Enrollment Portal
ABS Enrollment Portal is a web-based solution for managing the biometric-based authentication enrollment process. The portal can be accessed by users based on their roles.
Portal Menu
- Users: This tab and its page are visible only to the ABS Admin, Enroller, and Approver. It shows the ABS user list, including each user's status, and is where the ABS Admin, Enroller, and Approver perform operations on ABS users.
- Capture Policies: This tab and its pages are visible only to the ABS Admin, as they contain the set of policies under which users are enrolled. These policies are simple LDAP queries that return a user or users and the related hierarchies according to the query written. Users matched by these policies have the right to enroll in the system. A self-enroll option is also available, giving such users the right to enroll themselves.
- Approval Policies: This tab and its pages are visible only to the ABS Admin, as they contain the set of policies through which a user is given the right to authorize another user into the system. These policies are simple LDAP queries that return a user or users and the related hierarchies according to the query written. Users matched by these policies have the right to approve enrolled users. An auto-approve option is also available, which automatically approves enrolled users who belong to the policy.
- Configurations: This tab and its pages contain critical ABS settings and are visible only to the admin.
- Audit Logs: This page serves audit purposes; through it the admin can track user activity. It contains the activity logs of the different users.
User Directory
ABS is integrated with a user directory to obtain users and their properties from the specified standard servers. It can be integrated with Active Directory, LDAP, and a RADIUS server.
ABS Admin Role
- Add, remove, and edit capture policies to enroll new users on ABS.
- Add, remove, and edit approval policies to approve enrolled users.
- Enable or disable a user.
- Enroll or unenroll a user.
- Check which policies apply to another user.
- Export different user lists from the server in CSV format.
- Enroll themselves and any other user in the directory.
- Access audit logs to track user activity.
- Only the admin can access Configurations and make changes.
- The ABS admin is the highest-privilege user on ABS.
- The admin is auto-approved on enrollment by default.
Enroller Role
- An enroller can access and log into the Enrollment portal and the Users menu with restricted access.
- An enroller can search for unenrolled users defined in the capture policy.
- An enroller captures the biometrics (fingerprint or face) of another user according to the capture policy.
Approver Role
- An approver can approve enrolled users who have not yet been approved.
- An approver can review the pending requests of users assigned to them.
- An approver can approve or reject a user's approval request after review.
- An approver can also enable or disable users based on policies.
- An approver can access the Enrollment portal and the Users menu with restricted access.
ABS User Role
- ABS users are required to enroll their biometrics with the help of an enroller to complete the enrolment process.
- On the ABS web console, an ABS user is given access only to the user profile page and to no other menu.
Note
All user roles can use their registered biometric for MFA once approved.
ABS User Status Workflow
Types of ABS user status
- Pending Approval
- Approved
- Unenrolled
- Rejected
- Disabled
The ABS Admin can view all users by status by selecting the check boxes Approved, Unenrolled/Rejected, Disabled, and Pending Approval; multiple filters can be selected at once. The admin can export these users in CSV format.
Note
Unenrolled users cannot be exported because they are not in the ABS Users database.
The ABS admin can disable approved users based on organization requirements. Once a user is disabled, it cannot use its biometric for MFA and becomes inactive. This allows the admin to restrict the use of a user's biometric for MFA.
ABS User State Table
The user state table has the following details.

Current State | Option | Desired (Next) State
---|---|---
Pending Approval | Accept | Approved
Pending Approval | Reject | Rejected
Approved | Disable | Disabled
Approved | Unenroll | Unenrolled
Disabled | Enable | Approved
Disabled | Unenroll | Data delete
Rejected | Capture | Pending Approval
Unenrolled | Capture | Pending Approval
ABS User State Flow Diagram
- Pending Approval
  - These are users whose biometric capture is complete and who are awaiting approval.
  - The Admin or Approver can review and approve or reject users with pending approval.
  - Approve: After approval, the enrollment process is complete and the user can use their biometric for MFA (Multi-Factor Authentication).
  - Reject: When an approval request is rejected, the associated biometric data is deleted, and the user must repeat the enrollment process.
- Approved
  - Approved users are enrolled in the system and part of ABS. These users can use their biometrics for MFA.
- Unenrolled/Rejected
  - This option lists users who are not enrolled in the system, i.e. users present in the user directory but not in ABS. These users cannot perform any operations or use biometric services.
  - User 'abca142' was rejected by its approver during the enrollment process. Once the approval request is rejected, the user's biometric details are deleted and its status changes from Pending Approval to Rejected, as shown in the figure.
- Disabled
  - The admin can, on request, disable specific enrolled users in ABS; this allows the admin to block users from using biometric-based MFA.
Check Policies
This option shows the Enroller and Approver details of a user, i.e. who can enroll or approve the targeted user. Refer to the screenshot for more information on how it works.
Capture Policy
A capture policy defines how a user or group of users can be enrolled.
An admin is responsible for creating and defining these policies, which specify:
- Whether users can self-enroll.
- If a user cannot self-enroll, which set of users can act as enrollers for such users.
Add new policy
To add a new policy, click Add; a new page opens to create a new capture policy.
Name: Specify any name for the policy. It is a mandatory field that cannot be left blank.
Description: An optional field where the admin can give a brief description of the policy.
Enrolment Candidates: An LDAP query that lists a set of users. This field allows the directory admin to write a single query that retrieves users sharing some common attributes.
Enroller: The set of users responsible for capturing the biometric details of directory users to start the enrollment process.
Can enroll self: A special flag in ABS policy creation that allows users to capture their biometrics independently. In this case, the user visits the enrollment portal and lands directly on the biometric capture page, where they can capture their fingerprint and start the enrollment process.
Note
The enrollment process is not finished until its approval request is approved.
Approval Policies
An approval policy defines how a user or group of users can be approved in the ABS system to avail of biometric services.
The admin creates these policies, and generally they define:
- Whether a user is approved automatically in the system after biometric capture.
- If the user is not approved automatically, which set of users can act as approvers for such users.
Add Approval Policy
- Select 'Add' to create a new approval policy on ABS.
- Name: A mandatory text field where the admin must specify a unique name for the policy.
- Description: Brief information about the policy; this is an optional field.
- Approval Candidates: The users whose biometric details are to be approved by their approver.
- Approver: The user or users who can approve the pending approval requests of users whose biometric details have been captured successfully.
- Approval Not Needed: This flag lets users be approved automatically after successful biometric capture.
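The candidate and approver fields of both capture and approval policies are LDAP queries, and the audit-log section of this page shows one such query, (&(objectClass=user)(SAMAccountName=abca30)). The following Python is an added example, not ABS code: it evaluates a filter of that shape offline against constructed directory entries so an admin can preview which accounts a policy would select before saving it. It assumes single-valued attributes and supports only the &, |, ! operators and attr=value items with a trailing wildcard.

```python
import re
# Added example (not ABS code): evaluate a simple LDAP filter, like the policy
# candidate queries on this page, against an in-memory directory. Supports &, |, !
# and attr=value items (trailing '*' wildcard); attributes assumed single-valued.

def parse_filter(text):
    """Parse the filter string into a nested tuple tree; rejects malformed input."""
    pos = 0
    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        op = text[pos]
        if op in "&|!":  # compound filter: operator followed by child filters
            pos += 1
            children = []
            while text[pos] == "(":
                children.append(node())
            if text[pos] != ")":
                raise ValueError(f"unterminated '{op}' group at offset {pos}")
            pos += 1
            return (op, children)
        end = text.index(")", pos)  # simple item: attr=value
        attr, _, value = text[pos:end].partition("=")
        pos = end + 1
        return ("=", attr.lower(), value)
    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree

def matches(tree, entry):
    """Evaluate a parsed filter against one entry (dict of attribute -> value)."""
    if tree[0] == "&":
        return all(matches(c, entry) for c in tree[1])
    if tree[0] == "|":
        return any(matches(c, entry) for c in tree[1])
    if tree[0] == "!":
        return not matches(tree[1][0], entry)
    attrs = {k.lower(): str(v) for k, v in entry.items()}  # case-insensitive names
    if tree[1] not in attrs:
        return False
    pattern = re.escape(tree[2]).replace(r"\*", ".*")
    return re.fullmatch(pattern, attrs[tree[1]], re.IGNORECASE) is not None

def policy_candidates(filter_text, directory):
    """Return the sAMAccountNames a policy query would select (what an admin reviews)."""
    tree = parse_filter(filter_text)
    return [e["sAMAccountName"] for e in directory if matches(tree, e)]

DIRECTORY = [  # constructed sample directory entries, not real accounts
    {"objectClass": "user", "sAMAccountName": "abca30", "department": "HR"},
    {"objectClass": "user", "sAMAccountName": "abca142", "department": "IT"},
    {"objectClass": "group", "sAMAccountName": "abs-enrollers"}]
```

A wildcard or a broad attribute match widens the set of accounts a policy grants enrol or approve rights to, which is why the returned list is worth reviewing before the policy is saved.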
Configurations
This is the ABS configuration page, where the admin can change how the biometric server works. It is divided into the modules below.
- Workflow Configurations
- General Configurations
- Fingerprint Capture Configurations
Note
These configurations should be managed by the admin only.
Workflow Configurations
Workflow configuration defines the overall biometric enrolment procedure, which includes:
- Capturing biometrics
- Approving biometrics for availing of biometric services
Save Enrolment Data: When enabled, the system saves the captured biometric data. When disabled, only the information extracted from the biometric is saved, as templates. The extracted information cannot be converted back into enrolment data, so this setting must be chosen according to the requirement.
Workflow allows the configuration of the following key behaviors:
- Enforcing biometric verification of the enroller or approver during the various enrolment processes or activities.
- The administrator can also restrict the enforcement rules to specific enrolment processes or activities, as required.
- The administrator can define how often biometric verification is enforced: per user, per session, or never.
Verification of the Enroller or Approver can be configured per user or per session, as shown in the figure.
- Per User: In this mode, biometric verification of the enroller or approver is requested before each capture or approval. This provides an extra checkpoint, ensuring that only authorized users can carry out the enrolment steps or activities.
- Per Session: The approver or enroller is verified once and can then perform operations for multiple users in a single session without further biometric verification. In every new session, the Enroller or Approver must verify themselves before performing any operation on any user.
Matching Threshold: The minimum score that the biometric verification and identification functions accept to conclude that the compared biometric data belongs to the same person.
The matching threshold is linked to the matching algorithm's False Acceptance Rate (FAR: different subjects erroneously accepted as the same). The higher the threshold, the lower the FAR and the higher the FRR (False Rejection Rate: the same subject erroneously rejected as different), and vice versa.
The ABS admin sets this value. The field sets the FAR (false acceptance rate) for the biometric. The default is 0.01%, for which the matching threshold score is 36. A higher match threshold reduces the false match rate; this increases security but also the chance of rejecting a valid user's biometric.
Maximum Result Count: Maximum number of matching results returned. The default value is 1000.
Note
These settings should be managed by the admin only.
Fingerprint Capture Configurations
Template Size: The template can be Compact, Small, Medium, or Large. A large template is recommended for better accuracy; choose a compact to medium template if higher speed is needed, at the cost of accuracy. The default value is Large.
Matching Speed: Low, Medium, or High. Select Low when matching accuracy is most important; when High is chosen, matching accuracy decreases. The default value is Low.
Maximal Rotation: The maximal rotation allowed between two matched fingerprints. The default value is 180 (the allowed range is 0 to 360).
Quality threshold: If a fingerprint's quality is below the specified value, the fingerprint is rejected, so the fingerprint quality must be greater than the value specified here. The quality threshold can be set in the range 0 to 100. The default value is 40.
Fast Extraction: Extraction is performed faster with decreased accuracy, reducing ABS's operation time. This check box is not selected by default.
Return Binarized Image:
Determine Pattern Class: Selecting the Determine Pattern Class reduces fingerprint storage data and speeds up processing by identifying available fingerprint class patterns.
Note
Because there are as many distinct fingerprint patterns as there are individuals, identifying samples can involve vast amounts of data. Dividing fingerprints into classes of patterns greatly reduces the necessary size of the database. While many subclasses of fingerprint patterns exist, the three main classes are whorls, arches, and loops.
Calculate NFIQ (NIST Finger Image Quality): If this check box is selected, ABS calculates the quality of a given fingerprint image.
Checking for duplicates when capturing: This feature makes ABS check the captured fingerprints against the entire database during capture. It restricts users from enrolling their biometric against multiple user accounts.
Minimum required finger count: This text field accepts a value from 1 to 10 and defines the minimum number of fingers to be captured during enrolment. The user must provide at least the number of fingerprints configured by the admin; otherwise the user cannot enroll in the biometric database.
Audit logs
The concept of audit logs is simple. When a change is applied to a system, it correlates with a change in its behavior, which should be documented in an audit log.
An audit log provides basic information to backtrack through the entire trail of events to its origin or start point. This may include user activities, policy details, access to data, login attempts, and ABS admin activities. The audit log provides a “baseline” for analysis or an audit of a system or solution when initiating an investigation.
ABS generates event logs. The logs are stored in tabular format and include a timestamp, the logged-in user, the IP address of the host machine, the event, the target user, and details of the activity and the change made in ABS.
Datetime: The date and time stamped by ABS for every event.
Logged in user: The user ID of the user attempting the event.
IP Address: The IP address of the host machine from which the event occurred.
Target user: Every event relates to a user; if the event is performed on a user by the approver, enroller, or ABS admin, that user's ID is shown in the target user field.
Details: Details of the event that occurred.
Event Name: ABS classifies its events by name (listed in the table below). For example, the audit log entry below shows the policy details applied for a particular user. Internally, the policy is processed using the Policy ID generated by the ABS system.
The policy ID can be viewed inside the audit logs. The policy audit log entry is given below:
{"Id":28,"Name":"abca30 self appr","Description":"","IsAutoApproved":true,"Approver":null,"Approved":"(&(objectClass=user)(SAMAccountName=abca30))"}
How to read the policy
ID: 20 (the policy identity number); Name: abca30 self appr (the policy name); Auto Approved: True (auto-approve is selected, so the Approved field is not required).
List of events logged in the audit logs:

Event Name | Description | Event Type
---|---|---
UserEnrolled | New user biometrics have been captured. | Information
UserApproved | The user was either auto-approved by the system or approved by the approver. | Information
UserRejected | The approver rejected the user, with a reason, while reviewing. | Process of the pending approval status
IdentificationSucceeded | Biometric identification of the user was successful. | Information
IdentificationFailed | A user whose identification has failed is trying to access ABS. | Information
VerificationSucceeded | User biometric verification succeeded. | Information
VerificationFailed | User biometric verification failed. | Information
CapturePolicyAdded | The ABS admin added a new capture policy. | Success Audit
CapturePolicyUpdated | The ABS admin edited the capture policy. | Success Audit
CapturePolicyDeleted | The ABS admin deleted the capture policy. | Success Audit
ApprovalPolicyAdded | The ABS admin added an approval policy. | Success Audit
ApprovalPolicyUpdated | The ABS admin edited and saved a change in the approval policy. | Success Audit
ApprovalPolicyDeleted | The ABS admin deleted the approval policy. | Success Audit
UserEnabled | The ABS admin or an approver enabled a disabled user. | Success Audit
AppConfigurationUpdated | Application configurations were updated. | Success Audit
UserUnauthorizedForSelfEnrollment | The user is not authorized for self-enrolment. | Error
UserAlreadyExists | User enrollment was attempted for an already enrolled user. | Error
EnrollerNotAuthorizedToEnrollUser | The logged-in user is not authorized to enroll the said user. | Error
EnrollerNotEnrolled | The enroller is not enrolled. | Error
ApproverNotEnrolled | The approver has yet to enroll in the system. | Error
ApproverNotApproved | The approver is not yet approved. | Error
UnapprovedUserAttemptingVerification | A user whose status is pending approval is trying to log into ABS. | Error
UnapprovedUserAttemptingIdentification | A user whose status is pending approval is attempting biometric identification. | Error
BiometricAlreadyExists | The biometrics supplied while enrolling a new user match an already enrolled user. | Failure Audit
EnrollerNotApproved | A new user is trying to enroll, but the enroller for the new user has not yet been approved in ABS; the enroller's status is pending approval. | Failure Audit
ApproverNotAuthorizedToApproveUser | The user is not configured as an approver for the user whose status is pending approval. | Failure Audit
UserDoesNotExistInDirectory | The user is not part of ABS or has not been imported from LDAP as an unenrolled user; the user is not found in the user directory. | Failure Audit
UserDisabled | The ABS admin or the user's approver disabled the user. | Failure Audit
UserUnenrolled | The ABS admin unenrolled an approved user. | Failure Audit
DisabledUserAttemptingVerification | A user whose status is disabled is trying to access ABS for biometric verification. | Failure Audit
DisabledUserAttemptingIdentification | A user whose status is disabled is trying to access ABS for biometric identification. | Failure Audit
SameFingerprintScannedForMultipleFingers | A single fingerprint was used for multiple fingers during enrollment. | Failure Audit
UnenrolledUserAttemptingVerification | A user whose status is unenrolled is trying to access ABS for verification. | Failure Audit
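As an added example (not ABS code), the following Python parses constructed audit rows laid out in the column order described above and applies the checks a log reviewer would run: repeated VerificationFailed events from one user and IP, every Error or Failure Audit event from the table, and any approval policy whose IsAutoApproved flag bypasses the human approver. It assumes the policy JSON shown earlier appears in the Details column of ApprovalPolicyAdded and ApprovalPolicyUpdated events; the sample rows, accounts, IPs and times are made up.

```python
import json
from collections import Counter
# Event types from the page's event table; unlisted events count as Information.
EVENT_TYPE = {"ApprovalPolicyAdded": "Success Audit", "UserEnabled": "Success Audit",
              "UnapprovedUserAttemptingVerification": "Error", "ApproverNotApproved": "Error",
              "BiometricAlreadyExists": "Failure Audit", "UserDisabled": "Failure Audit",
              "DisabledUserAttemptingVerification": "Failure Audit"}
COLUMNS = ["datetime", "logged_in_user", "ip_address", "event", "target_user", "details"]
SAMPLE_LOG = """\
2024-01-15 09:01:12 | absadmin | 10.0.0.5 | ApprovalPolicyAdded |  | {"Id":28,"Name":"abca30 self appr","Description":"","IsAutoApproved":true,"Approver":null,"Approved":"(&(objectClass=user)(SAMAccountName=abca30))"}
2024-01-15 09:05:40 | abca30 | 10.0.0.21 | UserEnrolled | abca30 | self enrolment
2024-01-15 09:05:41 | system | 10.0.0.21 | UserApproved | abca30 | auto-approved by policy 28
2024-01-15 09:20:03 | abca142 | 10.0.0.77 | VerificationFailed | abca142 | score below threshold
2024-01-15 09:20:09 | abca142 | 10.0.0.77 | VerificationFailed | abca142 | score below threshold
2024-01-15 09:20:15 | abca142 | 10.0.0.77 | VerificationFailed | abca142 | score below threshold
2024-01-15 09:30:00 | absadmin | 10.0.0.5 | UserDisabled | abca30 | disabled on request
2024-01-15 09:31:07 | abca30 | 10.0.0.21 | DisabledUserAttemptingVerification | abca30 | blocked
"""  # constructed sample rows in the page's column order; accounts, IPs and times are made up

def parse_log(text):
    """Split ' | '-separated rows into dicts; the Details column keeps any later ' | '."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            parts = [p.strip() for p in line.split(" | ", len(COLUMNS) - 1)]
            rows.append(dict(zip(COLUMNS, parts)))
    return rows

def policies_from_log(rows):
    """Recover policy definitions from the JSON written into Details (assumed format)."""
    policies = {}
    for row in rows:
        if row["event"] in ("ApprovalPolicyAdded", "ApprovalPolicyUpdated"):
            body = json.loads(row["details"])
            policies[body["Id"]] = {"name": body["Name"], "candidates": body.get("Approved"),
                                    "auto_approved": bool(body.get("IsAutoApproved"))}
    return policies

def findings(rows, max_failures=3):
    """Reviewer checks: repeated VerificationFailed per user/IP, every Error or
    Failure Audit event, and any approval policy that skips the human approver."""
    out = []
    fails = Counter((r["logged_in_user"], r["ip_address"])
                    for r in rows if r["event"] == "VerificationFailed")
    for (user, ip), n in fails.items():
        if n >= max_failures:
            out.append(f"{n} VerificationFailed for {user} from {ip}")
    for r in rows:
        if EVENT_TYPE.get(r["event"], "Information") in ("Error", "Failure Audit"):
            out.append(f"{r['event']} target={r['target_user'] or '-'} by {r['logged_in_user']}")
    for pid, p in policies_from_log(rows).items():
        if p["auto_approved"]:
            out.append(f"policy {pid} '{p['name']}' auto-approves {p['candidates']}")
    return out
```

Running findings(parse_log(SAMPLE_LOG)) on the constructed rows yields four findings: the burst of failed verifications, the two Failure Audit events, and the auto-approve policy.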