13.3. Disabling Multi-Roles Support

By default, users can belong to more than one subsystem group at once, which lets one user act in more than one role. For example, John Smith could belong to both an agent group and an administrator group. In highly secure environments, however, the subsystem roles should be restricted so that a user can belong to only one role. This is done by disabling the multiroles.enable parameter in the instance's configuration.

Multi-roles are only supported for Java subsystems.

For CA, DRM, TKS, and OCSP subsystems:
  1. Stop the server:
    service pki-ca stop
  2. Open the CS.cfg file:
    vim /var/lib/pki-ca/conf/CS.cfg
  3. Change the multiroles.enable parameter value from true to false.
  4. Restart the server:
    service pki-ca restart
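The edit in steps 2 and 3, scripted so it can be applied to every instance and then verified, as an added example (not from the Red Hat documentation). It assumes the CS.cfg path shown above and that the line has the form multiroles.enable=true; the instance names other than pki-ca are assumptions.

```shell
# disable_multiroles: set multiroles.enable=false in a CS.cfg file (hypothetical helper).
# Keeps a backup, adds the parameter if it is absent, and verifies the result.
disable_multiroles() {
  cfg="$1"
  [ -f "$cfg" ] || { echo "no such file: $cfg" >&2; return 1; }
  cp -p "$cfg" "$cfg.bak"                      # backup of the original configuration
  if grep -q '^multiroles\.enable=' "$cfg"; then
    # Parameter present (true or anything else): force it to false
    sed -i 's/^multiroles\.enable=.*/multiroles.enable=false/' "$cfg"
  else
    # Parameter absent: the default is multi-role, so state the restriction explicitly
    echo 'multiroles.enable=false' >> "$cfg"
  fi
  verify_multiroles_disabled "$cfg"
}

# verify_multiroles_disabled: succeeds only if the parameter is present exactly once
# and set to false (a duplicate line could leave the effective value ambiguous).
verify_multiroles_disabled() {
  [ "$(grep -c '^multiroles\.enable=' "$1")" -eq 1 ] &&
  grep -qx 'multiroles.enable=false' "$1"
}

# disable_multiroles_instance: steps 1-4 for one instance, e.g. pki-ca.
# Instance names pki-kra, pki-tks, pki-ocsp for DRM/TKS/OCSP are assumed, not from the page.
disable_multiroles_instance() {
  inst="$1"
  service "$inst" stop &&
  disable_multiroles "/var/lib/$inst/conf/CS.cfg" &&
  service "$inst" restart
}
```

Run `disable_multiroles_instance pki-ca` as root; the function returns non-zero if the file is missing or the final verification fails, so the instance is not restarted with an unverified configuration.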