Documentation Suite v11.3

Security Role Permissions

The Security Role Permissions that are available to be assigned to security roles within Keyfactor Command are documented below. For release 11.0 of Keyfactor Command, a new permission structure has been introduced. Users of Keyfactor Command through the Management Portal will not see much difference between the older model and the newer model, as the changes are largely behind the scenes. Users of Keyfactor Command through the Keyfactor API A set of functions to allow creation of applications. Keyfactor offers the Keyfactor API, which allows third-party software to integrate with the advanced certificate enrollment and management features of Keyfactor Command. will need to understand the new model. Some Keyfactor API endpoints (e.g. v1 Security Roles endpoints) still use the older permission model. Other Keyfactor API endpoints (e.g. v2 Security Roles endpoints) use the newer permission model.

Version Two Permission Model

The version two permission model was introduced in Keyfactor Command 11.0 and is used when setting security permissions in the Management Portal, with v2 Security Roles Keyfactor API endpoints, and with Keyfactor API Permission Set endpoints.

In the new model, permissions are built from access control strings, which are structured to support permission inheritance. Generally speaking, the more you add to an access control string, the less privilege you are granting to a user in that area of the product. For example, the following access control string grants full control to the entire product:

Add a certificates level to this, and now you’ve limited this to full control of just functions related to certificates in the product (which would include enrollment Certificate enrollment refers to the process by which a user requests a digital certificate. The user must submit the request to a certificate authority (CA)., for example):

/certificates/

Add a collections level to this, and now you’ve limited this further to full control of just options that can be found on the Certificates menu item in the Management Portal, including certificates both in collections and found by direct search, certificate import, and certificate collection The certificate search function allows you to query the Keyfactor Command database for certificates from any available source based on any criteria of the certificates and save the results as a collection that will be availble in other places in the Management Portal (e.g. expiration alerts and certain reports). management:

/certificates/collections/

Add a read to this, and now you’ve limited this to just read for items on the Certificates menu:

/certificates/collections/read/

Add a certificate collection ID to this, and now you’ve locked this down to just read on just the certificates in the certificate collection with ID 5:

/certificates/collections/read/5/

When you apply permissions through the Management Portal, these access control strings are applied for you based on the selections you make in the Role Information dialog when assigning permissions to a role (see Security Role Operations). When you apply permissions through the Keyfactor API using a newer endpoint An endpoint is a URL that enables the API to gain access to resources on a server. (e.g. v2 Security Roles endpoints), you need to specify these access control strings.

Access control strings that are shown below with a # refer to a specific granular ID to which permissions should be granted. When used, they must be specified with an integer in place of the #. For example, use:

/certificate_stores/read/4/

To refer to the certificate store container with ID 4, not:

/certificate_stores/read/#/

Note: Access control strings always begin and end with a /. If you specify an access control string in the Keyfactor API without the leading or trailing slash, it will not be recognized.

Agents

Table 27: Agents Security Role Permissions v2

Permission Tab	Portal Permission	API Permission	Description
Global	Agents	/agents/	Users can view and modify agent auto-registration settings, Mac auto-enroll management settings, and orchestrator management and jobs.
Global	Agents > Auto-Registration	/agents/auto_registration/	Users can view and modify the agent auto-registration settings.
Global	Agents > Auto-Registration > Modify	/agents/auto_registration/modify/	Users can modify the agent auto-registration settings.
Global	Agents > Auto-Registration > Read	/agents/auto_registration/read/	Users can view the agent auto-registration settings; Users must also have Read permissions for Agent Management.
Global	Agents > Management	/agents/management/	Users can view and modify orchestrator management and jobs.
Global	Agents > Management > Modify	/agents/management/modify/	Users can access the Management Portal areas and API endpoints to: Manage orchestrators, including approving and disapproving them Unschedule and reschedule orchestrator jobs
Global	Agents > Management > Read	/agents/management/read/	Users can access the Management Portal areas and API endpoints to: View orchestrators, including filtering the orchestrator management grid View orchestrator jobs, including status, schedules, failures and warnings
Global	Agents > Management > Mac	/agents/management/mac/	Users can view and modify Mac auto-enroll management settings.
Global	Agents > Management > Mac > Auto-enrollment	/agents/management/mac/auto-enrollment/	Users can view and modify Mac auto-enroll management settings.
Global	Agents > Management > Mac > Auto-enrollment > Management	/agents/management/mac/auto-enrollment/management/	Users can view and modify Mac auto-enroll management settings.
Global	Agents > Management > Mac > Auto-enrollment > Management > Modify	/agents/management/mac/auto-enrollment/management/modify/	Users can modify the Mac auto-enroll management settings.
Global	Agents > Management > Mac > Auto-enrollment > Management > Read	/agents/management/mac/auto-enrollment/management/read/	Users can view the Mac auto-enroll management settings.

