Understanding administrators

Depending on their role, administrators in Sectigo Certificate Manager (SCM) are responsible for certificate lifecycle management, policy enforcement, access control, and ensuring organizational compliance. They ensure certificates are managed securely, issued accurately, and are aligned with industry standards and regulations.

The primary administrator privileges and restrictions are divided as follows:

MRAO administrator — A Master Registration Authority Officer (MRAO) administrator can make changes across all organizations and departments in an enterprise account without any restrictions.
RAO administrator — A Registration Authority Officer (RAO) administrator can perform operations on specific organizations and departments and for specific certificate types.
DRAO administrator — A Department Registration Authority Officer (DRAO) can only perform operations on specific departments and for specific certificate types.

Administrators can be managed on the Settings Admins page.

The following table describes the settings and controls of the Admins page.

Column	Description
Name	The administrator’s full name.
Email	The administrator’s email address used for notifications and certificate issuance.
Username	The Standard or API administrator’s user name.
Type	The type of administrator: Standard — Standard administrators can log in to SCM with username/password, authentication certificate, or IdP and can be used for SCM API access. IdP Template — IdP templates are used in the auto-creation of IdP type admins. IdP — IdP administrators can only log in to SCM through a configured IdP. Sectigo Authentication Service — Sectigo Authentication Service (SAS) administrators can log in to SCM using their SAS account. API — API administrators can access SCM APIs with their username/password or authentication certificate but they cannot access the SCM UI. Dynamic IdP Template — Dynamic IdP templates are used in the auto-creation of IdP type admins that are automatically assigned to organizations/departments based on IdP attributes.
Role	The specific role of the administrator: MRAO Admin RAO Admin-SSL RAO Admin-Client Certificate RAO Admin-Code Signing RAO Admin-Device Certificate DRAO Admin-SSL DRAO Admin-Client Certificate DRAO Admin-Code Signing DRAO Admin-Device Certificate
Template	Indicates the IdP and dynamic IdP templates used to create the IdP user.
Active	Indicates whether the administrator account is active and able to access SCM.
Table controls
Filter	Enables you to sort the table information using custom filters.
Group	Enables you to sort the table information using predefined groups.
Refresh	Refreshes the information presented in the table.
Manage Columns	Enables you to select which table columns to display.
Admin controls
Add	Opens the Add Admin dialog where you can add a new administrator account.
Delete	Removes the selected administrator profile.
Edit	Opens the Edit Admin dialog where you can manage an existing certificate profile.
API Keys	Opens the API Keys dialog where you can add or edit admin API keys.
Change Type	Opens the Edit Admin Type dialog where you can change the administrator from one type to another.
Send IdP Invitation	Sends an email to the administrator that they can use to connect their SCM account to an available IdP.
Resend IdP Invitation	Resends the email to the administrator that they can use to complete the connection of their SCM account to an available IdP.
View Audit	Opens the Profile Audit dialog where you can view or download audit logs.
Activate/Deactivate	Located in the Active column, the selector enables you to switch administrators between active and inactive status.

Column

Description

Name

The administrator’s full name.

The administrator’s email address used for notifications and certificate issuance.

Username

The Standard or API administrator’s user name.

Type

The type of administrator:

Standard — Standard administrators can log in to SCM with username/password, authentication certificate, or IdP and can be used for SCM API access.
IdP Template — IdP templates are used in the auto-creation of IdP type admins.
IdP — IdP administrators can only log in to SCM through a configured IdP.
Sectigo Authentication Service — Sectigo Authentication Service (SAS) administrators can log in to SCM using their SAS account.
API — API administrators can access SCM APIs with their username/password or authentication certificate but they cannot access the SCM UI.
Dynamic IdP Template — Dynamic IdP templates are used in the auto-creation of IdP type admins that are automatically assigned to organizations/departments based on IdP attributes.

Role

The specific role of the administrator:

MRAO Admin
RAO Admin-SSL
RAO Admin-Client Certificate
RAO Admin-Code Signing
RAO Admin-Device Certificate
DRAO Admin-SSL
DRAO Admin-Client Certificate
DRAO Admin-Code Signing
DRAO Admin-Device Certificate

Template

Indicates the IdP and dynamic IdP templates used to create the IdP user.

