Understanding administrators

Depending on their role, administrators in Sectigo Certificate Manager (SCM) are responsible for certificate lifecycle management, policy enforcement, access control, and ensuring organizational compliance. They ensure certificates are managed securely, issued accurately, and are aligned with industry standards and regulations.

The primary administrator privileges and restrictions are divided as follows:

MRAO administrator — A Master Registration Authority Officer (MRAO) administrator can make changes across all organizations and departments in an enterprise account without any restrictions.
RAO administrator — A Registration Authority Officer (RAO) administrator can perform operations on specific organizations and departments and for specific certificate types.
DRAO administrator — A Department Registration Authority Officer (DRAO) can only perform operations on specific departments and for specific certificate types.

Administrators can be managed on the Settings Admins page.

The following table describes the settings and controls of the Admins page.

Column	Description
Name	The administrator’s full name.
Email	The administrator’s email address used for notifications and certificate issuance.
Username	The Standard or API administrator’s user name.
Type	The type of administrator: Standard — Standard administrators can log in to SCM with username/password, authentication certificate, or IdP and can be used for SCM API access. IdP Template — IdP templates are used in the auto-creation of IdP type admins. IdP — IdP administrators can only log in to SCM through a configured IdP. Sectigo Authentication Service — Sectigo Authentication Service (SAS) administrators can log in to SCM using their SAS account. API — API administrators can access SCM APIs with their username/password or authentication certificate but they cannot access the SCM UI. Dynamic IdP Template — Dynamic IdP templates are used in the auto-creation of IdP type admins that are automatically assigned to organizations/departments based on IdP attributes.
Role	The specific role of the administrator: MRAO Admin RAO Admin-SSL RAO Admin-Client Certificate RAO Admin-Code Signing RAO Admin-Device Certificate DRAO Admin-SSL DRAO Admin-Client Certificate DRAO Admin-Code Signing DRAO Admin-Device Certificate
Template	Indicates the IdP and dynamic IdP templates used to create the IdP user.
Active	Indicates whether the administrator account is active and able to access SCM.
Table controls
Filter	Enables you to sort the table information using custom filters.
Group	Enables you to sort the table information using predefined groups.
Refresh	Refreshes the information presented in the table.
Manage Columns	Enables you to select which table columns to display.
Admin controls
Add	Opens the Add Admin dialog where you can add a new administrator account.
Delete	Removes the selected administrator profile.
Edit	Opens the Edit Admin dialog where you can manage an existing certificate profile.
API Keys	Opens the API Keys dialog where you can add or edit admin API keys.
Change Type	Opens the Edit Admin Type dialog where you can change the administrator from one type to another.
Send IdP Invitation	Sends an email to the administrator that they can use to connect their SCM account to an available IdP.
Resend IdP Invitation	Resends the email to the administrator that they can use to complete the connection of their SCM account to an available IdP.
View Audit	Opens the Profile Audit dialog where you can view or download audit logs.
Activate/Deactivate	Located in the Active column, the selector enables you to switch administrators between active and inactive status.

Column

Description

Name

The administrator’s full name.

The administrator’s email address used for notifications and certificate issuance.

Username

The Standard or API administrator’s user name.

Type

The type of administrator:

Standard — Standard administrators can log in to SCM with username/password, authentication certificate, or IdP and can be used for SCM API access.
IdP Template — IdP templates are used in the auto-creation of IdP type admins.
IdP — IdP administrators can only log in to SCM through a configured IdP.
Sectigo Authentication Service — Sectigo Authentication Service (SAS) administrators can log in to SCM using their SAS account.
API — API administrators can access SCM APIs with their username/password or authentication certificate but they cannot access the SCM UI.
Dynamic IdP Template — Dynamic IdP templates are used in the auto-creation of IdP type admins that are automatically assigned to organizations/departments based on IdP attributes.

Role

The specific role of the administrator:

MRAO Admin
RAO Admin-SSL
RAO Admin-Client Certificate
RAO Admin-Code Signing
RAO Admin-Device Certificate
DRAO Admin-SSL
DRAO Admin-Client Certificate
DRAO Admin-Code Signing
DRAO Admin-Device Certificate

Template

Indicates the IdP and dynamic IdP templates used to create the IdP user.

Active

Indicates whether the administrator account is active and able to access SCM.

Table controls

Filter

Enables you to sort the table information using custom filters.

Group

Enables you to sort the table information using predefined groups.

Refresh

Refreshes the information presented in the table.

Manage Columns

Enables you to select which table columns to display.

Admin controls

Add

Opens the Add Admin dialog where you can add a new administrator account.

Delete

Removes the selected administrator profile.

Edit

Opens the Edit Admin dialog where you can manage an existing certificate profile.

API Keys

Opens the API Keys dialog where you can add or edit admin API keys.

Change Type

Opens the Edit Admin Type dialog where you can change the administrator from one type to another.

Send IdP Invitation

Sends an email to the administrator that they can use to connect their SCM account to an available IdP.

Resend IdP Invitation

Resends the email to the administrator that they can use to complete the connection of their SCM account to an available IdP.

View Audit

Opens the Profile Audit dialog where you can view or download audit logs.

Activate/Deactivate

Located in the Active column, the selector enables you to switch administrators between active and inactive status.

Comparing administrator roles

Administrators can be configured with specific privileges as needed. The privileges available for selection are determined by administrator’s role.

An administrator can be assigned more than one sub-role.

The following table lists all potential privileges for the various administrative roles.

Privilege	MRAO	RAO	DRAO
	SSL	Client	Code Signing	Device	SSL	Client	Code Signing	Device
Allow creation of peer admin users	✓	✓	✓	✓	✓	✓	✓	✓	✓
Allow editing of peer admin users	✓	✓	✓	✓	✓	✓	✓	✓	✓
Allow deleting of peer admin users	✓	✓	✓	✓	✓	✓	✓	✓	✓
Allow DCV	✓	✓	✓	✓	✓	✓	✓	✓	✓
Allow SSL details changing	✓	✓				✓			✓
Automatically approve certificate requests	✓	✓			✓	✓			✓
MS AD Discovery	✓
Allow certificate revocation	✓	✓	✓	✓	✓	✓	✓	✓	✓
Allow download keys from Key Vault	✓		✓				✓
Approve domain delegation	✓	✓	✓	✓	✓
Allow to manage organizations/departments	✓	✓	✓	✓	✓	✓	✓	✓	✓

Privilege

MRAO

RAO

DRAO

SSL

Client

Code Signing

Device

SSL

Client

Code Signing

Device

Allow creation of peer admin users

✓

Allow editing of peer admin users

✓

Allow deleting of peer admin users

✓

Allow DCV

✓

Allow SSL details changing

✓

Automatically approve certificate requests

✓

MS AD Discovery

✓

Allow certificate revocation

✓

Allow download keys from Key Vault

✓

Approve domain delegation

✓

Allow to manage organizations/departments

✓