AdminPortal (a.k.a. Management Portal)
|
Read
|
Users can access the Management Portal. This permission must be enabled for all roles that will access the Management Portal.
|
AgentAutoRegistration
|
Read
|
Users can view the agent auto-registration settings; Users must also have Read permissions for Agent Management.
|
AgentAutoRegistration
|
Modify
|
Users can modify the agent auto-registration settings.
|
AgentManagement
|
Read
|
Users can access the Management Portal areas and API endpoints to:
- View orchestrators, including filtering the orchestrator management grid
- View orchestrator jobs, including status, schedules, failures and warnings
|
AgentManagement
|
Modify
|
Users can access the Management Portal areas and API endpoints to:
- Manage orchestrators, including approving and disapproving them
- Unschedule and reschedule orchestrator jobs
|
API
|
Read
|
Users can call the Classic (CMS) API endpoints.
|
ApplicationSettings |
Read |
Users can view the application settings. |
ApplicationSettings |
Modify |
Users can modify the application settings. |
Auditing |
Read |
Users can access the Audit Log page in the Management Portal, and will be able to make API requests to obtain data from the audit log (query, etc.). The System Settings drop-down menu will display the Audit Log option to users with the Auditing Read permission. |
CertificateCollections
|
Modify
|
Users can add or edit certificate collections.
See Certificate Permissions in the Keyfactor Command Reference Guide for more information.
|
CertificateEnrollment
|
EnrollPFX
|
Users can use the PFX Enrollment page in the Management Portal and use the PFX enrollment related API endpoints.
|
CertificateEnrollment
|
EnrollCSR
|
Users can use the CSR Enrollment page in the Management Portal and use the CSR enrollment related API endpoints.
|
CertificateEnrollment
|
CsrGeneration
|
Users can use the CSR Generation page in the Management Portal and use the CSR generation related API endpoints.
|
CertificateEnrollment
|
PendingCsr
|
Users can use manage pending CSRs.
|
CertificateMetadataTypes
|
Read
|
Users can read custom metadata attribute definitions on the Certificate Metadata page in the Management Portal and with related API endpoints.
|
CertificateMetadataTypes
|
Modify
|
Users can add, edit, and delete custom metadata attribute definitions on the Certificate Metadata page in the Management Portal and with related API endpoints.
|
CertificateStoreManagement
|
Read
|
Users can view certificate stores—including the stores and containers but not discovery records—and certificate store types. Users who also have Read permissions for Certificates can view inventory for a certificate store.
See Container Permissions in the Keyfactor Command Reference Guide for more information.
|
CertificateStoreManagement
|
Modify
|
Users can manage certificate stores—including the stores, containers, and discovery process—and certificate store types. Note that this permission does not control additions of certificates to certificate stores.
|
CertificateStoreManagement
|
Schedule
|
Users can add certificates to certificate stores, renew/reissue certificates, and remove certificates from certificate stores.
|
Certificates
|
Read
|
Users can view certificates in certificate search and certificate collections in the Management Portal and with related API endpoints, including certificate history, and can download certificates. Users who also have Read permissions for Certificate Store Management or container permissions can add certificates to certificate stores.
See Certificate Permissions in the Keyfactor Command Reference Guide for more information.
|
Certificates
|
Import
|
Users can import certificates through Add Certificate in the Management Portal and with related API endpoints. Users who also have Read permissions for Certificate Store Management or container permissions can add certificates to certificate stores from Add Certificate.
|
Certificates
|
Recover
|
Users can download the certificates with their private key.
|
Certificates
|
Revoke
|
Users can revoke certificates through Certificate Search and Certificate Collections in the Management Portal and with related API endpoints.
|
Certificates
|
Delete
|
Users can delete certificates and, if applicable, the private keys of the certificates from the Keyfactor Command database.
|
Certificates
|
ImportPrivateKey
|
Users can save the private key for the certificate in the Keyfactor Command database.
|
Certificates
|
EditMetadata
|
Users can modify certificate metadata for certificates accessed through Certificate Search and Certificate Collections in the Management Portal and with related API endpoints.
|
Dashboard
|
Read
|
Users can view the panels on their personalized dashboard and add and remove them.
|
Dashboard |
RiskHeader |
Users can view the risk header at the top of the dashboard. |
EventHandlerRegistration |
Read |
Users can view the event handler registration settings. |
EventHandlerRegistration |
Modify |
Users can modify the event handler registration settings. |
MacAutoEnrollManagement
|
Read
|
Users can view the Mac Auto-Enroll Management settings.
|
MacAutoEnrollManagement
|
Modify
|
Users can modify the Mac Auto-Enroll Management settings.
|
Monitoring
|
Read
|
Users can view the expiration alerts in the Certificate Alerts in the Management Portal and with related API endpoints, including the alert schedule.
|
Monitoring
|
Modify
|
Users can modify the expiration alerts, including the alert text, recipients and event handlers. Users can also add new alerts, delete alerts and configure the expiration alert delivery schedule.
|
Monitoring
|
Test
|
Users can test the expiration alerts, including sending email to recipients. Users must also have Read permissions for Monitoring.
|
PkiManagement
|
Read
|
Users can view the Keyfactor Command PKI management settings within the following Management Portal areas and use related endpoints:
- Certificate Authorities
- Certificate Templates
- Revocation Monitoring
|
PkiManagement
|
Modify
|
Users can modify the Keyfactor Command PKI management settings:
- Import, add, edit, and delete certificate authorities
- Import certificate templates
- Add, edit, delete, and test revocation monitoring endpoints
- Configure revocation monitoring schedule
- Configure revocation monitoring recipients
|
PrivilegedAccessManagement |
Read |
Users can view PAM providers. |
PrivilegedAccessManagement |
Modify |
Users can add, edit, and delete PAM providers. |
Reports
|
Read
|
Users can generate and view reports.
|
Reports
|
Modify
|
Users can modify the delivery schedule for reports in Report Manager in the Management Portal and add, edit, and delete custom reports.
Note: Report scheduling is limited by collection permissions. Users in roles that have Reports: Read and Modify permissions will also need to have Read collection permissions on individual collections to have the ability to add, edit and delete schedules associated with collections. The user will not have access to add, edit and delete schedules for any collections for which they do not have collection Read permissions in addition to Reports permissions.
|
SecuritySettings
|
Read
|
Users can view the settings for Security Roles and Security Identities. Users must also have the Read permission for System Settings.
|
SecuritySettings
|
Modify
|
Users can modify the settings for Security Roles and Security Identities in the Management Portal and with related API endpoints.
|
SSH |
User |
Users can generate their own SSH keys. |
SSH |
ServerAdmin |
Users can use all SSH functions, except creating server groups and assigning server group owners. Users have limited access to some functions based on server group ownership.
See SSH Permissions in the Keyfactor Command Reference Guide for more information.
|
SSH |
EnterpriseAdmin |
Users can use all SSH functions.
See SSH Permissions in the Keyfactor Command Reference Guide for more information.
|
SslManagement
|
Read
|
Users can view the SSL Network Discovery and Monitoring area in the Management Portal and with related API endpoints, including defined networks and the network ranges configured for them, agent pools, and scan results. Users can use the query tool on the Results tab to find discovered endpoints and then view the discovered endpoints, including the details for the endpoints.
|
SslManagement
|
Modify
|
Users can modify the SSL Network Discovery and Monitoring settings:
- Create, edit, and delete networks, including scan schedules and notification recipients
- Add, edit, and delete network ranges for networks
- Add, edit, and delete agent pools
- Add and remove discovered endpoints from monitoring
|
SystemSettings
|
Read
|
Users can view the System Settings for:
- Application Settings
- Event Handler Registration to view built-in or custom event handlers
- API Applications allowed to use the APIs for certificate lifecycle management
- SMTP Configuration for email delivery of reports and alerts
- Installed components
- Licensing
- Alerts and Warnings about the health of the Keyfactor Command system
|
SystemSettings
|
Modify
|
Users can modify the System Settings for:
- Application Settings to configure many options for Keyfactor Command
- Event Handler Registration to add or remove built-in or custom event handlers
- Update SMTP Configuration for email delivery of reports and alerts
- Installed components, including removing servers from use
- Licensing, including the option to replace the existing license file
|
WorkflowDefinitions |
Read |
Users can view the configured workflow definitions. |
WorkflowDefinitions |
Modify |
Users can modify both the built-in and any custom workflow definitions, including the name and description and the configuration for the steps. Users can also add new workflow definitions, delete workflow definitions, publish workflow definitions, and import and export workflow definitions. |
WorkflowInstances |
Manage |
Users can manage initiated workflow instances, including stopping, restarting, and deleting them. |
WorkflowInstances |
ReadAssignedToMe |
Users can view the workflow instances that have been initiated and are awaiting input from them.
Tip: There is not a security permission at this level that controls whether users can provide input (a signal) to a workflow instance. This is controlled using the security roles configured on the specific workflow definition. Any user who holds one of the roles configured in the workflow step that requires a signal may provide the necessary input. The user does not need to hold the ReadAssignedToMe WorkflowInstances permission in order to provide the input. |
WorkflowInstances |
ReadAll |
Users can view all the workflow instances that have been initiated. |
WorkflowInstances |
ReadMy |
Users can view the workflow instances that have been initiated by them (e.g. because they enrolled for a certificate). |
WorkflowManagement (a.k.a. Alerts)
|
Read
|
Users can view the pending, issued, and denied workflow alerts.
|
WorkflowManagement (a.k.a. Alerts)
|
Modify
|
Users can modify the pending, issued, and denied workflow alerts, including the alert text, recipients, and event handlers. Users can also add new alerts, delete alerts, and configure the pending alert delivery schedule.
|
WorkflowManagement (a.k.a. Alerts)
|
Test
|
Users can test the pending alerts, including sending email to recipients. Users must also have Read permissions for Workflow.
|
WorkflowManagement (a.k.a. Certificate Requests)
|
Participate
|
Users can participate in the pending, issued and denied workflow process by approving or denying certificate requests from the Certificate Requests page or from the individual pages reached from links included in alerts in the Management Portal and with related API endpoints.
|