Active

Indicates whether the administrator account is active and able to access SCM.

Table controls

Filter

Enables you to sort the table information using custom filters.

Group

Enables you to sort the table information using predefined groups.

Refresh

Refreshes the information presented in the table.

Manage Columns

Enables you to select which table columns to display.

Admin controls

Add

Opens the Add Admin dialog where you can add a new administrator account.

Delete

Removes the selected administrator profile.

Edit

Opens the Edit Admin dialog where you can manage an existing certificate profile.

API Keys

Opens the API Keys dialog where you can add or edit admin API keys.

Change Type

Opens the Edit Admin Type dialog where you can change the administrator from one type to another.

Send IdP Invitation

Sends an email to the administrator that they can use to connect their SCM account to an available IdP.

Resend IdP Invitation

Resends the email to the administrator that they can use to complete the connection of their SCM account to an available IdP.

View Audit

Opens the Profile Audit dialog where you can view or download audit logs.

Activate/Deactivate

Located in the Active column, the selector enables you to switch administrators between active and inactive status.

Comparing administrator roles

Administrators can be configured with specific privileges as needed. The privileges available for selection are determined by the administrator’s role and the certificate types that they are authorized to manage.

The following table lists all potential privileges for the various administrative roles.

Privilege	MRAO	RAO	DRAO
General privileges
Add peer administrator	✓	✓	✓
Edit peer administrator	✓	✓	✓
Delete peer administrator	✓	✓	✓
Automatically approve certificate requests	✓	✓	✓
MS agent management	✓	✗	✗
Download keys from Sectigo Key Vault	✓	✓	✓
Domain privileges
Manage domain validations	✓	✓	✓
Manage domains	✓	✓	✓
Approve domain delegations	✓	✓	✗
SSL certificate privileges
Request SSL certificates	✓	✓	✓
Renew SSL certificates	✓	✓	✓
Replace SSL certificates	✓	✓	✓
Revoke SSL certificates	✓	✓	✓
Manage SSL certificate requests	✓	✓	✓
Manage SSL certificates	✓	✓	✓
Client certificate privileges
Request client certificates	✓	✓	✓
Revoke client certificates	✓	✓	✓
Manage client certificates	✓	✓	✓
Code signing certificate privileges
Request code signing certificates	✓	✓	✓
Revoke code signing certificates	✓	✓	✓
Manage code signing certificates	✓	✓	✓
Device certificate privileges
Request device certificates	✓	✓	✓
Renew device certificates	✓	✓	✓
Replace device certificates	✓	✓	✓
Revoke device certificates	✓	✓	✓
Manage device certificate requests	✓	✓	✓
Manage device certificates	✓	✓	✓
Organizational privileges
Add organizations & departments	✓	✗	✗
Edit organizations & departments	✓	✗	✗
Add departments	✗	✓	✗
Edit departments	✗	✓	✗
Manage organization validations	✓	✓	✗

Privilege

MRAO

RAO

DRAO

General privileges

Add peer administrator

✓

Edit peer administrator

✓

Delete peer administrator

✓

Automatically approve certificate requests

✓

MS agent management

✓

✗

Download keys from Sectigo Key Vault

✓

Domain privileges

Manage domain validations

✓

Manage domains

✓

Approve domain delegations

✓

✗

SSL certificate privileges

Request SSL certificates

✓

Renew SSL certificates

✓

Replace SSL certificates

✓

Revoke SSL certificates

✓

Manage SSL certificate requests

✓

Manage SSL certificates

✓

Client certificate privileges

Request client certificates

✓

Revoke client certificates

✓

Manage client certificates

✓

Code signing certificate privileges

Request code signing certificates

✓

Revoke code signing certificates

✓

Manage code signing certificates

✓

Device certificate privileges

Request device certificates

✓

Renew device certificates

✓

Replace device certificates

✓

Revoke device certificates

✓

Manage device certificate requests

✓

Manage device certificates

✓

Organizational privileges

Add organizations & departments

✓

✗

Edit organizations & departments

✓

✗

Add departments

✗

✓

✗

Edit departments

✗

✓

✗

Manage organization validations

✓

✗