This article describes the roles that are available in the Digital ID module of Nexus Smart ID.

Specific roles for Digital ID

The following roles are available in the Smart ID Digital ID module:

| Role | Description | Technical reference |
|---|---|---|
| Mobile ID user | Self-service role for persons to activate their own mobile IDs. | |
| Mobile ID administrator | Enables users for self-service and locks profiles. | PcmRolePersonalMobileOfficer |
| Software token administrator | Enables self-service role for employees, and starts software token requests. | |
| Software token user | Self-service role for persons to request, recover and revoke their own software tokens. | PstmRoleSelfServiceUser |
| Virtual smart card user | Self-service role for persons to request, provision certificates, reset PIN and lock their own virtual smart cards. | PcmRoleVSCEntitledUser |
| Server certificate approver | Approves server and server certificate requests. | ScmRoleApproverOfficer |
| Server administrator | Manages servers and server certificates: server registration; server certificate requests | |
| Server certificate registration officer | Manages server certificates | |

Standard roles in PRIME

The standard package of Nexus PRIME provides a set of predefined standard roles that can be used as is or adapted to your requirements. This table lists the standard roles and what rights they have in PRIME Designer and PRIME Explorer respectively. 

| Role | Description | Rights | Technical reference |
|---|---|---|---|
| Bootstrap administrator | Does the initial configuration of PRIME. | PRIME Designer: All; PRIME Explorer: Admin | |
| Policy administrator | A user in Designer. | PRIME Designer: All; PRIME Explorer: No | |
| Service administrator | Makes configurations in Explorer, such as: start, restart and stop services; create tenant; configure connector; audit the system log and the process lists; kill processes | PRIME Designer: No; PRIME Explorer: Admin | |
| Registration officer | Manages “target” users and identities, who are targets (or objects) of credential management actions. | PRIME Designer: No; PRIME Explorer: All | |
| Approver | Approves card production. | PRIME Designer: No; PRIME Explorer: Open Tasks | |
| Card production administrator | Produces cards; repeats production | PRIME Designer: No; PRIME Explorer: Extended Search, Batch Orders | |
| Issuing authority | Activates and issues card to requester/user. | PRIME Designer: No; PRIME Explorer: Extended Search | |
| User administrator | Manages users and identities; assigns and de-assigns roles to users | PRIME Designer: Roles, User Administration; PRIME Explorer: Extended Search | |
| | Resets passwords; activates and reactivates PRIME users | PRIME Designer: No; PRIME Explorer: Extended Search, Open Tasks | |
| Self-service user | Registers and deregisters herself in the system; registers security password; resets her own password; changes PIN; unblocks PIN; renews her own card; locks her own card | PRIME Designer: No; PRIME Explorer: No | |
| Self-service visitor | Accepts or denies meeting invitation; invites further participant to an existing meeting | PRIME Designer: No; PRIME Explorer: No | |
| Batch sync | A role used for automatic batch synchronization of identities with external sources such as Active Directory. This role cannot be assigned to persons, but only used for this purpose. For the batch synchronization to work, the following entry must be set in the file of the PRIME Explorer: | PRIME Designer: No; PRIME Explorer: No | |