subject: How an Operating System Administrator Can Enable CA Role Separation

The operating system administrator can enable CA role separation by removing operating system administrators from CA administration roles and separating the CA Administrator and Certificate Manager roles so that no single account can hold both roles. To do this, the administrator must perform the following steps:
1. Create two custom groups, CA Admin and Certificate Managers, one for each role.
2. Assign the Manage CA permission on the CA node in the Certification Authority console to the CA Admin group.
3. Assign the Issue And Manage Certificates permission on the CA node in the Certification Authority console to the Certificate Managers group.
4. Assign appropriate users to each group.
5. Use the following command to apply role separation
6. Stop and then start Certificate Services.
Caution: Make sure to create the roles prior to applying role separation. Otherwise, no one will have the ability to manage the CA. The administrator would then have to remove role separation and start over.
Role Assignment vs. Role Separation
There are several processes embodied in CA role management:
Assigning the roles of CA Administrator and CA Manager
Removing the operating system administrators' CA administration rights
Enforcing role separation
Assigning different groups to each role and removing CA administration privileges from the computer administrator results in better security. This fulfills the "separation of duties" dictum. However, with simple role assignment, there is nothing in place to prevent one individual from being assigned both roles. If an individual is assigned both roles, you have lost as much as you have gained. The only role separation is that of separating the computer administrator from the CA managers.
However, if a second step, role separation, is taken, security is greatly improved. If CA role separation is in place, a user must be assigned only a single CA role. If multiple role assignments are made, the user will not be able to perform any operation on the CA. Care needs to be taken to ensure that a user is not assigned to both the CA Administrator and CA Manager roles when role separation is enforced. If an individual has both roles, she will be unable to do any of the duties of either. To enable correct assignment of her role, role separation will have to be removed, group membership will have to be adjusted, and then role separation will need to be re-enabled.
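
The steps above, with a pre-flight check for the two lock-out conditions described in the Caution and in the preceding paragraph, as an added PowerShell example that is not part of the original page. The command for step 5 does not appear on the page; the example assumes certutil's `RoleSeparationEnabled` registry value, assumes the two groups are local groups on the CA server, and uses a hypothetical helper name, `Get-RoleOverlap`.

```powershell
# Added example, not from the original page. Run elevated on the CA server.
# Assumption: the role groups are local groups named as in step 1.
$adminGroup   = 'CA Admin'
$managerGroup = 'Certificate Managers'

function Get-RoleOverlap {
    # Hypothetical helper: returns the accounts present in both lists.
    param([string[]]$Admins, [string[]]$Managers)
    @($Admins | Where-Object { $Managers -contains $_ } | Sort-Object -Unique)
}

# Step 1: create the groups if they do not exist yet.
foreach ($g in $adminGroup, $managerGroup) {
    if (-not (Get-LocalGroup -Name $g -ErrorAction SilentlyContinue)) {
        New-LocalGroup -Name $g -Description 'CA role group' | Out-Null
    }
}

# Steps 2-4 (permissions on the CA node, group membership) are carried out
# in the Certification Authority console and in user management first.

# Direct members only: nested domain groups are not expanded, and permissions
# granted directly on the CA node are outside this check.
$admins   = @(Get-LocalGroupMember -Group $adminGroup   | ForEach-Object Name)
$managers = @(Get-LocalGroupMember -Group $managerGroup | ForEach-Object Name)

# Caution from the page: with no role holders, nobody can manage the CA.
if ($admins.Count -eq 0 -or $managers.Count -eq 0) {
    throw 'Both groups need at least one member before role separation is applied.'
}

# An account in both roles cannot perform any CA operation once enforced.
$overlap = @(Get-RoleOverlap -Admins $admins -Managers $managers)
if ($overlap.Count -gt 0) {
    throw "Accounts holding both roles: $($overlap -join ', ')"
}

# Step 5: apply role separation (assumed command, see lead-in).
certutil -setreg CA\RoleSeparationEnabled 1
if ($LASTEXITCODE -ne 0) { throw "certutil failed with exit code $LASTEXITCODE" }

# Step 6: stop and then start Certificate Services.
Restart-Service -Name CertSvc

# Read the value back to confirm the setting.
certutil -getreg CA\RoleSeparationEnabled
```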