The Global Cardholder Synchronizer (GCS) role ensures the two-way synchronization of shared cardholders and their related entities between the local system (sharing guest) where it resides and the central system (sharing host).
The GCS role runs on the sharing guest system. It requires a dedicated user on the sharing host system to connect to it. The dedicated user should not be an administrator of the entire system. Instead, grant only the minimum required privileges and access rights to the user dedicated to running the GCS role.
Minimum privilege requirements
- Global Cardholder Synchronizer
  - (Mandatory) This application privilege is needed for the sharing guest to connect to the sharing host.
- Convert global entities to local entities
  - Grant this administrative privilege to allow the sharing guest to convert global entities to local entities. The conversion is done by removing an entity from the global partition that you are sharing. You also need the Delete privilege for the entity types you allow the sharing guest to remove.
  - CAUTION: Removing a global entity from a global partition deletes it from all other systems that might be sharing it, even from the sharing host.
- Privileges over the global entities
  - The entities you can share are the cardholder groups, cardholders, credentials, and badge templates. Grant the administrative privileges according to the operations that you allow users on the sharing guest system to perform on global entities:
    - View <entity> properties
      - Allow the sharing guest to view the global entity properties in Config Tool. You do not need this privilege if all you want is to sync the global entities in the sharing guest. However, you need to enable the View privilege to enable the child privileges such as Modify, Add, and Delete.
    - Modify <entity> properties
      - Allow the sharing guest to synchronize changes made on global entities with the sharing host. Security Center gives you granular control over what the user can modify. After granting the Modify privilege, you can deny specific privileges for operations that you do not allow on the sharing guest, for example, to prevent changing the cardholder name and picture on the sharing guest.
    - Add <entity>
      - Allow the sharing guest to transfer local entities to the sharing host.
    - Delete <entity>
      - Allow the sharing guest to remove or delete entities from the global partition.
Custom field requirements
To allow users on the sharing guest system to see global custom fields, you must grant them access to the global custom fields after synchronizing the sharing guest with the sharing host.
To allow the sharing guest to modify global custom fields, you must grant the Modify custom fields privileges to the dedicated user on the sharing host. If the dedicated user does not have the Modify custom fields privilege, changes made to global custom fields on the sharing guest cannot be synced with the sharing host.