Token restrictions
On the SAS console, the Token Restrictions section displays the account inventory, all token types, and which token types are allowed to be provisioned.
Access to this section is governed by the Policy - Token Policies settings described in Operator roles and permissions.
By default, all token types, except Google Authenticator, are available for assignment and provisioning.
If you restrict password provisioning, passwords can still be assigned as a temporary token replacement for a user.
You can restrict the availability of tokens regardless of the account inventory so that operators cannot erroneously assign a token type that is incompatible with the organization’s security policies.
Manage token availability for assignment and provisioning
-
On the SAS Token Management console, select Policy > Token Policies > Token Restrictions.
-
Set availability as follows:
-
Select Allowed for a token type to make it available.
If no capacity is available for a token type that is allowed, it cannot be selected during provisioning.
-
Deselect Allowed for a token type to make it unavailable.
Token types that are unavailable:
-
Can be searched but cannot be selected.
-
Do not display during provisioning.
-
Cannot be enrolled using BSIDCA.
-
If you deselect Allowed for a token type:
-
Tokens that have already been provisioned continue to function.
-
The system stops applying provisioning rules for the token type and deselects the corresponding option for self-service.
-
You cannot create new provisioning rules for the token type.
-