DAs always have administrative privileges within the SED, but with the exception of the first DA of an SED, they may or may not have encryption and decryption privileges over the data within an SED.

When a new SED is created—either at installation time or subsequently—each SED is created by default with a new DA username of administrator1. The password for this DA is chosen at creation time by the individual executing the domain creation wizard. This DA (administrator1) not only has administrative privileges over the new SED, but also cryptographic service privileges. Using the EncryptionService web services the primary DA can encrypt and decrypt any object within the SED over which they have administrative privileges.

To prevent DAs from having such encryption and decryption privileges over the SED while giving them administrative privileges, create additional DA credentials within the SED using the DACTool and restrict the new DAs' privileges. The credential of administrator1 should be locked away in a secure location so it cannot be used, except as a backup credential during disaster recovery.

Every DA must have a digital certificate with its corresponding EC keys to strongly authenticate to SAKA for executing administrative commands. The certificate and keys are typically stored on a USB flash drive so they may be portable and can be kept off the machines likely to be used by the DA.

NOTE: SAKA comes with five (5) color-coded USB flash drives; the yellow token is designated for the DA. Sites are free to use any flash drive, as long as they maintain control over its contents.

The SED's first DA keys and certificate are generated on this token during the creation of the new domain; subsequent DA keys and/or certificates can either be generated using DACTool or supplied to DACTool if they are generated/created using another tool (such as keytool, OpenSSL, Mozilla, etc.).