Understanding administrators

Depending on their role, administrators in Sectigo Certificate Manager (SCM) are responsible for certificate lifecycle management, policy enforcement, access control, and ensuring organizational compliance. They ensure certificates are managed securely, issued accurately, and are aligned with industry standards and regulations.

The primary administrator privileges and restrictions are divided as follows:

  • MRAO administrator — A Master Registration Authority Officer (MRAO) administrator can make changes across all organizations and departments in an enterprise account without any restrictions.

  • RAO administrator — A Registration Authority Officer (RAO) administrator can perform operations on specific organizations and departments and for specific certificate types.

  • DRAO administrator — A Department Registration Authority Officer (DRAO) can only perform operations on specific departments and for specific certificate types.

Administrators can be managed on the Settings  Admins page.

Admins page

The following table describes the settings and controls of the Admins page.

Column Description

Name

The administrator’s full name

Email

The administrator’s email address used for notifications and certificate issuance

Username

The Standard or API administrator’s user name

Type

The type of administrator:

  • Standard — Standard administrators can log in to SCM with username/password, authentication certificate, or IdP and can be used for SCM API access

  • IdP Template — IdP templates are used in the auto-creation of IdP type admins

  • IdP — IdP administrators can only log in to SCM through a configured IdP

  • Sectigo Authentication Service — Sectigo Authentication Service (SAS) administrators can log in to SCM using their SAS account

  • API — API administrators can access SCM APIs with their username/password or authentication certificate but they cannot access the SCM UI

Role

The specific role of the administrator:

  • MRAO Admin

  • RAO Admin-SSL

  • RAO Admin-Client Certificate

  • RAO Admin-Code Signing

  • RAO Admin-Device Certificate

  • DRAO Admin-SSL

  • DRAO Admin-Client Certificate

  • DRAO Admin-Code Signing

  • DRAO Admin-Device Certificate

Template

Indicates the IdP template used to create the IdP user

Active

Indicates whether the administrator account is active and able to access SCM

Table controls

Filter

Enables you to sort the table information using predefined groups and custom filters

Group

Enables you to sort the table information using predefined groups

Refresh

Refreshes the information presented in the table

Manage Columns

Enables you to select which table columns to display

Admin controls

Add

Opens the Add Admin dialog where you can add a new administrator account

Delete

Removes the selected administrator profile

Edit

Opens the Edit Admin dialog where you can manage an existing certificate profile

Change Type

Opens the Edit Admin Type dialog where you can change the administrator from one type to another

Send IdP Invitation

Sends an email to the administrator that they can use to connect their SCM account to an available IdP

Resend IdP Invitation

Resends the email to the administrator that they can use to complete the connection of their SCM account to an available IdP

View Audit

Opens the Profile Audit dialog where you can view or download audit logs

Activate/Deactivate

Located in the Active column, the selector enables you to switch administrators between active and inactive status

Comparing administrator roles

Administrators can be configured with specific privileges as needed. The privileges available for selection are determined by administrator’s role.

An administrator can be assigned more than one sub-role.

The following table lists all potential administrative privileges and for which roles they can be enabled.

Privilege MRAO RAO DRAO

SSL

Client

Code Signing

Device

SSL

Client

Code Signing

Device

Allow creation of peer admin users

Allow editing of peer admin users

Allow deleting of peer admin users

Allow DCV

Allow SSL details changing

Automatically approve certificate requests

MS AD Discovery

Allow certificate revocation

Allow download keys from Key Vault

Approve domain delegation

Allow to manage organizations/departments