Application Settings

Table 28: Application Settings Security Role Permissions v2

Permission Tab	Portal Permission	API Permission	Description
Global	Application Settings	/application_settings/	Users can view and modify the application settings.
Global	Application Settings > Modify	/application_settings/modify/	Users can modify the application settings.
Global	Application Settings > Read	/application_settings/read/	Users can view the application settings.

Auditing

Table 29: Auditing Security Role Permissions v2

Permission Tab	Portal Permission	API Permission	Description
Global	Auditing	/auditing/	Users can access the Audit Log page in the Management Portal, and will be able to make API requests to obtain data from the audit log (query, etc.).
Global	Auditing > Read	/auditing/read/	Users can access the Audit Log page in the Management Portal, and will be able to make API requests to obtain data from the audit log (query, etc.).

Certificate Authorities

Note: This permission was previously bundled together with certificate template

A certificate template defines the policies and rules that a CA uses when a request for a certificate is received. permissions and known as PKI

A public key infrastructure (PKI) is a set of roles, policies, and procedures needed to create, manage, distribute, use, store and revoke digital certificates and manage public-key encryption. Management.

Table 30: Certificate Authorities Security Role Permissions v2

Permission Tab	Portal Permission	API Permission	Description
Global	Certificate Authorities	/certificate_authorities/	Users can view and modify certificate authority records. Users can view, test, and modify revocation monitoring settings.
Global	Certificate Authorities > Modify	/certificate_authorities/modify/	Users can modify certificate authority and revocation monitoring settings to: Import, add, edit, and delete certificate authorities. Configure CA health monitor and threshold alert recipients. Import CAs. Add, edit, delete, and test revocation monitoring endpoints. For access in the Management Portal, this also requires the Monitoring > Alerts > Read permission. Configure revocation monitoring schedules and recipients. For access in the Management Portal, this also requires the Monitoring > Alerts > Read permission.
Global	Certificate Authorities > Read	/certificate_authorities/read/	Users can view certificate authority records. Users can view revocation monitoring settings, CA health monitoring and threshold alert recipients and schedules.

Permission Tab

Portal Permission

API Permission

Description

Global

Certificate Authorities

/certificate_authorities/

Users can view and modify certificate authority records. Users can view, test, and modify revocation monitoring settings.

Global

Certificate Authorities > Modify

/certificate_authorities/modify/

Users can modify certificate authority and revocation monitoring settings to:

Import, add, edit, and delete certificate authorities.
Configure CA health monitor and threshold alert recipients.
Import CAs.
Add, edit, delete, and test revocation monitoring endpoints.

For access in the Management Portal, this also requires the Monitoring > Alerts > Read permission.
Configure revocation monitoring schedules and recipients.

For access in the Management Portal, this also requires the Monitoring > Alerts > Read permission.

Global

Certificate Authorities > Read

/certificate_authorities/read/

Users can view certificate authority records. Users can view revocation monitoring settings, CA health monitoring and threshold alert recipients and schedules.

Certificate Stores

Table 31: Certificate Stores Security Role Permissions v2

See Container Permissions, Certificate Operations, Certificate Store Types and Certificate Store Operations for more information.

