-
Onboarding (company side)
Asset Manager issues permission (e.g., via classic directory servicesa) -
Onboarding (worker side)
Worker (internal or external) receives work order including credentialsb and/or permissionsc. -
Receive work order
Worker authenticates themselves at a kiosk system placed at the gate or plant lobby area using their P3KI Authenticator mobile app.
Afterwards, they proceed through the gatesd to the DCS control roomd. -
Cross air-gap & self-provision account
Worker presents their phone to the air-gapped kiosk system in the DCS network and receives credentials to a temporary, personalized account. -
Local provisioning
The kiosk system provisions a temporary account in the local directory servicee. -
Work as usual
Worker logs into the operator station using their temporary, personalized accounte. -
Automatic cleanup
Accounts automatically expire and get deactivated, e.g., at the end of the shift. Reactivation of accounts works for as long as the worker holds a valid permission to do so.
a) Classic Directory Services are supported for systems that want to make use of established processes. Contact us to learn what systems we can support.
b) Credentials based authentication (username & password) is supported for legacy processes. Direct, password-less and account-less onboarding using P3KI Permission Delegation Technology is also available.
c) Existing permission models can be mapped to P3KI Permission Delegation Technology.
d) P3KI's Authenticator App combined with P3KI's Permission Delegation Technology can be adapted to also enable seamless physical access without any additional on-boarding steps, reducing required personnel and speeding up processes.
e) P3KI can interact with local directory services to provision temporary, personalized accounts. Direct support to log into workstations without account provisioning is being developed.