There are three levels of admins: Dashboard Admin, Authority Admin, and Provisioner Admin.

Dashboard Admin:

Can access the UI dashboard for Certificate Manager via password or SSO. Able to create and delete authorities, update team settings, enable notifications, check logs, etc.

There is a secondary type called Super Admin which is able to update settings on other Admin users.

Dashboard Admins can be added via the dashboard in Settings > ADD ADMIN.

Authority Admin:

Able to update settings on a given certificate authority via the step CLI. Must authenticate to Certificate Manager to make “admin-level” changes.

Authority Admins can be added and managed via the step CLI with the admin commands.

$ step ca admin add

Provisioner Admin

Able to update “admin-level” configurations on certificates generated via the given provisioner (eg. requesting SSH certificates with custom principals). Can use the given provisioner for authentication to “admin-level” commands.

Provisioner Admins can be added and removed via the step CLI with the update commands.

# Adding an admin
step ca provisioner update <provisioner> --admin

# Removing an admin
step ca provisioner update <provisioner> --remove-admin