles of which this operator is a member. Not a Member of: lists all currently defined roles of which this operator is not a member. Use the remove button to move a role out of the Member of pane and the add button to move a role into it. |
Two-factor | |
Status | |
Add Key | Click this button to register a FIDO security key for the operator (see Two-Factor Authentication). Once the key is successfully added, it is listed in the section below, as shown. Selecting a listed security key enables the Action button, which lets you Rename or Delete the key. |
Save Changes | Click this button to save changes. |
Cancel | Click this button to discard changes and exit this window. |