000034639 - RSA Authentication Manager Prime Help Desk Admin Portal Unlock User option grayed out

Document created by RSA Customer Support Employee on Mar 1, 2017
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000034639
Applies To: RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager Prime
Issue: Different levels of support staff use the Authentication Manager Prime Help Desk Admin Portal website to administer RSA users. One group requires access that allows its members to unlock a user's account after it locks. This option was enabled via the Security Console, and the role can be verified to have the requested permission, but when a user in that role tries to access the option, it is grayed out.
Cause: RSA Authentication Manager Prime permissions are set in the Prime Help Desk server configuration file.
Resolution: Edit the lapProto.xml file (sample attached), located in the default directory path. For Windows this is C:\RSA\hdap\config. For Linux, go to \RSA\hdap\config.
Note: Permissions for users of RSA Authentication Manager Prime are not made in the Authentication Manager.
  1. Edit the lapProto.xml with a text editor and locate the group name of the role you want to modify. In this case, the group name is Group-Help-2.
  2. Add the claim value of unlock:user as seen below.  
<group name="Group-Help-2">
    <claim value="token:disable" />
    <claim value="token:edit-destination" />
    <claim value="token:odt-enroll" />
    <claim value="token:regenerate" />
    <claim value="token:lost-emergency-ott" />
    <claim value="token:resync" />
    <claim value="token:pin-new" />
    <claim value="user:disable" />
    <claim value="rba:disable" />
    <claim value="unlock:user" />
</group>

  3. Save the file.
  4. Restart the Tomcat-HDAP service.
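
The following is an added example, not RSA's code or part of the original article: a Python sketch that lists which groups in a lapProto.xml-style file hold a given claim and adds unlock:user to one group without creating a duplicate entry. Only the group/claim element layout comes from the article; the `<config>` root element, the Group-Help-1 group and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample. Only <group name> / <claim value> come from the article;
# the <config> root element and Group-Help-1 are assumptions for illustration.
SAMPLE = """<config>
  <group name="Group-Help-1">
    <claim value="token:resync" />
  </group>
  <group name="Group-Help-2">
    <claim value="token:disable" />
    <claim value="user:disable" />
  </group>
</config>"""


def claims_by_group(root):
    """Map each group name to the set of claim values it grants."""
    return {
        g.get("name"): {c.get("value") for c in g.findall("claim")}
        for g in root.iter("group")
    }


def grant_claim(root, group_name, claim):
    """Add claim to the named group if absent. Returns True if the tree changed."""
    for g in root.iter("group"):
        if g.get("name") != group_name:
            continue
        if any(c.get("value") == claim for c in g.findall("claim")):
            return False  # already granted, so no duplicate element is written
        ET.SubElement(g, "claim", {"value": claim})
        return True
    raise KeyError(f"group {group_name!r} not found")


def groups_with(root, claim):
    """Names of groups holding a claim, for reviewing who can unlock accounts."""
    return sorted(n for n, c in claims_by_group(root).items() if claim in c)


if __name__ == "__main__":
    root = ET.fromstring(SAMPLE)
    print("before:", groups_with(root, "unlock:user"))
    grant_claim(root, "Group-Help-2", "unlock:user")
    print("after: ", groups_with(root, "unlock:user"))
    print(ET.tostring(root, encoding="unicode"))
```

Run it against a copy of the file first; saving the result and restarting the Tomcat-HDAP service remain the steps listed above.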