Permission Tab	Portal Permission	API Permission	Description
Global	Certificate Stores	/certificate_stores/	Users can view and manage all certificate stores and add certificates to certificate stores, renew/reissue certificates, and remove certificates from certificate stores for all certificate stores.
Global	Certificate Stores > Modify	/certificate_stores/modify/	Users with the Modify role permission for either Certificate Stores or a container (#) can view the certificate stores grid and the containers grid and use the following operations on these pages. The Modify permission must be granted in conjunction with either Certificate Stores Read or container (3) Read for full functionality. Users must have global Certificate Stores Read and Modify permissions to access the discover tab and use the functions on it. Users with Modify permissions granted at the container level can perform these certificate store operations (in addition to those available with Read permissions): Add—When a new certificate store is added, only containers on which the user has Modify permissions will appear in the container dropdown and the newly created certificate store must be added to one of these if the user does not have global certificate store management permissions. Edit—Only certificate stores in containers on which the user has Modify permissions will be editable. Delete—Only certificate stores in containers on which the user has Modify permissions will be available for deletion. Assign Container—The container assigned to a certificate store can only be changed if the store is currently in a container on which the user has Modify permissions, and the store can only be assigned to another container on which the user has Modify permissions. The user must have Modify permissions on both the source container and the target container when moving a certificate store from one container to another. Set New Password—Only certificate stores in containers on which the user has Modify permissions will be available for password reset. Reenrollment—Only certificate stores in containers on which the user has Schedule permissions, along with Enroll CSR permissions (see Certificate Enrollment ) will be available for reenrollment. Note that this permission does not control additions of certificates to certificate stores.
Container	Certificate Stores > Modify	/certificate_stores/modify/#/	Users with the Modify role permission for either Certificate Stores or a container (#) can view the certificate stores grid and the containers grid and use the following operations on these pages. The Modify permission must be granted in conjunction with either Certificate Stores Read or container (3) Read for full functionality. Users must have global Certificate Stores Read and Modify permissions to access the discover tab and use the functions on it. Users with Modify permissions granted at the container level can perform these certificate store operations (in addition to those available with Read permissions): Add—When a new certificate store is added, only containers on which the user has Modify permissions will appear in the container dropdown and the newly created certificate store must be added to one of these if the user does not have global certificate store management permissions. Edit—Only certificate stores in containers on which the user has Modify permissions will be editable. Delete—Only certificate stores in containers on which the user has Modify permissions will be available for deletion. Assign Container—The container assigned to a certificate store can only be changed if the store is currently in a container on which the user has Modify permissions, and the store can only be assigned to another container on which the user has Modify permissions. The user must have Modify permissions on both the source container and the target container when moving a certificate store from one container to another. Set New Password—Only certificate stores in containers on which the user has Modify permissions will be available for password reset. Reenrollment—Only certificate stores in containers on which the user has Schedule permissions, along with Enroll CSR permissions (see Certificate Enrollment ) will be available for reenrollment. Note that this permission does not control additions of certificates to certificate stores.
Global	Certificate Stores > Read	/certificate_stores/read/	Users with the Read global role permission for either Certificate Store or a specific container (#) can view the certificate stores grid and the containers grid and see all the certificate stores and store types. They can perform no operations on the certificate stores or containers from the certificate stores page. If the users also have global Read permissions for Certificates > Collections, they can view inventory for a certificate store by highlighting a certificate store in the certificate store grid and clicking the View Inventory button. Users with Read permissions granted at the container level can perform these certificate store operations: View—Only certificate stores in containers on which the user has Read permissions will appear in the certificate stores grid. Users can open each certificate store to view the details of it but cannot change them. View Inventory—Only certificate stores in containers on which the user has Read permissions will be available with the View Inventory option. Users with Read permissions granted at the container level can perform these container operations: View—Only containers on which the user has Read permissions will appear in the containers grid. Users can open each container to view the details of it but cannot change them.
