Understanding administrators

Depending on their role, administrators in Sectigo Certificate Manager (SCM) are responsible for certificate lifecycle management, policy enforcement, access control, and ensuring organizational compliance. They ensure certificates are managed securely, issued accurately, and are aligned with industry standards and regulations.

The primary administrator privileges and restrictions are divided as follows:

MRAO administrator — A Master Registration Authority Officer (MRAO) administrator can make changes across all organizations and departments in an enterprise account without any restrictions.
RAO administrator — A Registration Authority Officer (RAO) administrator can perform operations on specific organizations and departments and for specific certificate types.
DRAO administrator — A Department Registration Authority Officer (DRAO) can only perform operations on specific departments and for specific certificate types.

Administrators can be managed on the Settings Admins page.

The following table describes the settings and controls of the Admins page.

Column	Description
Name	The administrator’s full name
Email	The administrator’s email address used for notifications and certificate issuance
Username	The Standard or API administrator’s user name
Type	The type of administrator: Standard — Standard administrators can log in to SCM with username/password, authentication certificate, or IdP and can be used for SCM API access IdP Template — IdP templates are used in the auto-creation of IdP type admins IdP — IdP administrators can only log in to SCM through a configured IdP Sectigo Authentication Service — Sectigo Authentication Service (SAS) administrators can log in to SCM using their SAS account API — API administrators can access SCM APIs with their username/password or authentication certificate but they cannot access the SCM UI
Role	The specific role of the administrator: MRAO Admin RAO Admin-SSL RAO Admin-Client Certificate RAO Admin-Code Signing RAO Admin-Device Certificate DRAO Admin-SSL DRAO Admin-Client Certificate DRAO Admin-Code Signing DRAO Admin-Device Certificate
Template	Indicates the IdP template used to create the IdP user
Active	Indicates whether the administrator account is active and able to access SCM
Table controls
Filter	Enables you to sort the table information using predefined groups and custom filters
Group	Enables you to sort the table information using predefined groups
Refresh	Refreshes the information presented in the table
Manage Columns	Enables you to select which table columns to display
Admin controls
Add	Opens the Add Admin dialog where you can add a new administrator account
Delete	Removes the selected administrator profile
Edit	Opens the Edit Admin dialog where you can manage an existing certificate profile
API Keys	Opens the API Keys dialog where you can add or edit admin API keys
Change Type	Opens the Edit Admin Type dialog where you can change the administrator from one type to another
Send IdP Invitation	Sends an email to the administrator that they can use to connect their SCM account to an available IdP
Resend IdP Invitation	Resends the email to the administrator that they can use to complete the connection of their SCM account to an available IdP
View Audit	Opens the Profile Audit dialog where you can view or download audit logs
Activate/Deactivate	Located in the Active column, the selector enables you to switch administrators between active and inactive status

Column

Description

Name

The administrator’s full name

The administrator’s email address used for notifications and certificate issuance

Username

The Standard or API administrator’s user name

Type

The type of administrator:

Standard — Standard administrators can log in to SCM with username/password, authentication certificate, or IdP and can be used for SCM API access
IdP Template — IdP templates are used in the auto-creation of IdP type admins
IdP — IdP administrators can only log in to SCM through a configured IdP
Sectigo Authentication Service — Sectigo Authentication Service (SAS) administrators can log in to SCM using their SAS account
API — API administrators can access SCM APIs with their username/password or authentication certificate but they cannot access the SCM UI

Role

The specific role of the administrator:

MRAO Admin
RAO Admin-SSL
RAO Admin-Client Certificate
RAO Admin-Code Signing
RAO Admin-Device Certificate
DRAO Admin-SSL
DRAO Admin-Client Certificate
DRAO Admin-Code Signing
DRAO Admin-Device Certificate

Template

Indicates the IdP template used to create the IdP user

Active

Indicates whether the administrator account is active and able to access SCM

Table controls

Filter

Enables you to sort the table information using predefined groups and custom filters

Group

Enables you to sort the table information using predefined groups

Refresh

Refreshes the information presented in the table

Manage Columns

Enables you to select which table columns to display

Admin controls

Add

Opens the Add Admin dialog where you can add a new administrator account

Delete

Removes the selected administrator profile

Edit

Opens the Edit Admin dialog where you can manage an existing certificate profile

API Keys

Opens the API Keys dialog where you can add or edit admin API keys

Change Type

Opens the Edit Admin Type dialog where you can change the administrator from one type to another

Send IdP Invitation

Sends an email to the administrator that they can use to connect their SCM account to an available IdP

Resend IdP Invitation

Resends the email to the administrator that they can use to complete the connection of their SCM account to an available IdP

View Audit

Opens the Profile Audit dialog where you can view or download audit logs

Activate/Deactivate

Located in the Active column, the selector enables you to switch administrators between active and inactive status

Comparing administrator roles

Administrators can be configured with specific privileges as needed. The privileges available for selection are determined by administrator’s role.

An administrator can be assigned more than one sub-role.

The following table lists all potential privileges for the various administrative roles.

Privilege	MRAO	RAO	DRAO
	SSL	Client	Code Signing	Device	SSL	Client	Code Signing	Device
Allow creation of peer admin users	✓	✓	✓	✓	✓	✓	✓	✓	✓
Allow editing of peer admin users	✓	✓	✓	✓	✓	✓	✓	✓	✓
Allow deleting of peer admin users	✓	✓	✓	✓	✓	✓	✓	✓	✓
Allow DCV	✓	✓	✓	✓	✓	✓	✓	✓	✓
Allow SSL details changing	✓	✓				✓			✓
Automatically approve certificate requests	✓	✓			✓	✓			✓
MS AD Discovery	✓
Allow certificate revocation	✓	✓	✓	✓	✓	✓	✓	✓	✓
Allow download keys from Key Vault	✓		✓				✓
Approve domain delegation	✓	✓	✓	✓	✓
Allow to manage organizations/departments	✓	✓	✓	✓	✓	✓	✓	✓	✓

Privilege

MRAO

RAO

DRAO

SSL

Client

Code Signing

Device

SSL

Client

Code Signing

Device

Allow creation of peer admin users

✓

Allow editing of peer admin users

✓

Allow deleting of peer admin users

✓

Allow DCV

✓

Allow SSL details changing

✓

Automatically approve certificate requests

✓

MS AD Discovery

✓

Allow certificate revocation

✓

Allow download keys from Key Vault

✓

Approve domain delegation

✓

Allow to manage organizations/departments

✓