A Certificate Lifecycle Manager (CLM) extended permission in Active Directory that allows a user or group to perform certificate requests on behalf of another user. The issued certificate’s subject will contain the target user’s name, rather than the requestor’s name.