Create officer profile in Certificate Manager
This article describes how to create an officer profile, used within Smart ID Certificate Manager (CM). An officer profile can be seen as a template, where roles for an officer are enabled or disabled. This task is done in Administrator's workbench (AWB).
Prerequisites
The following prerequisites apply:
Two administration officers must sign the request.
Both officers must have the following roles:
Use AWB
Profile tasks
Create officer profile
Clicking Save at any time during the creation of the officer profile, before clicking OK, will save the data and place the incomplete request in the Officer Profiles sub-group.
To complete the creation of the officer profile at a later stage:
Highlight the officer profile in the explorer bar.
Select Modify from the Edit menu, the toolbar, or the right-click shortcut menu.
To create an officer profile:
In AWB, select New > Officer Profile or select Officer Profile in the shortcut menu.
In the Create Officer Profile dialog, in Profile Name, enter a descriptive name.
Show affected officers is used in Modify officer profile in Certificate Manager.
Set State to Active or Closed as required.
In Domain, browse for the domain under which the officer profile will be located.
In Entity Type, select the scope of the officer definition.
Subject - The officer is connected to the subject of a certificate. New certificates that are issued to the same subject can be used as officer credentials.
Dynamic token - The officer is connected to a card or soft token. The card can be updated with new certificates that can be used as officer credentials.
Static token - The officer is connected to a card or soft token but it is not possible to update the card with new certificates as long as the officer connection exists. If the officer certificate is not connected to any card serial number, only that certificate can be used as officer credential.
Note: When changing the officer entity type to Subject, any affected officers that were created in CM version 7.15 or older must be re-signed with the Modify command to be connected with the subject of the officer certificate.
In Issuer name constraints, set any restrictions on the issuing rights of an officer to a particular CA, organization, or organizational unit, etc. For more information, see Constraints and roles for officers in Certificate Manager. Multiple issuer constraints can be added to the officer profile.
To add an issuer constraint:
Click + to add a constraint.
In the Create New Constraint Rule window, click + to add an attribute you want to include. Several attributes can be added to the same issuer constraint.
In the Add New Attribute window, select the required Type of attribute, select an Operation (= or <>), enter a Value, and click OK.
Example: Issuer constraint
Organization = Nexus, Organization Unit = R&D
When all the desired attributes are added to the constraint, click OK in the Create New Constraint Rule window.
In Subject name constraint, the officer can be restricted when issuing end-user certificates.
For example, if the Subject name constraint is Country = SE, the officer can only issue certificates that contain Sweden as the country. The constraints are used in the RA to prefill the appropriate fields of certificates issued by the officer.
Multiple subject name constraints can be added.
To add a subject name constraint:
Click +.
In the Select constraint window, select the required Type of constraint, enter the required Value and click OK.
In Procedure Filter, configure filters for how to display procedures and certificates in the RA and CC clients. Multiple procedure filters can be added. Logical OR operations are applied to all specified strings.
To add a procedure filter:
Click +.
In the Procedure filter window, enter a string that is common in all names of token and certificate procedures that should be made available to the new officer when issuing tokens and certificates in the RA and CM SDK clients. The filter will also restrict which certificates the officer can see, revoke and reinstate.
Note: One or more consecutive words from a token procedure name can be specified.
Example: if the procedure name is Omnibus for Berlin, then Omnibus, Omnibus for, for Berlin and Omnibus for Berlin would be accepted strings, while bus would not.
In the table, check the boxes in Enabled to enable the applicable Roles for officers assigned to this officer profile.
Click OK and sign the request. See Sign tasks in Certificate Manager for more information.
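The matching rule described for Procedure Filter above (whole consecutive words, logical OR across filter strings), modelled as an added example that is not part of the original article or of Certificate Manager's own code. It assumes whitespace-separated words and case-sensitive comparison, which the article does not specify; the function names and all sample procedure names except Omnibus for Berlin are constructed for illustration.

```python
# Added example: models the procedure-filter rule from the note above so a
# planned filter set can be reviewed before the profile request is signed.
# Assumptions (not stated in the article): words are whitespace-separated
# and the comparison is case-sensitive.

def filter_matches(filter_string, procedure_name):
    """True if filter_string is one or more consecutive whole words of procedure_name."""
    wanted = filter_string.split()
    words = procedure_name.split()
    if not wanted:
        return False  # an empty filter selects nothing in this model
    n = len(wanted)
    return any(words[i:i + n] == wanted for i in range(len(words) - n + 1))

def visible_procedures(filters, procedure_names):
    """Procedures exposed to the officer: logical OR across all filter strings."""
    return [p for p in procedure_names
            if any(filter_matches(f, p) for f in filters)]

def review_filters(filters, procedure_names):
    """Per-filter hit list, so over-broad or dead filters stand out."""
    return {f: [p for p in procedure_names if filter_matches(f, p)]
            for f in filters}

# Constructed sample data; only "Omnibus for Berlin" comes from the article.
PROCEDURES = [
    "Omnibus for Berlin",
    "Omnibus for Hamburg",
    "Smartcard for Berlin staff",
    "Server TLS",
]

if __name__ == "__main__":
    report = review_filters(["Omnibus for", "for Berlin", "bus"], PROCEDURES)
    for f, hits in report.items():
        print(f"{f!r}: {hits or 'no match'}")
```

In this model the filter for Berlin also selects Smartcard for Berlin staff, which is the kind of unintended widening of an officer's scope worth catching before the profile is signed.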