Click the thumbnail view, to open the picture at full size.
The Crypto Officer and Crypto User roles, described on the right-hand side
of the diagram (above) exist only for Luna HSM with Trusted Path Authentication.
They don't exist for a Luna HSM with Password Authentication.
In addition to providing the Crypto User password,
a Client application must also pass the user type CKU_RESTRICTED_USER
(or the alias CKU_CRYPTO_USER).
To work with a Partition as Crypto Officer,
OR for applications that use the
existing standard, your application must pass the user type CKU_USER (along
with the Crypto Officer / Partition Owner password). However, this type
now has an alias CKU_CRYPTO_OFFICER, which you might prefer to use for
reasons of clarity. (This concerns you only if you are an application
developer.)