Security Role Permissions

The Security Permissions that are available to be assigned to security roles within Keyfactor Command are documented in the tables below.

Tip:  Where to find this in the Management Portal:
System Settings → Security Roles & Claims

The access control string security structure permission model was introduced in Keyfactor Command 11.0 and is used when setting security permissions in the Management Portal, with v2 Security Roles Keyfactor APIClosed An API is a set of functions to allow creation of applications. Keyfactor offers the Keyfactor API, which allows third-party software to integrate with the advanced certificate enrollment and management features of Keyfactor Command. endpoints, and with Keyfactor API Permission Set endpoints.

Note:  The legacy security structure is retained for use with the deprecated v1 security roles API endpoints, only (see Legacy Security Structure).

In the new model, permissions are built from access control strings, which are structured to support permission inheritance. Generally speaking, the more you add to an access control string, the less privilege you are granting to a user in that area of the product. For example, the following access control string grants full control to the entire product:

/

Add a certificates level to this, and now you’ve limited this to full control of just functions related to certificates in the product (which would include enrollmentClosed Certificate enrollment refers to the process by which a user requests a digital certificate. The user must submit the request to a certificate authority (CA)., for example):

/certificates/

Add a collections level to this, and now you’ve limited this further to full control of just options that can be found on the Certificates menu item in the Management Portal, including certificates both in collections and found by direct search, certificate import, and certificate collectionClosed The certificate search function allows you to query the Keyfactor Command database for certificates from any available source based on any criteria of the certificates and save the results as a collection that will be availble in other places in the Management Portal (e.g. expiration alerts and certain reports). management:

/certificates/collections/

Add a read to this, and now you’ve limited this to just read for items on the Certificates menu:

/certificates/collections/read/

Add a certificate collection ID to this, and now you’ve locked this down to just read on just the certificates in the certificate collection with ID 5:

/certificates/collections/read/5/

When you apply permissions through the Management Portal, these access control strings are applied for you based on the selections you make in the Role Information dialog when assigning permissions to a role (see Security Role Operations). When you apply permissions through the Keyfactor API using a newer endpointClosed An endpoint is a URL that enables the API to gain access to resources on a server. (e.g., v2 Security Roles endpoints), you need to specify these access control strings.

Access control strings that are shown below with a # refer to a specific granular ID to which permissions should be granted. When used, they must be specified with an integer in place of the #. For example, use:

/certificate_stores/read/4/

To refer to the certificate store application with ID 4, not:

/certificate_stores/read/#/
Note:  Access control strings always begin and end with a /. If you specify an access control string in the Keyfactor API without the leading or trailing slash, it will not be recognized.

Table 41: Agents Security Role Permissions

Note:  The Keyfactor Mac Auto-Enroll Agent was deprecated as of Keyfactor Command version 11. Any Mac Auto-Enrollment tools and configurations in the product should not be used.
Permission Tab Portal Permission API Permission Description
Global Agents /agents/ Users can view and modify orchestrator management and jobs.
Global Agents > Management /agents/management/ Users can view and modify orchestrator management and jobs.
Global Agents > Management > Modify /agents/management/modify/

Users can access the Management Portal areas and API endpoints to:

  • Manage orchestrators, including approving and disapproving them
  • Unschedule and reschedule orchestrator jobs
Global Agents > Management > Read /agents/management/read/

Users can access the Management Portal areas and API endpoints to:

  • View orchestrators, including filtering the orchestrator management grid
  • View orchestrator jobs, including status, schedules, failures and warnings
Global Agents > Management > Mac /agents/management/mac/

This permission has been deprecated and may be removed in a future release.
Global Agents > Management > Mac > Auto-enrollment /agents/management/mac/auto-enrollment/

This permission has been deprecated and may be removed in a future release.
Global Agents > Management > Mac > Auto-enrollment > Management /agents/management/mac/auto-enrollment/management/

This permission has been deprecated and may be removed in a future release.
Global Agents > Management > Mac > Auto-enrollment > Management > Modify /agents/management/mac/auto-enrollment/management/modify/

This permission has been deprecated and may be removed in a future release.
Global Agents > Management > Mac > Auto-enrollment > Management > Read /agents/management/mac/auto-enrollment/management/read/

This permission has been deprecated and may be removed in a future release.

Table 42: Application Settings Security Role Permissions

Permission Tab Portal Permission API Permission Description
Global Application Settings /application_settings/ Users can view and modify the application settings.
Global Application Settings > Modify /application_settings/modify/

Users can modify the application settings.
Global Application Settings > Read /application_settings/read/

Users can view the application settings.

