Skip to main content

CertCentral: Roles and account access

You don’t need to assign individual permissions to each user in CertCentral. Instead, you assign each user a role that determines what features they can access in CertCentral. The role may also limit what the user can do in CertCentral.

  • CertCentral administrators can add users and assign them roles.

  • CertCentral administrators and managers can change the role assigned to a user. They can’t change their role.

CertCentral Subscription accounts

A CertCentral Subscription account includes two roles: Administrator and Finance Manager. Upgrade to a CertCentral Enterprise to get the Manager, Standard, and Limited User roles. Learn how to identify your CertCentral account.

Table 1. CertCentral roles

Role

CertCentral access

Administrator

(unrestricted)

Full CertCentral account access with these permissions:

  • Access and manage Discovery.

  • Manage divisions (create and update) and account users (create, delete, and update).

  • Manage organizations (add new organizations), domains (add or deactivate), guest requests, and API access.

  • View all certificate requests and certificate orders, request certificates, approve certificate requests, and generate order reports.

  • Manage account finance settings and finances (view balance history, generate spending reports, deposit funds, and more).

  • Manage account settings (authentication settings, IP access restrictions, product restrictions, and more), audit settings, and Audit logs.

Administrator

(restricted)

Full access to the divisions they’re assigned to and these permissions:

  • Access and manage Discovery.

  • Manage their divisions.

  • Manage their division users (create, delete, and update).

  • View domains assigned to their divisions and manage guest requests and API access.

  • View their division certificate requests and certificate orders, request certificates, approve certificate requests, and generate order reports.

  • Manage their division finances (view balance history, generate spending reports, deposit funds, and more).

Administrators

(all)

By default, they don’t have permissions to approve EV TLS, EV Code Signing, or Code Signing certificate requests. To approve these types of requests, they must have the appropriate subroles. Learn more about CertCentral subroles.

Standard User

(unrestricted)

Account users with these permissions:

  • Request certificates.

  • Monitor certificate requests and orders (their own and others).

  • A manager or administrator must approve changes.

Standard User

(restricted)

Limited division user with these permissions:

  • Request certificates for the divisions to which they’re assigned.

  • Monitor certificate requests and orders (their own and others) for the divisions to which they’re assigned.

  • A manager or administrator must approve changes.

Limited User

(unrestricted)

You can remove permission from the Standard user role to create a second user role: Limited User.

(Standard User + Limit to placing and managing their own orders)

Account users with these permissions:

  • Request certificates.

  • Monitor their own certificate requests and orders.

  • A manager or administrator must approve changes.

Limited User

(restricted)

Division users with these permissions:

  • Request certificates for the divisions to which they’re assigned.

  • Monitor their own certificate requests and orders.

  • A manager or administrator must approve changes.

Finance Manager

(unrestricted)

Limited account users whose primary role is to manage account finances with these permissions:

  • View balance history, spending reports, and account pricing.

  • Manage purchase orders and deposit funds.

  • Manage order reports.

  • Request certificates.

  • Monitor their own certificate requests and orders.

Finance Manager

(restricted)

Limited division users whose primary role is to manage their division finances with these permissions:

  • View their division’s balance history, spending reports, and account pricing.

  • Manage their division’s purchase orders and deposit funds.

  • Manage their division’s order reports.

  • Request certificates for the divisions to which they’re assigned.

  • Monitor their own certificate requests and orders.

Manager

(unrestricted)

Limited account users whose primary role is to help manage the account with these permissions:

  • Access and manage Discovery.

  • View divisions and manage account users (update).

  • View organizations and manage domains (add or deactivate).

  • View all certificate requests and certificate orders, request certificates, approve certificate requests, and generate order reports.

  • Manage account finance settings and finances (view balance history, generate spending reports, deposit funds, and more).

  • Manage audit settings and Audit logs.

Manager

(restricted)

Limited division users whose primary role is to help manage their divisions with these permissions:

  • Access and manage Discovery.

  • View divisions and manage account users (update).

  • View their division’s certificate requests and certificate orders, request certificates, approve certificate requests, and generate order reports.

  • Manage division finances (view balance history, generate spending reports, deposit funds, and more).

Manager

(all)

By default, they don’t have permissions to approve EV TLS, EV Code Signing, or Code Signing certificate requests. To approve these types of requests, they must have the appropriate subroles. Learn more about CertCentral subroles.


In this section: