CertificateManagers restrict access to many of the features they provide. These restrictions are described either by referring to well-known Roles which a Session must have access to or by referring to Privileges which are assigned to Sessions using mechanisms other than the well-known Roles. The well-known Roles used for CertificateManagers are listed in Table 18.

Table 18 – Well-known Roles for a CertificateManager

| Name | Description |
|------|-------------|
| CertificateAuthorityAdmin | This Role grants rights to request or revoke any Certificate, update any TrustList or assign CertificateGroups to OPC UA Applications. |
| RegistrationAuthorityAdmin | This Role grants rights to approve Certificate Signing requests or NewKeyPair requests. |
| SecurityAdmin | This Role grants the right to change the security configuration of a CertificateManager. |

The well-known Roles for Servers managed by a CertificateManager are listed in Table 19.

Table 19 – Well-known Roles for Servers managed by a CertificateManager

| Name | Description |
|------|-------------|
| SecurityAdmin | For PushManagement, this Role grants the right to change the security configuration of a Server managed by a CertificateManager. |

The Privileges used for CertificateManagers are listed in Table 20.

Table 20 – Privileges for a CertificateManager

| Name | Description |
|------|-------------|
| ApplicationSelfAdmin | This Privilege grants an OPC UA Application the right to renew its own Certificate or read its own CertificateGroups and TrustLists. The Certificate used to create the SecureChannel is used to determine the identity of the OPC UA Application. |
| ApplicationAdmin | This Privilege grants rights to request or renew Certificates, read TrustLists or CertificateGroups for one or more OPC UA Applications. The Certificate used to create the SecureChannel is used to determine the identity of the OPC UA Application and the set of OPC UA Applications that it is authorized to manage. |
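As an added example (not text or code from the OPC UA specification or any reference stack), the rights in Tables 18 and 20 can be encoded as a single authorization check: Roles grant unscoped rights, while the two Privileges are scoped to the Application identified by the SecureChannel Certificate or to the set of Applications that Certificate authorizes the caller to manage. The operation names, the Session fields and the way the managed set is derived are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum, auto
from typing import Optional


class Op(Enum):
    """Operations a CertificateManager exposes (names are assumed, not from the spec)."""
    REQUEST_CERTIFICATE = auto()   # Certificate Signing request / NewKeyPair request
    RENEW_CERTIFICATE = auto()
    REVOKE_CERTIFICATE = auto()
    APPROVE_REQUEST = auto()
    UPDATE_TRUSTLIST = auto()
    READ_TRUSTLIST = auto()        # reading TrustLists or CertificateGroups
    ASSIGN_CERTIFICATE_GROUPS = auto()
    CHANGE_SECURITY_CONFIG = auto()


# Rights granted by the well-known Roles (Table 18); these apply to any Application.
ROLE_RIGHTS = {
    "CertificateAuthorityAdmin": {Op.REQUEST_CERTIFICATE, Op.REVOKE_CERTIFICATE,
                                  Op.UPDATE_TRUSTLIST, Op.ASSIGN_CERTIFICATE_GROUPS},
    "RegistrationAuthorityAdmin": {Op.APPROVE_REQUEST},
    "SecurityAdmin": {Op.CHANGE_SECURITY_CONFIG},
}

# Rights granted by the Privileges (Table 20); these are scoped to particular Applications.
SELF_ADMIN_OPS = {Op.RENEW_CERTIFICATE, Op.READ_TRUSTLIST}
APP_ADMIN_OPS = {Op.REQUEST_CERTIFICATE, Op.RENEW_CERTIFICATE, Op.READ_TRUSTLIST}


@dataclass(frozen=True)
class Session:
    roles: frozenset
    privileges: frozenset
    # ApplicationUri taken from the Certificate that created the SecureChannel.
    channel_app: str
    # Applications this caller may manage; deriving this set from the SecureChannel
    # Certificate is deployment-specific and modelled here as a plain field (assumption).
    managed_apps: frozenset = frozenset()


def is_authorized(session: Session, op: Op, target_app: Optional[str] = None) -> bool:
    """Return True if the Session may perform op (on target_app, where one applies)."""
    # Role-based rights are not scoped to a particular Application.
    if any(op in ROLE_RIGHTS.get(role, ()) for role in session.roles):
        return True
    if target_app is None:
        return False          # Privileges always need a target Application
    # ApplicationSelfAdmin: only for the Application identified by the channel Certificate.
    if ("ApplicationSelfAdmin" in session.privileges and op in SELF_ADMIN_OPS
            and target_app == session.channel_app):
        return True
    # ApplicationAdmin: only for Applications the caller is authorized to manage.
    if ("ApplicationAdmin" in session.privileges and op in APP_ADMIN_OPS
            and target_app in session.managed_apps):
        return True
    return False
```

Note that the check never lets a Privilege reach an operation the corresponding table does not grant (for instance, ApplicationSelfAdmin cannot revoke, even for the caller's own Certificate).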