Documentation Suite v25.2

Submit Search

Security Role Permissions

The Security Role Permissions that are available to be assigned to security roles within Keyfactor Command are documented below. Beginning with release 11.0 of Keyfactor Command, a new permission structure was introduced. Users of Keyfactor Command through the Management Portal will not see much difference between the older model and the newer model, as the changes are largely behind the scenes. Users of Keyfactor Command through the Keyfactor API An API is a set of functions to allow creation of applications. Keyfactor offers the Keyfactor API, which allows third-party software to integrate with the advanced certificate enrollment and management features of Keyfactor Command. will need to understand the new model. Some Keyfactor API endpoints (e.g. v1 Security Roles endpoints) still use the older permission model. Other Keyfactor API endpoints (e.g. v2 Security Roles endpoints) use the newer permission model.

Version Two Permission Model

The version two permission model was introduced in Keyfactor Command 11.0 and is used when setting security permissions in the Management Portal, with v2 Security Roles Keyfactor API endpoints, and with Keyfactor API Permission Set endpoints.

In the new model, permissions are built from access control strings, which are structured to support permission inheritance. Generally speaking, the more you add to an access control string, the less privilege you are granting to a user in that area of the product. For example, the following access control string grants full control to the entire product:

Add a certificates level to this, and now you’ve limited this to full control of just functions related to certificates in the product (which would include enrollment Certificate enrollment refers to the process by which a user requests a digital certificate. The user must submit the request to a certificate authority (CA)., for example):

/certificates/

Add a collections level to this, and now you’ve limited this further to full control of just options that can be found on the Certificates menu item in the Management Portal, including certificates both in collections and found by direct search, certificate import, and certificate collection The certificate search function allows you to query the Keyfactor Command database for certificates from any available source based on any criteria of the certificates and save the results as a collection that will be availble in other places in the Management Portal (e.g. expiration alerts and certain reports). management:

/certificates/collections/

Add a read to this, and now you’ve limited this to just read for items on the Certificates menu:

/certificates/collections/read/

Add a certificate collection ID to this, and now you’ve locked this down to just read on just the certificates in the certificate collection with ID 5:

/certificates/collections/read/5/

When you apply permissions through the Management Portal, these access control strings are applied for you based on the selections you make in the Role Information dialog when assigning permissions to a role (see Security Role Operations). When you apply permissions through the Keyfactor API using a newer endpoint An endpoint is a URL that enables the API to gain access to resources on a server. (e.g. v2 Security Roles endpoints), you need to specify these access control strings.

Access control strings that are shown below with a # refer to a specific granular ID to which permissions should be granted. When used, they must be specified with an integer in place of the #. For example, use:

/certificate_stores/read/4/

To refer to the certificate store container with ID 4, not:

/certificate_stores/read/#/

Note: Access control strings always begin and end with a /. If you specify an access control string in the Keyfactor API without the leading or trailing slash, it will not be recognized.

Agents

Table 34: Agents Security Role Permissions v2

Note: The Keyfactor Mac Auto-Enroll Agent was deprecated as of Keyfactor Command version 11. Any Mac Auto-Enrollment tools and configurations in the product should not be used.

Permission Tab	Portal Permission	API Permission	Description
Global	Agents	/agents/	Users can view and modify orchestrator management and jobs.
Global	Agents > Management	/agents/management/	Users can view and modify orchestrator management and jobs.
Global	Agents > Management > Modify	/agents/management/modify/	Users can access the Management Portal areas and API endpoints to: Manage orchestrators, including approving and disapproving them Unschedule and reschedule orchestrator jobs
Global	Agents > Management > Read	/agents/management/read/	Users can access the Management Portal areas and API endpoints to: View orchestrators, including filtering the orchestrator management grid View orchestrator jobs, including status, schedules, failures and warnings
Global	Agents > Management > Mac	/agents/management/mac/	This permission has been deprecated and may be removed in a future release.
Global	Agents > Management > Mac > Auto-enrollment	/agents/management/mac/auto-enrollment/	This permission has been deprecated and may be removed in a future release.
Global	Agents > Management > Mac > Auto-enrollment > Management	/agents/management/mac/auto-enrollment/management/	This permission has been deprecated and may be removed in a future release.
Global	Agents > Management > Mac > Auto-enrollment > Management > Modify	/agents/management/mac/auto-enrollment/management/modify/	This permission has been deprecated and may be removed in a future release.
Global	Agents > Management > Mac > Auto-enrollment > Management > Read	/agents/management/mac/auto-enrollment/management/read/	This permission has been deprecated and may be removed in a future release.

Application Settings

Table 35: Application Settings Security Role Permissions v2

Permission Tab	Portal Permission	API Permission	Description
Global	Application Settings	/application_settings/	Users can view and modify the application settings.
Global	Application Settings > Modify	/application_settings/modify/	Users can modify the application settings.
Global	Application Settings > Read	/application_settings/read/	Users can view the application settings.

Auditing

Table 36: Auditing Security Role Permissions v2

Permission Tab	Portal Permission	API Permission	Description
Global	Auditing	/auditing/	Users can access the Audit Log page in the Management Portal, and will be able to make API requests to obtain data from the audit log (query, etc.).
Global	Auditing > Read	/auditing/read/	Users can access the Audit Log page in the Management Portal, and will be able to make API requests to obtain data from the audit log (query, etc.).

Certificate Authorities

Note: This permission was previously bundled together with certificate template

A certificate template defines the policies and rules that a CA uses when a request for a certificate is received. permissions and known as PKI

A public key infrastructure (PKI) is a set of roles, policies, and procedures needed to create, manage, distribute, use, store and revoke digital certificates and manage public-key encryption. Management.

Table 37: Certificate Authorities Security Role Permissions v2

Permission Tab	Portal Permission	API Permission	Description
Global	Certificate Authorities	/certificate_authorities/	Users can view and modify certificate authority records. Users can view, test, and modify revocation monitoring settings.
Global	Certificate Authorities > Modify	/certificate_authorities/modify/	Users can modify certificate authority and revocation monitoring settings to: Import, add, edit, and delete certificate authorities. Configure CA health monitor and threshold alert recipients. Import CAs. Add, edit, delete, and test revocation monitoring endpoints. For access in the Management Portal, this also requires the Monitoring > Alerts > Read permission. Configure revocation monitoring schedules and recipients. For access in the Management Portal, this also requires the Monitoring > Alerts > Read permission.
Global	Certificate Authorities > Read	/certificate_authorities/read/	Users can view certificate authority records. Users can view revocation monitoring settings, CA health monitoring and threshold alert recipients and schedules.

Permission Tab

Portal Permission

API Permission

Description

Global

Certificate Authorities

/certificate_authorities/

Users can view and modify certificate authority records. Users can view, test, and modify revocation monitoring settings.

