Roles
In EJBCA, a role is assigned certain access rules, and users are assigned a role. All users assigned to a role will have the access privileges defined by the access rules in the role.
The EJBCA Role and Rule handling has been improved as of 6.8.0 with simplified rules administration and clearer role capabilities.
By default, an EJBCA access rule inherits its state from its parent rule unless a state is set on it individually. Each access rule is in one of three states: Allow, Deny, or Inherit.
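The inheritance behaviour described above, modelled as an added Python example (not EJBCA code and not taken from the EJBCA documentation). The rule paths are constructed, and treating a rule tree with no explicit state at any ancestor as Deny is an assumption of this model.

```python
# Illustrative model of rule-state inheritance; not EJBCA code.
ALLOW, DENY, INHERIT = "Allow", "Deny", "Inherit"

# Constructed rule set for one role (paths are hypothetical).
ROLE_RULES = {
    "/ca_functions": ALLOW,
    "/ca_functions/edit": DENY,            # carve-out under an allowed parent
    "/ca_functions/edit/profiles": ALLOW,  # re-allowed one level deeper
    "/system": INHERIT,                    # same as leaving the rule unset
}


def resolve(rules, resource, root_default=DENY):
    """Return (effective state, rule path that decided it).

    Walks from the resource towards the root and stops at the first rule
    with an explicit Allow or Deny. Unset rules are treated as Inherit.
    root_default is this model's assumption for the case where no
    ancestor has an explicit state; the deciding path is then None.
    """
    segments = [s for s in resource.split("/") if s]
    while True:
        path = "/" + "/".join(segments)
        state = rules.get(path, INHERIT)
        if state in (ALLOW, DENY):
            return state, path
        if state != INHERIT:
            raise ValueError(f"unknown state {state!r} on {path}")
        if not segments:
            return root_default, None
        segments.pop()


def audit(rules, resources):
    """Effective access for each resource, for reviewing a role."""
    return {r: resolve(rules, r) for r in resources}


if __name__ == "__main__":
    checks = ["/ca_functions/view", "/ca_functions/edit/keys",
              "/ca_functions/edit/profiles/tls", "/system/config"]
    for res, (state, source) in audit(ROLE_RULES, checks).items():
        print(f"{res:35} {state:6} decided by {source or 'root default'}")
```

Recording which rule decided each result makes it easier to spot a broad Allow high in the tree that grants more than the role was meant to have.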
The following sections cover a listing of available access rules, provide an overview of default Role Templates, and include a step-by-step guide on creating a new Administrator:
Default Super Administrator Role
The default Super Administrator Role, created during EJBCA installation, has the following access rights:
Has overall access to EJBCA
Can edit system configuration
Can manage CAs
Can manage publishers (LDAP, AD, custom)
Can create CA administrators
Advanced Access Rules
When editing access rules, select Advanced mode to access the advanced access rule configuration. The Advanced mode displays all available access rules and allows you to accept or reject specific rules for the role you are editing. By using advanced access rules, you can define your own roles and construct a role set suitable for most auditing schemes.
Note that rules not available to the current Administrator will be disabled, and rules pertaining to CAs and Crypto Tokens that the Administrator does not have access to will be hidden.