Looking at the code, getCertificatesByExpirationTimeAndType does a normal getAdmin, which throws an AuthorizationDeniedException(msg); if the admin does not have /administrator.
The issue here seems to be that the three methods:
Swallows AuthorizationDeniedException silently. Which seems like a strange thing to do? It should probably be logged there?