Global

Certificate Authorities > Modify

/certificate_authorities/modify/

Users can modify certificate authority and revocation monitoring settings to:

Import, add, edit, and delete certificate authorities.
Configure CA health monitor and threshold alert recipients.
Import CAs.
Add, edit, delete, and test revocation monitoring endpoints.

For access in the Management Portal, this also requires the Monitoring > Alerts > Read permission.
Configure revocation monitoring schedules and recipients.

For access in the Management Portal, this also requires the Monitoring > Alerts > Read permission.

Global

Certificate Authorities > Read

/certificate_authorities/read/

Users can view certificate authority records. Users can view revocation monitoring settings, CA health monitoring and threshold alert recipients and schedules.

Certificate Stores

Table 38: Certificate Stores Security Role Permissions v2

See Container Permissions, Certificate Operations, Certificate Store Types and Certificate Store Operations for more information.

Permission Tab	Portal Permission	API Permission	Description
Global	Certificate Stores	/certificate_stores/	Users can view and manage all certificate stores and add certificates to certificate stores, renew/reissue certificates, and remove certificates from certificate stores for all certificate stores. Users can manage certificate store containers. Users can initiate certificate store discovery jobs and manage the resulting certificate stores.
Global	Certificate Stores > Modify	/certificate_stores/modify/	Users with the Modify role permission for either Certificate Stores or a container (#) can view the certificate stores grid and the containers grid and use the following operations on these pages (in addition to those available with Read and Schedule permissions): Add (Certificate Stores tab): Add new certificate stores. Edit (Certificate Stores tab): Edit existing certificate stores. Delete (Certificate Stores tab): Delete certificate stores. Set New Password (Certificate Stores tab): For certificate stores with a store password, set a new store password. Assign Container (Certificate Stores tab): Assign a certificate store to a certificate store container. Add (Containers tab): Add a new certificate store container. This permission cannot be granted at the container level. Edit (Containers tab): Edit a certificate store container. Delete (Containers tab): Delete a certificate store container. Permissions (Containers tab): View and modify certificate container permissions from the containers tab. Keyfactor recommended best practice is to manage permissions as part of the overall permission configuration on the Security Roles and Claims page, as additional system-wide configuration settings are available there that cannot be viewed or modified from this page. Discover tab: View certificate store discover job results on the Discover tab. Schedule discovery jobs. Approved or delete discovered certificate stores. This permission cannot be granted at the container level. Important: Scheduling discovery jobs also requires Agents > Management > Read (see Agents). Note: This permission does not control additions of certificates to certificate stores (see Certificate Stores > Schedule and Certificates).
Container	Certificate Stores > Modify	/certificate_stores/modify/#/	See description above. Users with permissions at only the container level can act only on certificates stores within the specified container. For example: Add (Certificate Stores tab): When a new certificate store is added, only containers on which the user has Modify permissions will appear in the container dropdown and the newly created certificate store must be added to one of these if the user does not have global certificate store management permissions. Edit (Certificate Stores tab): Only certificate stores in containers on which the user has Modify permissions will be editable. Delete (Certificate Stores tab): Only certificate stores in containers on which the user has Modify permissions will be available for deletion. Set New Password (Certificate Stores tab): Only certificate stores in containers on which the user has Modify permissions will be available for password reset. Assign Container (Certificate Stores tab): A certificate store can only be assigned to a container or moved from one container to another if the user has Modify permissions on both the source (if applicable) and target containers. Edit (Containers tab): Only containers on which the user has Modify permissions will be available for editing. Delete (Containers tab): Only containers on which the user has Modify permissions will be available for deletion. Permissions (Containers tab): Only containers on which the user has Modify permissions will be available for permission management.
Global	Certificate Stores > Read	/certificate_stores/read/	Users with the Read global role permission for either Certificate Stores or a specific container (#) can view the certificate stores grid and the containers grid and use the following operations on these pages: View (Certificate Stores tab): For users without the Modify permission, see a read-only view of the certificate store configuration details. Important: This option also requires Agents > Management > Read (see Agents). View Inventory (Certificate Stores tab): Open a subpage under Certificate Stores to view all certificates found in the certificate store on an inventory job. Query Certificate Store (Certificate Stores tab): Redirect to Certificate Search to view all certificates found in the certificate store on an inventory job. The search is opened in a new tab. Important: This option also requires global Certificates > Read (see Certificates). View (Containers tab): For users without the Modify permission, see a read-only view of the container configuration details. Users can perform no operations on the certificate stores or containers.
Container	Certificate Stores > Read	/certificate_stores/read/#/	See description above. Users with permissions at only the container level can act only on certificates stores within the specified container. For example: View (Certificate Stores tab): Only certificate stores in containers on which the user has Read permissions will appear in the certificate stores grid. View Inventory (Certificate Stores tab): Only certificate stores in containers on which the user has Read permissions will appear in the certificate stores grid. Query Certificate Store (Certificate Stores tab): Only certificate stores in containers on which the user has Read permissions will appear in the certificate stores grid. View (Containers tab): Only containers on which the user has Read permissions will appear in the containers grid.
Global	Certificate Stores > Schedule	/certificate_stores/schedule/	Users with the Schedule and Read role permission for either Certificate Stores or a container (#) can view the certificate stores grid and the containers grid and use the following operations on these pages: ODKG (Certificate Stores tab): For certificate store types that support it, perform a certificate enrollment using on-device key generation (formerly reenrollment). Important: This option also requires CSR enrollment permissions (Certificates > Enrollment > Csr). Schedule Inventory (Certificate Stores tab): On the Certificate Stores tab, set an inventory job for a certificate store. Schedule Inventory (Containers tab): On the Container tab, set an inventory job for a container. Add to Certificate Store (Certificate Search page): On the Certificate Search page or in a certificate collection, add a certificate to the certificate store. Important: To use the add, remove, and renew/reissue certificate options, users must have either global Certificates > Collections > Read or have been granted access to one or more certificate collections via collection-level permissions (see Certificate Collection Permissions). Remove from Certificate Store (Certificate Search page): On the Certificate Search page or in a certificate collection, remove a certificate from the certificate store. Renew/Reissue (Certificate Search page): Renew or reissue a certificate and deliver it to the certificate store. Important: To renew/reissue certificates, users must have Certificates > Enrollment permissions (PFX and/or CSR) and Agents > Management > Read (see Certificate Enrollment and Agents).
Container	Certificate Stores > Schedule	/certificate_stores/schedule/#/	See description above. Users with permissions at only the container level can act only on certificates stores within the specified container. For example: ODKG (Certificate Stores tab): Only certificate stores in containers on which the user has Schedule permissions, along with Enroll CSR permissions (see Certificate Enrollment ) will be available for ODKG. Schedule Inventory (Certificate Stores tab): Only certificate stores in containers on which the user has Schedule permissions will be available for scheduling inventory. Schedule Inventory (Containers tab): Only containers on which the user has Schedule permissions will be available for scheduling inventory. Add to Certificate Store (Certificate Search page): Only certificate stores in containers on which the user has Schedule permissions will be available for adding a certificate to in certificate collections or certificate search. Remove from Certificate Store (Certificate Search page): Only certificate stores in containers on which the user has Schedule permissions will be available for removing a certificate from in certificate collections or certificate search. Renew/Reissue (Certificate Search page): Only certificate stores in containers on which the user has Schedule permissions will be available for renewing or reissuing a certificate in certificate collections or certificate search.
Global	Certificate Stores > Change Owner	/certificate_stores/change_owner/	Users with the Change Owner and Read role permission for either Certificate Stores or a container (#) can change the certificate owner (a security role) assigned to a certificate found in a certificate store from the View Inventory subpage to the Certificate Stores page. Users will only be able to change the owner to a security role of which they are a member (see Change Owner). Note: This permission does not apply to operations on the Certificate Search page.
Container	Certificate Stores > Change Owner	/certificate_stores/change_owner/#/	See description above. Users with permissions at only the container level can act only on certificates in certificates stores within the specified container.
Global	Certificate Stores > Private Key Read	/certificate_stores/private_key/read/	Users with the Private Key Read and Read role permission for either Certificate Stores or a container (#) can download a certificate found in a certificate store with its private key from the View Inventory subpage to the Certificate Stores page. Note: This permission does not apply to operations on the Certificate Search page.
Container	Certificate Stores > Private Key Read	/certificate_stores/private_key/read/#/	See description above. Users with permissions at only the container level can act only on certificates in certificates stores within the specified container.
Global	Certificate Stores > Metadata Modify	/certificate_stores/metadata/modify/	Users with the Metadata Modify and Read role permission for either Certificate Stores or a container (#) can edit the metadata fields for a certificate found in a certificate store from the View Inventory subpage to the Certificate Stores page. Note: This permission does not apply to operations on the Certificate Search page.
Container	Certificate Stores > Metadata Modify	/certificate_stores/metadata/modify/#/	See description above. Users with permissions at only the container level can act only on certificates in certificates stores within the specified container.
Global	Certificate Stores > Revoke	/certificate_stores/revoke/	Users with the Revoke and Read role permission for either Certificate Stores or a container (#) can revoke a certificate found in a certificate store from the View Inventory subpage to the Certificate Stores page. Note: This permission does not apply to operations on the Certificate Search page.
Container	Certificate Stores > Revoke	/certificate_stores/revoke/#/	See description above. Users with permissions at only the container level can act only on certificates in certificates stores within the specified container.