Table 43: Auditing Security Role Permissions v2

Permission Tab Portal Permission API Permission Description
Global Auditing /auditing/ Users can access the Audit Log page in the Management Portal, and will be able to make API requests to obtain data from the audit log (query, etc.).
Global

Auditing > Read

 /auditing/read/

Users can access the Audit Log page in the Management Portal, and will be able to make API requests to obtain data from the audit log (query, etc.).
Note:  This permission was previously bundled together with certificate templateClosed A certificate template defines the policies and rules that a CA uses when a request for a certificate is received. permissions and known as PKIClosed A public key infrastructure (PKI) is a set of roles, policies, and procedures needed to create, manage, distribute, use, store and revoke digital certificates and manage public-key encryption. Management.

Table 44: Certificate Authorities Security Role Permissions

Permission Tab Portal Permission API Permission Description
Global Certificate Authorities > Read /certificate_authorities Users can view and modify certificate authority records. Users can view, test, and modify revocation monitoring settings.
Global

Certificate Authorities > Modify

 /certificate_authorities/modify/

Users can modify certificate authority and revocation monitoring settings to:

  • Import, add, edit, and delete certificate authorities.
  • Configure CA health monitor and threshold alert recipients.
  • Import CAs.

  • Add, edit, delete, and test revocation monitoring endpoints.

    For access in the Management Portal, this also requires the Monitoring > Alerts > Read permission.

  • Configure revocation monitoring schedules and recipients.

    For access in the Management Portal, this also requires the Monitoring > Alerts > Read permission.
Global

Certificate Authorities > Read

 /certificate_authorities/read/

Users can view certificate authority records. Users can view revocation monitoring settings, CA health monitoring and threshold alert recipients and schedules.

Table 45: Certificate Stores Security Role Permissions

See Application Permissions, Certificate Operations, Certificate Store Types and Certificate Store Operations for more information.

Permission Tab Portal Permission API Permission Description
Global Certificate Stores /certificate_stores/ Users can view and manage all certificate stores and add certificates to certificate stores, renew/reissue certificates, and remove certificates from certificate stores for all certificate stores. Users can manage certificate store applications. Users can initiate certificate store discovery jobs and manage the resulting certificate stores.
Global Certificate Stores > Modify /certificate_stores/modify/

Users with the Modify role permission for either Certificate Stores or an application (#) can view the certificate stores grid and the applications grid and use the following operations on these pages (in addition to those available with Read and Schedule permissions):

  • Add (Certificate Stores tab): Add new certificate stores.

  • Edit (Certificate Stores tab): Edit existing certificate stores.

  • Delete (Certificate Stores tab): Delete certificate stores.

  • Set New Password (Certificate Stores tab): For certificate stores with a store password, set a new store password.

  • Assign Application (Certificate Stores tab): Assign a certificate store to a certificate store application.

  • Add (Applications tab): Add a new certificate store application. This permission cannot be granted at the application level.

  • Edit (Application tab): Edit a certificate store application.

  • Delete (Application tab): Delete a certificate store application.

  • Permissions (Application tab): View and modify certificate store application permissions from the applications tab. Keyfactor recommended best practice is to manage permissions as part of the overall permission configuration on the Security Roles and Claims page, as additional system-wide configuration settings are available there that cannot be viewed or modified from this page.

  • Discover tab: View certificate store discover job results on the Discover tab. Schedule discovery jobs. Approved or delete discovered certificate stores. This permission cannot be granted at the application level.

    Important:  Scheduling discovery jobs also requires Agents > Management > Read (see Agents).
Note:  This permission does not control additions of certificates to certificate stores (see Certificate Stores > Schedule and Certificates).
Application Certificate Stores > Modify /certificate_stores/modify/#/

See description above. Users with permissions at only the application level can act only on certificates stores within the specified container. For example:

  • Add (Certificate Stores tab): When a new certificate store is added, only applications on which the user has Modify permissions will appear in the application dropdown and the newly created certificate store must be added to one of these if the user does not have global certificate store management permissions.

  • Edit (Certificate Stores tab): Only certificate stores in applications on which the user has Modify permissions will be editable.

  • Delete (Certificate Stores tab): Only certificate stores in applications on which the user has Modify permissions will be available for deletion.

  • Set New Password (Certificate Stores tab): Only certificate stores in applications on which the user has Modify permissions will be available for password reset.

  • Assign Application (Certificate Stores tab): A certificate store can only be assigned to an application or moved from one application to another if the user has Modify permissions on both the source (if applicable) and target containers.

