Introduction

A Web RA subscription that is acquired for any group of people (team) or organization is called an enterprise account. These accounts are registered by admin operators. An enterprise account has three type of users, i.e. Enterprise Owner, Enterprise Admin (RAO) and Enterprise User:

  • Enterprise Owner: While registering an Enterprise in Web RA, a user is also registered who owns this enterprise. This user cannot invite, register the delete user if he is not additionally assigned the Enterprise Admin role. An Enterprise Owner could be the CEO of the company who requests to register an enterprise in the Web RA. Any change made in the enterprise account should be initiated from him.
  • Enterprise Admin/ Enterprise RAO/ LRA Admin: These terms/ role names are used interchangeably but all refers to the same role. An Enterprise Admin is allowed to manage the users and certificate's vetting on behalf of his enterprise. An enterprise admin can invite the users from his organization to get the certificates. If self registration is disabled in the application then only the invited users via email can register their accounts in an enterprise. The enterprise admin can additionally vet a certificate request, revoke a certificate, delete a user etc.
  • Enterprise User: An Enterprise RAO may send invitations to the organisational staff members of their associated enterprise(s) to bring them under their enterprise umbrella(s). The invitees who accept these invitations become the enterprise users. An enterprise user may have the restricted access on Web RA and will have to abide by the rules, as configured by their Enterprise RAO. An enterprise user can be a part of multiple enterprises.

Terminologies

  • Low Assurance Certificates: these are the certificates that are issued to individuals e.g. email signing, authentication, encryption certificates
  • High Assurance Certificates: these are the certificates that are issued to organizations or websites e.g. TLS server authentication, code signing, eSeal or legal person certificates
  • Multitenancy: when an RAO or user is part of multiple enterprises, it is called multi tenancy in Web RA. The Web RA supports the multi tenancy and a user can be part of the multiple enterprises but at a time, he can see the certificates/requests of the one enterprise

How it Works?

  • The Web RA must be configured for the High Assurance Certificates to be vetted by the Admin RAO
  • The Enterprise RAO can be configured to vet the Low Assurance Certificates
  • An enterprise can have one or more Enterprise RAOs who can manage and vet the low assurance certificates
  • High assurance certificate should always be vetted by the Admin RAO because they bear more responsibility and requires more rigorous verification
  • The Enterprise RAOs can invite the users in the Web RA from where they can submit the certificate issuance requests. The Enterprise RAOs vet the requests and either approve or reject the requests
  • An Enterprise RAO can be a RAO for one of more enterprises. Similarly, a user can be registered in one or more enterprises using the same email address. Note that when an RAO or user is part of multiple enterprises, it can see the requests or certificates from the selected enterprise only. In short, at a time only one enterprise's data will be shown to the RAO or user
  • An Enterprise RAO can see the activities of an enterprise user by clicking the more options button
  • An enterprise can have the following statuses, the detailed actions are described in the table below:
    • Active - users are allowed to login the system and submit the new certificate requests
    • Suspended - the enterprise is temporarily suspended. The users of this enterprise can login the system but cannot submit the new requests 
    • Blocked - when you need to permanently block the enterprise. When blocked, neither users can login nor they can submit the request
  • A user can also have the following statuses similar to an enterprise.
    • Active - users are allowed to login the system and submit the new certificate requests
    • Suspended - the user is temporarily suspended. The users can login the system but cannot submit the new requests 
    • Blocked - when you need to permanently block the user. When blocked, neither users can login nor they can submit the request

Register an Enterprise

  1. Click Enterprises from left menu.
  2. Click  from the grid header.
  3. A screen will appear with three navigation tabs, i.e. Organization Information, User Information, Advanced Settings and Vetting Form (if Vetting is enabled in enterprise registration section under Service Plans and a vetting form is also selected). The configuration details are explained in the below table:
  4. Click Finish. A new enterprise will be saved and displayed in the list. See the below table for fields description.

1) An enterprise registration request must be approved by an Admin RAO while registering an enterprise account from WEB RA Admin, if vetting is enabled for enterprise registration under Service Plan. The enterprise account must be shown with Approved status under Enterprises > Requests and with Active status under Enterprises > Registered, once it's approved by an Admin RAO.

2) An enterprise account while signing up through Web RA Web, this shows as Pending status under Enterprises > Requests, and once it is approved by an Admin RAO this shows as Approved status under Enterprises > Requests and also appears under Registered enterprises list with an Active status under Enterprises > Registered.

3) If vetting for enterprise registration is not enabled under service plan, then all the new enterprises registrations will be auto approved and no vetting required for new enterprises.

4) If vetting on new enterprises registration is configured but None is selected under Vetting Form list, then no vetting form appears to be filled and only the new enterprise registration has to be approved by Admin RAO.