Certificate Templates

Note: This permission was previously bundled together with certificate authority

A certificate authority (CA) is an entity that issues digital certificates. Within Keyfactor Command, a CA may be a Microsoft CA or a Keyfactor gateway to a cloud-based or remote CA. permissions and known as PKI Management.

Table 39: Certificate Templates Security Role Permissions v2

Permission Tab	Portal Permission	API Permission	Description
Global	Certificate Templates	/certificate_templates/	Users can view and modify certificate template records.
Global	Certificate Templates > Modify	/certificate_templates/modify/	Users can modify certificate template settings to import, edit, and configure system settings for certificate templates.
Global	Certificate Templates > Read	/certificate_templates/read/	Users can view certificate template records.

Certificates

Table 40: Certificates Security Role Permissions v2

Permission Tab	Portal Permission	API Permission	Description
Global	Certificates	/certificates/	Users can view, modify, and act upon everything certificate-related, including certificates in collections, certificates found in a search that are not in a collection, certificate import, certificate enrollment, and pending certificate request management.
Global	Certificates > Expanded Change Owner	/certificates/expanded_change_owner	Users can change the certificate owner to any role within the permission sets of which the acting user is a member. The Change Owner dialog presents a search select list containing all the allowed roles. This list will be disabled if the acting user is not a member of the original certificate owner's security role permission set. This permission setting overrides the Certificates > Collections > Change Owner permission at both the global and collection levels when both permissions are set. To utilize the Expanded Change Owner permission, a user must hold at least one security role within a permission set and have either Security or Security > Read permissions on that role in order to access all security roles within the permission set. For more details, see Change Owner.
Global	Certificates > Import	/certificates/import/	Users can import certificates using the Management Portal Add Certificate page or the Keyfactor API POST /Certificates/Import method. Users who also have Read permissions for Certificate Store Management or container permissions can add certificates to certificate stores from Add Certificate. Note: This permission was controlled at the global certificate collection level in previous versions of Keyfactor Command, but has moved to a higher level separate from collections.
Global	Certificates > Requests Manage	/certificates/requests/manage/	Users can use the Pending CSRs page in the Management Portal and the equivalent API functions.
Global	Certificates > Excluded Certificates > Read	/certificates/excluded_certificates/read	Users can view certificates that have been marked to be deleted and excluded from Keyfactor Command on the Excluded Certificates page (see Excluded Certificates).
Global	Certificates > Enrollment	/certificates/enrollment/	Users can use all the enrollment-related functions, including CSR generation, CSR enrollment, and PFX enrollment.
Global	Certificates > Enrollment > Csr	/certificates/enrollment/csr/	Users can use the CSR Enrollment page in the Management Portal and the equivalent API functions.
Global	Certificates > Enrollment > Csr Generation	/certificates/enrollment/csr_generation/	Users can use the CSR Generation page in the Management Portal and the equivalent API functions.
Global	Certificates > Enrollment > Pfx	/certificates/enrollment/pfx/	Users can use the PFX Enrollment page in the Management Portal and the equivalent API functions.
Global	Certificates > Collections	/certificates/collections/	Users can view, modify, and act upon certificate-related functions including certificates in collections and certificates found in a search that are not in a collection.
Global	Certificates > Collections > Change Owner	/certificates/collections/change_owner	Users can change the certificate owner (a security role) assigned to any certificate (see Change Owner). Users will only be able to change the owner to a security role of which they are a member (see Change Owner).
Collection	Certificates > Collections > Change Owner	/certificates/collections/change_owner/#/	Users can change the certificate owner assigned to certificates in the specified certificate collection. Users will only be able to change the owner to a security role of which they are a member (see Change Owner).
Global	Certificates > Collections > Delete And Exclude	/certificates/collections/delete_and_exclude	Users can delete AND exclude certificates and, if applicable, the private keys of the certificates which will permanently delete a certificate from the Keyfactor Command database, excluding it from all product functionality. Excluded Certificates.
Collection	Certificates > Collections > Delete And Exclude	/certificates/collections/delete_and_exclude/#	Users can delete AND exclude certificates and, if applicable, the private keys of the certificates for any certificates in the specified certificate collection which will permanently delete a certificate from the Keyfactor Command database, excluding it from all product functionality. . Deletion of a certificate from a collection for which a user has permission will also delete it from collections for which the user does not have permissions.
Global	Certificates > Collections > Delete	/certificates/collections/delete/	Users can delete certificates (but not exclude) and, if applicable, the private keys of the certificates from the Keyfactor Command database for any certificates. Only users with both delete, and delete and exclude permissions will be able to delete certificates with or without excluding them.
Collection	Certificates > Collections > Delete	/certificates/collections/delete/#/	Users can delete certificates and, if applicable, the private keys of the certificates from the Keyfactor Command database for certificates in the specified certificate collection. Only users with both delete, and delete and exclude permissions will be able to delete certificates with or without excluding them.
Global	Certificates > Collections > Metadata Modify	/certificates/collections/metadata/modify/	Users can modify certificate metadata for certificates in the Certificate Details dialog (only information on the metadata tab can be edited) and the equivalent API functions for any certificates (see Certificate Details).
Collection	Certificates > Collections > Metadata Modify	/certificates/collections/metadata/modify/#/	Users can modify certificate metadata for certificates in the Certificate Details dialog (only information on the metadata tab can be edited) and the equivalent API functions for certificates in the specified certificate collection (see Certificate Details).