Container	Certificate Stores > Read	/certificate_stores/read/#/	Users with the Read global role permission for either Certificate Stores or a specific container (#) can view the certificate stores grid and the containers grid and see all the certificate stores and store types. They can perform no operations on the certificate stores or containers from the certificate stores page. If the users also have global Read permissions for Certificates > Collections, they can view inventory for a certificate store by highlighting a certificate store in the certificate store grid and clicking the View Inventory button. Users with Read permissions granted at the container level can perform these certificate store operations: View—Only certificate stores in containers on which the user has Read permissions will appear in the certificate stores grid. Users can open each certificate store to view the details of it but cannot change them. View Inventory—Only certificate stores in containers on which the user has Read permissions will be available with the View Inventory option. Users with Read permissions granted at the container level can perform these container operations: View—Only containers on which the user has Read permissions will appear in the containers grid. Users can open each container to view the details of it but cannot change them.
Global	Certificate Stores > Schedule	/certificate_stores/schedule/	Users with the Schedule and Read role permission for either Certificate Stores or a container (#) can use the Add to Certificate Store, Remove from Certificate Store from the certificate search page, and Schedule from the certificate stores page. Users must have either global Read for Certificates > Collections or have been granted access to one or more certificate collections via collection-level permissions (see Certificate Collection Permissions) to use the add, remove, and renew/reissue certificate options. To renew/reissue certificates, users must also have been assigned to a role with Certificates > Enrollment permissions (PFX and/or CSR (see Certificate Enrollment )) and Agents > Management-Read Users with Schedule and Read permission may perform this operation on the certificate store or container grid. Schedule Inventory—Only certificate stores in containers on which the user has Schedulepermissions will be available for scheduling inventory. Users with Schedule and Read permissions granted at the container level can perform these certificate operations: Add to Certificate Store—Only certificate stores in containers on which the user has Schedule permissions will be available for adding a certificate to in certificate collections or certificate search. Remove from Certificate Store—Only certificate stores in containers on which the user has Schedule permissions will be available for removing a certificate from in certificate collections or certificate search. Renew/Reissue—Only certificate stores in containers on which the user has Schedule permissions will be available for renewing or reissuing a certificate in certificate collections or certificate search. .
Container	Certificate Stores > Schedule	/certificate_stores/schedule/#/	Users with the Schedule and Read role permission for either Certificate Stores or a container (#) can use the Add to Certificate Store, Remove from Certificate Store from the certificate search page, and Schedule from the certificate stores page. Users must have either global Read for Certificates > Collections or have been granted access to one or more certificate collections via collection-level permissions (see Certificate Collection Permissions) to use the add, remove, and renew/reissue certificate options. To renew/reissue certificates, users must also have been assigned to a role with Certificates > Enrollment permissions (PFX and/or CSR (see Certificate Enrollment )) and Agents > Management-Read Users with Schedule and Read permission may perform this operation on the certificate store or container grid. Schedule Inventory—Only certificate stores in containers on which the user has Schedulepermissions will be available for scheduling inventory. Users with Schedule and Read permissions granted at the container level can perform these certificate operations: Add to Certificate Store—Only certificate stores in containers on which the user has Schedule permissions will be available for adding a certificate to in certificate collections or certificate search. Remove from Certificate Store—Only certificate stores in containers on which the user has Schedule permissions will be available for removing a certificate from in certificate collections or certificate search. Renew/Reissue—Only certificate stores in containers on which the user has Schedule permissions will be available for renewing or reissuing a certificate in certificate collections or certificate search.