  • Edit (Application tab): Only applications on which the user has Modify permissions will be available for editing.

  • Delete (Application tab): Only applications on which the user has Modify permissions will be available for deletion.

  • Permissions (Application tab): Only applications on which the user has Modify permissions will be available for permission management.
Global Certificate Stores > Read /certificate_stores/read/

Users with the Read global role permission for either Certificate Stores or a specific application (#) can view the certificate stores grid and the applications grid and use the following operations on these pages:

  • View (Certificate Stores tab): For users without the Modify permission, see a read-only view of the certificate store configuration details.

    Important:  This option also requires Agents > Management > Read (see Agents).

  • View Inventory (Certificate Stores tab): Open a subpage under Certificate Stores to view all certificates found in the certificate store on an inventory job.

  • Query Certificate Store (Certificate Stores tab): Redirect to Certificate Search to view all certificates found in the certificate store on an inventory job. The search is opened in a new tab.

    Important:  This option also requires global Certificates > Read (see Certificates).

  • View (Applications tab): For users without the Modify permission, see a read-only view of the application configuration details.

Users can perform no operations on the certificate stores or applications.
Application

Certificate Stores > Read

 /certificate_stores/read/#/

See description above. Users with permissions at only the application level can act only on certificates stores within the specified application. For example:

  • View (Certificate Stores tab): Only certificate stores in applications on which the user has Read permissions will appear in the certificate stores grid.

  • View Inventory (Certificate Stores tab): Only certificate stores in applications on which the user has Read permissions will appear in the certificate stores grid.

  • Query Certificate Store (Certificate Stores tab): Only certificate stores in applications on which the user has Read permissions will appear in the certificate stores grid.

  • View (Applications tab): Only applications on which the user has Read permissions will appear in the applications grid.
Global Certificate Stores > Schedule /certificate_stores/schedule/

Users with the Schedule and Read role permission for either Certificate Stores or an application (#) can view the certificate stores grid and the applications grid and use the following operations on these pages:

  • ODKG (Certificate Stores tab): For certificate store types that support it, perform a certificate enrollment using on-device key generation (formerly reenrollment).

    Important:  This option also requires CSR enrollment permissions (Certificates > Enrollment > Csr).

  • Schedule Inventory (Certificate Stores tab): On the Certificate Stores tab, set an inventory job for a certificate store.

  • Schedule Inventory (Applications tab): On the Container tab, set an inventory job for am application.

  • Add to Certificate Store (Certificate Search page): On the Certificate Search page or in a certificate collection, add a certificate to the certificate store.

    Important:  To use the add, remove, and renew/reissue certificate options, users must have either global Certificates > Collections > Read or have been granted access to one or more certificate collections via collection-level permissions (see Certificate Collection Permissions).

  • Remove from Certificate Store (Certificate Search page): On the Certificate Search page or in a certificate collection, remove a certificate from the certificate store.

  • Renew/Reissue (Certificate Search page): Renew or reissue a certificate and deliver it to the certificate store.

    Important:  To renew/reissue certificates, users must have Certificates > Enrollment permissions (PFX and/or CSR) and Agents > Management > Read (see Certificates and Agents).
Application

Certificate Stores > Schedule

 /certificate_stores/schedule/#/

See description above. Users with permissions at only the application level can act only on certificates stores within the specified application. For example:

  • ODKG (Certificate Stores tab): Only certificate stores in applications on which the user has Schedule permissions, along with Enroll CSR permissions (see Certificates) will be available for ODKG.

  • Schedule Inventory (Certificate Stores tab): Only certificate stores in applications on which the user has Schedule permissions will be available for scheduling inventory.

  • Schedule Inventory (Applications tab): Only applications on which the user has Schedule permissions will be available for scheduling inventory.

  • Add to Certificate Store (Certificate Search page): Only certificate stores in applications on which the user has Schedule permissions will be available for adding a certificate to in certificate collections or certificate search.

  • Remove from Certificate Store (Certificate Search page): Only certificate stores in applications on which the user has Schedule permissions will be available for removing a certificate from in certificate collections or certificate search.

  • Renew/Reissue (Certificate Search page): Only certificate stores in applications on which the user has Schedule permissions will be available for renewing or reissuing a certificate in certificate collections or certificate search.
Global Certificate Stores > Change Owner /certificate_stores/change_owner/

Users with the Change Owner and Read role permission for either Certificate Stores or an application (#) can change the certificate owner (a security role) assigned to a certificate found in a certificate store from the View Inventory subpage to the Certificate Stores page. Users will only be able to change the owner to a security role of which they are a member (see Change Owner).