Global	Certificates > Collections > Modify	/certificates/collections/modify/	Users can add or edit certificate collections. See Certificate Collection Permissions for more information. Note: This permission cannot be applied at the certificate collection level.
Global	Certificates > Collections > Private Key Import	/certificates/collections/private_key/import/	Users can save the private key for the certificate in the Keyfactor Command database. Users with this role can add a certificate with an associated private key through the Add Certificate option under the Certificate Locations menu (see Add Certificate) and the private key will be stored in the Keyfactor Command database. Users must also be granted the Import role in order to be able to use the Add Certificate feature. Note: This permission cannot be applied at the certificate collection level.
Global	Certificates > Collections > Download with Private Key	/certificates/collections/private_key/read/	Users can download a certificate with its private key for any certificate.
Collection	Certificates > Collections > Private Key Read	/certificates/collections/private_key/read/#/	Users can download a certificate with its private key for certificates in the specified certificate collection.
Global	Certificates > Collections > Read	/certificates/collections/read/	Users can view any certificates, including certificate history, and can download certificates. Users who also have Read permissions for Certificate Store Management or certificate store container permissions can add certificates to certificate stores from Certificate Search and Certificate Collections. The certificate operations possibly available to users with this permission are: Add to Certificate Store (Also requires the Certificate Stores > Schedule permission at either the global or container level) Display Download Get CSV Identity Audit (Also requires the Security > Read permission) Include Revoked checkbox Include Expired checkbox Renew (Also requires the Certificates > Enrollment > Pfx permission and Certificate Stores > Schedule permission at either the global or container level) Remove from Certificate Store (Also requires the Certificate Stores > Schedule permission at either the global or container level) Users with global Read role permissions can browse to Certificate Search in the Management Portal and view all saved certificate collections. They can view any certificate in the Keyfactor Command database and are not limited to just those returned by select collections. Users with this permission can view the certificates returned by searches and open the details of the certificates.
Collection	Certificates > Collections > Read	/certificates/collections/read/#/	Users can view certificates in the specified certificate collection, including certificate history, and can download certificates. Users who also have Read permissions for Certificate Store Management or certificate store container permissions can add the certificates in the collection to certificate stores from Certificate Search and Certificate Collections. The certificate operations possibly available to users with this permission are: Add to Certificate Store (Also requires the Certificate Stores > Schedule permission at either the global or container level) Display Download Get CSV Identity Audit (Also requires the Security > Read permission) Include Revoked checkbox Include Expired checkbox Renew (Also requires the Certificates > Enrollment > Pfx permission and Certificate Stores > Schedule permission at either the global or container level) Remove from Certificate Store (Also requires the Certificate Stores > Schedule permission at either the global or container level) Users with collection-level Read role permissions on a collection will see the collections to which they have been granted access appear on the Certificate Collections menu (if they have been configured to appear on the menu—see Certificate Collection Management). The users will be able to view all the certificates in the collections and open the details of the certificates.
Global	Certificates > Collections > Revoke	/certificates/collections/revoke/	Users can revoke any certificates through Keyfactor Command. This includes certificates that have been issued by a Microsoft or EJBCA CA configured for synchronization or by a cloud-based certificate vendor that is managed via a Keyfactor certificate gateway.
Collection	Certificates > Collections > Revoke	/certificates/collections/revoke/#/	Users can revoke certificates in the specified certificate collection through Keyfactor Command. This includes certificates that have been issued by a Microsoft or EJBCA CA configured for synchronization or by a cloud-based certificate vendor that is managed via a Keyfactor certificate gateway.

Dashboard

Table 41: Dashboard Security Role Permissions v2

Permission Tab	Portal Permission	API Permission	Description
Global	Dashboard	/dashboard/	Users can view the panels, including the risk header, on their personalized dashboard and add and remove the customizable panels.
Global	Dashboard > Read	/dashboard/read/	Users can view the panels on their personalized dashboard and add and remove them.
Global	Dashboard > Risk Header	/dashboard/risk_header/	Users can view the risk header at the top of the dashboard.
Global	Dashboard > Risk Header > Read	/dashboard/risk_header/read/	Users can view the risk header at the top of the dashboard.

Enrollment Pattern

Table 42: Enrollment Pattern Security Role Permissions v2

Permission Tab	Portal Permission	API Permission	Description
Global	Enrollment Pattern	/enrollment_pattern/	Users can view and modify the enrollment pattern settings.
Global	Enrollment Pattern > Read	/enrollment_pattern/read/	Users can view the enrollment pattern settings.
Global	Enrollment Pattern > Modify	/enrollment_pattern/write/	Users can modify the enrollment pattern settings.

Identity Providers

Table 43: Identity Providers Security Role Permissions v2

Permission Tab	Portal Permission	API Permission	Description
Global	Identity Providers	/identity_providers/	Users can view and modify the identity provider settings for identity providers.
Global	Identity Providers > Modify	/identity_providers/modify/	Users can modify the identity provider settings for identity providers.
Global	Identity Providers > Read	/identity_providers/read/	Users can view the identity provider settings for identity providers.
Identity Provider	Identity Providers > Modify	/identity_providers/modify/#	Users can modify the identity provider settings for the selected identity provider.
Identity Provider	Identity Providers > Read	/identity_providers/read/#	Users can view the identity provider settings for the selected identity provider.

