Your suggested change has been received. Thank you.

Suggest A Change

Thank you! Your suggestion has been submitted.

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

There are some errors in your form.

Your Name This field is required

Your Email This field is required

How can we improve this content? This field is required

SAS PCE documentation
- Explore Thales Docs

SAS PCE
Agents
MobilePASS+
SafeNet Access Exchange
BSIDCA API
- BSIDCA endpoints
- BSIDCA custom attributes
Integrations
Account management
Release Notes

All

All

Operators and roles

Operators

Please Note:

SAS PCE
Get started
- System Requirements
- Installation
  - Install SafeNet Authentication Service
  - Prepare database
  - Configure SafeNet Authentication Service
  - Configure SafeNet Authentication Service for High Availability
  - Configure for MobilePASS and MobilePASS+ Enrollment
  - Onboarding for MobilePASS+ enrollment
  - SAS PCE Windows Services Startup Recommendations
  - Security and Compliance
- Upgrade
  - SafeNet Authentication Service pre-upgrade checklist
  - SafeNet Authentication Service upgrade - primary data center
  - SafeNet Authentication Service upgrade - secondary data center
  - SafeNet Authentication Service post-upgrade checklist
  - Additional Considerations
- System setup
  - Setup
  - Communications
  - Logging
Dashboard
- On-Boarding
- Virtual Servers
- Administration
Users and groups
- Configure individual users
- Manage tokens for a user
- Groups
- Containers
- Restrict access based on the time, day, or date
- User Policies
User synchronization
- LDAP sync server settings
- LDAP integration
- LDAP settings
Operators and roles
- Operators
- External Operators
- Provision roles automatically
- Alerts
Tokens
- Token types
  - Hardware tokens
    - OTP hardware token
    - KT-4 tokens
    - RB-1 tokens
  - Software tokens
    - GrIDsure
    - SMS OTP token
  - Third Party tokens
- Token allocations
- Token templates
- Token restrictions
- Temporary Password Policy
- Token Passcode Processing Policy
- Configure server-side PINs
- Token synchronization
- Import SafeNet tokens
- Token inventory
- Deallocate inventory
- MobilePASS target and Push OTP settings
- SMS credits
- SMS/Email/Voice OTP Delivery Methods
- Quicklog authentication
- Initialize hardware tokens
Provisioning tokens to users
- Provision tokens
- Automate token provisioning
- Provisioning tasks
- Assign a hardware token to a user
- Bulk assign third-party tokens
Push OTP
- Requirements and considerations for Push OTP
- Enable Push OTP and MobilePASS+
- Push OTP Rejection Policy
- Customize Push notifications and alerts
- Configure applications for Push OTP
- Token management and enrollment
- Push OTP authentications
RADIUS integration
- RADIUS third-party token support
- RADIUS attributes for users or groups
- Block RADIUS authentication
Server and agent settings
- Authentication Nodes
- Pre-authentication rules
- Restrict IP range
- Email server settings
- SMS settings
- Voice OTP settings
- Configure a voice provider
- FTP/SFTP/SCP settings
- Time zone offset
- Download an encryption key for agents
- Language
- Migrate SafeNet authentication servers
- Display Device Information
- Download an encryption key for remote services
Self-service site
- Site appearance and default language
- Self-Service Modules
- Self-Enrollment pages
- Configure authorities, OOB enrollment, and policies
- Process requests and view reports
Branding the appearance
- Customize email messages
- Customize SMS messages
- Customize voice OTP messages
Reports
- Billing reports
- Compliance reports
- Inventory reports
- Security policy reports
Troubleshooting
- Authentication errors
- Error codes

SAS PCE documentation
SAS PCE
Operators and roles
Operators

Operators

Virtual Servers are managed by Operators, of which there are two types:

Internal Operators—User accounts in the Virtual Server that have been promoted to Operator status.
External Operators—Operator accounts created for the service provider, allowing service provider management access to the Virtual Server.

Both types of Operators are managed from the Operators tab.

alt_text

Internal Operators

Any user who has been added to a Virtual Server and who has been assigned a token or password can be promoted to Internal Operator, allowing them to log in and perform management functions. These Operators appear on the SAS console in the Internal Operator list. Operators cannot modify their own role, scope, or access restrictions.

alt_text

Each row in the list displays:

User ID - This is the User ID of the Operator. Click the user id hyperlink to reveal additional user details.
Role Name—This is the role that is assigned to the Operator. Roles determine what an Operator is able to do through the management UI.
State—There are three possible states:
- Pending Validation - The user has not yet validated their email address.
- Active - The Operator is able to log on to the management UI. Click the State link to suspend the Operator account.
- Suspended - The Operator account has been suspended. Click the State link to reactivate the Operator account.
Edit - Click this link to edit the Operator’s role, scope, and access restrictions.
Remove - Click this link to remove this user as an Operator.

Add an Internal Operator

On the SAS console, select the Operators tab, and then select Internal Operator.
Click New.

The users who are eligible for promotion to Operator status are listed. Only users with active tokens appear in the search results.
To refine the list, use the Last Name or UserID criteria and click Search.
Select the check box for each user that you want to promote to Operator.

You can select multiple users for promotion, bearing in mind that the same role, scope, and access restrictions apply to all selected users.
Click Next to assign a role.

Roles determine the task an Operator can perform.
Select a role and click Next to define the scope for the Operators.

Containers define an Operator’s scope, which is what they can manage. If a container is not in an Operator’s scope, then all of the objects in the container are also not in scope and consequently cannot be viewed or managed by the Operator.
Select one or more containers from the list, and then click Next to set access restrictions.

Access restrictions are used to limit when an Operator is allowed to log in to the SAS console.
To enable restrictions, select the Enable Restrictions option, and then select the restrictions to apply:
- Start Date - Operator cannot log in to the SAS console prior to this date.
- End Date - Operator cannot log into the SAS console after this date.
- Start Time - Operator cannot log into the SAS console prior to this time of day.
- Stop Time - Operator cannot log into the SAS console after this time of day.
- On the following days - Operator login is restricted to the selected days of the week.
Click Finish.

Example - Operator email validation and login screen

Operators log in to the SAS console using the email address that associated with their UserID. Before an Operator can log in, they must confirm that they own the email account to which the validation message is sent.

The following example shows the customizable validation email that is sent to Operators:

alt_text

If the email address that associated with the Operator's UserID changes, the validation message is resent.

The following example shows the Operator login screen for the SAS console:

alt_text

On this page

SafeNet Authentication Service Private Cloud Edition

© Copyright 2019-2025, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com

Support
- Customer Release Notes
- Customer Support Portal
Legal

© Copyright 2019-2025, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com