Roles
An operator can manage enterprise roles from the left menu by navigating to Enterprise > Manage > Roles.
- Click "Enterprises" in the left menu; a sub-menu will appear in the drop-down. Navigate to "Registered" and click it to move to the next screen.
- Click on the button against a specific enterprise and click "Manage" to manage its configurations. Then click "Roles".
Two roles with the following titles will be added when a new enterprise is registered:
- Enterprise Users
- Applicant Representative
Create a new role:
- The operator can add a role by clicking on the button.
- The operator then needs to enter the name and description, and can also set that role as default by ticking the check box "Default".
Once an operator adds or edits a role, the module section form will appear with all allowed modules. It is at the discretion of the operator to allow read, add/edit and delete options against the allowed modules. The operator can set the role as 'Default'.
An operator can add, update and delete enterprise roles. By default, only one role is created when an enterprise is registered.
Click and then the Edit button to find the following sections on this screen:
- Modules - When an operator creates a new role, all options to "Read, Add/Edit and Delete" against the allowed modules are unchecked. The operator can choose which of these options to assign to the role for the allowed modules. Two screenshots are added below to display all the modules (including Windows Enrolment):
- Certificate Management - A user can create specific certificates by using different configurations and will be able to manage certificate key generation for the following:
  - Key Stores
    - Server-side keys and certificates
    - Certificates with CSR
    - Keys on Smart card/Token
  - Device Enrolment
    - SCEP
    - CMP
    - ACME
    - EST
  - Windows Enrolment
    - Windows User Enrolment
    - Windows Device Enrolment
Certificate Details
An administrator can control SDNs and SAN extensions for certificate requests in the "Role" section from the admin portal. This is based on the mechanism selected from the "Certificate Details" drop down.
An operator can choose one of the following three mechanisms from the "Certificate Detail Provider" drop down:
- None
- Operator
- Authentication
Click "Roles", then click the tab "Certificate Management".
From the "Certificate Details" drop down you can define the SDNs and SANs.
If an operator selects "Authentication", the following items will appear on the screen:
If an operator selects "Operator", the following items will appear on the screen:
If an operator selects "None", the following items will appear on the screen:
Certificate Detail Provider

| Field | Description |
| --- | --- |
| Authentication Scheme | If Authentication is selected from the drop down then SDN values will be filled by the user login authentication mechanism. Currently ADSS WebRA is supporting the following login mechanisms: Note: |
| Operator | An administrator will control the values of SDNs. |
| None | If None is selected from the drop down then users can fill the SDN values manually. |

Sharing certificates between users of the same organisation is important when one of the users who was managing legal certificates leaves the organisation or is no longer available. In such a situation, the other users may not be able to manage certificates. The certificate sharing feature is available so that management of SSL certificates is made easier between the users of the same organisation.
All profiles that are set in the service plan will be listed except the ones with Document Signing purpose.
This section will be visible to persons with the same roles if "Share Certificate" is enabled in the role.
Tick this checkbox to allow a user to share certificates with other users belonging to the same enterprise. This drop down will list the certificate profiles available for sharing certificates that a user will be able to use in the ADSS Web RA web portal.
Select the profiles to share certificates from the drop down. Then select an option from the filter drop down to share the selected certification profiles for Windows enrolment. You can select on the basis of various attributes, such as Common Name, First Name, Last Name, All, etc.
- Login Authentications - An operator can configure primary authentication and secondary authentication for login using roles as displayed below:
(If Secondary Authentication is enabled in the service plan, it will also appear in the same section)
Click "Save".