Certificate Templates

Note: This permission was previously bundled together with certificate authority

A certificate authority (CA) is an entity that issues digital certificates. Within Keyfactor Command, a CA may be a Microsoft CA or a Keyfactor gateway to a cloud-based or remote CA. permissions and known as PKI Management.

Table 32: Certificate Templates Security Role Permissions v2

Permission Tab	Portal Permission	API Permission	Description
Global	Certificate Templates	/certificate_templates/	Users can view and modify certificate template records.
Global	Certificate Templates > Read	/certificate_templates/read/	Users can view certificate template records.
Global	Certificate Templates > Modify	/certificate_templates/modify/	Users can modify certificate template settings to import, edit, and configure system settings for certificate templates.

Certificates

Table 33: Certificates Security Role Permissions v2

Permission Tab	Portal Permission	API Permission	Description
Global	Certificates	/certificates/	Users can view, modify, and act upon everything certificate-related, including certificates in collections, certificates found in a search that are not in a collection, certificate import, certificate enrollment, and pending certificate request management.
Global	Certificates > Import	/certificates/import/	Users can import certificates using the Management Portal Add Certificate page or the Keyfactor API POST /Certificates/Import method. Users who also have Read permissions for Certificate Store Management or container permissions can add certificates to certificate stores from Add Certificate. Note: This permission was controlled at the global certificate collection level in previous versions of Keyfactor Command, but has moved to a higher level separate from collections.
Global	Certificates > Requests Manage	/certificates/requests/manage/	Users can use the Pending CSRs page in the Management Portal and the equivalent API functions.
Global	Certificates > Enrollment	/certificates/enrollment/	Users can use all the enrollment-related functions, including CSR generation, CSR enrollment, and PFX enrollment.
Global	Certificates > Enrollment > Pfx	/certificates/enrollment/pfx/	Users can use the PFX Enrollment page in the Management Portal and the equivalent API functions.
Global	Certificates > Enrollment > Csr	/certificates/enrollment/csr/	Users can use the CSR Enrollment page in the Management Portal and the equivalent API functions.
Global	Certificates > Enrollment > Csr > Generation	/certificates/enrollment/csr/generation/	Users can use the CSR Generation page in the Management Portal and the equivalent API functions.
Global	Certificates > Collections	/certificates/collections/	Users can view, modify, and act upon certificate-related functions including certificates in collections and certificates found in a search that are not in a collection.
Global	Certificates > Collections > Delete	/certificates/collections/delete/	Users can delete certificates and, if applicable, the private keys of the certificates from the Keyfactor Command database for any certificates.
Collection	Certificates > Collections > Delete	/certificates/collections/delete/#/	Users can delete certificates and, if applicable, the private keys of the certificates from the Keyfactor Command database for certificates in the specified certificate collection.
Global	Certificates > Collections > Metadata Modify	/certificates/collections/metadata/modify/	Users can modify certificate metadata for certificates in the Certificate Details dialog (only information on the metadata tab can be edited) and the equivalent API functions for any certificates.
Collection	Certificates > Collections > Edit Metadata	/certificates/collections/metadata/modify/#/	Users can modify certificate metadata for certificates in the Certificate Details dialog (only information on the metadata tab can be edited) and the equivalent API functions for certificates in the specified certificate collection.
Global	Certificates > Collections > Modify	/certificates/collections/modify/	Users can add or edit certificate collections. See Certificate Collection Permissions for more information. Note: This permission cannot be applied at the certificate collection level.
Global	Certificates > Collections > Private Key Import	/certificates/collections/private_key/import/	Users can save the private key for the certificate in the Keyfactor Command database. Users with this role can add a certificate with an associated private key through the Add Certificate option under the Certificate Locations menu (see Add Certificate) and the private key will be stored in the Keyfactor Command database. Users must also be granted the Import role in order to be able to use the Add Certificate feature. Note: This permission cannot be applied at the certificate collection level.
Global	Certificates > Collections > Download with Private Key	/certificates/collections/private_key/read/	Users can download the certificates with their private key for all certificates.
