An EJBCA Administrator is identified by information in the client SSL certificate. The information is validated in the following steps:
During the TLS handshake with the application server, the issuer of the client certificate is verified with a list of trusted CA certificates known as the 'truststore'.
EJBCA verfies that the client certificate exists in the database and that it's not revoked. (Configurable in web.properties.)
EJBCA tries to match the information in the certificate with any of the matching criterias found in the different roles. Matching rules are evaluated separately so matching with both CN and OU would match all CN matched certificates and also all OU matched certificates.
If a match is found, the access rules for this group is given to the administrator.
Administrator privileges is configured through Edit Administrator Privileges in the Admin GUI or by using the CLI. If you have locked yourself out of the GUI, the CLI can add another admin certificate to allow continued operations.