Dual Authorization

In addition to supporting profiles and permissions for viewing and managing devices and VMS functionality, XProtect Corporate also offers an additional layer of security via the Dual Authorization feature.

Dual Authorization is a feature whereby a user or administrator wishing to log in to the VMS must be authorized manually by a second privileged user or administrator.

Dual authorization has been implemented as a role setting and is supported for both the XProtect Smart Client and for the XProtect Management Client. If the XProtect Mobile client, the XProtect Web Client or MIP SDK integrations are used for a role that requires dual authorization, access will be denied as these clients and MIP SDK integrations do not support dual authorization.

Configuration

Dual authorization is enabled for a role by checking the ‘Login authorization required’ checkbox on the role’s ‘Info’ tab. When this is done, all users with this role will be prompted to have a second privileged user authorize their login to the VMS.

Permission to authorize login is configured by enabling ‘Authorize users’ in a second role. This second role does not need to be an administrator role with management permissions. Any role with ‘Authorize users’ permission can authorize login. It could for instance be enabled for a “Supervisors” role that otherwise just has access to viewing cameras in the XProtect Smart Client. With ‘Authorize users’ enabled for this role, the “Supervisors” can authorize user login - even for administrators using the XProtect Management Client.

Note: The Dual Authorization function is not supported for the built-in ‘Administrators’ role. Members of this role will always be able to log in without any further authorization. Therefore, if Dual Authorization is to be used for administrators of the VMS, a new administrator role must be created and configured with the right set of permissions.

The ‘Authorize users’ permission is found under the ‘Management Server’ node in the ‘Overall Security’ tab.

Login authorization

When a user or administrator, who is a member of a role that requires authorization, tries to log in with the XProtect Smart Client or the XProtect Management Client, the user is authenticated as usual. However, once successfully authenticated, the user is presented with a second login dialog prompting for login authorization by another user. The second user must enter his or her username and password to authorize the login.

In both XProtect Smart Client and XProtect Management Client, the user authorizing the login can see who is requesting to be authorized as the name of the user is displayed in the authorization dialog.

Initial user authentication using the XProtect Management Client or the XProtect Smart Client.

Second user authentication and authorization using the XProtect Management Client or the XProtect Smart Client.

When the second user has been authenticated, the login is authorized and the normal client interface is shown. The client can now be used as usual until closed or logged out.

Audit log

When Dual Authorization is used, several audit log entries are registered describing the sequence of actions made by the two users.

Reading the audit log entries from the bottom up, the following is documented:

  • Adam got authenticated by the Identity Provider in the VMS

  • Using the authorization dialog, James got authenticated by the Identity Provider in the VMS

  • Having been authenticated, James authorized Adam’s login

  • Login for Adam was completed and Adam got access to the VMS with the client used
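
The four-step sequence above can be checked mechanically during audit log review. The following Python is an added example, not part of the original page or of the XProtect product; the record fields, event labels and the two user sets are assumptions standing in for an exported audit log and the role configuration.

```python
# Added example. Event labels and field names are assumptions, not XProtect's schema.
DUAL_AUTH_USERS = {"Adam", "Eve"}  # members of roles with 'Login authorization required'
AUTHORIZERS = {"James"}            # members of roles with 'Authorize users'

# Constructed sample, newest entry first (the page reads its audit log bottom up).
SAMPLE_LOG = [
    {"event": "login_completed", "user": "Eve"},
    {"event": "authenticated", "user": "Eve"},
    {"event": "login_completed", "user": "Adam"},
    {"event": "login_authorized", "user": "James", "target": "Adam"},
    {"event": "authenticated", "user": "James"},
    {"event": "authenticated", "user": "Adam"},
]

def check_dual_authorization(records_newest_first, dual_auth_users, authorizers):
    """Return (user, reason) findings for logins that lack the documented sequence."""
    findings = []
    authenticated = set()  # users with an authentication entry not yet consumed
    approvals = {}         # requesting user -> user who authorized the login
    for rec in reversed(records_newest_first):  # replay oldest first
        event, user = rec["event"], rec["user"]
        if event == "authenticated":
            authenticated.add(user)
        elif event == "login_authorized":
            approvals[rec["target"]] = user
        elif event == "login_completed" and user in dual_auth_users:
            approver = approvals.pop(user, None)
            if user not in authenticated:
                findings.append((user, "login completed without authentication entry"))
            if approver is None:
                findings.append((user, "login completed without authorization entry"))
            elif approver == user:
                findings.append((user, "login authorized by the same user"))
            elif approver not in authorizers:
                findings.append((user, f"authorized by {approver}, who lacks 'Authorize users'"))
            elif approver not in authenticated:
                findings.append((user, f"authorizer {approver} has no authentication entry"))
            # Each login must be backed by fresh entries, so consume the ones used here.
            authenticated.discard(user)
            authenticated.discard(approver)
    return findings

if __name__ == "__main__":
    for user, reason in check_dual_authorization(SAMPLE_LOG, DUAL_AUTH_USERS, AUTHORIZERS):
        print(f"{user}: {reason}")
```

Members of the built-in ‘Administrators’ role are exempt from Dual Authorization, so they are left out of the first set and their logins are not flagged.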