
Administration Web Roles

There are four pre-defined roles within the Administration Web for managing and deploying SignServer.

Pre-defined Roles in SignServer

The four roles included with SignServer are:

  1. Admin Role: Admins have configuration access excluding audit log and archive auditor permissions. Admins are responsible for creating and maintaining SignServer configurations, including global properties, workers, and authorizations. See Administrators Page.

  2. Auditor Role: Auditors have access to the audit log, which maintains information related to system configuration, worker creation, removal, and modifications. See Audit Log Page.

  3. Archive Auditor Role: Archive Auditors have access to the archive log, which contains information about which worker was used to sign an artifact. The log maintains the original and signed documents, which can be optionally downloaded. See Archive Page.

  4. Peer System Role: Peer Systems allow for remote operation from an EJBCA instance, acting as an RA for signing certificates and one-time keys and certificates using OneTimeCryptoWorker. It enables automatic renewal of SignServer keys and certificates using the EJBCA peering protocol.

Permissions Overview

The table outlines the default permissions by role and function:

| Role | Maintain Configuration | Add, Modify, Delete Workers | Grant Access to SignServer | View Audit Log | View Archive Log | Download Archive Artifacts |
|---|---|---|---|---|---|---|
| Administrator | Yes | Yes | Yes | No | No | No |
| Auditor | No | No | No | Yes | No | No |
| Archive Auditor | No | No | No | No | Yes | Yes |

The Peer System is a special role that allows certificates generated by an EJBCA CA and used in a SignServer environment to be updated automatically on the SignServer instance.

Assigning Roles

To assign roles to users:

  1. Create a Certificate: This can be done using EJBCA or any other CA.

  2. Load the Certificate: This involves identifying the certificate serial number and issuer DN.

  3. Identify the SignServer Role: Choose one to four roles. The role can have multiple values, meaning an individual can be assigned as both an Admin and an Auditor.
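
An added example (not SignServer code and not part of the original documentation): a separation-of-duties check over role assignments keyed by certificate serial number and issuer DN, using the default permissions from the table above. The input tuples, role keys, permission names and sample certificates are constructed for illustration; the Peer System role is left out because the table lists no permissions for it.

```python
# Added example: names, input format and sample values are constructed.
from collections import defaultdict

# Default permissions by role, copied from the table on this page.
ROLE_PERMISSIONS = {
    "admin": {"maintain_configuration", "manage_workers", "grant_access"},
    "auditor": {"view_audit_log"},
    "archive_auditor": {"view_archive_log", "download_archive_artifacts"},
}
CHANGE = ROLE_PERMISSIONS["admin"]
REVIEW = ROLE_PERMISSIONS["auditor"] | ROLE_PERMISSIONS["archive_auditor"]


def cert_key(serial, issuer_dn):
    """Normalize (serial, issuer DN) so one certificate maps to one key."""
    digits = serial.lower().replace(":", "").replace(" ", "")
    if digits.startswith("0x"):
        digits = digits[2:]
    int(digits, 16)  # raises ValueError on a malformed serial number
    # Assumption: DNs differ only in case and spacing around the commas.
    # Escaped commas inside RDN values are not handled.
    rdns = [part.strip().lower() for part in issuer_dn.split(",")]
    return (digits.lstrip("0") or "0", ",".join(rdns))


def effective_permissions(assignments):
    """Union the permissions of every role assigned to each certificate."""
    perms = defaultdict(set)
    for serial, issuer_dn, role in assignments:
        perms[cert_key(serial, issuer_dn)] |= ROLE_PERMISSIONS[role]
    return dict(perms)


def separation_of_duties_findings(assignments):
    """Certificates that can change the system and also review its logs."""
    return sorted(
        key for key, perms in effective_permissions(assignments).items()
        if perms & CHANGE and perms & REVIEW
    )


# Constructed sample: rows 1 and 3 are the same certificate written two ways.
SAMPLE = [
    ("4A:3F:00:1C", "CN=Example Admin CA, O=Example, C=SE", "admin"),
    ("7b22", "CN=Example Admin CA,O=Example,C=SE", "auditor"),
    ("0x4a3f001c", "cn=example admin ca,o=example,c=se", "auditor"),
    ("0091", "CN=Example Admin CA,O=Example,C=SE", "archive_auditor"),
]

if __name__ == "__main__":
    for serial, issuer in separation_of_duties_findings(SAMPLE):
        print(f"admin and auditor roles combined: serial={serial} issuer={issuer}")
```

Normalizing the serial number and issuer DN before grouping matters here: the same certificate entered once with colons and once with a `0x` prefix would otherwise look like two separate users, and the combined Admin and Auditor assignment would go unnoticed.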
