Introduction

A Web RA subscription that is acquired for any group of people (team) or organization is called an enterprise account. These accounts are registered by admin operators. An enterprise account has three type of users, i.e. Enterprise Owner, Enterprise Admin (RAO) and Enterprise User:

  • Enterprise Owner: While registering an Enterprise in Web RA, a user is also registered who owns this enterprise. This user cannot invite, register the delete user if he is not additionally assigned the Enterprise Admin role. An Enterprise Owner could be the CEO of the company who requests to register an enterprise in the Web RA. Any change made in the enterprise account should be initiated from him.
  • Enterprise Admin/ Enterprise RAO/ LRA Admin: These terms/ role names are used interchangeably but all refers to the same role. An Enterprise Admin is allowed to manage the users and certificate's vetting on behalf of his enterprise. An enterprise admin can invite the users from his organization to get the certificates. If self registration is disabled in the application then only the invited users via email can register their accounts in an enterprise. The enterprise admin can additionally vet a certificate request, revoke a certificate, delete a user etc.
  • Enterprise User: An Enterprise RAO may send invitations to the organisational staff members of their associated enterprise(s) to bring them under their enterprise umbrella(s). The invitees who accept these invitations become the enterprise users. An enterprise user may have the restricted access on Web RA and will have to abide by the rules, as configured by their Enterprise RAO. An enterprise user can be a part of multiple enterprises.

Terminologies

  • Low Assurance Certificates: These certificates are issued to individuals e.g. email signing, authentication, encryption certificates
  • High Assurance Certificates: These certificates that are issued to organizations or websites e.g. TLS server authentication, code signing, eSeal or legal person certificates
  • Multi tenancy: when an RAO or user is part of multiple enterprises, it is called multi tenancy in Web RA. The Web RA supports the multi tenancy and a user can be part of the multiple enterprises but at a time, he can see the certificates/requests of the one enterprise

How it Works?

  • The Web RA must be configured for the High Assurance Certificates to be vetted by the Admin RAO
  • The Enterprise RAO can be configured to vet the Low Assurance Certificates
  • An enterprise can have one or more Enterprise RAOs who can manage and vet the low assurance certificates
  • High assurance certificate should always be vetted by the Admin RAO because they bear more responsibility and requires more rigorous verification
  • The Enterprise RAOs can invite the users in the Web RA from where they can submit the certificate issuance requests. The Enterprise RAOs vet the requests and either approve or reject the requests
  • An Enterprise RAO can be a RAO for one of more enterprises. Similarly, a user can be registered in one or more enterprises using the same email address. Note that when an RAO or user is part of multiple enterprises, it can see the requests or certificates from the selected enterprise only. In short, at a time only one enterprise's data will be shown to the RAO or user
  • An Enterprise RAO can see the activities of an enterprise user by clicking the more options button
  • An enterprise can have the following statuses, the detailed actions are described in the table below:
    • Active - users are allowed to login the system and submit the new certificate requests
    • Suspended - the enterprise is temporarily suspended. The users of this enterprise can login the system but cannot submit the new requests 
    • Blocked - when you need to permanently block an enterprise. When blocked, neither users can login nor can they submit the request
  • A user can also have the following statuses similar to an enterprise.
    • Active - users are allowed to login the system and submit the new certificate requests
    • Suspended - the user is temporarily suspended. The users can login the system but cannot submit the new requests 
    • Blocked - when you need to permanently block the user. When blocked, neither users can login nor they can submit the request


Delete an Enterprise


  1. Enterprise Owners should not be allowed to delete an enterprise in their role
  2. Deleting an enterprise is a very sensitive operation and application administrators should perform this activity using four eyes principal
  3. If an enterprise is deleted, the certificates issued by/ against any user of this organization will be permanently revoked and you cannot reinstate these certificate


The following are the steps to delete an enterprise:


  1. Click Enterprises from the left menu.
  2. Click the  adjacent to the enterprise in question.
  3. Select Delete.
  4. A confirmation dialog will appear. Click Yes.


Access Control Information


There are some certain rules that will be followed while managing or viewing enterprises list and it's related information. These rules are based on the user's type which includes Enterprise RAOs, Admin RAOs or Administrators.


Roles

Allowed Features

Enterprise RAO

Web RA stores the all activities of the user and an Admin or Enterprise Admin can view that from More Options () > User Activity

  • An enterprise RAO can manage only those users, which are either registered or invited by the enterprise RAO within the assigned enterprises.
  • An enterprise RAO once invites a user, that user will be treated as a user who is registered by an enterprise RAO and can be managed by the same enterprise RAO.
  • A user who is part of multiple enterprises, there is a possibility that the user managed by the enterprise RAO in one enterprise and managed by the admin RAO in other enterprise. 
  • User invitation list for enterprise RAO shows all the invitations; sent by enterprise RAO’s / Admin RAO’s / Administrators.
  • Security validations will be validated upon resending of an invitation, and the same enterprise RAO can resend invitation only who originally initiated the invitation request for that intended user. 
  • Security validations will be validated upon deletion of an invitation, and the same enterprise RAO can delete the user invitation only who originally initiated the invitation request for that intended user.
  • User registration list for enterprise RAO will show all the registered users for related enterprises.
  • Enterprise RAO will be able to delete / edit those users, which are registered by enterprise RAO only.

Admin RAO / Administrators
  • User registration list for admin RAO will show only those registered users, which were registered by admin RAO’s, administrator users that are registered in the enterprise, or the users that were invited by admin RAO’s/ administrator.
  • Users invited in the enterprise by admin RAO / administrator can be managed by the admin RAO/ administrator.
  • A user who is part of multiple enterprises, there is a possibility that the user managed by the enterprise RAO in one enterprise and managed by the admin RAO in other enterprise.
  • User invitation list for admin RAO’s/ administrators will show all the invitations send by admin RAO’s /administrator’s.
  • Security validations will be validated upon resending of an invitation and the same admin RAO’s / administrator can resend invitation only who originally initiated the invitation request for that intended user.
  • Security validations will be validated upon deletion of an invitation, and the same admin RAO’s / administrator can delete the user invitation only who originally initiated the invitation request for that intended user.
  • Security validations will be validated upon deletion of a registered user, and the same admin RAO’s / administrator can delete the user only who originally registered that intended user.
  • Enterprise registered by the admin RAO’s / administrators (if allowed in roles), then that enterprise can be managed by that admin RAO’s/ administrator.