Officers and roles in Certificate Manager
This article includes updates for Certificate Manager 8.10.
This article provides an overview of the officers, roles, and officer profiles in Smart ID Certificate Manager (CM).
Certificate Manager users are known as officers. CM lets you configure officer roles at a fine-grained level, restricting each officer to specific tasks only, for example as prescribed by the CA's operational policies.
To simplify the administration of officers, officer profiles are configured to predefine a set of permitted roles and other constraints. A unique officer is then created by associating an officer profile with a certificate issued by CM, with a system-unique subject, or with a token serial number.
The following general officer types are available, to separate administrative from operational duties and to establish a secure connection from client to server:
Administration officers
Registration officers
The available roles for each officer type are listed below.
Administration officers are responsible for administering security policies, setting up CA policies, auditing, and so on, whereas registration officers are responsible for registering users, issuing certificates, and so on.
Administration officer roles
Administration officers are responsible for administering the security policies of CM, for example setting up CA policies and auditing. The following administration roles are available in the Administrator's workbench (AWB) client:
Use AWB
Manual build of CRL and CIL
Audit tasks
Domain tasks
CA and Key tasks
Policy tasks
Officer tasks
Profile tasks
Configuration tasks
Signing Authority and SA Key tasks
Registration officer roles
Registration officers are responsible for tasks such as registering users and issuing, activating, and revoking certificates. Registration officers work in the Certificate Manager clients: Registration Authority (RA), Certificate Controller (CC) and Secure Printer (SP).
The following roles are available:
Use Clients
Issue certificate
Issue attribute certificate
Recover key
Manage OCSP Activation
Manage Revocation password
Manage user data retention
Publish certificate
Republish failed distribution
Revoke certificate
Revoke certificate with password
Revoke attribute certificate
Revoke attribute certificate with password
Export search results
Create batch
Claim batch
Manage PIN letters
Signing Authority Requests
The earlier role "Publish certificate with password" has been replaced by the combination of the roles "Publish certificate" and "Manage revocation password".
Authentication officer roles
Authentication officers have restricted rights: an unattended service acting as this officer type can do nothing other than establish the TLS connection between the client application and the CM server, list certificates, and forward certification requests that have been signed by a registration officer.
The following role is available:
Use clients
Read-only officer roles
Read-only officers' access is restricted to viewing within the AWB client. They cannot perform operations such as manually building CRLs and CILs, configuring CA policies, or auditing. This officer type has only the Use AWB role:
Use AWB
Supplementary roles
It is also possible to define supplementary roles. These customer-specific roles appear in the list of available roles only if this feature has been configured. The CM SDK is required to make use of supplementary roles. See the Developer's Guide for more details.
Additional constraints
In addition to the roles, several other constraints can be used to limit officer permissions, for example restricting an officer to specific CAs, CA policies, or certificate content (such as only certificates for a certain organization).
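The profile-plus-constraints model described above, as an added illustration that is not part of this documentation or the CM SDK: a profile grants roles and optional CA, CA-policy and organization constraints, an officer is a profile bound to a credential, and a request is denied unless the role is granted and every configured constraint matches. Profile names, CA names, policies and organizations are constructed.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Constructed model of the officer-profile concept; not the CM SDK's own API.
# A profile predefines permitted roles plus optional constraints; None means
# "no restriction" for that constraint.
@dataclass(frozen=True)
class OfficerProfile:
    name: str
    roles: FrozenSet[str]
    allowed_cas: Optional[FrozenSet[str]] = None
    allowed_policies: Optional[FrozenSet[str]] = None
    allowed_orgs: Optional[FrozenSet[str]] = None

@dataclass(frozen=True)
class Officer:
    profile: OfficerProfile
    binding: str  # certificate, system-unique subject, or token serial (constructed)

@dataclass(frozen=True)
class Request:
    action: str        # a role name from the lists above, e.g. "Issue certificate"
    ca: str
    policy: str
    organization: str  # organization in the requested certificate content

def authorize(officer: Officer, req: Request) -> Tuple[bool, str]:
    """Default deny: the role must be granted AND every configured constraint must match."""
    p = officer.profile
    if req.action not in p.roles:
        return False, f"role '{req.action}' not granted to profile '{p.name}'"
    checks = (("CA", p.allowed_cas, req.ca),
              ("CA policy", p.allowed_policies, req.policy),
              ("organization", p.allowed_orgs, req.organization))
    for label, allowed, value in checks:
        if allowed is not None and value not in allowed:
            return False, f"{label} '{value}' is outside the constraints of profile '{p.name}'"
    return True, "permitted"

# Constructed sample profiles mirroring the officer types described above.
RA_ACME = OfficerProfile("RA Acme",
                         frozenset({"Use Clients", "Issue certificate", "Revoke certificate"}),
                         allowed_cas=frozenset({"Acme Issuing CA"}),
                         allowed_orgs=frozenset({"Acme"}))
AUTH_ONLY = OfficerProfile("Unattended service", frozenset({"Use Clients"}))
READ_ONLY = OfficerProfile("Auditor view", frozenset({"Use AWB"}))

ra_officer = Officer(RA_ACME, binding="cert:example-fingerprint")
svc_officer = Officer(AUTH_ONLY, binding="token:example-serial")
ro_officer = Officer(READ_ONLY, binding="subject:CN=viewer")
```

Running `authorize(ra_officer, Request("Issue certificate", "Other CA", "employee", "Acme"))` returns a denial naming the CA constraint, while the same request against "Acme Issuing CA" for organization "Acme" is permitted.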