Page tree

Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


Sv translation


Access control mechanisms in the QR-CERT system are responsible for the identification (recognition) and confirmation of the user identity (in case if it is an authorized user – if the user has an account on the system), and determining the role within which the user will interact with the system. Identification and authentication of the user is carried out using the mechanisms, by which a user directly or indirectly proves that he/she is who he/she claims to be. The access control system determines the user role based on group membership or based on explicitly specified attributes describing the role. The following roles are implemented in the QR-CERT system:

Initiating Administrator (InitAdmin) – The role allows to create the Administrator account which is used for further system configuration. The main window of the operator application for the Initiating Administrator role enables only the management of the accounts of the Administrators.

Main Auditor (MainAuditor) – The role allows to export security records, activity records and network activity logs to files. In also enables viewing the contents of the VSPACE (virtual space) objects, system user accounts and HSM module objects.

Administrator – The role has permissions to:

Auditor – The role allows to export security records, activity records and network activity logs to files. It also enables displaying the contents of the VSPACE virtual space objects, system operator accounts and HSM modules objects.

Administrator VSPACE – The role can install, configure and manage the system executing the certification centre functionality, create and manage user accounts, configure profiles and audit parameters and generate modules keys.

Audytor VSPACE – The role can browse and manage event logs (including security events log).

VSPACE Operator – The role can approve requests for certificates and requests for revocation or suspension of the certificate.

Safety Inspector – The role allows to confirm the request for revocation of a CA certificate.


The QR-CERT system distinguishes 4 levels of permissions. At each level, you can create accounts with permissions to the lower-level accounts. Apart from accounts, users from different levels can also create other objects in the system.

At the first level of permissions there may be only two accounts:

  • Initiating Administrator
  • Main Auditor

Both accounts are created during the system instance creation (they cannot be created from the operator’s application).

Initiating Administrator allows to create the Administrator account, which is used for further configuration of the system. Main Auditor can view security events and objects from the entire QR-CERT system installation.

At the second level of permissions using the created Administrators accounts the structures of the operating system are created: the creation of virtual spaces, creation of administrator accounts of these spaces, assigning HSMs to individual spaces. Administrator can create the Auditor account, who has access to the system operation and security reports and objects accounts, and HSMs.

The third level of permissions occurs at the level of virtual spaces. Within these spaces VSPACE Administrators can configure target CA systems: create CAs, configure certificates and CRLs issuing policies, define X.509 profiles, create accounts for VSPACE Operators and VSPACE auditors.

The fourth level permissions are for VSPACE Operators, who carry out standard works related with the operation of the system: handling of requests for certification, issuing certificates to subscribers, manually generating CRLs, editing tokens, etc.

Image Removed

Figure Hierarchy of permission levels

List of specific permissions

All the permissions used in the system are listed below.

Permissions for the Subscriber

Creating accounts for new customers
Modification of existing customer accounts
Activation of customer accounts
Blocking customer accounts
Searching and browsing customer accounts

Permissions for the registration of the CA/RA requests

Registration of the request for a certificate
Requesting for generating CRL on demand
Searching and browsing registered requests

Permissions for handling requests

Handling requests for issuing subscriber’s certificate
Handling requests for revocation of certificate suspension

Permissions regarding subscriber’s certificates

Revoking subscribers’ certificates
Suspending subscribers’ certificates
Revoking the suspension of subscribers’ certificates
Exporting subscribers’ certificates
Searching and browsing subscribers’ certificates

Permissions regarding CA certificates

Searching and browsing data on CA certificates
Exporting CA certificates

Permissions regarding tokens

Personalization of tokens
Changing the status of tokens
Searching and browsing tokens data

Permissions for CRL

Searching and browsing CRLs data
Exporting CRLs

Permissions for documents

Registration of documents
Searching and browsing data on created documents
Reprinting documents

Other permissions

Searching for and exporting subscribers’ private keys
Fixing incorrect uniqueness links
Quantitative report about the created objects

Permissions for cards warehouse

Importing data to tokens warehouse
Searching and browsing content of tokens warehouse
Changing the status of tokens in the token warehouse
Access to sensitive data in the tokens warehouse
Access to sensitive data during tokens editing

Other permissions

Downloading customer data from external systems
Access to certificate authentication codes
Access to sensitive data in documents

Views in CAO

View – registration of requests
View – external customers
View – customers
View – documents
View – e-mail
View – subscribers’ certificates
View – CA certificates
View – CRLs
View – CA/RA requests
View – tokens
View – CHIP
View – card warehouse
View – CA/RA requests handling
View – token issuing requests
View – bulk processes handling
View – system messages
View – reports

Token issue requests

Registration of requests for central issuing of a card by an operator
Processing of centralized card issuing requests made by the subscriber
Processing of self-service card issuing requests made by the subscriber
Handling requests for a card for the card production process – only in CAO
Taking cards for production and distribution of the request handling status after the production
Card personalization for individual customers – only in CAO

Issuing certificates

Issuing a certificate based on PKCS#10 request
Issuing a certificate based on the public key
Generating key and issuing a certificate

Scroll Ignore
titleOn this page

Table of Contents
excludeSearch documentation

Search documentation

placeholderSearched phrase