Application Permissions

Tip:  Previous versions of Keyfactor Command referred to the certificate store applications as containers.

Permissions on certificate stores and their applications are controlled at two levels—system-wide and on a certificate store application-by-application basis. When designing a certificate store permission scheme, you may use entirely system-wide permissions or you may use a combination of system-wide permissions and application permissions. Both system-wide and application permissions are configured through Security Roles (see Security Role Operations).

System-wide certificate store permissions are controlled with the Certificate Stores role permissions on the Global Permissions tab of the Security Role Information dialog.

Figure 432: Certificate Stores: Global Permissions

Application-by-application permissions are set on the Application Permissions tab of the Role Information dialog for each application by name using the same set of permissions.

Any applications that do not have application-by-application permissions applied fall back to the system-wide permissions, if any system-wide permissions have been set for that role.

Tip:  The Read, Schedule and Modify permissions are linked. If you enable Modify, Schedule and Read will automatically be enabled and cannot be disabled. If you enable Schedule, Read will automatically be enabled and cannot be disabled.

Figure 433: Certificate Store Management - Application Permissions

Application permissions work in conjunction with many other security permissions to control access to certificate store related functionality.

For more information about configuring application-level permissions, see Application Permissions Tab.

Important:  The Edit Metadata, Download with Private Key, Revoke, and Change Owner permissions for certificate stores at either the system-wide or application level apply to operations carried out from the View Inventory subpage of the Certificate Stores page and do not apply to operations on the Certificate Search or collections pages (see Certificate Collection Permissions).

Tip:  See the detailed tip sections of Certificate Operations, Certificate Store Operations and Certificate Store Types for more information regarding which combinations of security permissions are required for various operations.