EJBCA provides default Role Templates designed to cover most use cases and be easily extendable. If none of these fit your needs, you can create a custom role using the Custom template and manually configure the role in Advanced Mode.

For a full list of access rules, see Access Rules.

Role Template Name | Rights
Super Administrator
  • Has overall access to EJBCA
  • Can edit system configuration
  • Can manage CAs
  • Can manage publishers (LDAP, AD, custom)
  • Can create CA administrators

CA Administrator

  • manages certificate profiles
  • manages end entity profiles
  • manages log configuration
  • manages publishers
  • manages key validators
  • can create RA administrators
  • can renew a CA using an existing key
  • can have full read access to the audit log

CA Administrators are not authorized to generate new keys; they can only renew a CA using an existing key.


RA Administrator

  • can create end entities
  • can modify end entities
  • can revoke end entities
  • can delete end entities
  • can view existing end entities and their history
  • can have full read access to the audit log

Supervisor

  • has full read access to the Audit log
  • can search for and view end entities
  • can view certificates

Auditor

  • has full read access to the Audit Log
  • has full read access to authorized CAs
  • has full read access to authorized Certificate Profiles
  • has full read access to Crypto Tokens and keys
  • has full read access to authorized Publishers
  • has full read access to authorized End Entities
  • has full read access to authorized End Entity Profiles
  • has full read access to authorized Key Validators
  • has limited read access to Roles and Access Rules
  • has full read access to Internal Key Bindings
  • has full read access to Peer Systems
  • has full read access to Services
  • has full read access to SCEP aliases and authorized CMP aliases
  • has full read access to all system configuration