Operation permissions

The Operation permissions button on the ADMINISTRATION tab provides the following three commands:

  • Operation permissions – the interface where you can view, grant and remove individual permissions. Described in subchapter Operation permissions.

  • New object permissions – the interface where you can view, grant and remove individual permissions to new objects. Described in subchapter New object permissions.

Permission categories

For the list of existing permissions and their brief descriptions, see chapter List of operation permissions.

There are three different permissions to be granted for each of the listed system operations:

  • EXECUTE – the permission to perform the action;

  • GRANT – the permission to grant the execution permission to other users;

  • REVOKE – the permission to remove the execution permission from other users.

For some operations that apply to certain objects (such as users), you can also decide whether to grant the permission to a specific object type only (such as users in a certain domain) or to all of them. Furthermore, the permission can be granted separately “for new objects”, meaning objects that do not exist yet (such as users in domains that will be created in the future).

The default system setting contains four administrator roles and the various permission areas are distributed among them:

  • Security Administrator – may grant and revoke other users' permissions but does not execute anything.

  • Entity Administrator – user, group and role administration (adding, deleting and editing their properties), domain management.

  • Membership Administrator – assigning users and groups to groups and roles.

  • Configuration Administrator – general server settings.

To view the specific permission assignments, see chapter List of operation permissions.
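An added example, not part of the product or its documentation: a small Python model of the EXECUTE / GRANT / REVOKE categories and object scopes described above, used to audit a permission export for principals that can both execute an operation and grant or revoke it. The record layout, the scope labels ALL and NEW, the operation name USER_EDIT, the domains and the user names are assumptions made for illustration.

```python
from collections import defaultdict
from typing import NamedTuple

class Assignment(NamedTuple):
    principal: str   # user or role name
    operation: str   # operation permission name
    category: str    # "EXECUTE", "GRANT" or "REVOKE"
    scope: str       # a domain name, "ALL" (existing objects) or "NEW" (future objects)

# Constructed sample export. USER_EDIT, the domains and the user names are hypothetical.
EXISTING_DOMAINS = {"hq", "branch"}
SAMPLE = [
    Assignment("Entity Administrator", "USER_EDIT", "EXECUTE", "ALL"),
    Assignment("Security Administrator", "USER_EDIT", "GRANT", "ALL"),
    Assignment("Security Administrator", "USER_EDIT", "REVOKE", "ALL"),
    Assignment("alice", "USER_EDIT", "EXECUTE", "hq"),
    Assignment("bob", "USER_EDIT", "EXECUTE", "NEW"),
    Assignment("carol", "RSM_SIGNING_USER", "EXECUTE", "ALL"),
    Assignment("carol", "RSM_SIGNING_USER", "GRANT", "ALL"),
]

def is_allowed(assignments, principal, operation, category, domain):
    """True if principal holds `category` on `operation` for objects in `domain`."""
    # Assumed model: a domain not yet known counts as "new objects" and is
    # covered only by a NEW grant, never by ALL or by a named domain.
    wanted = {domain, "ALL"} if domain in EXISTING_DOMAINS else {"NEW"}
    return any(a.principal == principal and a.operation == operation
               and a.category == category and a.scope in wanted
               for a in assignments)

def sod_violations(assignments):
    """(principal, operation) pairs that can execute and also grant or revoke."""
    held = defaultdict(set)
    for a in assignments:
        held[(a.principal, a.operation)].add(a.category)
    return sorted(key for key, cats in held.items()
                  if "EXECUTE" in cats and cats & {"GRANT", "REVOKE"})

def new_object_grants(assignments):
    """Assignments that will apply to objects created in the future."""
    return [a for a in assignments if a.scope == "NEW"]

if __name__ == "__main__":
    print("Separation-of-duties findings:", sod_violations(SAMPLE))
    print("Grants for new objects:", new_object_grants(SAMPLE))
```

Grants for new objects deserve their own review pass because they take effect on objects nobody has inspected yet.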

For the remote signing feature, note the operation permission remote signing administration (RSM_SIGNING_ADMINISTRATOR). In the default setting, this permission is granted to the Security Administrator and Configuration Administrator roles and also to the user ffs_system_account.

  • Users with operation permission RSM_SIGNING_ADMINISTRATOR are authorized to approve and manage signature certificates from both certification authorities – PostSignum and SignMaster. In the case of SignMaster CA, the signature certificate is generated as soon as the issue request is approved.

  • Users with permission RSM_SIGNING_USER are authorized to use remote signing – the permission gives access to the GUI ribbon / Signature certificates (it does not authorize certificate issue requests, but a user who already has a certificate can use it).

  • Users with permission RSM_SIGNING_USER_POSTSIGNUM are authorized to request a certificate from PostSignum, a qualified certification authority.

  • Users with permission RSM_SIGNING_USER_SIGNMASTER are authorized to request a certificate from SignMaster CA, a non-qualified certification authority.