2.1.6. Authorization

Certificate System users can be assigned to groups, and they then have the privileges of whichever groups they are members of. A user has privileges only for the subsystem instance in which the user was created, and only the privileges of the groups to which the user belongs.

The Certificate System provides an authorization framework for creating groups and assigning access control to those groups. The default access control on preexisting groups can be modified, and access control can be assigned to individual users and IP addresses. Access points for authorization have been created for the major portions of the system, and access control rules can be set for each point. Additional access points and access control lists (ACLs) can be created through the CS SDK.

The Certificate System is configured by default with four user types with different access levels to the system:

Additionally, when a security domain is created, the CA subsystem which hosts the domain is automatically granted the role of Security Domain Administrator, which gives the subsystem the ability to manage the security domain and the subsystem instances within it. Other security domain administrator roles can be created for the different subsystem instances. These roles are described in Section 5.4.2, “Security Domain Roles”.