Creating and Configuring a Credential Policy
Credential types enable organizations to map users to specific certificates and card policies within the CMS. Additionally, organizations can specify qualification rules to ensure users meet certain business rules before they can be assigned to a specific credential type.
This is useful when an organization wants to issue different types of credentials to different groups of users. For example, users in a general access group may receive credentials with low assurance certificates, whereas users in an administrator group receive credentials with high assurance certificates.
Prerequisites
Before assigning a credential type, a card policy must exist within the CMS.
There is a one-to-one relationship between the IDMS credential type and the CMS card policy. Therefore, the IDMS credential types cannot share CMS card policies.
System Administrator role required (see Role Definitions).
Creating a New Credential Policy
The steps below provide the procedure for creating a new credential policy:
Item | Procedure | Example |
|---|---|---|
1 | Go to Administration, and then click on the Credential Types button. | ![]() |
2 | When the Credential Policy Management window appears, press + Credential Policy to add a new policy. | ![]() |
3 | Enter the following information: | ![]() |
4 | Select the Add button to add the new policy. | |
Once you have set up the new credential policy, you can configure it using the settings listed in the tables below.
Configuring the New Credential Policy
The following settings allow for customization of the credential policy to meet organizational security and management needs.
Item | Description | Example |
|---|---|---|
Navigation to Access Configuration | To configure an existing policy, go to Admin > Credential Types > Configure Policy. Note: the majority of the configuration options listed in this document are under the Identity Proofing, Attestation, and Device Issuance tabs. | ![]() top navigation ![]() select and configure policy ![]() Credential Policy Configuration Screen |
Configuration Settings | Navigate to Admin > Credential Types > Configure Policy, then to the tab named in the Example column of each row below. | |
1 | Subscriber Agreement: The Microsoft RTF document containing the subscriber agreement text. This document is downloaded to the workstation clients. Note: it can also be uploaded or pasted within the web tool. | Go to Policy > Attestation tab ![]() |
2 | CMS Card Policy: The CMS card policy this credential type maps to. | Go to Policy > Device Issuance tab |
3 | CMS Server Key: The DNS name of the CMS server. | Go to Policy > Device Issuance tab |
4 | ID Verification Attestation Text: This is the text the operator will agree to when they are credentialing a user. Example: When the ID Verification Attestation Text is set in the IDMS, the text will appear for the operator to read and agree to. Note: this can be uploaded or pasted within the web tool. | Go to Policy > Attestation tab |
5 | Require Subscriber Agreement: This specifies whether the cardholder (not operator) will perform a digital signature after their credential has been issued. | Go to Policy > Attestation tab |
6 | Require Operator Digital Signature: This specifies whether the operator will perform a digital signature during the credential issuance process. | Go to Policy > Attestation tab |
7 | Require operator verify documents during Issuance: This specifies whether the operator will verify documents during the issuance of a credential. | Go to Policy > Attestation tab |
8 | Credential Type Enforcement Rules: The IDMS can be configured to query additional user information to ensure an applicant qualifies for a credential. For example, if an organization has a rule that the applicant must be in the “ACCOUNTING” department, the IDMS can query the LDAP attribute ‘department’ to verify that its value is “ACCOUNTING” before the credentialing process can continue. | Go to Policy > Identity Proofing tab > 3rd Party Credential Enrollment section |
9 | Credential Printing Rules: The following configurations determine whether the credential should be physically printed. | Go to Policy > Identity Proofing tab > Badge Printing section ![]() |
10 | Name Change Rules: To allow the operator to perform a name change, select YES. To prevent the operator from performing a name change, select NO. | Go to Policy > Identity Proofing tab |
Completing Updates: Once the information has been entered and verified, press Save Changes. You will be prompted to Confirm to apply the changes. The operator will be notified that the credential policy has been updated. | ![]() |
Additional Advanced Configuration Capabilities
The following are additional capabilities that can be configured for a given policy.
Item | Procedure | Example |
|---|---|---|
1 | Data Validation Rules: The data validation rules specify the criteria an applicant must meet in order to qualify for the credential type. Each rule consists of a data attribute, a condition, and a data value, separated by the “|” character. | ![]() |
2 | Credential Policy In-Use Status: This defines whether the credential policy is enabled or disabled. | Go to Policy > Credential Policy Configuration ![]() |
3 | Certificate Authorities for derived credentials: When issuing derived credentials, determines which certificate authority will be used to generate the certificate for the derived credential. | Go to Policy > Derived Credentials ![]() |
4 | 3rd Party Credential Enrollment: These security options enable a 3rd party credential holder to authenticate to the system. The configurations are below: | Go to Policy > Identity Proofing tab > 3rd Party Credential Enrollment section. Tip: when setting the External Credential Issuing Certificate, the value must have a space after each comma and no spaces around the equals sign. ![]() |
5 | Background Investigation Service: These configurations enable a 3rd party background investigation service to enroll and verify the user's identity. | ![]() |
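The Credential Type Enforcement Rules and Data Validation Rules items above both describe qualification rules checked against directory attributes before a credential type may be assigned. The following Python evaluator is an added worked example, not the product's own code: it assumes only the three-field `attribute|condition|value` layout stated for Data Validation Rules; the condition keywords (`equals`, `equalsIgnoreCase`, `notEquals`, `oneOf`), the AND semantics across rules, and the LDAP attribute sets are constructed assumptions. The point it illustrates is fail-closed evaluation: a missing attribute, an unknown condition, or a malformed rule denies qualification rather than silently skipping the check.

```python
"""Evaluate credential-type qualification rules against LDAP attributes.

Added example. Rule layout 'attribute|condition|value' follows the page;
the condition keywords, AND semantics and sample data are assumptions.
"""
from __future__ import annotations

from typing import Mapping, Sequence, Union

AttrValue = Union[str, Sequence[str], None]  # LDAP attributes may be multi-valued

# Assumed condition vocabulary; anything else is rejected (fail closed).
KNOWN_CONDITIONS = {"equals", "equalsIgnoreCase", "notEquals", "oneOf"}


def parse_rule(rule: str) -> tuple[str, str, str]:
    """Split 'attribute|condition|value'; raise ValueError on malformed input.

    Surrounding whitespace on each field is trimmed (an assumption, so that a
    stray space in the admin UI does not silently break a comparison).
    """
    parts = rule.split("|")
    if len(parts) != 3:
        raise ValueError(f"rule needs exactly 3 '|'-separated fields: {rule!r}")
    attribute, condition, value = (p.strip() for p in parts)
    if not attribute or condition not in KNOWN_CONDITIONS:
        raise ValueError(f"bad attribute or unknown condition in rule: {rule!r}")
    return attribute, condition, value


def validate_rules(rules: Sequence[str]) -> list[str]:
    """Return one error message per malformed rule (empty list means all parse)."""
    errors = []
    for rule in rules:
        try:
            parse_rule(rule)
        except ValueError as exc:
            errors.append(str(exc))
    return errors


def _values(v: AttrValue) -> list[str]:
    """Normalise a single- or multi-valued LDAP attribute to a list."""
    if v is None:
        return []
    return [v] if isinstance(v, str) else list(v)


def evaluate_rule(rule: str, attributes: Mapping[str, AttrValue]) -> bool:
    """True only when the applicant's attribute satisfies the rule.

    Fail closed: a malformed rule, a missing/empty attribute or an unknown
    condition yields False. For multi-valued attributes (e.g. memberOf) a
    positive condition passes if any value matches; notEquals requires that
    no value matches.
    """
    try:
        attribute, condition, expected = parse_rule(rule)
    except ValueError:
        return False
    actual = _values(attributes.get(attribute))
    if not actual:
        return False
    if condition == "equals":
        return any(a == expected for a in actual)
    if condition == "equalsIgnoreCase":
        return any(a.casefold() == expected.casefold() for a in actual)
    if condition == "notEquals":
        return all(a != expected for a in actual)
    if condition == "oneOf":  # value is a comma-separated allow-list
        allowed = {s.strip() for s in expected.split(",")}
        return any(a in allowed for a in actual)
    return False


def qualifies(rules: Sequence[str], attributes: Mapping[str, AttrValue]) -> tuple[bool, list[str]]:
    """Apply every rule (AND semantics); return (qualified, failed_rules)."""
    failed = [r for r in rules if not evaluate_rule(r, attributes)]
    return (not failed, failed)


# Constructed sample policy and applicants (not real directory data).
HIGH_ASSURANCE_RULES = [
    "department|equals|ACCOUNTING",
    "employeeType|oneOf|staff,contractor",
    "memberOf|equals|CN=High Assurance Users,OU=Groups,DC=example,DC=com",
]
APPLICANT_OK = {
    "department": "ACCOUNTING",
    "employeeType": "staff",
    "memberOf": ["CN=All Staff,OU=Groups,DC=example,DC=com",
                 "CN=High Assurance Users,OU=Groups,DC=example,DC=com"],
}
APPLICANT_WRONG_DEPT = {"department": "accounting", "employeeType": "staff",
                        "memberOf": "CN=High Assurance Users,OU=Groups,DC=example,DC=com"}

if __name__ == "__main__":
    print(qualifies(HIGH_ASSURANCE_RULES, APPLICANT_OK))
    print(qualifies(HIGH_ASSURANCE_RULES, APPLICANT_WRONG_DEPT))
```

Because `equals` is case-sensitive, the second applicant fails on `department` even though the directory value differs only in case; if the organization's directory is not case-normalised, an explicit `equalsIgnoreCase` rule is the safer choice than relaxing the comparison globally.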