Constraints and roles for officers in Certificate Manager
This article describes the constraints that can be set for an officer in Smart ID Certificate Manager (CM). An officer is assigned roles, which allow them to perform various tasks, and constraints can also be set.
The following can be set for the officer:
Issuer constraints
Name constraints
Officer role(s)
Issuer constraints
An officer can have constraints so that the officer may only issue and revoke end user certificates with a certain subject name space. This means, for example, that an officer can be restricted to issuing certificates only for a specific issuer (that is, for a specific Certificate Authority, CA).
The issuing constraints for an officer may consist of one or more rules and each rule, in turn, consists of one or more attribute values. To grant the officer issuing rights, (that is, access to a token procedure), at least one of the rules must be fulfilled. For a rule to be fulfilled, all attribute values of that rule must match the corresponding attributes of the issuer subject name.
Example of issuer constraints |
---|
Rule 1: C=DE O=Org1 OU=QC Root CA |
Rules and permissions:
Rule number 1 gives permission to use all issuers that have a subject name containing
C=DE
,O=Org1
andOU=QC Root CA
.Rule number 2 gives permission to use all issuers that have a subject name containing
C=DE
andO=Org2
and does not haveL=Location A
norL=Location B
.Rule number 3 gives permission to use all issuers that have a subject name that contains
C=SE
andO=Nexus
.
Examples of issuers:
An issuer with subject
OU=CA4
,O=Org2
, andC=DE
will work due to rule number 2.An issuer with subject
OU=QC Root CA
,O=Org1
, andC=SE
will not work because none of the rules gives permission
You can add, delete, and modify rules for each officer profile in the Administrator's workbench (AWB) (AWB) and you can add, delete, and modify attribute values for each rule. For more information, see Officer profile tasks in Certificate Manager.
Name constraints
Name constraints can be set for an officer. All end-user certificates will automatically contain the organization, organization unit and directory management domain specified in the officer profile name constraints.
Roles
The role performed by an officer can be limited to specific functions, such as issuing, publishing or revoking certificates, working with batches, managing PIN letters, or recovering keys from the key archiving function. The role privileges given to any particular officer are determined by the officer profile that is assigned to the officer in the Create officer profile in Certificate Manager request dialog.