Metadata

Table 44: Certificate Metadata Types Security Role Permissions v2

Permission Tab	Portal Permission	API Permission	Description
Global	Metadata	/metadata/	Users can view and modify custom metadata attribute definitions.
Global	Metadata > Types	/metadata/types/	Users can view and modify custom metadata attribute definitions.
Global	Metadata > Types > Modify	/metadata/types/modify/	Users can add, edit, and delete custom metadata attribute definitions on the Certificate Metadata page in the Management Portal and the equivalent API functions.
Global	Metadata > Types > Read	/metadata/types/read/	Users can view custom metadata attribute definitions on the Certificate Metadata page in the Management Portal and the equivalent API functions.

Monitoring

Table 45: Monitoring Security Role Permissions v2

Permission Tab	Portal Permission	API Permission	Description
Global	Monitoring	/monitoring/	Users can view, modify, and test the pending, issued, and denied certificate request alerts and the event handler registration settings.
Global	Monitoring > Alerts	/monitoring/alerts/	Users can view, modify, and test the pending, issued, and denied certificate request alerts.
Global	Monitoring > Alerts > Modify	/monitoring/alerts/modify/	Users can modify the pending, issued, and denied certificate request alerts, including the alert text, recipients, and event handlers. Users can also add new alerts, delete alerts, and configure the pending alert delivery schedule.
Global	Monitoring > Alerts > Read	/monitoring/alerts/read/	Users can view the pending, issued, and denied certificate request alerts.
Global	Monitoring > Alerts > Schedule	/monitoring/alerts/schedule/	Users can schedule the revocation monitoring alerts. Tip: To allow the revocation monitoring alerts page to appear in the Keyfactor Command Management Portal, users also require Read permissions for Certificate Authorities.
Global	Monitoring > Alerts > Schedule > Revocation	/monitoring/alerts/schedule/revocation/	Users can schedule the revocation monitoring alerts. Tip: To allow the revocation monitoring alerts page to appear in the Keyfactor Command Management Portal, users also require Read permissions for Certificate Authorities.
Global	Monitoring > Alerts > Test	/monitoring/alerts/test/	Users can test the pending certificate request alerts, including sending email to recipients. Users must also have Read permissions for Alerts.
Global	Monitoring > Handlers	/monitoring/handlers/	Users can view and modify the event handler registration settings.
Global	Monitoring > Handlers > Registration	/monitoring/handlers/registration/	Users can view and modify the event handler registration settings.
Global	Monitoring > Handlers > Registration > Modify	/monitoring/handlers/registration/modify/	Users can modify the event handler registration settings.
Global	Monitoring > Handlers > Registration > Read	/monitoring/handlers/registration/read/	Users can view the event handler registration settings.

Privileged Access Management (PAM)

Table 46: Privileged Access Management Security Role Permissions v2

Permission Tab	Portal Permission	API Permission	Description
Global	Pam	/pam/	Users can view and modify any PAM provider.
Global	Pam > Modify	/pam/modify/	Users can add, edit, and delete any PAM provider.
PAM Provider	Pam > Modify	/pam/modify/#/	Users can add, edit, and delete the specified PAM provider.
Global	Pam > Read	/pam/read/	Users can view any PAM provider. Users can select any PAM providers to provide credentials within Keyfactor Command for: Certificate Stores Certificate Authorities Workflow Definitions
PAM Provider	Pam > Read	/pam/read/#/	Users can view or select the specified PAM provider.

[Management] Portal

Table 47: Management Portal Security Role Permissions v2

Permission Tab	Portal Permission	API Permission	Description
Global	Portal	/portal/	Users can access the Management Portal.
Global	Portal > Read	/portal/read/	Users can access the Management Portal. This permission must be enabled for all roles that will access the Management Portal.

Reports

Table 48: Reports Security Role Permissions v2

Permission Tab	Portal Permission	API Permission	Description
Global	Reports	/reports/	Users can generate, view, and modify the delivery schedule for reports. Users can add, edit, and delete custom reports.
Global	Reports > Modify	/reports/modify/	Users can modify the delivery schedule for reports in Report Manager in the Management Portal and the equivalent API functions and add, edit, and delete custom reports. Note: Report scheduling is limited by collection permissions. Users in roles that have Reports > Read and Modify permissions will also need to have either global certificate Read permissions or Read collection permissions on individual collections to have the ability to add, edit, and delete schedules associated with collections. The user will not have access to add, edit, and delete schedules for any collections for which they do not have collection Read permissions in addition to Reports permissions if permissions are granted at a collection-by-collection level rather than globally.
Global	Reports > Read	/reports/read/	Users can generate and view reports.

Scripts

Table 49: Scripts Security Role Permissions v2

Permission Tab	Portal Permission	API Permission	Description
Global	Scripts	/scripts/	Users can view and modify scripts used in alert event handlers and workflows.
Global	Scripts > Modify	/scripts/modify/	Users can add, edit, and delete scripts used in alert event handlers and workflows.
Global	Scripts > Read	/scripts/read/	Users can view scripts used in alert event handlers and workflows.

Security

Note: Users can only edit security settings on security roles that are in a permission set to which they have been mapped. In some environments, there is only one permission set to which all users are mapped. Other environments may have implemented a more privileged access model with multiple permission sets. For more information on permission sets, see Permission Sets.

Table 50: Security Settings Security Role Permissions v2

Permission Tab	Portal Permission	API Permission	Description
Global	Security	/security/	Users can view and modify the settings for Security Roles and Security Claims.
Global	Security > Modify	/security/modify/	Users can modify the settings for Security Roles and Security Claims.
Global	Security > Read	/security/read/	Users can view the settings for Security Roles and Security Claims. Users must also have the Read permission for System Settings to access this in the Management Portal.

SSH

Table 51: SSH Security Role Permissions v2

Permission Tab	Portal Permission	API Permission	Description
Global	Ssh	/ssh/	Users can use all SSH functions.
Global	Ssh > Enterprise Admin	/ssh/enterprise_admin/	Users can use all SSH functions.
Global	Ssh > Server Admin	/ssh/server_admin/	Users can use all SSH functions, except creating server groups and assigning server group owners. Users have limited access to some functions based on server group ownership.
Global	Ssh > User	/ssh/user/	Users can generate their own SSH keys.

