Administration of the user attributes used for smart card authentication should be restricted to administrators who are enrolling smart cards for users.
When matching by subject names, the attributes are:
sasAllowableSubjectNames
nclTmpCertSubject
nclTmpCertExpiration
When matching by certificates, the attributes are:
userCertificate
nclTmpCert
nclTmpCertExpTime