Introduction


Web RA supports granular Role-Based Access Control (RBAC) with fine-grained authorization, i.e. Read, Add/Edit, and Delete access on individual Admin modules and sub-modules. Based on your administration requirements, you can create multiple roles, each granting access to selected modules, and assign them to Admin RAOs and Enterprise RAOs so that each operator has only restricted access to the system.

How it Works?


  1. In a production environment, the role of an Enterprise Operator should allow only the following modules:
    • Enterprises
    • Users
    • Vetting & Approvals
    • Certificates
  2. When creating an Enterprise Operator, assign the role created for it and allow only the Enterprise(s) that the operator is supposed to manage.
  3. An Enterprise Operator can only see the enterprises that are assigned to him.
  4. An Enterprise Operator can only see the vetting requests, users and certificates of the enterprise(s) that are assigned to him.
  5. If Vetting is enabled and some ADSS Profiles exist with the option "Only admins can vet certificate requests for this profile" enabled, the following rules apply:
    • An Admin RAO can see:
      • List of all enterprises
      • List of all users regardless of their affiliation to any enterprise
      • Only high assurance certificate requests (for which "Only Admins can vet certificate request..." is enabled in the ADSS Profile)
      • List of all certificates regardless of the enterprise affiliation
    • An Enterprise RAO can see:
      • Only enterprises assigned to him
      • Only users that belong to his enterprises
      • Only certificate requests submitted by his enterprise users
      • Only certificates issued by his enterprises
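
The rules above can be turned into a review check for a deployment. The following Python is an added example, not part of Web RA: the role, operator and request layout, the names, and the "Service Plans" module label are constructed assumptions.

```python
# Added example: the data layout and names are assumptions, not a Web RA export format.
ENTERPRISE_OPERATOR_MODULES = {
    "Enterprises", "Users", "Vetting & Approvals", "Certificates",
}

def audit_enterprise_roles(roles, operators):
    """Return {operator name: [modules beyond the four recommended for production]}."""
    findings = {}
    for op in operators:
        if op["type"] != "Enterprise RAO":
            continue
        extra = sorted(set(roles[op["role"]]) - ENTERPRISE_OPERATOR_MODULES)
        if extra:
            findings[op["name"]] = extra
    return findings

def visible_requests(operator, requests):
    """IDs of certificate requests an operator should see under admin-only vetting."""
    if operator["type"] == "Admin RAO":
        # Only high assurance requests (the profile restricts vetting to admins).
        return [r["id"] for r in requests if r["admin_only_vetting"]]
    if operator["type"] == "Enterprise RAO":
        # Only requests submitted by users of the operator's own enterprises.
        return [r["id"] for r in requests if r["enterprise"] in operator["enterprises"]]
    return [r["id"] for r in requests]  # Administrator: unrestricted

# Constructed sample data for illustration only.
ROLES = {
    "ent-ops": ["Enterprises", "Users", "Vetting & Approvals", "Certificates"],
    "ent-wide": ["Users", "Certificates", "Service Plans"],
}
OPERATORS = [
    {"name": "alice", "type": "Enterprise RAO", "role": "ent-ops", "enterprises": ["Acme"]},
    {"name": "bob", "type": "Enterprise RAO", "role": "ent-wide", "enterprises": ["Globex"]},
    {"name": "carol", "type": "Admin RAO", "role": "ent-wide", "enterprises": []},
]
REQUESTS = [
    {"id": 1, "enterprise": "Acme", "admin_only_vetting": False},
    {"id": 2, "enterprise": "Acme", "admin_only_vetting": True},
    {"id": 3, "enterprise": "Globex", "admin_only_vetting": True},
]

if __name__ == "__main__":
    print(audit_enterprise_roles(ROLES, OPERATORS))
    for op in OPERATORS:
        print(op["name"], visible_requests(op, REQUESTS))
```

The same expectations can serve as test cases when verifying that a configured Enterprise RAO account sees nothing outside its assigned enterprises.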

The steps to configure a role are as follows:

Create a Role


  1. Click Access Control from the left-panel
  2. Click  to add a new Role

The configuration items are as follows:


| Field | Description |
|---|---|
| Name | A friendly identifier for the new role |
| Description | A brief text to explain the characteristics of the role |
| Allowed Modules | Select the required modules and sub-modules to include in this role and set their permissions (i.e. Read, Add/Edit, and Delete) accordingly. Administrators with this role can access only the selected modules, with the respective fine-grained permissions. |


The Administrator can Edit/Delete (options available by pressing the  button) an existing role from the Access Control screen.

Create an Operator


  1. Click Access Control from the left-panel
  2. Click  to add an Operator


| Field | Description |
|---|---|
| Name | Full name of the operator |
| Email | Official email address of the operator |
| Mobile Number | Mobile number for the SMS alerts |
| Authentication Certificate | The Admin must upload the operator's TLS client authentication certificate. This certificate is used to identify the user in the Web RA application. The user of this certificate must present the corresponding key to log in to the Admin portal. |
| Role | Assigned role of the operator (Admin, Enterprise RAO, Auditor etc.) |
| Type | There are three supported types when creating an Operator in Web RA Admin. Administrator: a super admin role that can perform any action across the application, whether user management, certificate management, configurations or service plan settings. Admin RAO: restricted from managing any configurations; can manage only the certificate requests or users that the Administrator allows. Enterprise RAO: restricted to managing only the certificate requests or users of the enterprises to which the operator belongs. |
| Status | Active or inactive |


The Administrator can Edit/Delete (options available by pressing the  button) an existing role from the Operators screen.