Collection	Certificates > Collections > Private Key Read	/certificates/collections/private_key/read/#/	Users can download the certificates with their private key for certificates in the specified certificate collection.
Global	Certificates > Collections > Read	/certificates/collections/read/	Users can view any certificates, including certificate history, and can download certificates. Users who also have Read permissions for Certificate Store Management or certificate store container permissions can add certificates to certificate stores from Certificate Search and Certificate Collections. The certificate operations possibly available to users with this permission are: Add to Certificate Store (Also requires the Certificate Stores > Schedule permission at either the global or container level) Display Download Get CSV Identity Audit (Also requires the Security > Read permission) Include Revoked checkbox Include Expired checkbox Renew (Also requires the Certificates > Enrollment > Pfx permission and Certificate Stores > Schedule permission at either the global or container level) Remove from Certificate Store (Also requires the Certificate Stores > Schedule permission at either the global or container level) Users with global Read role permissions can browse to Certificate Search in the Management Portal and view all saved certificate collections. They can view any certificate in the Keyfactor Command database and are not limited to just those returned by select collections. Users with this permission can view the certificates returned by searches and open the details of the certificates.
Collection	Certificates > Collections > Read	/certificates/collections/read/#/	Users can view certificates in the specified certificate collection, including certificate history, and can download certificates. Users who also have Read permissions for Certificate Store Management or certificate store container permissions can add the certificates in the collection to certificate stores from Certificate Search and Certificate Collections. The certificate operations possibly available to users with this permission are: Add to Certificate Store (Also requires the Certificate Stores > Schedule permission at either the global or container level) Display Download Get CSV Identity Audit (Also requires the Security > Read permission) Include Revoked checkbox Include Expired checkbox Renew (Also requires the Certificates > Enrollment > Pfx permission and Certificate Stores > Schedule permission at either the global or container level) Remove from Certificate Store (Also requires the Certificate Stores > Schedule permission at either the global or container level) Users with collection-level Read role permissions on a collection will see the collections to which they have been granted access appear on the Certificate Collections menu (if they have been configured to appear on the menu—see Certificate Collection Manager). The users will be able to view all the certificates in the collections and open the details of the certificates.
Global	Certificates > Collections > Revoke	/certificates/collections/revoke/	Users can revoke any certificates through Keyfactor Command. This includes certificates that have been issued by a Microsoft or EJBCA CA configured for synchronization or by a cloud-based certificate vendor that is managed via a Keyfactor certificate gateway. Important: In order to successfully revoke certificates, the service account under which the Keyfactor Command application pool is running must be granted “Issue and Manage Certificates” and “Manage CA” permissions to the CA database as per Create Groups to Control Access to Keyfactor Command Features, or, if delegation is configured for the CA, the user executing the revoke must have the “Issue and Manage Certificates” permissions while the application pool service account has the “Manage CA” permissions. If you are using explicit credentials to authenticate your CA (see Adding or Modifying a CA Record), it is the user specified on the CA configuration in Keyfactor Command who must have permissions on the CA.
Collection	Certificates > Collections > Revoke	/certificates/collections/revoke/#/	Users can revoke certificates in the specified certificate collection through Keyfactor Command. This includes certificates that have been issued by a Microsoft or EJBCA CA configured for synchronization or by a cloud-based certificate vendor that is managed via a Keyfactor certificate gateway. Important: In order to successfully revoke certificates, the service account under which the Keyfactor Command application pool is running must be granted “Issue and Manage Certificates” and “Manage CA” permissions to the CA database as per Create Groups to Control Access to Keyfactor Command Features, or, if delegation is configured for the CA, the user executing the revoke must have the “Issue and Manage Certificates” permissions while the application pool service account has the “Manage CA” permissions. If you are using explicit credentials to authenticate your CA (see Adding or Modifying a CA Record), it is the user specified on the CA configuration in Keyfactor Command who must have permissions on the CA.

