Versions Compared

Old Version 3

changes.mady.by.user Ann Base

Saved on

compared with

New Version 4

changes.mady.by.user Josefin Klang

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

This article describes the constraints that can be set for an officer in Smart ID Certificate Manager (CM). An officer is assigned roles, which allow them to perform various tasks, and constraints can also be set.

The following can be set for the officer:

  • Issuer constraints
  • Name constraints
  • Officer role(s)
Expand
titleIssuer constraints

An officer can have constraints so that the officer may only issue and revoke end user certificates with a certain subject name space. This means, for example, that an officer can be restricted to issuing certificates only for a specific issuer (that is, for a specific Certificate Authority, CA).

The issuing constraints for an officer may consist of one or more rules and each rule, in turn, consists of one or more attribute values. To grant the officer issuing rights, (that is, access to a token procedure), at least one of the rules must be fulfilled. For a rule to be fulfilled, all attribute values of that rule must match the corresponding attributes of the issuer subject name.

Example:

Panel
titleExample of issuer constraints

Rule 1: C=DE O=Org1 OU=QC Root CA
Rule 2: C=DE O=Org2 L<>Location A L<>Location B
Rule 3: C=SE O=Nexus

Rules and permissions:

  • Rule number 1 gives permission to use all issuers that have a subject name containing C=DEO=Org1 and OU=QC Root CA.
  • Rule number 2 gives permission to use all issuers that have a subject name containing C=DE and O=Org2 and does not have L=Location A nor L=Location B.
  • Rule number 3 gives permission to use all issuers that have a subject name that contains C=SE and O=Nexus.

Examples of issuers:

  • An issuer with subject OU=CA4O=Org2, and C=DE will work due to rule number 2.
  • An issuer with subject OU=QC Root CAO=Org1, and C=SE will not work because none of the rules gives permission

You can add, delete, and modify rules for each officer profile in the Administrator's workbench (AWB) (AWB) and you can add, delete, and modify attribute values for each rule. For more information, see Officer profile tasks in Certificate Manager.


Expand
titleName constraints

Name constraints can be set for an officer. All end-user certificates will automatically contain the organization, organization unit and directory management domain specified in the officer profile name constraints.


Expand
titleRoles

The role performed by an officer can be limited to specific functions, such as issuing, publishing or revoking certificates, working with batches, managing PIN letters, or recovering keys from the key archiving function. The role privileges given to any particular officer are determined by the officer profile that is assigned to the officer in the Create officer profile in Certificate Manager request dialog.

Related information