SSL

Table 52: SSL Management Security Role Permissions v2

Permission Tab	Portal Permission	API Permission	Description
Global	Ssl	/ssl/	Users can view and modify the SSL Discovery settings.
Global	Ssl > Modify	/ssl/modify/	Users can modify the SSL Discovery settings: Create, edit, and delete networks, including scan schedules and notification recipients Add, edit, and delete network ranges for networks Add, edit, and delete agent pools Add and remove discovered endpoints from monitoring
Global	Ssl > Read	/ssl/read/	Users can view the SSL Discovery pages in the Management Portal and the equivalent API functions, including defined networks and the network ranges configured for them, agent pools, and scan results. Users can use the query tool on the Results tab to find discovered endpoints and then view the discovered endpoints, including the details for the endpoints.

Permission Tab

Portal Permission

API Permission

Description

Global

Ssl

/ssl/

Users can view and modify the SSL Discovery settings.

Global

Ssl > Modify

/ssl/modify/

Users can modify the SSL Discovery settings:

Create, edit, and delete networks, including scan schedules and notification recipients
Add, edit, and delete network ranges for networks
Add, edit, and delete agent pools
Add and remove discovered endpoints from monitoring

Global

Ssl > Read

/ssl/read/

Users can view the SSL Discovery pages in the Management Portal and the equivalent API functions, including defined networks and the network ranges configured for them, agent pools, and scan results. Users can use the query tool on the Results tab to find discovered endpoints and then view the discovered endpoints, including the details for the endpoints.

System Settings

Table 53: System Settings Permissions v2

Permission Tab	Portal Permission	API Permission	Description
Global	System Settings	/system_settings/	Users can modify the System Settings for: Update SMTP Configuration for email delivery of reports and alerts Installed components, including removing servers from use Licensing, including the option to replace the existing license file
Global	System Settings > Modify	/system_settings/modify/	Users can modify the System Settings for: Update SMTP Configuration for email delivery of reports and alerts Installed components, including removing servers from use Licensing, including the option to replace the existing license file
Global	System Settings > Read	/system_settings/read/	Users can view the System Settings for: SMTP Configuration for email delivery of reports and alerts Installed components Licensing General Alerts and Warnings about the health of the Keyfactor Command system (not related to a specific area of the product)

Permission Tab

Portal Permission

API Permission

Description

Global

System Settings

/system_settings/

Users can modify the System Settings for:

Update SMTP Configuration for email delivery of reports and alerts
Installed components, including removing servers from use
Licensing, including the option to replace the existing license file

Global

System Settings > Modify

/system_settings/modify/

Users can modify the System Settings for:

Update SMTP Configuration for email delivery of reports and alerts
Installed components, including removing servers from use
Licensing, including the option to replace the existing license file

Global

System Settings > Read

/system_settings/read/

Users can view the System Settings for:

SMTP Configuration for email delivery of reports and alerts
Installed components
Licensing
General Alerts and Warnings about the health of the Keyfactor Command system (not related to a specific area of the product)

Workflows

Table 54: Workflows Security Role Permissions v2

Permission Tab	Portal Permission	API Permission	Description
Global	Workflows	/workflows/	Users can view and modify the configured workflow definitions and view and manage all initiated workflow instances.
Global	Workflows > Definitions	/workflows/definitions/	Users can view and modify the configured workflow definitions.
Global	Workflows > Definitions > Modify	/workflows/definitions/modify/	Users can modify both the built-in and any custom workflow definitions, including the name and description and the configuration for the steps. Users can also add new workflow definitions, delete workflow definitions, publish workflow definitions, and import and export workflow definitions.
Global	Workflows > Definitions > Read	/workflows/definitions/read/	Users can view the configured workflow definitions.
Global	Workflows > Instances	/workflows/instances/	Users can view and manage all initiated workflow instances.
Global	Workflows > Instances > Manage	/workflows/instances/manage/	Users can manage initiated workflow instances, including stopping, restarting, and deleting them.
Global	Workflows > Instances > Read	/workflows/instances/read/	Users can view all the workflow instances that have been initiated.
Global	Workflows > Instances > Read > Mine	/workflows/instances/read/mine/	Users can view the workflow instances that have been initiated by them (e.g. because they enrolled for a certificate).
Global	Workflows > Instances > Read > Pending	/workflows/instances/read/pending/	Users can view the workflow instances that have been initiated and are awaiting input from them. Tip: There is not a security permission at this level that controls whether users can provide input (a signal) to a workflow instance. This is controlled using the security roles configured on the specific workflow definition. Any user who holds one of the roles configured in the workflow step that requires a signal may provide the necessary input. The user does not need to hold the Workflows > Instances > Read > Pending permission in order to provide the input.

Version One Permission Model

The version one permission model was largely replaced in Keyfactor Command version 11.0, but is retained for backwards compatibility for use with select Keyfactor API endpoints.

Agent Management

Table 55: Agent Management Security Role Permissions v1

Portal Permission	API Permission	Description
Read	AgentManagement: Read	Users can: View orchestrators, including filtering the Orchestrator Management grid View orchestrator jobs, including status, schedules, failures and warnings
Modify	AgentManagement: Modify	Users can: Manage orchestrators, including approving and disapproving them Unschedule and reschedule orchestrator jobs

Portal Permission

API Permission

Description

Read

AgentManagement: Read

Users can:

View orchestrators, including filtering the Orchestrator Management grid
View orchestrator jobs, including status, schedules, failures and warnings

Modify

AgentManagement: Modify

Users can:

Manage orchestrators, including approving and disapproving them
Unschedule and reschedule orchestrator jobs

Alerts

Table 56: Alerts Security Role Permissions v1

Portal Permission	API Permission	Description
Read	WorkflowManagement: Read	Users can view the pending, issued, and denied certificate request alerts.
Modify	WorkflowManagement: Modify	Users can modify the pending, issued, and denied certificate request alerts, including the alert text, recipients, and event handlers. Users can also add new alerts, delete alerts, and configure the pending alert delivery schedule.
Test	WorkflowManagement: Test	Users can test the pending certificate request alerts, including sending email to recipients. Users must also have Read permissions for Alerts.

Application Settings

Table 57: Application Settings Security Role Permissions v1

Portal Permission	API Permission	Description
Read	ApplicationSettings: Read	Users can view the application settings.
Modify	ApplicationSettings: Modify	Users can modify the application settings.

Auditing

Table 58: Auditing Security Role Permissions v1

Portal Permission	API Permission	Description
Read	Auditing: Read	Users can access the Audit Log page in the Management Portal, and will be able to make API requests to obtain data from the audit log (query, etc.). The System Settings dropdown menu will display the Audit Log option to users with the Auditing Read permission.

Certificate Collections

Table 59: Certificate Collections Security Role Permissions v1

Portal Permission	API Permission	Description
Modify	CertificateCollections: Modify	Users can add or edit Certificate Collections. See Certificate Collection Permissions for more information.

