External operators
Virtual servers are managed by operators, of which there are two types:
-
Internal Operators—User accounts in the virtual server that have been promoted to operator status.
-
External Operators—Operator accounts created for the service provider, allowing service provider management access to the virtual server.
Both types of operators are managed from the Operators tab on the STA Token Management console.
An external operator is an account that is automatically created for the service provider when the virtual server is created. It is through this account that account managers are able to access the account’s virtual server (via the Virtual Servers tab).
-
As with internal operators, external operators have an assigned role, which by default is operator, allowing access to all of the virtual server tabs, modules, and actions.
-
A role other than operator can be assigned to an external operator. By applying a different role, the account can limit the functionality available to the service provider through the consoles, including denying access to the virtual server. To prevent this, the service provider must modify all internal operator roles to deny access to the external operator module.
-
All external operator activity is recorded in the virtual server for audit and reporting purposes.
-
An additional external operator account is created for each service provider account to which management of the virtual server has been delegated. External operator accounts can have different roles.
In the External Operator list:
-
Account—This is the name of the Service Provider account.
-
Primary Contact—This field is populated using information provided in the Primary Contact field in the Services module on the On-Boarding tab.
-
Telephone—This field is populated using information provided in the Primary Contact field in the Services module on the On-Boarding tab.
-
Role—This is the role assigned to the External Operator account.
-
Realming—Empty field indicates the external operator has not been added to the realm.
-
Enabled indicates the external operator has been added to the realm and can authenticate. Clicking the link allows the status to be changed to Disabled.
-
Disabled indicates the external operator has been added to the realm but is not allowed to authenticate. Clicking the link allows the status to be changed to Enabled.
-
-
Edit—Allows an Internal or External Operator with sufficient rights to modify the role assigned to this account.
-
Remove—Allows an Internal or External Operator with sufficient rights to modify the role assigned to this account.
Operators cannot modify or delete their own role.
Delegate an external operator
Delegation is most commonly used in a multi-tier sales and service model, where the intermediary sales channel on-boards the account but does not have the capacity or business interest to manage the account’s virtual server. If the delegation option is selected in the Services module (On-Boarding tab), then two external operator accounts are automatically created, one for the service provider and one for the delegated service provider.
An external operator account can be created for each service provider to which management of the virtual server should be delegated. Each service provider account must provide a delegation code. This code will be used to create an external operator account for their exclusive use.
-
On the STA Token Management console, select Operators > External Operator.
-
Click New.
-
Enter the delegation code provided by the service provider.
See Delegate account management and Account management groups for more information about delegation codes and management groups.
-
Click Verify to confirm the service provider name in the Managing Account field.
-
Click Next to continue.
-
Select the Role to be applied to this account, and then click Next.
-
Select the containers to which this role should have access, and then click Next.
-
To limit when the service provider can log in and manage the virtual server, turn on access restrictions, and configure the conditions where:
-
Enable Restrictions—If checked, restrictions are enabled. If cleared, no time, day, or date range restrictions are applied.
-
Start Date—Console logon is denied before this date.
-
End Date—Console logon is denied after this date.
-
Start Time—Console logon is denied before this time.
-
End Time—Console logon is denied after this time.
-
On the following days—Console logon is permitted on checked days only.
Account manager restrictions apply only to account manager logins to the consoles. It does not affect any login by the user.
-
-
Click Finish.
The new external operator account is added to the list.
The account's virtual server displays in the accounts list on their Virtual Servers tab.