Using dedicated users with restricted privileges for Global Cardholder Synchronizer roles (Basic) - Security Center 5.12

Security Center Administrator Guide 5.12

Product: Security Center
Content type: Guides > Administrator guides
Version: 5.12
Language: English
Last updated: 2024-09-13

The Global Cardholder Synchronizer (GCS) role ensures the two-way synchronization of shared cardholders and their related entities between the local system (sharing guest) where it resides and the central system (sharing host).

The GCS role runs on the sharing guest system. It requires a dedicated user on the sharing host system to connect to it. The dedicated user should not be an administrator of the entire system. Instead, grant minimum required privileges and access rights to the user dedicated to run the GCS role.

Tip: To configure the dedicated user, start with a new user. Grant it access to the global partition you want to share and all custom fields. Then, grant it the privileges needed by the users on the sharing guest system.

Minimum privilege requirements

The privileges you need to consider are:
Global Cardholder Synchronizer
(Mandatory) This application privilege is needed for the sharing guest to connect to the sharing host.
Convert global entities to local entities
Grant this administrative privilege to allow the sharing guest to convert global entities to local entities. The conversion is done by removing an entity from the global partition that you are sharing. You also need the Delete privilege for the entity types you allow the sharing guest to remove.
CAUTION:
Removing a global entity from a global partition deletes it from all other systems that might be sharing it, even from the sharing host.
Privileges over the global entities
The entities you can share are the cardholder groups, cardholders, credentials, and badge templates. Grant the administrative privileges according to the operations that you allow users on the sharing guest system to perform on global entities:
View <entity> properties
Allow the sharing guest to view the global entity properties in Config Tool. You do not need this privilege if all you want is to sync the global entities in the sharing guest. However, you need to enable the View privilege to enable the child privileges such as Modify, Add, and Delete.
Modify <entity> properties
Allow the sharing guest to synchronize changes made on global entities with the sharing host. Security Center gives you granular control over what the user can modify. After granting the Modify privilege, you can deny specific child privileges for operations you do not allow on the sharing guest. For example, you can deny the privileges that change the cardholder name and picture, so those fields cannot be modified from the sharing guest.
Add <entity>
Allow the sharing guest to transfer local entities to the sharing host.
Delete <entity>
Allow the sharing guest to remove or delete entities from the global partition.

Custom field requirements

IMPORTANT: If custom fields are in use on the sharing host system, you need to grant access to all of them to the dedicated user, even the custom fields that are not for global entities. Otherwise, the sharing guest cannot synchronize with the sharing host.
To grant the dedicated user access to custom fields, you must add the dedicated user to the custom fields' Security list in the Edit custom field dialog box.
Granting the dedicated user access to a custom field in the Edit custom field dialog box.

To allow users on the sharing guest system to see global custom fields, you must grant them access to the global custom fields after synchronizing the sharing guest with the sharing host.

To allow the sharing guest to modify global custom fields, you must grant the Modify custom fields privileges to the dedicated user on the sharing host. If the dedicated user does not have the Modify custom fields privilege, changes made to global custom fields on the sharing guest cannot be synced with the sharing host.

NOTE: Do not grant the Security Desk or the Config Tool application privilege to the dedicated user. This prevents anyone who obtains the dedicated user's credentials from using them to log on to the sharing host interactively. For more information on Global Cardholder Management, see Rules and restrictions for Global cardholder management.
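The rules above (mandatory GCS privilege, View required before Modify/Add/Delete, Delete required for conversion, every host custom field granted, no Security Desk or Config Tool) can be checked mechanically before the dedicated user is put into service. The following audit script is an added example, not part of the Genetec documentation or SDK; the privilege strings, the custom field names and the data model are constructed for illustration only.

```python
"""Audit a proposed privilege set for a GCS dedicated user against the
least-privilege rules in this guide. Hypothetical model: privilege names
are plain strings, custom fields are plain names (constructed example)."""

GLOBAL_ENTITIES = ("cardholder group", "cardholder", "credential", "badge template")
FORBIDDEN_APPS = {"Security Desk", "Config Tool"}   # would allow interactive logon
MANDATORY = "Global Cardholder Synchronizer"
CONVERT = "Convert global entities to local entities"


def audit_gcs_user(privileges, custom_fields_on_host, custom_fields_granted):
    """Return a list of findings; an empty list means the configuration passes."""
    privs = set(privileges)
    findings = []
    if MANDATORY not in privs:
        findings.append(f"missing mandatory privilege: {MANDATORY}")
    for app in sorted(privs & FORBIDDEN_APPS):
        findings.append(f"remove application privilege: {app}")
    for entity in GLOBAL_ENTITIES:
        view = f"View {entity} properties"
        children = (f"Modify {entity} properties", f"Add {entity}", f"Delete {entity}")
        for child in children:
            if child in privs and view not in privs:      # child needs View enabled
                findings.append(f"{child} requires {view}")
    if CONVERT in privs and not any(f"Delete {e}" in privs for e in GLOBAL_ENTITIES):
        findings.append(f"{CONVERT} has no matching Delete privilege")
    # Every custom field on the host must be granted, not only the global ones.
    for field in sorted(set(custom_fields_on_host) - set(custom_fields_granted)):
        findings.append(f"custom field not granted: {field}")
    return findings


# Constructed sample: a first attempt that breaks several of the rules.
WEAK = {
    "privileges": [MANDATORY, "Config Tool", "Modify cardholder properties", CONVERT],
    "custom_fields_on_host": ["Employee ID", "Parking spot"],
    "custom_fields_granted": ["Employee ID"],
}
# Constructed sample: the corrected, minimal set for the same use case.
CORRECTED = {
    "privileges": [MANDATORY, "View cardholder properties",
                   "Modify cardholder properties", "Delete cardholder", CONVERT],
    "custom_fields_on_host": ["Employee ID", "Parking spot"],
    "custom_fields_granted": ["Employee ID", "Parking spot"],
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("corrected", CORRECTED)):
        print(name, audit_gcs_user(**cfg))
```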