An officer can have constraints so that the officer may only issue and revoke end user certificates with a certain subject name space. This means, for example, that an officer can be restricted to issuing certificates only for a specific issuer (that is, for a specific Certificate Authority, CA).
The issuing constraints for an officer may consist of one or more rules and each rule, in turn, consists of one or more attribute values. To grant the officer issuing rights, (that is, access to a token procedure), at least one of the rules must be fulfilled. For a rule to be fulfilled, all attribute values of that rule must match the corresponding attributes of the issuer subject name.
Example:
Rule 1: C=DE O=Org1 OU=QC Root CA
Rule 2: C=DE O=Org2 L<>Location A L<>Location B
Rule 3: C=SE O=Nexus
Rules and permissions:
- Rule number 1 gives permission to use all issuers that have a subject name containing
C=DE, O=Org1 and OU=QC Root CA. - Rule number 2 gives permission to use all issuers that have a subject name containing
C=DE and O=Org2 and does not have L=Location A nor L=Location B. - Rule number 3 gives permission to use all issuers that have a subject name that contains
C=SE and O=Nexus.
Examples of issuers:
- An issuer with subject
OU=CA4, O=Org2, and C=DE will work due to rule number 2. - An issuer with subject
OU=QC Root CA, O=Org1, and C=SE will not work because none of the rules gives permission
You can add, delete, and modify rules for each officer profile in the Administrator's workbench (AWB) (AWB) and you can add, delete, and modify attribute values for each rule. For more information, see Officer profile tasks in Certificate Manager.