Note:  This permission does not apply to operations on the Certificate Search page.
Application

Certificate Stores > Change Owner

 /certificate_stores/change_owner/#/

See description above. Users with permissions at only the application level can act only on certificates in certificates stores within the specified application.
Global Certificate Stores > Private Key Read /certificate_stores/private_key/read/

Users with the Private Key Read and Read role permission for either Certificate Stores or an application (#) can download a certificate found in a certificate store with its private key from the View Inventory subpage to the Certificate Stores page.

Note:  This permission does not apply to operations on the Certificate Search page.
Container

Certificate Stores > Private Key Read

 /certificate_stores/private_key/read/#/

See description above. Users with permissions at only the application level can act only on certificates in certificates stores within the specified application.
Global Certificate Stores > Metadata Modify /certificate_stores/metadata/modify/

Users with the Metadata Modify and Read role permission for either Certificate Stores or an application (#) can edit the metadata fields for a certificate found in a certificate store from the View Inventory subpage to the Certificate Stores page.

Note:  This permission does not apply to operations on the Certificate Search page.
Container

Certificate Stores > Metadata Modify

 /certificate_stores/metadata/modify/#/

See description above. Users with permissions at only the application level can act only on certificates in certificates stores within the specified application.
Global Certificate Stores > Revoke /certificate_stores/revoke/

Users with the Revoke and Read role permission for either Certificate Stores or an application (#) can revoke a certificate found in a certificate store from the View Inventory subpage to the Certificate Stores page.

Note:  This permission does not apply to operations on the Certificate Search page.
Container

Certificate Stores > Revoke

 /certificate_stores/revoke/#/

See description above. Users with permissions at only the application level can act only on certificates in certificates stores within the specified application.
Note:  This permission was previously bundled together with certificate authorityClosed A certificate authority (CA) is an entity that issues digital certificates. Within Keyfactor Command, a CA may be a Microsoft CA or a Keyfactor gateway to a cloud-based or remote CA. permissions and known as PKI Management.

Table 46: Certificate Templates Security Role Permissions

Permission Tab Portal Permission API Permission Description
Global Certificate Templates /certificate_templates/ Users can view and modify certificate template records.
Global

Certificate Templates > Modify

 /certificate_templates/modify/

Users can modify certificate template settings to import, edit, and configure system settings for certificate templates.
Global

Certificate Templates > Read

 /certificate_templates/read/

Users can view certificate template records.

Table 47: Certificates Security Role Permissions

Permission Tab Portal Permission API Permission Description
Global Certificates /certificates/ Users can view, modify, and act upon everything certificate-related, including certificates in collections, certificates found in a search that are not in a collection, certificate import, certificate enrollment, and pending certificate request management.
Global Certificates > Expanded Change Owner /certificates/expanded_change_owner

Users can change the certificate owner to any role within the permission sets of which the acting user is a member. The Change Owner dialog presents a search select dropdown containing all the allowed roles. This list will be disabled if the acting user is not a member of the original certificate owner's security role permission set.

This permission setting overrides the Certificates > Collections > Change Owner permission at both the global and collection levels when both permissions are set.

To utilize the Expanded Change Owner permission, a user must hold at least one security role within a permission set and have either Security or Security > Read permissions on that role in order to access all security roles within the permission set.

For more details, see Change Owner.
Global Certificates > Import /certificates/import/

Users can import certificates using the Management Portal Add Certificate page or the Keyfactor API POST /Certificates/Import method. Users who also have Read permissions for Certificate Store Management or application permissions can add certificates to certificate stores from Add Certificate.

Note:  This permission was controlled at the global certificate collection level in previous versions of Keyfactor Command, but has moved to a higher level separate from collections.
Global

Certificates > Requests Manage

 /certificates/requests/manage/

Users can use the Pending CSRs page in the Management Portal and the equivalent API functions.
Global Certificates > Excluded Certificates > Read /certificates/excluded_certificates/read Users can view certificates that have been marked to be deleted and excluded from Keyfactor Command on the Excluded Certificates page (see Excluded Certificates).
Global Certificates > Enrollment /certificates/enrollment/ Users can use all the enrollment-related functions, including CSR generation, CSR enrollment, and PFX enrollment.
Global

Certificates > Enrollment > Csr

 /certificates/enrollment/csr/

Users can use the CSR Enrollment page in the Management Portal and the equivalent API functions.
Global

Certificates > Enrollment > Csr Generation

 /certificates/enrollment/csr_generation/

Users can use the CSR Generation page in the Management Portal and the equivalent API functions.
Global

Certificates > Enrollment > Pfx

 /certificates/enrollment/pfx/

Users can use the PFX Enrollment page in the Management Portal and the equivalent API functions.
Global Certificates > Collections /certificates/collections/modify Users can view, modify, and act upon certificate-related functions including certificates in collections and certificates found in a search that are not in a collection.
Global Certificates > Change Owner /certificates/change_owner Users can change the certificate owner (a security role) assigned to any certificate (see Change Owner). Users will only be able to change the owner to a security role of which they are a member (see Change Owner).
Collection Certificates > Change Owner /certificates/change_owner/#/ Users can change the certificate owner assigned to certificates in the specified certificate collection. Users will only be able to change the owner to a security role of which they are a member (see Change Owner).
Global Certificates > Delete And Exclude /certificates/delete_and_exclude

Users can delete AND exclude certificates and, if applicable, the private keys of the certificates, which will permanently delete a certificate from the Keyfactor Command database, excluding it from all product functionality. Excluded Certificates.
Collection Certificates > Delete And Exclude /certificates/delete_and_exclude/#

Users can delete AND exclude certificates and, if applicable, the private keys of the certificates for any certificates in the specified certificate collection, which will permanently delete a certificate from the Keyfactor Command database, excluding it from all product functionality.Excluded Certificates.

Important:  Deletion of a certificate from a collection for which a user has permission will also delete it from collections for which the user does not have permissions.
Global Certificates > Delete /certificates/delete/

Users can delete certificates (but not exclude) and, if applicable, the private keys of the certificates from the Keyfactor Command database for any certificates.

Only users with both delete, and delete and exclude permissions will be able to delete certificates with or without excluding them.
Collection Certificates > Delete /certificates/delete/#/

Users can delete certificates and, if applicable, the private keys of the certificates from the Keyfactor Command database for certificates in the specified certificate collection.

Only users with both delete, and delete and exclude permissions will be able to delete certificates with or without excluding them.
Global

Certificates > Metadata Modify

 /certificates/metadata/modify/ Users can modify certificate metadata for certificates in the Certificate Details dialog (only information on the metadata tab can be edited) and the equivalent API functions for any certificates (see Certificate Details).
Collection

Certificates > Metadata Modify

 /certificates/metadata/modify/#/

Users can modify certificate metadata for certificates in the Certificate Details dialog (only information on the metadata tab can be edited) and the equivalent API functions for certificates in the specified certificate collection (see Certificate Details).
Global Certificates > Modify /certificates/modify/

Users can add or edit certificate collections. See Certificate Collection Permissions for more information.

Note:  This permission cannot be applied at the certificate collection level.
Global Certificates > Private Key Import /certificates/private_key/import/

Users can save the private key for the certificate in the Keyfactor Command database.

Users with this role can add a certificate with an associated private key through the Add Certificate option under the Certificate Locations menu (see Add Certificate) and the private key will be stored in the Keyfactor Command database. Users must also be granted the Import role in order to be able to use the Add Certificate feature.

Note:  This permission cannot be applied at the certificate collection level.
Global

Certificates > Download with Private Key

 /certificates/private_key/read/ Users can download a certificate with its private key for any certificate.
Collection

Certificates > Private Key Read

 /certificates/private_key/read/#/ Users can download a certificate with its private key for certificates in the specified certificate collection.
Global Certificates > Read /certificates/read/

Users can view any certificates, including certificate history, and can download certificates.

Users who also have Read permissions for Certificate Store Management or certificate store container permissions can add certificates to certificate stores from Certificate Search and Certificate Collections.

The certificate operations possibly available to users with this permission are:

  • Add to Certificate Store (Also requires the Certificate Stores > Schedule permission at either the global or container level)
  • Display
  • Download
  • Get CSV
  • Identity Audit (Also requires the Security > Read permission)
  • Include Revoked checkbox
  • Include Expired checkbox
  • Renew (Also requires the Certificates > Enrollment > Pfx permission and Certificate Stores > Schedule permission at either the global or container level)
  • Remove from Certificate Store (Also requires the Certificate Stores > Schedule permission at either the global or container level)

Users with global Read role permissions can browse to Certificate Search in the Management Portal and view all saved certificate collections. They can view any certificate in the Keyfactor Command database and are not limited to just those returned by select collections. Users with this permission can view the certificates returned by searches and open the details of the certificates.
Collection

Certificates > Read

 /certificates/read/#/

Users can view certificates in the specified certificate collection, including certificate history, and can download certificates. Users who also have Read permissions for Certificate Store Management or certificate store application permissions can add the certificates in the collection to certificate stores from Certificate Search and Certificate Collections.

The certificate operations possibly available to users with this permission are:

  • Add to Certificate Store (Also requires the Certificate Stores > Schedule permission at either the global or application level)
  • Display
  • Download
  • Get CSV
  • Identity Audit (Also requires the Security > Read permission)
  • Include Revoked checkbox
  • Include Expired checkbox
  • Renew (Also requires the Certificates > Enrollment > Pfx permission and Certificate Stores > Schedule permission at either the global or application level)
  • Remove from Certificate Store (Also requires the Certificate Stores > Schedule permission at either the global or application level)

Users with collection-level Read role permissions on a collection will see the collections to which they have been granted access appear on the Certificate Collections menu (if they have been configured to appear on the menu—see Certificate Collection Management). The users will be able to view all the certificates in the collections and open the details of the certificates.
Global Certificates > Revoke /certificates/revoke/

Users can revoke any certificates through Keyfactor Command. This includes certificates that have been issued by a Microsoft or EJBCA CA configured for synchronization or by a cloud-based certificate vendor that is managed via a Keyfactor certificate gateway.

Important:  In order to successfully revoke certificates, the service account under which the Keyfactor Command application pool is running must be granted Issue and Manage Certificates and Manage CA permissions to the CA database as per Create Groups to Control Access to Keyfactor Command Features, or, if delegation is configured for the CA, the user executing the revoke must have the Issue and Manage Certificate permissions while the application pool service account has the Manage CA permissions. If you are using explicit credentials to authenticate your CA (DCOM CAs - Authentication Method Tab), it is the user specified on the CA configuration in Keyfactor Command who must have permissions on the CA.
Collection Certificates > Revoke /certificates/revoke/#/

Users can revoke certificates in the specified certificate collection through Keyfactor Command. This includes certificates that have been issued by a Microsoft or EJBCA CA configured for synchronization or by a cloud-based certificate vendor that is managed via a Keyfactor certificate gateway.

Important:  In order to successfully revoke certificates, the service account under which the Keyfactor Command application pool is running must be granted Issue and Manage Certificates and Manage CA permissions to the CA database as per Create Groups to Control Access to Keyfactor Command Features, or, if delegation is configured for the CA, the user executing the revoke must have the Issue and Manage Certificate permissions while the application pool service account has the Manage CA permissions. If you are using explicit credentials to authenticate your CA (DCOM CAs - Authentication Method Tab), it is the user specified on the CA configuration in Keyfactor Command who must have permissions on the CA.

Table 48: Dashboard Security Role Permissions

Permission Tab Portal Permission API Permission Description
Global Dashboard /dashboard/ Users have full legacy dashboard permissions.
Global

Dashboard > Read

 /dashboard/read/

Users can view the panels on their personalized legacy dashboard.
Global Dashboard > Risk Header /dashboard/risk_header/ Users can view the risk header at the top of the legacy dashboard.
Global Dashboard > Risk Header > Read /dashboard/risk_header/read/ Users can view the risk header at the top of the legacy dashboard.

Table 49: Enrollment Pattern Security Role Permissions

Permission Tab Portal Permission API Permission Description
Global Enrollment Pattern /enrollment_pattern/ Users can view and modify the enrollment pattern settings.
Global

Enrollment Pattern > Read

 /enrollment_pattern/read/

Users can view the enrollment pattern settings.
Global Enrollment Pattern > Modify /enrollment_pattern/write/ Users can modify the enrollment pattern settings.

Table 50: Identity Providers Security Role Permissions

Permission Tab Portal Permission API Permission Description
Global Identity Providers /identity_providers/ Users can view and modify the identity provider settings for identity providers.
Global Identity Providers > Modify /identity_providers/modify/ Users can modify the identity provider settings for identity providers.
Global Identity Providers > Read /identity_providers/read/ Users can view the identity provider settings for identity providers.

Table 51: Certificate Metadata Types Security Role Permissions

Permission Tab Portal Permission API Permission Description
Global Metadata /metadata/ Users can view and modify custom metadata attribute definitions.
Global Metadata > Types /metadata/types/ Users can view and modify custom metadata attribute definitions.
Global

Metadata > Types > Modify

 /metadata/types/modify/

Users can add, edit, and delete custom metadata attribute definitions on the Certificate Metadata page in the Management Portal and the equivalent API functions.
Global

Metadata > Types > Read

 /metadata/types/read/

Users can view custom metadata attribute definitions on the Certificate Metadata page in the Management Portal and the equivalent API functions.

Table 52: Monitoring Security Role Permissions

Permission Tab Portal Permission API Permission Description
Global Monitoring /monitoring/ Users can view, modify, and test the pending, issued, and denied certificate request alerts and the event handler registration settings.
Global Monitoring > Alerts /monitoring/alerts/ Users can view, modify, and test the pending, issued, and denied certificate request alerts.
Global

Monitoring > Alerts > Modify

 /monitoring/alerts/modify/

Users can modify the pending, issued, and denied certificate request alerts, including the alert text, recipients, and event handlers. Users can also add new alerts, delete alerts, and configure the pending alert delivery schedule.
Global

Monitoring > Alerts > Read

 /monitoring/alerts/read/

Users can view the pending, issued, and denied certificate request alerts.
Global Monitoring > Alerts > Schedule /monitoring/alerts/schedule/

Users can schedule the revocation monitoring alerts.

Tip:  To allow the revocation monitoring alerts page to appear in the Keyfactor Command Management Portal, users also require Read permissions for Certificate Authorities.
Global Monitoring > Alerts > Schedule > Revocation /monitoring/alerts/schedule/revocation/

Users can schedule the revocation monitoring alerts.

Tip:  To allow the revocation monitoring alerts page to appear in the Keyfactor Command Management Portal, users also require Read permissions for Certificate Authorities.
Global Monitoring > Alerts > Test /monitoring/alerts/test/

Users can test the pending certificate request alerts, including sending email to recipients. Users must also have Read permissions for Alerts.
Global Monitoring > Handlers /monitoring/handlers/ Users can view and modify the event handler registration settings.
Global Monitoring > Handlers > Registration /monitoring/handlers/registration/ Users can view and modify the event handler registration settings.
Global

Monitoring > Handlers > Registration > Modify

 /monitoring/handlers/registration/modify/

Users can modify the event handler registration settings.
Global

Monitoring > Handlers > Registration > Read

 /monitoring/handlers/registration/read/

Users can view the event handler registration settings.

Table 53: Privileged Access Management Security Role Permissions

Permission Tab Portal Permission API Permission Description
Global Pam /pam/ Users can view and modify any PAM provider.
Global Pam > Modify /pam/modify/ Users can add, edit, and delete any PAM provider.
PAM Provider

Pam > Modify

 /pam/modify/#/

Users can add, edit, and delete the specified PAM provider.
Global Pam > Read /pam/read/ Users can view any PAM provider.

Users can select any PAM providers to provide credentials within Keyfactor Command for:

  • Certificate Stores

  • Certificate Authorities

  • Workflow Definitions
PAM Provider

Pam > Read

 /pam/read/#/

Users can view or select the specified PAM provider.

Table 54: Management Portal Security Role Permissions

Permission Tab Portal Permission API Permission Description
Global Portal /portal/ Users can access the Management Portal.
Global

Portal > Read

 /portal/read/

Users can access the Management Portal. This permission must be enabled for all roles that will access the Management Portal.

Table 55: Reports Security Role Permissions

Permission Tab Portal Permission API Permission Description
Global Reports /reports/ Users can generate, view, and modify the delivery schedule for reports. Users can add, edit, and delete custom reports.
Global

Reports > Modify

 /reports/modify/

Users can modify the delivery schedule for reports in Report Manager in the Management Portal and the equivalent API functions and add, edit, and delete custom reports.

Note:   Report scheduling is limited by collection permissions. Users in roles that have Reports > Read and Modify permissions will also need to have either global certificate Read permissions or Read collection permissions on individual collections to have the ability to add, edit, and delete schedules associated with collections. The user will not have access to add, edit, and delete schedules for any collections for which they do not have collection Read permissions in addition to Reports permissions if permissions are granted at a collection-by-collection level rather than globally.
Global

Reports > Read

 /reports/read/

Users can generate and view reports.

Table 56: Scripts Security Role Permissions

Permission Tab Portal Permission API Permission Description
Global Scripts /scripts/ Users can view and modify scripts used in alert event handlers and workflows.
Global

Scripts > Modify

 /scripts/modify/

Users can add, edit, and delete scripts used in alert event handlers and workflows.
Global

Scripts > Read

 /scripts/read/

Users can view scripts used in alert event handlers and workflows.
Note:  Users can only edit security settings on security roles that are in a permission set to which they have been mapped. In some environments, there is only one permission set to which all users are mapped. Other environments may have implemented a more privileged access model with multiple permission sets. For more information on permission sets, see Permission Sets.

Table 57: Security Settings Security Role Permissions

Permission Tab Portal Permission API Permission Description
Global Security /security/ Users can view and modify the settings for Security Roles and Security Claims.
Global

Security > Modify

 /security/modify/

Users can modify the settings for Security Roles and Security Claims.
Global

Security > Read

 /security/read/

Users can view the settings for Security Roles and Security Claims. Users must also have the Read permission for System Settings to access this in the Management Portal.

Table 58: SSH Security Role Permissions

Permission Tab Portal Permission API Permission Description
Global Ssh /ssh/ Users can use all SSH functions.
Global Ssh > Enterprise Admin /ssh/enterprise_admin/ Users can use all SSH functions.
Global

Ssh > Server Admin

 /ssh/server_admin/

Users can use all SSH functions, except creating server groups and assigning server group owners. Users have limited access to some functions based on server group ownership.
Global

Ssh > User

 /ssh/user/

Users can generate their own SSH keys.

Table 59: SSL Management Security Role Permissions

Permission Tab Portal Permission API Permission Description
Global Ssl /ssl/ Users can view and modify the SSL Discovery settings.
Global

Ssl > Modify

 /ssl/modify/

Users can modify the SSL Discovery settings:

  • Create, edit, and delete networks, including scan schedules and notification recipients
  • Add, edit, and delete network ranges for networks
  • Add, edit, and delete agent pools
  • Add and remove discovered endpoints from monitoring
Global

Ssl > Read

 /ssl/read/

Users can view the SSL Discovery pages in the Management Portal and the equivalent API functions, including defined networks and the network ranges configured for them, agent pools, and scan results. Users can use the query tool on the Results tab to find discovered endpoints and then view the discovered endpoints, including the details for the endpoints.
Note:  Users can only edit security settings on security roles that are in a permission set to which they have been mapped. In some environments, there is only one permission set to which all users are mapped. Other environments may have implemented a more privileged access model with multiple permission sets. For more information on permission sets, see Permission Sets.

Table 60: System Settings Permissions

Permission Tab Portal Permission API Permission Description
Global System Settings /system_settings/

Users can modify the System Settings for:

  • Update SMTP Configuration for email delivery of reports and alerts

  • Installed components, including removing servers from use

  • Licensing, including the option to replace the existing license file

Global

System Settings > Modify

 /system_settings/modify/

Users can modify the System Settings for:

  • Update SMTP Configuration for email delivery of reports and alerts

  • Installed components, including removing servers from use

  • Licensing, including the option to replace the existing license file
Global

System Settings > Read

 /system_settings/read/

Users can view the System Settings for:

  • SMTP Configuration for email delivery of reports and alerts

  • Installed components

  • Licensing

  • General Alerts and Warnings about the health of the Keyfactor Command system (not related to a specific area of the product)

Table 61: Workflows Security Role Permissions

Permission Tab Portal Permission API Permission Description
Global Workflows /workflows/ Users can view and modify the configured workflow definitions and view and manage all initiated workflow instances.
Global Workflows > Definitions /workflows/definitions/ Users can view and modify the configured workflow definitions.
Global

Workflows > Definitions > Modify

 /workflows/definitions/modify/

Users can modify both the built-in and any custom workflow definitions, including the name and description and the configuration for the steps. Users can also add new workflow definitions, delete workflow definitions, publish workflow definitions, and import and export workflow definitions.
Global

Workflows > Definitions > Read

 /workflows/definitions/read/

Users can view the configured workflow definitions.
Global Workflows > Instances /workflows/instances/ Users can view and manage all initiated workflow instances.
Global Workflows > Instances > Manage /workflows/instances/manage/

Users can manage initiated workflow instances, including stopping, restarting, and deleting them.
Global

Workflows > Instances > Read

 /workflows/instances/read/

Users can view all the workflow instances that have been initiated.
Global Workflows > Instances > Read > Mine /workflows/instances/read/mine/

Users can view the workflow instances that have been initiated by them (e.g., because they enrolled for a certificate).
Global

Workflows > Instances > Read > Pending

 /workflows/instances/read/pending/

Users can view the workflow instances that have been initiated and are awaiting input from them.

Tip:  There is not a security permission at this level that controls whether users can provide input (a signal) to a workflow instance. This is controlled using the security roles configured on the specific workflow definition. Any user who holds one of the roles configured in the workflow step that requires a signal may provide the necessary input. The user does not need to hold the Workflows > Instances > Read > Pending permission in order to provide the input.