Manage Roles and Permissions

Roles are predefined sets of permissions that correspond to specific job functions or responsibilities within an organization. Each role defines a collection of access rights necessary to perform the associated tasks.

Access to the Unifyia platform and the privileges granted on it are regulated by role-based access control (RBAC) as defined in FIPS 210-3. Role-Based Access Control (RBAC) is a security model that grants system access based on a user's role within an organization: instead of assigning permissions to individuals, roles are created for job functions (e.g., admin, sponsor, registrar, operator), and users are assigned to those roles. The platform offers granular user controls by tying access privileges for platform features and device actions to roles, and it also supports enforcing role-based authentication flows. It ships with default roles, each carrying a predefined set of permissions for a specific job. This approach streamlines user permission management and strengthens security by ensuring that users can access only the resources their roles require, with clearly defined authentication methods for login. With granular role-based access privileges, you can

  • map permissions to roles.
  • enable separation of duties.
  • restrict particular actions to designated personnel.
  • allow visibility of workflows based on the role.
  • change new or existing role definitions as per your organization's policy.
  • map the device actions allowed for each role.
  • enforce role-based authentication.
  • enable multi-factor authentication (MFA) for highly privileged roles that need to access sensitive data and control system operations.

List of Predefined Roles

  • Administrator: Can manage all aspects of onboarding of other privileged users, configurations, integrations, access control, and monitoring. Can create users and assign all types of roles, issue identities, and manage the allowed lifecycle actions of the issued identities.
  • Sponsor: Can sponsor new users.
  • Registrar: Can enroll/register sponsored users.
  • Adjudicator: Can review user enrollment details and decide whether to approve or deny.
  • Security Officer: Can review user enrollment details and decide whether to approve or deny.
  • Identity Issuer: Can issue identities to users.
  • Helpdesk Operator: Can manage lifecycle activities of the issued identities and user-related incidents.
  • User: An applicant who can get approved credentials issued, self-issue additional identities as per the organization's policies, and self-manage them.

The role management feature in the Unifyia platform allows you to do the following:

  • Enable and disable the predefined roles
  • Edit the role to add new or remove assigned privileges
  • Edit the role to add new or remove assigned device actions
  • Enforce role-based authentication
  • Set

Manage Roles

  1. Log in to the Unifyia platform with administrative credentials.
  2. On the dashboard, navigate to Access Control > Roles & Permissions.
  3. A list of roles is displayed. By default, all the roles are enabled.
  4. To disable a role, slide the toggle button under the status column to the left side. To enable a role, slide the toggle button to the right side.
  5. To edit a role and change the access privileges, do the following:
    1. Select the pencil icon.
    2. You will find four tabs - General Information, Assign Permissions, Assign Device Actions, and Enforce Role-Based Authentication.
    3. Under the General Information tab, you can view the details but cannot edit any fields.
    4. Go to the Assign Permissions tab to change the permissions for the different features on the Unifyia platform. Under this tab, you will find all the currently assigned and allowed permissions. Select or deselect permissions to change the role definition. Select Update to save the changes.
    5. Under the Assign Device Actions tab, you will find all the currently assigned and allowed device actions. Select or deselect the device actions as required to change the device action privileges. Select Update to save the changes.
    6. Under the Enforce Role-Based Authentication tab, you can define the authentication methods allowed for logging in with a role. Configure the required authentication methods; the selected methods are autosaved. To learn more about the authentication methods, refer to the section Configure Role-Based Authentication Methods.

Configure Role-Based Authentication Methods

The Unifyia application allows you to configure and enforce role-based authentication options for accessing the Unifyia application. Using this option, you can manage the following for each role:

  • add or delete the different authentication methods as per your organization's requirements.
  • enforce either a single authentication method such as certificate-based authentication, a multi-factor authentication (MFA) flow, or a single sign-on policy configured by your organization.
  • configure a preferred sequence of authentication (authentication flow) for your organization's stakeholders when you have configured MFA.
  • drag the configured authentication options to set the preferred sequence for the MFA flow options.
  • enable or disable the configured authentication options as per your authentication policy.

The Unifyia application allows you to configure the below authentication flows for each role:

  • Certificate Based Authentication: Authentication using digital certificates encoded within smart cards or security keys.
  • Multi-factor Authentication:
    • Certificate Based Authentication: Authentication using digital certificates encoded within smart cards or security keys.
    • FIDO2 Passkeys: An authentication method using built-in security keys (platform authenticators) and external security keys (cross-platform authenticators) on PCs and mobile devices.
    • Unifyia ID Wallet
      • Unifyia ID Wallet with PKI Using Push Verify - Consent-based authentication method where a PKI credential stored on a mobile is used for signing the consent
      • Unifyia ID Wallet with Push Verify – Consent-based authentication method
      • Unifyia ID Wallet with OTP – Authentication method using one-time passwords
    • Single Sign On: Sign in method where the credentials of the integrated identity providers (IdPs) are verified for SSO.
    • Password: Available only for the system administrator.
NOTE
  • It is recommended that you choose any one flow out of the three listed authentication flows. Disable the other flows that are not required to avoid confusion and complexity.

Certificate Based Authentication

The Unifyia platform allows you to set a certificate-based authentication (CBA) method that leverages the digital certificates encoded within smart cards or security keys. Navigate to the Enforce Role-Based Authentication tab for a selected role. To enable the CBA flow, select the option Enable from the dropdown list under the Requirement column. To disable the option, select Disable.

Multi-Factor Authentication

Organizations looking to implement multi-factor authentication can choose the Multi-Factor Authentication flow option. This allows you to set up two or more authentication flows for each role. To configure, follow the steps below:

  1. Navigate to the Enforce Role-Based Authentication tab for a selected role.
  2. To enable the MFA flow, select the option Enable from the dropdown list under the Requirement column.
  3. Select the Pencil icon to display the list of available options to edit. By default, FIDO2 Passkeys is selected as the first option.
  4. Select the Plus (+) icon to add a new row. From the dropdown, select the second authentication flow.
  5. You can arrange the displayed options in your preferred order to set the sequence in which the authentication methods appear during the login process. For example, if you have configured two options, FIDO2 Passkeys first and Unifyia ID Wallet with OTP second, and you wish to make Unifyia ID Wallet with OTP the first option, simply drag it to the top position in the list. As a result, the default user authentication for your organization will be set to Unifyia ID Wallet with OTP, followed by FIDO2 Passkeys. If CBA is one of the configured authentication flow options, it is automatically moved to the last position in the sequence.
  6. To delete a listed authentication option, select the Cross (X) icon.
  7. Select Back to exit the page.

Single Sign-On

NOTE
  • Identity providers (IdPs) must be integrated with the Unifyia platform to leverage the Single Sign On authentication flow. Currently, the platform supports Microsoft Entra ID and Okta.

Organizations may choose to leverage their existing authentication framework, using identity providers for identity federation, to manage access to the Unifyia platform. To support this approach, the Unifyia platform enables organizations to configure the Single Sign-On authentication flow. To configure, follow the steps below:

  1. Navigate to the Enforce Role-Based Authentication tab for a selected role.
  2. To enable the Single Sign On flow, select the option Enable from the dropdown list under the Requirement column.
  3. Select the Pencil icon to display the list of available options to edit.
  4. From the listed options, select the IdP for which you wish to implement the authentication flow.
  5. Select Back to exit the page.

Password

Password-based authentication is only available for the system administrator (the initial admin created during deployment). This method is not recommended for organizations that need to adopt zero-trust strategies. It is enabled solely to ensure that the Unifyia platform's system administrator retains access. All other administrators created by the system administrator will use passwordless authentication or certificate-based authentication. To configure this, follow the steps below:

  1. Navigate to the Enforce Role-Based Authentication tab for a selected role.
  2. To enable the Password flow, select the option Enable from the dropdown list under the Requirement column.
  3. Select the Pencil icon to display the list of available options to edit.
  4. From the listed options, select System Admin. This means that only the system administrator is allowed password based authentication.
  5. Select Back to exit the page.

You have completed the configuration of role-based authentication flows. Learn more about the different methods users can use to authenticate based on the configured role-based authentication options.
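To show how the rules described in the Configure Role-Based Authentication Methods, Multi-Factor Authentication, Single Sign-On and Password sections combine into a single enforcement decision, here is an added policy model (example code written for this page, not Unifyia's own implementation). It assumes that each role has exactly one enabled flow, that an MFA login must complete every configured method in the enforced order, and that an SSO login is represented by the string "SSO:<IdP>"; the role names, method names and SUPPORTED_IDPS set are taken from the text above, while the user names in the comments are constructed.

```python
from dataclasses import dataclass, field

# Authentication methods and values named on this page.
CBA = "Certificate Based Authentication"
FIDO2 = "FIDO2 Passkeys"
WALLET_OTP = "Unifyia ID Wallet with OTP"
PASSWORD = "Password"
SUPPORTED_IDPS = {"Microsoft Entra ID", "Okta"}   # IdPs the page says are integrated
SYSTEM_ADMIN = "System Admin"                     # the initial admin created during deployment


@dataclass
class RoleAuthPolicy:
    """The single enabled flow for one role, as set under Enforce Role-Based Authentication."""
    role: str
    flow: str                                         # "CBA", "MFA", "SSO" or "Password"
    mfa_methods: list = field(default_factory=list)   # MFA options in the configured (dragged) order
    idp: str = ""                                     # IdP selected for the SSO flow


def mfa_sequence(methods):
    """Login sequence for the MFA flow: the configured order, with CBA always moved to the end."""
    ordered = [m for m in methods if m != CBA]
    return ordered + [CBA] if CBA in methods else ordered


def validate_policy(p):
    """Return a reason string for a configuration the page does not allow, or None if it is valid."""
    if p.flow not in ("CBA", "MFA", "SSO", "Password"):
        return f"unknown flow {p.flow!r}"
    if p.flow == "MFA" and len(p.mfa_methods) < 2:
        return "MFA flow needs two or more authentication methods"
    if p.flow == "SSO" and p.idp not in SUPPORTED_IDPS:
        return "SSO flow needs an integrated IdP (Microsoft Entra ID or Okta)"
    return None


def login_allowed(p, user, completed):
    """Decide a login: `completed` is the ordered list of methods the user actually passed."""
    if validate_policy(p) is not None:
        return False                                  # misconfigured role: fail closed
    if p.flow == "CBA":
        return completed == [CBA]
    if p.flow == "MFA":
        return completed == mfa_sequence(p.mfa_methods)   # every method, in the enforced order
    if p.flow == "SSO":
        return completed == [f"SSO:{p.idp}"]
    # Password flow: the page restricts it to the system administrator only.
    return user == SYSTEM_ADMIN and completed == [PASSWORD]
```

Calling `validate_policy` before every decision mirrors the recommendation to keep only one flow enabled per role: a role whose configuration does not match any allowed flow never grants access.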