If you want to allow your users to manage their own tokens in the Self-Service Console, then you can define user permissions by customizing the Self-Service policy.
Two policy options are relevant to DeviceCert: Token Permissions and Token Activation Code.
Token Permissions define which actions or operations users are allowed to perform on tokens. (In DualShield, DeviceCert is a type of token.)
The Activation Code option determines whether an additional activation code is required when users attempt to activate a token, e.g. DeviceCert.