Understanding administrators

Depending on their role, administrators in Sectigo Certificate Manager (SCM) are responsible for certificate lifecycle management, policy enforcement, access control, and ensuring organizational compliance. They ensure certificates are managed securely, issued accurately, and are aligned with industry standards and regulations.

The primary administrator privileges and restrictions are divided as follows:

  • MRAO administrator — A Master Registration Authority Officer (MRAO) administrator can make changes across all organizations and departments in an enterprise account without any restrictions.

  • RAO administrator — A Registration Authority Officer (RAO) administrator can perform operations on specific organizations and departments and for specific certificate types.

  • DRAO administrator — A Department Registration Authority Officer (DRAO) can only perform operations on specific departments and for specific certificate types.

Administrators can be managed on the Settings  Admins page.

Admins page

The following table describes the settings and controls of the Admins page.

Column Description

Name

The administrator’s full name.

Email

The administrator’s email address used for notifications and certificate issuance.

Username

The Standard or API administrator’s user name.

Type

The type of administrator:

  • Standard — Standard administrators can log in to SCM with username/password, authentication certificate, or IdP and can be used for SCM API access.

  • IdP Template — IdP templates are used in the auto-creation of IdP type admins.

  • IdP — IdP administrators can only log in to SCM through a configured IdP.

  • Sectigo Authentication Service — Sectigo Authentication Service (SAS) administrators can log in to SCM using their SAS account.

  • API — API administrators can access SCM APIs with their username/password or authentication certificate but they cannot access the SCM UI.

  • Dynamic IdP Template — Dynamic IdP templates are used in the auto-creation of IdP type admins that are automatically assigned to organizations/departments based on IdP attributes.

Role

The specific role of the administrator:

  • MRAO Admin

  • RAO Admin-SSL

  • RAO Admin-Client Certificate

  • RAO Admin-Code Signing

  • RAO Admin-Device Certificate

  • DRAO Admin-SSL

  • DRAO Admin-Client Certificate

  • DRAO Admin-Code Signing

  • DRAO Admin-Device Certificate

Template

Indicates the IdP and dynamic IdP templates used to create the IdP user.

Active

Indicates whether the administrator account is active and able to access SCM.

Table controls

Filter

Enables you to sort the table information using custom filters.

Group

Enables you to sort the table information using predefined groups.

Refresh

Refreshes the information presented in the table.

Manage Columns

Enables you to select which table columns to display.

Admin controls

Add

Opens the Add Admin dialog where you can add a new administrator account.

Delete

Removes the selected administrator profile.

Edit

Opens the Edit Admin dialog where you can manage an existing certificate profile.

API Keys

Opens the API Keys dialog where you can add or edit admin API keys.

Change Type

Opens the Edit Admin Type dialog where you can change the administrator from one type to another.

Send IdP Invitation

Sends an email to the administrator that they can use to connect their SCM account to an available IdP.

Resend IdP Invitation

Resends the email to the administrator that they can use to complete the connection of their SCM account to an available IdP.

View Audit

Opens the Profile Audit dialog where you can view or download audit logs.

Activate/Deactivate

Located in the Active column, the selector enables you to switch administrators between active and inactive status.

Comparing administrator roles

Administrators can be configured with specific privileges as needed. The privileges available for selection are determined by administrator’s role.

An administrator can be assigned more than one sub-role.

The following table lists all potential privileges for the various administrative roles.

Privilege MRAO RAO DRAO

SSL

Client

Code Signing

Device

SSL

Client

Code Signing

Device

Allow creation of peer admin users

Allow editing of peer admin users

Allow deleting of peer admin users

Allow DCV

Allow SSL details changing

Automatically approve certificate requests

MS AD Discovery

Allow certificate revocation

Allow download keys from Key Vault

Approve domain delegation

Allow to manage organizations/departments