Operators

Operators are the people who logon to the Web Client.  Like credential holders, operators must have card and/or code access to some portions of the secured facility.  In addition, operators have access to all or part of the Web Client. This requires that the operator be provided with a Roles, allowing them to use at least a portion of Web Client functions. 

For administrative operations such as Add, Edit, or Delete Operators, the service account will need a certain set of permissions to carry out the task successfully. An important note here is that the Web Service Itself on the Server should have some permissions enabled; if not, an "Elevated Permissions Required" prompt will come up asking the Operator for an account that has Active Directory and SQL permissions if the service account does not have enough privileges. A prompt will appear asking for the required elevated credentials, see below.

You need to ask your IT or Administrator for an account with the Windows permissions mentioned below to continue. 

The Windows account provided should have the following permissions:

Local and Active Directory accounts permissions: 

  • Read permissions for searching user accounts

  • Read permissions for getting user properties (specifically password settings)

  • Write permissions to create a new user

  • Read permissions to read user account information

  • Read permissions to read user account information

  • Write permissions to remove user membership from local or domain group

As a recommendation, it would be ideal that your IT personnel establish a gMSA (Group Managed Service Account) with this password that can be managed by Windows, since having a manually managed service account, the following must be established: 

  • Password does not change (or it would be subject to password rotation policy)

  • Deny Interactive Login (via Group Policy)

  • Log On as a Service (via Group Policy)

Review these requirements with your IT personnel.

There are occasions when an operator may need to be restricted immediately from using any Web Client. To Lock Down an operator, please follow the steps below:

Only operators who are members of the Administrator Role can view and access the Operators folder to perform these functions, for all other operators, the folder is hidden. Regular Operators can handle their own Two-Factor features. 

  1. In the Device Control tab, expand the Velocity Configuration folder.

  1. Click the Operators folder.  All currently defined operators appear on the right side window.

  2. Select (one or more) or Right-click on the Operator you want to Lock Down.

  3. From the Action button or right-click menu, select LockDown.

    A pop-up confirmation box with one or more operator names will appear, asking you to confirm your action.

  1. Click Yes to Lock Down the operator(s). 

The operator is now Locked Down and will not be able to access the Web Client.

To Enable a Locked Down operator, please follow the steps below:

  1. Repeat Steps 1 - 2 of the above instructions.

  2. Select (one or more) or Right-click on the Locked Down Operator and click Enable from the Action Button or right-click menu. A popup confirmation box will appear with one or more operator names, asking you to confirm your action.

  1. Click Yes to Enable the operator(s).

Add New Operator

  1. Click the Add New Operator button.
    Add New Operator window will be displayed as below:

Two-factor tab will be available only when a trusted certificate is installed on the server; otherwise, this button will not be available.  If you wish to have Two-factor capabilities, please refer to the Installation process documentation for more information.

General

 

User Name

Name of the Operator.

Full Name

Enter the full name of the Operator (up to 64 Characters)

Description

Type a brief description of the Operator's duties or title.

Windows Credential

  • Password: Type the new password for this operator.

  • Confirm Password: Retype the new password. The 'Password' and 'Confirm Password' entries must match.

    • User cannot change password: Check this box to indicate that this operator cannot change password.

    • Password never expires: Check this box to indicate that the operator's password never expires.

    • Account is disabled: Check this box to indicate that the current operator account is disabled.

  • + Find: Click this button to display the Users dialog box and find the user you want to add. This list will populate depending on your Windows Configuration.

    • Look to determine the user account.

    • User Name, you can directly enter the User name of the account.

    • Exclude existing users, click this checkbox to hide the existing user accounts.

Restricted by Shift

Check this box to indicate that this operator's activity on the Web Client is restricted to certain times. In the given fields, specify the Shift Start and Shift End. By default, the box is unchecked.

Auto lock workstation after

Check this box to indicate that the Web Client locks up the workstation after a designated number of minutes have elapsed. You can either enter the value directly or use the spin button to assign the values. By default, it is unchecked.

Disable operator after

This feature will disable inactive accounts after a period of time which is determined by the organization. This option is set individually for each operator, enabling you to specify the period of inactivity that is allowed for the assigned roles. By default, the value is 0.

Acknowledge alarms up to level

Indicate the priority level of events this operator is allowed to view.

The range is 1 - 99 with the default 99 (the highest).

Roles

A role is a list of tasks and features that are available to operators who are assigned that role.

Member of: This pane includes a list of all roles of which this operator is a member.

Not a Member of: This pane includes a list of all currently-defined roles of which this operator is not a member.

Use to remove the roles from members of pane.

Use to add the roles to the members of pane.

Two-factor

 

Status

  • Active: This determines the Two-factor authentication is enabled and active. 

  • Bypass: By clicking this allows the operator to bypass the Two-factor authentication and login with credentials only.

Add Key: By clicking this button, the FIDO Security key can be added to the Operator. Please refer to the Two-Factor Authentication. Once the key is successfully added, it will be listed in the below section as shown.

 

Once the Security Key is selected, the action button will be enabled and allow you to Rename or Delete the Key.

Save Changes

Click this button to save changes.

Cancel

Click this button to discard changes and exit this window.