Organization Information

Field

Description

Legal Name

Legal Name is the official name of the organization under which the organization is registered with the government and it the name that is used when submitting the tax to the government e.g. Ascertia Limited

Assumed Name

It could be the name of the organization that is commonly used e.g. Ascertia

Organization Phone Number

Official phone number of the organization that is registered in the government documents

Address

Complete address of the organization as it was provided to government at the time of company registration. The following fields should be filled as part of Address:

  • Address 1
  • Address 2
  • City
  • State
  • Postal Code
  • Country

Status

An enterprise can have the following statuses:

  • Active - when an enterprise is registered, its status is set to Active by default.
  • Suspended - The following restrictions are applied on a suspended enterprise and it will be applicable for both Admin and Web portals:
    • users will be allowed to login the system
    • revoke requests can be submitted
    • new users cannot be invited/ registered
    • new certificate requests cannot be submitted but the existing requests will be processed
    • renew requests cannot be initiated
    • can download the existing certificates
  • Blocked - The following restrictions are applied on a blocked enterprise and it will be applicable for both Admin and Web portals:
    • users will not be allowed to login the system
    • revoke requests cannot be submitted
    • new users can not be invited/ registered
    • new certificate requests cannot be submitted
    • existing certificate requests cannot be processed
    • renew requests cannot be initiated
    • cannot download the existing certificates

  

Account Owner

Field 

Description

Name

Name of the enterprise owner. It could be any representative of the organization but ideally it should be the CEO. Any change request in the enterprise should be initiated by the enterprise owner

Email

Email address of the enterprise owner. An email will be sent to this email address to create an account on the Web RA Web

Mobile Number

Mobile number of the enterprise owner to send the OTP code if enabled in the profile 

Job Title

The role of the enterprise owner in his organization 


Advanced Settings

Field

Description

 Service Plan

Select the service plan for this enterprise. You can use a shared service plan or create a separate plan for each enterprise depending on the certificate issuance of each organization


Delete an Enterprise


  1. Enterprise Owners should not be allowed to delete an enterprise in their role
  2. Deleting an enterprise is a very sensitive operation and application administrators should perform this activity using four eyes principal
  3. If an enterprise is deleted, the certificates issued by/ against any user of this organization will be permanently revoked and you cannot reinstate these certificate


The following are the steps to delete an enterprise:


  1. Click Enterprises from the left menu
  2. Click the  adjacent to the enterprise in question
  3. Select the Delete option from the list
  4. A confirmation dialog will appear. Click Yes


Access Control Information


There are some certain rules that will be followed while managing or viewing enterprises list and it's related information. These rules are based on the user's type which includes Enterprise RAOs, Admin RAOs or Administrators.


Roles

Allowed Features

Enterprise RAO

Web RA stores the all activities of the user and an Admin or Enterprise Admin can view that from More Options () > User Activity

  • An enterprise RAO can manage only those users, which are either registered or invited by the enterprise RAO within the assigned enterprises.
  • An enterprise RAO once invites a user, that user will be treated as a user who is registered by an enterprise RAO and can be managed by the same enterprise RAO.
  • A user who is part of multiple enterprises, there is a possibility that the user managed by the enterprise RAO in one enterprise and managed by the admin RAO in other enterprise. 
  • User invitation list for enterprise RAO shows all the invitations; sent by enterprise RAO’s / Admin RAO’s / Administrators.
  • Security validations will be validated upon resending of an invitation, and the same enterprise RAO can resend invitation only who originally initiated the invitation request for that intended user. 
  • Security validations will be validated upon deletion of an invitation, and the same enterprise RAO can delete the user invitation only who originally initiated the invitation request for that intended user.
  • User registration list for enterprise RAO will show all the registered users for related enterprises.
  • Enterprise RAO will be able to delete / edit those users, which are registered by enterprise RAO only.

Admin RAO / Administrators
  • User registration list for admin RAO will show only those registered users, which were registered by admin RAO’s, administrator users that are registered in the enterprise, or the users that were invited by admin RAO’s/ administrator.
  • Users invited in the enterprise by admin RAO / administrator can be managed by the admin RAO/ administrator.
  •  A user who is part of multiple enterprises, there is a possibility that the user managed by the enterprise RAO in one enterprise and managed by the admin RAO in other enterprise.
  • User invitation list for admin RAO’s/ administrators will show all the invitations send by admin RAO’s /administrator’s.
  • Security validations will be validated upon resending of an invitation and the same admin RAO’s / administrator can resend invitation only who originally initiated the invitation request for that intended user.
  • Security validations will be validated upon deletion of an invitation, and the same admin RAO’s / administrator can delete the user invitation only who originally initiated the invitation request for that intended user.
  • Security validations will be validated upon deletion of a registered user, and the same admin RAO’s / administrator can delete the user only who originally registered that intended user.
  • Enterprise registered by the admin RAO’s / administrators (if allowed in roles), then that enterprise can be managed by that admin RAO’s/ administrator.