CertificateManagers restrict access to many of the features they provide. These restrictions are described either by referring to well-known Roles which a Session must have access to or by referring to Privileges which are assigned to Sessions using mechanisms other than the well-known Roles. The well-known Roles used for CertificateManagers are listed in Table 18.

Table 18 – Well-known Roles for a CertificateManager

| Name | Description |
|---|---|
| CertificateAuthorityAdmin | This Role grants rights to request or revoke any Certificate, update any TrustList or assign CertificateGroups to OPC UA Applications. |
| RegistrationAuthorityAdmin | This Role grants rights to approve Certificate Signing requests or NewKeyPair requests. |
| SecurityAdmin | This Role grants the right to change the security configuration of a CertificateManager. |

The well-known Roles for Server managed by a CertificateManager are listed in Table 19.

Table 19 – Well-known Roles for Server managed by a CertificateManager

| Name | Description |
|---|---|
| SecurityAdmin | For PushManagement, this Role grants the right to change the security configuration of a Server managed by a CertificateManager. |

The Privileges used for CertificateManagers are listed in Table 20.

Table 20 – Privileges for a CertificateManager

| Name | Description |
|---|---|
| ApplicationSelfAdmin | This Privilege grants an OPC UA Application the right to renew its own Certificate or read its own CertificateGroups and TrustLists. The Certificate used to create the SecureChannel is used to determine the identity of the OPC UA Application. |
| ApplicationAdmin | This Privilege grants rights to request or renew Certificates, read TrustLists or CertificateGroups for one or more OPC UA Applications. The Certificate used to create the SecureChannel is used to determine the identity of the OPC UA Application and the set of OPC UA Applications that it is authorized to manage. |
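The rules in Tables 18 and 20 combine two kinds of check: Role membership, which applies to any target, and Privileges, which are scoped by the application identity taken from the SecureChannel Certificate. The following Python model is an added example, not part of the specification; the operation labels, the `Session` fields and the `authorize` function are assumptions made for illustration, and only the rights the tables state are encoded.

```python
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical operation labels for the rights named in Table 18 (Roles).
ROLE_RIGHTS = {
    "CertificateAuthorityAdmin": {"request_certificate", "revoke_certificate",
                                  "update_trustlist", "assign_certificate_groups"},
    "RegistrationAuthorityAdmin": {"approve_request"},
    "SecurityAdmin": {"change_security_config"},
}
# Table 20 (Privileges): rights that are scoped to specific applications.
SELF_RIGHTS = {"renew_certificate", "read_certificate_groups", "read_trustlist"}
ADMIN_RIGHTS = SELF_RIGHTS | {"request_certificate"}


@dataclass
class Session:
    roles: set = field(default_factory=set)         # well-known Roles of the Session
    privileges: set = field(default_factory=set)    # Privileges assigned by other means
    channel_app_uri: Optional[str] = None           # identity from the SecureChannel Certificate
    managed_apps: set = field(default_factory=set)  # applications this identity may manage


def authorize(session, operation, target_app_uri=None):
    """Return the Role or Privilege that permits the call, or None to deny."""
    for role in sorted(session.roles):
        if operation in ROLE_RIGHTS.get(role, ()):
            return role
    # Privileges depend on the application identity established by the
    # SecureChannel Certificate; without it, or without a target, deny.
    if session.channel_app_uri is None or target_app_uri is None:
        return None
    if ("ApplicationSelfAdmin" in session.privileges and operation in SELF_RIGHTS
            and target_app_uri == session.channel_app_uri):
        return "ApplicationSelfAdmin"
    if ("ApplicationAdmin" in session.privileges and operation in ADMIN_RIGHTS
            and target_app_uri in session.managed_apps):
        return "ApplicationAdmin"
    return None
```

Returning the name of the granting Role or Privilege, rather than a bare boolean, gives an audit log the reason each certificate operation was permitted.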