The concept is rather simple: say that we have a PKI organization containing a relatively flat structure, simple three administrators:
For the sake of argument, let's presume that these three are all equal, but their policies require that none of them be able to perform any enrollment actions without the cooperation of at least one of the other. To do so, we can set up the following Accumulative Approval Profile:
