Introduction


Web RA supports granular Role Based Access Control (RBAC) with fine-grained authorization, i.e. Read, Add/Edit and Delete permissions on the individual Admin modules and sub-modules. Based on your administration requirements, you can create multiple roles, each granting access to a chosen set of modules, and assign them to Admin RAOs and Enterprise RAOs so that each operator receives only the access he needs.

How it Works


  1. In a production environment, the role assigned to an Enterprise Operator should allow only the following modules:
    • Enterprises
    • Users
    • Vetting & Approvals
    • Certificates
  2. When creating an Enterprise Operator, assign the role created for it and allow only the enterprise(s) that he is supposed to manage.
  3. An Enterprise Operator can only see the enterprises that are assigned to him.
  4. An Enterprise Operator can only see the vetting requests, users and certificates of the enterprise(s) that are assigned to him.
  5. If Vetting is enabled and some ADSS Profiles have the option "Only admins can vet certificate requests for this profile" set, the following rules apply:
    • An Admin RAO can see:
      • The list of all enterprises
      • The list of all users, regardless of their enterprise affiliation
      • Only high assurance certificate requests, i.e. those whose ADSS Profile has "Only admins can vet certificate requests for this profile" enabled
      • The list of all certificates, regardless of enterprise affiliation
    • An Enterprise RAO can see:
      • Only the enterprises assigned to him
      • Only users that belong to his enterprises
      • Only certificate requests submitted by his enterprise users
      • Only certificates of his enterprises
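The visibility rules above, together with the three operator types (Administrator, Admin RAO, Enterprise RAO) and the per-module Read, Add/Edit and Delete permissions, modelled as an added Python example. This is not Web RA's own code: the class and function names, the module names used as strings, and the sample operators, enterprises and requests are all assumptions constructed for the illustration. It also includes a check that flags an Enterprise Operator role carrying modules beyond the four recommended for production.

```python
"""Toy model of the Web RA role / operator visibility rules (added example).
Names, module strings and sample data are assumptions, not Web RA's code."""
from dataclasses import dataclass

# Fine-grained permissions a role can grant per module.
READ, ADD_EDIT, DELETE = "read", "add/edit", "delete"

# Modules an Enterprise Operator's role should be limited to in production.
ENTERPRISE_OPERATOR_MODULES = frozenset(
    {"Enterprises", "Users", "Vetting & Approvals", "Certificates"})


@dataclass(frozen=True)
class Role:
    name: str
    allowed: dict  # module name -> frozenset of permissions


@dataclass(frozen=True)
class Operator:
    name: str
    op_type: str  # "Administrator", "Admin RAO" or "Enterprise RAO"
    role: Role
    enterprises: frozenset = frozenset()  # assigned enterprises (Enterprise RAO)


@dataclass(frozen=True)
class CertRequest:
    request_id: str
    enterprise: str
    admin_only_vetting: bool  # ADSS Profile "Only admins can vet ..." enabled


def production_role_violations(role):
    """Modules an Enterprise Operator role carries beyond the recommended set."""
    return sorted(set(role.allowed) - ENTERPRISE_OPERATOR_MODULES)


def has_permission(op, module, perm):
    """Administrator is a super admin; everyone else is bound by the role."""
    if op.op_type == "Administrator":
        return True
    return perm in op.role.allowed.get(module, frozenset())


def in_scope(op, enterprise):
    """Enterprise RAOs see only their assigned enterprises; others see all."""
    return op.op_type != "Enterprise RAO" or enterprise in op.enterprises


def visible_enterprises(op, all_enterprises):
    if not has_permission(op, "Enterprises", READ):
        return []
    return [e for e in all_enterprises if in_scope(op, e)]


def visible_requests(op, requests, vetting_enabled=True):
    """Apply both the enterprise scope and the admin-only vetting rule."""
    if not has_permission(op, "Vetting & Approvals", READ):
        return []
    scoped = [r for r in requests if in_scope(op, r.enterprise)]
    # With vetting enabled an Admin RAO sees only requests from admin-only
    # profiles. What he sees with vetting disabled is not stated on the page;
    # this example assumes the unfiltered list.
    if op.op_type == "Admin RAO" and vetting_enabled:
        return [r for r in scoped if r.admin_only_vetting]
    return scoped


# Constructed sample data (assumptions for the example).
ROLE_ENTERPRISE = Role("Enterprise Operator", {
    "Enterprises": frozenset({READ}),
    "Users": frozenset({READ, ADD_EDIT}),
    "Vetting & Approvals": frozenset({READ, ADD_EDIT}),
    "Certificates": frozenset({READ}),
})
ROLE_TOO_BROAD = Role("Enterprise Operator (misconfigured)", {
    **ROLE_ENTERPRISE.allowed,
    "Configurations": frozenset({READ, ADD_EDIT, DELETE}),
})
ROLE_ADMIN_RAO = Role("Admin RAO", {m: frozenset({READ, ADD_EDIT})
                                    for m in ENTERPRISE_OPERATOR_MODULES})

ALICE = Operator("alice", "Administrator", ROLE_ADMIN_RAO)
BOB = Operator("bob", "Admin RAO", ROLE_ADMIN_RAO)
CAROL = Operator("carol", "Enterprise RAO", ROLE_ENTERPRISE, frozenset({"Acme"}))

ENTERPRISES = ["Acme", "Globex"]
REQUESTS = [
    CertRequest("r1", "Acme", admin_only_vetting=False),
    CertRequest("r2", "Acme", admin_only_vetting=True),
    CertRequest("r3", "Globex", admin_only_vetting=False),
    CertRequest("r4", "Globex", admin_only_vetting=True),
]


def request_ids(op, vetting_enabled=True):
    return [r.request_id for r in visible_requests(op, REQUESTS, vetting_enabled)]


if __name__ == "__main__":
    print("violations:", production_role_violations(ROLE_TOO_BROAD))
    for op in (ALICE, BOB, CAROL):
        print(op.name, visible_enterprises(op, ENTERPRISES), request_ids(op))
```

Running the block shows the misconfigured role flagged for carrying Configurations, the Admin RAO seeing every enterprise but only the two admin-only requests, and the Enterprise RAO seeing only Acme and Acme's requests.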

Here are the steps to configure a role:

Create a Role


  1. Click Access Control in the left panel
  2. Click the add button to add a new Role


The configuration items are as follows:

  • Name: A friendly identifier for the new role.
  • Description: A brief text explaining the characteristics of the role.
  • Allowed Modules: Select the modules and sub-modules to include in this role and set their permissions (Read, Add/Edit and Delete) accordingly. Administrators holding this role can access only the selected modules, and only with the permissions granted here.

The Administrator can Edit or Delete an existing role from the Access Control screen (options available from the role's actions button).

Create an Operator


  1. Click Access Control in the left panel
  2. Click the add button to add an Operator


The configuration items are as follows:

  • Name: Full name of the operator.
  • Email: Official email address of the operator.
  • Mobile Number: Mobile number used for SMS alerts.
  • Authentication Certificate: The Admin must upload the operator's TLS client authentication certificate. This certificate identifies the operator in the Web RA application; to log in to the Admin portal the operator must present the corresponding private key during TLS client authentication, so the uploaded certificate alone grants no access without that key.
  • Role: The role assigned to the operator (Admin, Enterprise RAO, Auditor, etc.).
  • Type: Three operator types are supported when creating an Operator in Web RA Admin:
    • Administrator: a super admin who can perform any action across the application, whether user management, certificate management, configurations or service plan settings.
    • Admin RAO: cannot manage configurations; can only manage the certificate requests and users that the Administrator has allowed him to manage.
    • Enterprise RAO: can only manage the certificate requests and users of the enterprises to which he belongs.
  • Status: Active or inactive.


  • The Administrator can Edit or Delete an existing operator from the Operators screen (options available from the operator's actions button).



  • A role details screen is provided to manage access control of HMAC reports.



  • A section named Data Archiving is provided in the role under Configurations to manage its access control.



An operator can manage an Enterprise by navigating to Enterprises > Registered > Manage.





For an enterprise, the left menu contains the enterprise management items; the operator's access to each of these items is controlled from his role.





From the 'Profile' menu, an operator can update the information of the enterprises he is allowed to manage, including the relevant owner information (example displayed below).




An operator can also change the account owner information as required.


The second item in the left menu is the 'Users' section, which allows an operator to manage enterprise users. It contains two items:


  • Registered Users
  • User Invitations





  • An Administrator can invite users only with the 'Applicant Representative' role.
  • An Admin RAO can manage only the 'Applicant Representative' role and the users holding it.
  • An Enterprise RAO can manage only the 'Enterprise Users' role.





Rekey Requests 


  • Under the Requests module, the 'Rekey Requests' item allows an operator to handle rekey requests for each administrator.



  • This section appears only when the 'Rekey' policy is enabled in Configurations > Policy settings.



  • The 'Rekey Requests' listing is shown only to an Administrator, Admin RAO or Enterprise RAO whose role grants rights to it.