CertificateManagers restrict access to many of the features they provide. These restrictions are described either by referring to well-known Roles which a Session must have access to or by referring to Privileges which are assigned to Sessions using mechanisms other than the well-known Roles. The well-known Roles used for CertificateManagers are listed in Table 18.
Table 18 – Well-known Roles for a CertificateManager

| Name | Description |
|---|---|
| CertificateAuthorityAdmin | This Role grants rights to request or revoke any Certificate, update any TrustList or assign CertificateGroups to OPC UA Applications. |
| RegistrationAuthorityAdmin | This Role grants rights to approve Certificate Signing requests or NewKeyPair requests. |
| SecurityAdmin | This Role grants the right to change the security configuration of a CertificateManager. |

The well-known Roles for Server managed by a CertificateManager are listed in Table 19.
Table 19 – Well-known Roles for Server managed by a CertificateManager

| Name | Description |
|---|---|
| SecurityAdmin | For PushManagement, this Role grants the right to change the security configuration of a Server managed by a CertificateManager. |

The Privileges used for CertificateManagers are listed in Table 20.
Table 20 – Privileges for a CertificateManager

| Name | Description |
|---|---|
| ApplicationSelfAdmin | This Privilege grants an OPC UA Application the right to renew its own Certificate or read its own CertificateGroups and TrustLists. The Certificate used to create the SecureChannel is used to determine the identity of the OPC UA Application. |
| ApplicationAdmin | This Privilege grants rights to request or renew Certificates, read TrustLists or CertificateGroups for one or more OPC UA Applications. The Certificate used to create the SecureChannel is used to determine the identity of the OPC UA Application and the set of OPC UA Applications that it is authorized to manage. |
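
The following added example (not part of the specification) sketches how a CertificateManager could combine the Roles in Table 18 with the Privileges in Table 20 when deciding whether to allow an operation. The operation names, the `Session` fields and the application URIs are hypothetical; the rights are mapped literally from the table wording, and the lookup of which applications a channel identity may manage is assumed to have happened already.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Operation names are hypothetical labels for the rights worded in Tables 18 and 20.
ROLE_RIGHTS = {
    "CertificateAuthorityAdmin": {"request_certificate", "revoke_certificate",
                                  "update_trust_list", "assign_certificate_groups"},
    "RegistrationAuthorityAdmin": {"approve_request"},
    "SecurityAdmin": {"change_security_configuration"},
}
SELF_ADMIN_RIGHTS = {"renew_certificate", "read_certificate_groups", "read_trust_list"}
APP_ADMIN_RIGHTS = SELF_ADMIN_RIGHTS | {"request_certificate"}

@dataclass(frozen=True)
class Session:
    # Identity taken from the Certificate that created the SecureChannel
    # (None when the channel carries no application Certificate).
    channel_app: Optional[str]
    roles: FrozenSet[str] = frozenset()
    privileges: FrozenSet[str] = frozenset()
    # Assumption: the applications this channel identity may manage were already looked up.
    managed_apps: FrozenSet[str] = frozenset()

def is_authorized(session: Session, operation: str, target_app: Optional[str] = None) -> bool:
    # Roles are not scoped to a target application ("any Certificate", "any TrustList").
    if any(operation in ROLE_RIGHTS.get(role, ()) for role in session.roles):
        return True
    # Privileges are scoped by the SecureChannel identity; without one, deny.
    if session.channel_app is None or target_app is None:
        return False
    if ("ApplicationSelfAdmin" in session.privileges
            and operation in SELF_ADMIN_RIGHTS
            and target_app == session.channel_app):
        return True
    return ("ApplicationAdmin" in session.privileges
            and operation in APP_ADMIN_RIGHTS
            and target_app in session.managed_apps)

# Constructed sample sessions (application URIs are made up).
DEVICE = Session("urn:example:device1", privileges=frozenset({"ApplicationSelfAdmin"}))
MANAGER = Session("urn:example:mgmt", privileges=frozenset({"ApplicationAdmin"}),
                  managed_apps=frozenset({"urn:example:device1"}))
CA_ADMIN = Session(None, roles=frozenset({"CertificateAuthorityAdmin"}))
```

The default is deny: a Privilege presented without a SecureChannel identity, or aimed at an application outside its scope, is refused rather than falling back to a Role check.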