Certificate Enrollment

Table 60: Certificate Enrollment Security Role Permissions v1

Portal Permission	API Permission	Description
Enroll PFX	CertificateEnrollment: EnrollPFX	Users can use the PFX Enrollment page in the Management Portal and the equivalent API functions.
Enroll CSR	CertificateEnrollment: EnrollCSR	Users can use the CSR Enrollment page in the Management Portal and the equivalent API functions.
CSR Generation	CertificateEnrollment: CsrGeneration	Users can use the CSR Generation page in the Management Portal and the equivalent API functions.
Manage Pending CSRs	CertificateEnrollment: PendingCsr	Users can use the Pending CSRs page in the Management Portal and the equivalent API functions.

Certificate Metadata Types

Table 61: Certificate Metadata Types Security Role Permissions v1

Portal Permission	API Permission	Description
Read	CertificateMetadataTypes: Read	Users can read custom metadata attribute definitions on the Certificate Metadata page in the Management Portal and the equivalent API functions.
Modify	CertificateMetadataTypes: Modify	Users can add, edit, and delete custom metadata attribute definitions on the Certificate Metadata page in the Management Portal and the equivalent API functions.

Certificate Requests

Table 62: Certificate Requests Security Role Permissions v1

Portal Permission	API Permission	Description
Manage	WorkflowManagement: Participate	Users can participate in the pending, issued, and denied alerts by approving or denying certificate requests from the Certificate Requests page, from the individual pages reached from links included in alerts, or using the Keyfactor API /Workflow/Certificates endpoints. Note: In previous versions of Keyfactor Command, this permission was Workflow Management: Participate.

Certificate Store Management

Table 63: Certificate Store Management Security Role Permissions v1

See Container Permissions, Certificate Operations, Certificate Store Types and Certificate Store Operations for more information.

UI Permission	API Permission	Description
Read	CertificateStoreManagement: Read	Users can view the certificate stores and containers tabs on the Locations > Certificate Stores menu, and view certificate store types.
Schedule	CertificateStoreManagement: Schedule	Users can add certificates to certificate stores, renew/reissue certificates, schedule and remove certificates from certificate stores.
Modify	CertificateStoreManagement: Modify	Users can manage all operations regarding certificate stores—including the stores, containers, and discovery process—and certificate store types.

Certificates

Table 64: Certificates Security Role Permissions v1

Portal Permission	API Permission	Description
Read	Certificates: Read	Users can view certificates, including certificate history, and can download certificates. Users who also have Read permissions for Certificate Store Management or certificate store container permissions can add certificates to certificate stores from Certificate Search and Certificate Collections. The certificate operations possibly available to users with this permission are: Add to Certificate Store (Also requires the Read and Schedule Certificate Store Management permissions) Edit Download Get CSV Identity Audit (Also requires the Read Security Settings permission) Include Revoked checkbox Include Expired checkbox Renew (Also requires the Read and Schedule Certificate Store Management permissions) Remove from Certificate Store (Also requires the Read and Schedule Certificate Store Management permissions) This permission can be applied at either the global or certificate collect level (see Certificate Collection Permissions. Users with global Read role permissions can browse to Certificate Search in the Management Portal and view all saved certificate collections. They can view any certificate in the Keyfactor Command database and are not limited to just those returned by select collections. Users with this permission can view the certificates returned by searches and open the details of the certificates. Users with collection-level Read role permissions on a collection will see the collections to which they have been granted access appear on the Certificate Collections menu (if they have been configured to appear on the menu—see Certificate Collection Management). The users will be able to view all the certificates in the collections and open the details of the certificates.
Edit Metadata	Certificates: EditMetadata	Users can modify certificate metadata for certificates in the Certificate Details dialog (only information on the metadata tab can be edited) and the equivalent API functions. If the users have also been granted global Read permission on Certificates, they can modify the metadata of any certificates within the Keyfactor Command database. If the users have not been granted the global Read permission, they can only modify the certificates found in collections to which they have been granted collection-level Read access. Note: If you plan to edit metadata via the Keyfactor API, the user running the API needs only Edit Metadata permissions. Read permissions are not required.
Import	Certificates: Import	Users can import certificates using the Management Portal Add Certificate page or the Keyfactor API POST /Certificates/Import method. Users who also have Read permissions for Certificate Store Management or container permissions can add certificates to certificate stores from Add Certificate. Note: This permission cannot be applied at the certificate collection level.
Download with Private Key	Certificates: Recover	Users can download the certificates with their private key.
Revoke	Certificates: Revoke	Users can revoke certificates through Keyfactor Command. Users with this role can use the revoke certificate operation on any certificates to which they have been granted access. This includes certificates that have been issued by a Microsoft or EJBCA CA configured for synchronization or by a cloud-based certificate vendor that is managed via a Keyfactor certificate gateway.
Delete	Certificates: Delete	Users can delete certificates and, if applicable, the private keys of the certificates from the Keyfactor Command database.
Import Private Key	Certificates: ImportPrivateKey	Users can save the private key for the certificate in the Keyfactor Command database. Users with this role can add a certificate with an associated private key through the Add Certificate option under the Certificate Locations menu (see Add Certificate) and the private key will be stored in the Keyfactor Command database. Users must also be granted the Import role in order to be able to use the Add Certificate feature. Note: This permission cannot be applied at the certificate collection level.

Dashboard

Table 65: Dashboard Security Role Permissions v1

Portal Permission	API Permission	Description
Read	Dashboard: Read	Users can view the panels on their personalized dashboard and add and remove them.
Risk Header	Dashboard: RiskHeader	Users can view the risk header at the top of the dashboard.

Event Handler Registration

Table 66: Event Handler Registration Security Role Permissions v1

Portal Permission	API Permission	Description
Read	EventHandlerRegistration: Read	Users can view the event handler registration settings.
Modify	EventHandlerRegistration: Modify	Users can modify the event handler registration settings.

Identity Providers

Table 67: Identity Providers Security Role Permissions v1

Portal Permission	API Permission	Description
Read	IdentityProviders: Read	Users can view the identity provider settings.
Modify	IdentityProviders: Modify	Users can modify the identity provider settings.

Management Portal

Table 68: Management Portal Security Role Permissions v1

Portal Permission	API Permission	Description
Read	AdminPortal: Read	Users can access the Management Portal. This permission must be enabled for all roles that will access the Management Portal.

Monitoring

Table 69: Monitoring Security Role Permissions v1

Portal Permission	API Permission	Description
Read	Monitoring: Read	Users can view the expiration alerts in the Certificate Alerts in the Management Portal and the equivalent API functions, including the alert schedule.
Modify	Monitoring: Modify	Users can modify the expiration alerts, including the alert text, recipients and event handlers. Users can also add new alerts, delete alerts and configure the expiration alert delivery schedule.
Test	Monitoring: Test	Users can test the expiration alerts, including sending email to recipients. Users must also have Read permissions for Monitoring to access this in the Management Portal.

