Using role separation

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Using role separation

Role separation enforces the separation of the certification authority (CA) roles that are defined in role-based administration. When enabled, role separation enforces that a user with more than one CA role cannot perform any CA operation. Without enabling role separation, a single user can be assigned multiple CA roles. For more information on role-based administration, see Role-based administration.

In large enterprises, there may be many groups assigned CA roles on a CA. If a user belonging to these groups is assigned multiple CA roles and the user's account is compromised, then the operation of the CA may also be compromised. Enforcing the separation of CA roles so that each user holds only a single role ensures that if one user's account is compromised, then the operation of the entire CA is not compromised.


  • Before role separation is enabled, each user assigned a CA role on the CA must only be assigned a single CA role on that CA. If a user is assigned more than one CA role, when role separation is enabled, the Certificate Services service will detect that a user has more than one role and deny the user's attempts to operate the CA.

Enabling role separation

You must enable role separation on each CA to enforce the separation of roles. Only members of the local Administrators security group on a CA can enable and disable role separation. Enabling role separation requires editing the registry of the Windows Server 2003, Enterprise Edition running the Certificate Services service. Once this registry setting is edited to enable role separation, any assigned roles are in effect until the local Administrator of the server disables role separation through the registry. For more information, see Enable role separation.

CA roles can be assigned and changed by the CA Administrator while role separation is enabled or disabled. While role separation is enabled the CA Administrator cannot assign a user to more than one CA role. If the CA Administrator attempts to assign a user to a second CA role, the operation is refused.

Role separation concerns

It is possible for a user assigned a role to become locked out of administering a CA when role separation is enabled if the user is also assigned to a second CA role. If the CA Administrator assigns himself or another role holder to a second role, then the CA Administrator violates the rules of role separation by allowing a user to have two roles. Once the user is assigned to two roles, role separation will not allow that user to perform any activity on the CA, including, in the case of the CA Administrator, the activity of removing himself from one of the roles.

To correct this configuration, the local Administrator of the server must disable role separation, remove the CA Administrator from the second role, and then restart the Certificate Services service. Following these steps, role separation can be enabled again.

Windows 2000 and Windows Server 2003 role-based administration

During the upgrade from a Windows 2000 CA to a Windows Server 2003 CA, Windows 2000 CA permissions are upgraded to Windows Server 2003 CA roles according to the rules listed in the following table.

Windows 2000 permission Windows Server 2003 role or permission

Manage CA permission

CA Administrator and Certificate Manager

Revoke Certificate permission

Certificate Manager

Approve Certificate permission

Certificate Manager

Enroll permission

Enroll permission

Read permission

Read permission

All other permissions listed in the Windows 2000 CA advanced security settings.

Read permission


  • Role separation is only available on servers running Windows Server 2003, Enterprise Edition and Windows Server 2003, Datacenter Edition, including the 64-bit versions of Windows Server 2003, Enterprise Edition and 64-bit versions of Windows Server 2003, Datacenter Edition. Role-based administration is available on servers running any version of the Windows Server 2003 family.