
In the SCM, there are basically only Administrator-level users. In fact, the SCM does not talk about users; it talks about admins. That means that you cannot have users logging in to the SCM who can only request certificates. See below under "SSL certificates" for solutions to this.

Departments

The SCM lets you create Departments under Organizations. Just like the Organization name is what goes into the O= of a certificate, the Department name is what goes into the OU= of a certificate. You can use Departments in two ways:

  • Just as a tool to sort certificates and get the correct OU= set, but it will still be the Organization's admins doing the approval.
  • To delegate approval of certificates to department admins for their department. In most(?) cases that would be combined with registering a subdomain (or a completely different domain) and restricting the department to that.

MRAO, RAO, DRAO!

There are three levels of admins in the SCM, all called something with RAO (Registration Authority Officer) in the name:

  • MRAO: the "superuser level" for SUNET people who can work with all organizations, departments, domains, certificates, admins, etc.
  • RAO: the admin level for working with an organization and the departments, domains, certificates, admins, etc. that belong to that organization.
  • DRAO: the admin level for working with a department, and the domains, certificates, admins, etc. that belong to that department.

It is a bit more complicated than that: a RAO is connected to one or more organizations, and a DRAO to one or more departments, and there is also the possibility to only have the right for SSL certificates, client certificates and/or code signing certificates. Thus, an admin could be "RAO - SSL Certificates" and "RAO - client certificates" for Organization A, while also being "DRAO - SSL Certificates" for a department belonging to another organization.

The first admin you get when your organization joins will be RAO for all certificate types for your organization.
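The scoping rules above can be modelled as a small access check, which is useful when reviewing whether an admin holds more rights than intended. This is an added example, not SCM code or its API: the `Grant` structure, the function names and the organization and department names are constructed, and it assumes the certificate-type restriction applies at every admin level.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

CERT_TYPES = ("ssl", "client", "code_signing")

@dataclass(frozen=True)
class Grant:
    level: str                  # "MRAO", "RAO" or "DRAO"
    cert_type: str              # one of CERT_TYPES
    org: Optional[str] = None   # set for RAO and DRAO
    dept: Optional[str] = None  # set for DRAO only

def may_manage(grants: Iterable[Grant], cert_type: str, org: str,
               dept: Optional[str] = None) -> bool:
    """True if any grant covers cert_type for org, or for dept within org."""
    for g in grants:
        if g.cert_type != cert_type:
            continue  # assumption: the type restriction applies at every level
        if g.level == "MRAO":
            return True  # all organizations and departments
        if g.level == "RAO" and g.org == org:
            return True  # the organization and every department under it
        if (g.level == "DRAO" and g.org == org
                and dept is not None and g.dept == dept):
            return True  # only that one department
    return False

def first_admin(org: str) -> list:
    """Grants of an organization's first admin: RAO for all certificate types."""
    return [Grant("RAO", t, org) for t in CERT_TYPES]

# The admin described in the text, with constructed names.
EXAMPLE_ADMIN = [
    Grant("RAO", "ssl", "Organization A"),
    Grant("RAO", "client", "Organization A"),
    Grant("DRAO", "ssl", "Organization B", "Department X"),
]

if __name__ == "__main__":
    for cert_type, org, dept in [
        ("ssl", "Organization A", None),
        ("code_signing", "Organization A", None),
        ("ssl", "Organization B", "Department X"),
        ("ssl", "Organization B", None),
    ]:
        print(cert_type, org, dept, may_manage(EXAMPLE_ADMIN, cert_type, org, dept))
```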