PKI Management

Table 70: PKI Management Security Role Permissions v1

Portal Permission	API Permission	Description
Read	PkiManagement: Read	Users can view PKI management settings within: Certificate Authorities Certificate Templates Revocation Monitoring
Modify	PkiManagement: Modify	Users can modify PKI management settings to: Import, add, edit, and delete certificate authorities Import and edit certificate templates Add, edit, delete, and test revocation monitoring endpoints Configure revocation monitoring schedules Configure revocation monitoring recipients

Portal Permission

API Permission

Description

Read

PkiManagement: Read

Users can view PKI management settings within:

Certificate Authorities
Certificate Templates
Revocation Monitoring

Modify

PkiManagement: Modify

Users can modify PKI management settings to:

Import, add, edit, and delete certificate authorities
Import and edit certificate templates
Add, edit, delete, and test revocation monitoring endpoints
Configure revocation monitoring schedules
Configure revocation monitoring recipients

Privileged Access Management

Table 71: Privileged Access Management Security Role Permissions v1

Portal Permission	API Permission	Description
Read	PrivilegedAccessManagement: Read	Users can view PAM providers.
Modify	PrivilegedAccessManagement: Modify	Users can add, edit, and delete PAM providers.

Reports

Table 72: Reports Security Role Permissions v1

Portal Permission	API Permission	Description
Read	Reports: Read	Users can generate and view reports.
Modify	Reports: Modify	Users can modify the delivery schedule for reports in Report Manager in the Management Portal and the equivalent API functions and add, edit, and delete custom reports. Note: Report scheduling is limited by collection permissions. Users in roles that have Reports: Read and Modify permissions will also need to have Read collection permissions on individual collections to have the ability to add, edit, and delete schedules associated with collections. The user will not have access to add, edit, and delete schedules for any collections for which they do not have collection Read permissions in addition to Reports permissions.

Scripts

Table 73: Scripts Security Role Permissions v1

Portal Permission	API Permission	Description
Read	Scripts: Read	Users can view scripts.
Modify	Scripts: Modify	Users can add, edit, and delete scripts.

Security Settings

Table 74: Security Settings Security Role Permissions v1

Portal Permission	API Permission	Description
Read	SecuritySettings: Read	Users can view the settings for Security Roles and Security Claims. Users must also have the Read permission for System Settings to access this in the Management Portal.
Modify	SecuritySettings: Modify	Users can modify the settings for Security Roles and Security Claims.

SSH

Table 75: SSH Security Role Permissions v1

Portal Permission	API Permission	Description
User	SSH: User	Users can generate their own SSH keys.
Server Admin	SSH: ServerAdmin	Users can use all SSH functions, except creating server groups and assigning server group owners. Users have limited access to some functions based on server group ownership (see SSH Permissions).
Enterprise Admin	SSH: EnterpriseAdmin	Users can use all SSH functions (see SSH Permissions).

SSL Management

Table 76: SSL Management Security Role Permissions v1

Portal Permission	API Permission	Description
Read	SslManagement: Read	Users can view the SSL Discovery pages in the Management Portal and the equivalent API functions, including defined networks and the network ranges configured for them, agent pools, and scan results. Users can use the query tool on the Results tab to find discovered endpoints and then view the discovered endpoints, including the details for the endpoints.
Modify	SslManagement: Modify	Users can modify the SSL Discovery settings: Create, edit, and delete networks, including scan schedules and notification recipients Add, edit, and delete network ranges for networks Add, edit, and delete agent pools Add and remove discovered endpoints from monitoring

Portal Permission

API Permission

Description

Read

SslManagement: Read

Modify

SslManagement: Modify

Users can modify the SSL Discovery settings:

Create, edit, and delete networks, including scan schedules and notification recipients
Add, edit, and delete network ranges for networks
Add, edit, and delete agent pools
Add and remove discovered endpoints from monitoring

System Settings

Table 77: System Settings Security Role Permissions v1

Portal Permission	API Permission	Description
Read	SystemSettings: Read	Users can view the orchestrator auto-registration settings; users must also have Read permissions for Agent Management to access this in the Management Portal. Users can view the System Settings for: SMTP Configuration for email delivery of reports and alerts Installed components Licensing General Alerts and Warnings about the health of the Keyfactor Command system (not related to a specific area of the product)
Modify	SystemSettings: Modify	Users can modify the System Settings for: Update SMTP Configuration for email delivery of reports and alerts Installed components, including removing servers from use Licensing, including the option to replace the existing license file

Portal Permission

API Permission

Description

Read

SystemSettings: Read

Users can view the orchestrator auto-registration settings; users must also have Read permissions for Agent Management to access this in the Management Portal. Users can view the System Settings for:

SMTP Configuration for email delivery of reports and alerts
Installed components
Licensing
General Alerts and Warnings about the health of the Keyfactor Command system (not related to a specific area of the product)

Modify

SystemSettings: Modify

Users can modify the System Settings for:

Update SMTP Configuration for email delivery of reports and alerts
Installed components, including removing servers from use
Licensing, including the option to replace the existing license file

Workflow Definitions

Table 78: Workflow Definitions Security Role Permissions v1

Portal Permission	API Permission	Description
Read	WorkflowDefinitions: Read	Users can view the configured workflow definitions.
Modify	WorkflowDefinitions: Modify	Users can modify both the built-in and any custom workflow definitions, including the name and description and the configuration for the steps. Users can also add new workflow definitions, delete workflow definitions, publish workflow definitions, and import and export workflow definitions.

Workflow Instances

Table 79: Workflow Instances Security Role Permissions v1

Portal Permission	API Permission	Description
ReadAll	WorkflowInstances: ReadAll	Users can view all the workflow instances that have been initiated.
Read - Assigned To Me	WorkflowInstances: ReadAssignedToMe	Users can view the workflow instances that have been initiated and are awaiting input from them. Tip: There is not a security permission at this level that controls whether users can provide input (a signal) to a workflow instance. This is controlled using the security roles configured on the specific workflow definition. Any user who holds one of the roles configured in the workflow step that requires a signal may provide the necessary input. The user does not need to hold the Read - Assigned To Me Workflow Instances permission in order to provide the input.
Read - Started By Me	WorkflowInstances: ReadMy	Users can view the workflow instances that have been initiated by them (e.g. because they enrolled for a certificate).
Manage	WorkflowInstances: Manage	Users can manage initiated workflow instances, including stopping, restarting, and deleting them.

Was this page helpful? Provide Feedback

Version v25.2

On this page: