Security Role Permissions

Agent Auto-Registration

Table 27: Agent Auto-Registration Security Role Permissions

UI Permission	API Permission	Description
Read	AgentAutoRegistration: Read	Users can view the orchestrator Keyfactor orchestrators perform a variety of functions, including managing certificate stores and SSH key stores. auto-registration settings; users must also have Read permissions for Agent Management to access this page in the Management Portal.
Modify	AgentAutoRegistration: Modify	Users can modify the orchestrator auto-registration settings.

Agent Management

Table 28: Agent Management Security Role Permissions

UI Permission	API Permission	Description
Read	AgentManagement: Read	Users can: View orchestrators, including filtering the Orchestrator Management grid View orchestrator jobs, including status, schedules, failures and warnings
Modify	AgentManagement: Modify	Users can: Manage orchestrators, including approving and disapproving them Unschedule and reschedule orchestrator jobs

UI Permission

API Permission

Description

Read

AgentManagement: Read

Users can:

View orchestrators, including filtering the Orchestrator Management grid
View orchestrator jobs, including status, schedules, failures and warnings

Modify

AgentManagement: Modify

Users can:

Manage orchestrators, including approving and disapproving them
Unschedule and reschedule orchestrator jobs

Alerts

Table 29: Alerts Security Role Permissions

UI Permission	API Permission	Description
Read	WorkflowManagement: Read	Users can view the pending, issued, and denied workflow A workflow is a series of steps necessary to complete a process. In the context of Keyfactor Command, it refers to the workflow builder, which allows you automate event-driven tasks when a certificate is requested or revoked. alerts.
Modify	WorkflowManagement: Modify	Users can modify the pending, issued, and denied workflow alerts, including the alert text, recipients, and event handlers. Users can also add new alerts, delete alerts, and configure the pending alert delivery schedule.
Test	WorkflowManagement: Test	Users can test the pending alerts, including sending email to recipients. Users must also have Read permissions for Alerts.

API

Table 30: API Security Role Permissions

UI Permission	API Permission	Description
Read	API A set of functions to allow creation of applications. Keyfactor offers the Keyfactor API, which allows third-party software to integrate with the advanced certificate enrollment and management features of Keyfactor Command.: Read	Users can call the Classic (CMS) API endpoints. This permission is not needed to use the Keyfactor API endpoints.

Application Settings

Table 31: Application Settings Security Role Permissions

UI Permission	API Permission	Description
Read	ApplicationSettings: Read	Users can view the application settings.
Modify	ApplicationSettings: Modify	Users can modify the application settings.

Auditing

Table 32: Auditing Security Role Permissions

UI Permission	API Permission	Description
Read	Auditing: Read	Users can access the Audit Log page in the Management Portal, and will be able to make API requests to obtain data from the audit log (query, etc.). The System Settings dropdown menu will display the Audit Log option to users with the Auditing Read permission.

Certificate Collections

Table 33: Certificate Collections Security Role Permissions

UI Permission	API Permission	Description
Modify	CertificateCollections: Modify	Users can add or edit Certificate Collections. See Certificate Permissions for more information.

Certificate Enrollment

Table 34: Certificate Enrollment Security Role Permissions

UI Permission	API Permission	Description
Enroll PFX A PFX file (personal information exchange format), also known as a PKCS#12 archive, is a single, password-protected certificate archive that contains both the public and matching private key and, optionally, the certificate chain. It is a common format for Windows servers.	CertificateEnrollment: EnrollPFX	Users can use the PFX Enrollment Certificate enrollment refers to the process by which a user requests a digital certificate. The user must submit the request to a certificate authority (CA). page in the Management Portal and the equivalent API functions.
Enroll CSR A CSR or certificate signing request is a block of encoded text that is submitted to a CA when enrolling for a certificate. When you generate a CSR within Keyfactor Command, the matching private key for it is stored in Keyfactor Command in encrypted format and will be married with the certificate once returned from the CA.	CertificateEnrollment: EnrollCSR	Users can use the CSR Enrollment page in the Management Portal and the equivalent API functions.
CSR Generation	CertificateEnrollment: CsrGeneration	Users can use the CSR Generation page in the Management Portal and the equivalent API functions.
Manage Pending CSRs	CertificateEnrollment: PendingCsr	Users can use the Pending CSRs page in the Management Portal and the equivalent API functions.

Certificate Metadata Types

Table 35: Certificate Metadata Types Security Role Permissions

UI Permission	API Permission	Description
Read	CertificateMetadataTypes: Read	Users can read custom metadata Metadata provides information about a piece of data. It is used to summarize basic information about data, which can make working with the data easier. In the context of Keyfactor Command, the certificate metadata feature allows you to create custom metadata fields that allow you to tag certificates with tracking information about certificates. attribute definitions on the Certificate Metadata page in the Management Portal and the equivalent API functions.
Modify	CertificateMetadataTypes: Modify	Users can add, edit, and delete custom metadata attribute definitions on the Certificate Metadata page in the Management Portal and the equivalent API functions.

Certificate Requests

Table 36: Certificate Requests Security Role Permissions

UI Permission	API Permission	Description
Manage	WorkflowManagement: Participate	Users can participate in the pending, issued, and denied alerts by approving or denying certificate requests from the Certificate Requests page, from the individual pages reached from links included in alerts, or using the Keyfactor API /Workflow/Certificates endpoints. Note: In previous versions of Keyfactor Command, this permission was Workflow Management: Participate.

Certificate Store Management

Table 37: Certificate Store Management Security Role Permissions

See Container Permissions, Certificate Operations, Certificate Store Types and Certificate Store Operations for more information.

UI Permission	API Permission	Description
Read	CertificateStoreManagement: Read	Users can view the certificate stores and containers tabs on the Locations > Certificate Stores menu, and view certificate store types.
Schedule	CertificateStoreManagement: Schedule	Users can add certificates to certificate stores, renew/reissue certificates, schedule and remove certificates from certificate stores.
Modify	CertificateStoreManagement: Modify	Users can manage all operations regarding certificate stores—including the stores, containers, and discovery process—and certificate store types.

Certificates

Table 38: Certificates Security Role Permissions

UI Permission	API Permission	Description
Read	Certificates: Read	Users can view certificates, including certificate history, and can download certificates. Users who also have Read permissions for Certificate Store Management or container permissions can add certificates to certificate stores from Certificate Search and Certificate Collections. See Certificate Permissions for more information.
Edit Metadata	Certificates: EditMetadata	Users can modify certificate metadata for certificates accessed through Certificate Search and Certificate Collections in the Management Portal and the equivalent API functions..
Import	Certificates: Import	Users can import certificates using the Management Portal Add Certificate page or the Keyfactor API POST /Certificates/Import method. Users who also have Read permissions for Certificate Store Management or container permissions can add certificates to certificate stores from Add Certificate.
Download with Private Key Private keys are used in cryptography (symmetric and asymmetric) to encrypt or sign content. In asymmetric cryptography, they are used together in a key pair with a public key. The private or secret key is retained by the key's creator, making it highly secure.	Certificates: Recover	Users can download the certificates with their private key.
Revoke	Certificates: Revoke	Users can revoke certificates through Keyfactor Command.
Delete	Certificates: Delete	Users can delete certificates and, if applicable, the private keys of the certificates from the Keyfactor Command database.
Import Private Key	Certificates: ImportPrivateKey	Users can save the private key for the certificate in the Keyfactor Command database.

Dashboard

Table 39: Dashboard Security Role Permissions

UI Permission	API Permission	Description
Read	Dashboard: Read	Users can view the panels on their personalized dashboard and add and remove them.
Risk Header	Dashboard: RiskHeader	Users can view the risk header at the top of the dashboard.

Event Handler Registration

Table 40: Event Handler Registration Security Role Permissions

UI Permission	API Permission	Description
Read	EventHandlerRegistration: Read	Users can view the event handler registration settings.
Modify	EventHandlerRegistration: Modify	Users can modify the event handler registration settings.

Mac Auto-Enroll Management

Table 41: Mac Auto-Enroll Management Security Role Permissions

UI Permission	API Permission	Description
Read	MacAutoEnrollManagement: Read	Users can view the Mac Auto-Enroll Management settings.
Modify	MacAutoEnrollManagement: Modify	Users can modify the Mac Auto-Enroll Management settings.

Management Portal

Table 42: Management Portal Security Role Permissions

UI Permission	API Permission	Description
Read	AdminPortal: Read	Users can access the Management Portal. This permission must be enabled for all roles that will access the Management Portal.

Monitoring

Table 43: Monitoring Security Role Permissions

UI Permission	API Permission	Description
Read	Monitoring: Read	Users can view the expiration alerts in the Certificate Alerts in the Management Portal and the equivalent API functions, including the alert schedule.
Modify	Monitoring: Modify	Users can modify the expiration alerts, including the alert text, recipients and event handlers. Users can also add new alerts, delete alerts and configure the expiration alert delivery schedule.
Test	Monitoring: Test	Users can test the expiration alerts, including sending email to recipients. Users must also have Read permissions for Monitoring to access this in the Management Portal.

PKI Management

Table 44: PKI Management Security Role Permissions

UI Permission	API Permission	Description
Read	PkiManagement: Read	Users can view PKI A public key infrastructure (PKI) is a set of roles, policies, and procedures needed to create, manage, distribute, use, store and revoke digital certificates and manage public-key encryption. management settings within: Certificate Authorities Certificate Templates Revocation Monitoring
Modify	PkiManagement: Modify	Users can modify PKI management settings to: Import, add, edit, and delete certificate authorities Import and edit certificate templates Add, edit, delete, and test revocation monitoring endpoints Configure revocation monitoring schedule Configure revocation monitoring recipients

UI Permission

API Permission

Description

Read

PkiManagement: Read

Users can view PKI A public key infrastructure (PKI) is a set of roles, policies, and procedures needed to create, manage, distribute, use, store and revoke digital certificates and manage public-key encryption. management settings within:

Certificate Authorities
Certificate Templates
Revocation Monitoring

Modify

PkiManagement: Modify

Users can modify PKI management settings to:

Import, add, edit, and delete certificate authorities
Import and edit certificate templates
Add, edit, delete, and test revocation monitoring endpoints
Configure revocation monitoring schedule
Configure revocation monitoring recipients

Privileged Access Management

Table 45: Privileged Access Management Security Role Permissions

UI Permission	API Permission	Description
Read	PrivilegedAccessManagement: Read	Users can view PAM providers.
Modify	PrivilegedAccessManagement: Modify	Users can add, edit, and delete PAM providers.

Reports

Table 46: Reports Security Role Permissions

UI Permission	API Permission	Description
Read	Reports: Read	Users can generate and view reports.
Modify	Reports: Modify	Users can modify the delivery schedule for reports in Report Manager in the Management Portal and the equivalent API functions and add, edit, and delete custom reports. Note: Report scheduling is limited by collection The certificate search function allows you to query the Keyfactor Command database for certificates from any available source based on any criteria of the certificates and save the results as a collection that will be availble in other places in the Management Portal (e.g. expiration alerts and certain reports). permissions. Users in roles that have Reports: Read and Modify permissions will also need to have Read collection permissions on individual collections to have the ability to add, edit, and delete schedules associated with collections. The user will not have access to add, edit, and delete schedules for any collections for which they do not have collection Read permissions in addition to Reports permissions.

Security Settings

Table 47: Security Settings Security Role Permissions

UI Permission	API Permission	Description
Read	SecuritySettings: Read	Users can view the settings for Security Roles and Security Identities. Users must also have the Read permission for System Settings to access this in the Management Portal.
Modify	SecuritySettings: Modify	Users can modify the settings for Security Roles and Security Identities.

SSH

Table 48: SSH Security Role Permissions

UI Permission	API Permission	Description
User	SSH The SSH (secure shell) protocol provides for secure connections between computers. It provides several options for authentication, including public key, and protects the communications with strong encryption.: User	Users can generate their own SSH keys.
Server Admin	SSH: ServerAdmin	Users can use all SSH functions, except creating server groups and assigning server group owners. Users have limited access to some functions based on server group ownership (see SSH Permissions).
Enterprise Admin	SSH: EnterpriseAdmin	Users can use all SSH functions (see SSH Permissions).

SSL Management

Table 49: SSL Management Security Role Permissions

UI Permission	API Permission	Description
Read	SslManagement: Read	Users can view the SSL TLS (Transport Layer Security) and its predecessor SSL (Secure Sockets Layer) are protocols for establishing authenticated and encrypted links between networked computers. Discovery pages in the Management Portal and the equivalent API functions, including defined networks and the network ranges configured for them, agent pools, and scan results. Users can use the query tool on the Results tab to find discovered endpoints and then view the discovered endpoints, including the details for the endpoints.
Modify	SslManagement: Modify	Users can modify the SSL Discovery settings: Create, edit, and delete networks, including scan schedules and notification recipients Add, edit, and delete network ranges for networks Add, edit, and delete agent pools Add and remove discovered endpoints from monitoring

UI Permission

API Permission

Description

Read

SslManagement: Read

Users can view the SSL TLS (Transport Layer Security) and its predecessor SSL (Secure Sockets Layer) are protocols for establishing authenticated and encrypted links between networked computers. Discovery pages in the Management Portal and the equivalent API functions, including defined networks and the network ranges configured for them, agent pools, and scan results. Users can use the query tool on the Results tab to find discovered endpoints and then view the discovered endpoints, including the details for the endpoints.

Modify

SslManagement: Modify

Users can modify the SSL Discovery settings:

Create, edit, and delete networks, including scan schedules and notification recipients
Add, edit, and delete network ranges for networks
Add, edit, and delete agent pools
Add and remove discovered endpoints from monitoring

System Settings

Table 50: System Settings Security Role Permissions

UI Permission	API Permission	Description
Read	SystemSettings: Read	Users can view the orchestrator auto-registration settings; users must also have Read permissions for Agent Management to access this in the Management Portal. Users can view the System Settings for: SMTP Short for simple mail transfer protocol, SMTP is a protocol for sending email messages between servers. Configuration for email delivery of reports and alerts Installed components Licensing General Alerts and Warnings about the health of the Keyfactor Command system (not related to a specific area of the product)
Modify	SystemSettings: Modify	Users can modify the System Settings for: Update SMTP Configuration for email delivery of reports and alerts Installed components, including removing servers from use Licensing, including the option to replace the existing license file

UI Permission

API Permission

Description

Read

SystemSettings: Read

Users can view the orchestrator auto-registration settings; users must also have Read permissions for Agent Management to access this in the Management Portal. Users can view the System Settings for:

SMTP Short for simple mail transfer protocol, SMTP is a protocol for sending email messages between servers. Configuration for email delivery of reports and alerts
Installed components
Licensing
General Alerts and Warnings about the health of the Keyfactor Command system (not related to a specific area of the product)

Modify

SystemSettings: Modify

Users can modify the System Settings for:

Update SMTP Configuration for email delivery of reports and alerts
Installed components, including removing servers from use
Licensing, including the option to replace the existing license file

Workflow Definitions

Table 51: Workflow Definitions Security Role Permissions

UI Permission	API Permission	Description
Read	WorkflowDefinitions: Read	Users can view the configured workflow definitions.
Modify	WorkflowDefinitions: Modify	Users can modify both the built-in and any custom workflow definitions, including the name and description and the configuration for the steps. Users can also add new workflow definitions, delete workflow definitions, publish workflow definitions, and import and export workflow definitions.

Workflow Instances

Table 52: Workflow Instances Security Role Permissions

UI Permission	API Permission	Description
ReadAll	WorkflowInstances: ReadAll	Users can view all the workflow instances that have been initiated.
Read - Assigned To Me	WorkflowInstances: ReadAssignedToMe	Users can view the workflow instances that have been initiated and are awaiting input from them. Tip: There is not a security permission at this level that controls whether users can provide input (a signal) to a workflow instance. This is controlled using the security roles configured on the specific workflow definition. Any user who holds one of the roles configured in the workflow step that requires a signal may provide the necessary input. The user does not need to hold the Read - Assigned To Me Workflow Instances permission in order to provide the input.
Read - Started By Me	WorkflowInstances: ReadMy	Users can view the workflow instances that have been initiated by them (e.g. because they enrolled for a certificate).
Manage	WorkflowInstances: Manage	Users can manage initiated workflow instances, including stopping, restarting, and deleting them.

Security Role Permissions

Products

Solutions

Resources

Company