Local Access Control

The Local Access Control mechanism defines how authorization is performed locally, alongside or instead of the remote RAS/RSS server. It is typically used when an Internet connection is not available.

If a customer administrator wants full control over SyncOffice/SyncOS authorization for a certificate, they can forcibly apply the Local Access Control attribute to that certificate. Once this attribute is active, whether or not the remote RAS/RSS server is reachable, the authorization process generates a real-time random AccessCode and prompts the end-user to obtain its companion Access Passcode from the administrator. After receiving the end-user's real-time random AccessCode, the administrator uses SyncOffice Authenticator to produce the companion Access Passcode and then gives it to the end-user, who enters it to finish the authorization process.

Two attribute data items relate to Local Access Control: certbuf_accesscontrol and certbuf_acvalidtime.

certbuf_accesscontrol

certbuf_accesscontrol is a bitmap attribute containing several logical switch options, including the following:

  • Use Time Of Day Constraint
  • Use Asymmetric Style Key
  • Allow Runtime Config

The Time Of Day option defines which hours on which days of the week are valid. For each day from Monday to Sunday, the administrator can specify two periods.

The Asymmetric Style Key option selects Asymmetric Style Key storage for the document password key. Ordinarily, a document password key is stored in a certificate as a whole string. Although it is encrypted, this is not very safe; it is better to activate the Asymmetric Style Key feature so that RAS/RSS stores part of the key. Activating the Asymmetric Style Key option assumes that the Internet and RAS/RSS are always available.

Runtime Config allows the end-user to use a runtime realm other than the default realm defined in the certificate. Typically this runtime realm is the user's private personal realm.

certbuf_acvalidtime

When Local Access Control is applied, a local real-time AccessCode is generated, and if its matching Passcode is entered, a managed work session starts.

In many cases, the end-user may close SyncOffice and re-launch it soon afterwards. If every launch of SyncOffice required a phone call to the administrator, it would be awkward and impractical.

So a validity period must be defined for a generated AccessCode. There are three options: valid for the current hour, the current day, or the current month.

As a common-sense practice, you can set the validity of an AccessCode's PassCode to the current month. Once you have calculated a PassCode and given it to your end-user, they will not need to call you again in the current month. On the other hand, the end-user gains access authority for the whole current month and therefore escapes your control for that time.
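The two attribute data items above, modelled as launch-time policy checks in an added example that is not SyncOffice code: the bit values chosen for certbuf_accesscontrol, the reading of certbuf_acvalidtime's hour/day/month as calendar units, and all function names and sample times are assumptions.

```python
from datetime import datetime, time
from enum import IntFlag


class AccessControl(IntFlag):
    """certbuf_accesscontrol switches. Bit positions are assumed: the page
    names the three options but does not give their values."""
    USE_TIME_OF_DAY = 0x1
    USE_ASYMMETRIC_STYLE_KEY = 0x2
    ALLOW_RUNTIME_CONFIG = 0x4


def in_time_of_day_window(now: datetime, schedule: dict) -> bool:
    """schedule maps weekday (Monday=0 .. Sunday=6) to at most two
    (start, end) periods, as the Time Of Day constraint allows."""
    periods = schedule.get(now.weekday(), [])[:2]
    return any(start <= now.time() < end for start, end in periods)


def passcode_still_valid(issued: datetime, now: datetime, acvalidtime: str) -> bool:
    """certbuf_acvalidtime: the PassCode stays valid for the calendar hour,
    day or month in which it was issued (assumed reading of 'current ...')."""
    if now < issued:
        return False
    if acvalidtime == "hour":
        return (now.date(), now.hour) == (issued.date(), issued.hour)
    if acvalidtime == "day":
        return now.date() == issued.date()
    if acvalidtime == "month":
        return (now.year, now.month) == (issued.year, issued.month)
    raise ValueError(f"unknown certbuf_acvalidtime: {acvalidtime}")


def authorize(flags: AccessControl, now: datetime, schedule: dict,
              last_issued, acvalidtime: str) -> str:
    """Launch-time decision under Local Access Control (hypothetical model)."""
    if flags & AccessControl.USE_TIME_OF_DAY and not in_time_of_day_window(now, schedule):
        return "deny: outside Time Of Day constraint"
    if last_issued is not None and passcode_still_valid(last_issued, now, acvalidtime):
        return "start session: previous PassCode still valid"
    return "prompt: new AccessCode, administrator must supply PassCode"


# Constructed sample policy: Monday 09:00-12:00 and 13:00-18:00 only.
SCHEDULE = {0: [(time(9, 0), time(12, 0)), (time(13, 0), time(18, 0))]}
FLAGS = AccessControl.USE_TIME_OF_DAY | AccessControl.ALLOW_RUNTIME_CONFIG

if __name__ == "__main__":
    issued = datetime(2024, 3, 25, 10, 15)  # a Monday; PassCode obtained then
    print(authorize(FLAGS, datetime(2024, 3, 25, 12, 30), SCHEDULE, issued, "month"))
```

With acvalidtime set to "month" the second launch on a later day in March reuses the PassCode without a call, while the lunch-hour gap in the schedule still denies access.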