Dashboard

Table 34: Dashboard Security Role Permissions v2

Permission Tab	Portal Permission	API Permission	Description
Global	Dashboard	/dashboard/	Users can view the panels, including the risk header, on their personalized dashboard and add and remove the customizable panels.
Global	Dashboard > Read	/dashboard/read/	Users can view the panels on their personalized dashboard and add and remove them.
Global	Dashboard > Risk Header	/dashboard/risk_header/	Users can view the risk header at the top of the dashboard.
Global	Dashboard > Risk Header > Read	/dashboard/risk_header/read/	Users can view the risk header at the top of the dashboard.

Identity Providers

Table 35: Identity Providers Security Role Permissions v2

Permission Tab	Portal Permission	API Permission	Description
Global	Identity Providers	/identity_providers/	Users can view and modify the identity provider settings for identity providers.
Global	Identity Providers > Modify	/identity_providers/modify/	Users can modify the identity provider settings for identity providers.
Global	Identity Providers > Read	/identity_providers/read/	Users can view the identity provider settings for identity providers.

Metadata

Table 36: Certificate Metadata Types Security Role Permissions v2

Permission Tab	Portal Permission	API Permission	Description
Global	Metadata	/metadata/	Users can view and modify custom metadata attribute definitions.
Global	Metadata > Types	/metadata/types/	Users can view and modify custom metadata attribute definitions.
Global	Metadata > Types > Read	/metadata/types/read/	Users can view custom metadata attribute definitions on the Certificate Metadata page in the Management Portal and the equivalent API functions.
Global	Metadata > Types > Modify	/metadata/types/modify/	Users can add, edit, and delete custom metadata attribute definitions on the Certificate Metadata page in the Management Portal and the equivalent API functions.

Monitoring

Table 37: Monitoring Security Role Permissions v2

Permission Tab	Portal Permission	API Permission	Description
Global	Monitoring	/monitoring/	Users can view, modify, and test the pending, issued, and denied certificate request alerts and the event handler registration settings.
Global	Monitoring > Handlers	/monitoring/handlers/	Users can view and modify the event handler registration settings.
Global	Monitoring > Handlers > Registration	/monitoring/handlers/registration/	Users can view and modify the event handler registration settings.
Global	Monitoring > Handlers > Registration > Modify	/monitoring/handlers/registration/modify/	Users can modify the event handler registration settings.
Global	Monitoring > Handlers > Registration > Read	/monitoring/handlers/registration/read/	Users can view the event handler registration settings.
Global	Monitoring > Alerts	/monitoring/alerts/	Users can view, modify, and test the pending, issued, and denied certificate request alerts.
Global	Monitoring > Alerts > Modify	/monitoring/alerts/modify/	Users can modify the pending, issued, and denied certificate request alerts, including the alert text, recipients, and event handlers. Users can also add new alerts, delete alerts, and configure the pending alert delivery schedule.
Global	Monitoring > Alerts > Read	/monitoring/alerts/read/	Users can view the pending, issued, and denied certificate request alerts.
Global	Monitoring > Alerts > Test	/monitoring/alerts/test/	Users can test the pending certificate request alerts, including sending email to recipients. Users must also have Read permissions for Alerts.

Privileged Access Management (PAM)

Table 38: Privileged Access Management Security Role Permissions v2

Permission Tab	Portal Permission	API Permission	Description
Global	Pam	/pam/	Users can view and modify any PAM provider.
Global	Pam > Modify	/pam/modify/	Users can add, edit, and delete any PAM provider.
PAM Provider	Pam > Modify	/pam/modify/#/	Users can add, edit, and delete the specified PAM provider.
Global	Pam > Read	/pam/read/	Users can view any PAM provider. Users can select any PAM providers to provide credentials within Keyfactor Command for: Certificate Stores Certificate Authorities Workflow Definitions
PAM Provider	Pam > Read	/pam/read/#/	Users can view or select the specified PAM provider.

[Management] Portal

Table 39: Management Portal Security Role Permissions v2

Permission Tab	Portal Permission	API Permission	Description
Global	Portal	/portal/	Users can access the Management Portal.
Global	Portal > Read	/portal/read/	Users can access the Management Portal. This permission must be enabled for all roles that will access the Management Portal.

Reports

Table 40: Reports Security Role Permissions v2

Permission Tab	Portal Permission	API Permission	Description
Global	Reports	/reports/	Users can generate, view, and modify the delivery schedule for reports. Users can add, edit, and delete custom reports.
Global	Reports > Modify	/reports/modify/	Users can modify the delivery schedule for reports in Report Manager in the Management Portal and the equivalent API functions and add, edit, and delete custom reports. Note: Report scheduling is limited by collection permissions. Users in roles that have Reports > Read and Modify permissions will also need to have either global certificate Read permissions or Read collection permissions on individual collections to have the ability to add, edit, and delete schedules associated with collections. The user will not have access to add, edit, and delete schedules for any collections for which they do not have collection Read permissions in addition to Reports permissions if permissions are granted at a collection-by-collection level rather than globally.
Global	Reports > Read	/reports/read/	Users can generate and view reports.

Scripts

Table 41: Scripts Security Role Permissions v2

Permission Tab	Portal Permission	API Permission	Description
Global	Scripts	/scripts/	Users can view and modify scripts used in alert event handlers and workflows.
Global	Scripts > Modify	/scripts/modify/	Users can add, edit, and delete scripts used in alert event handlers and workflows.
Global	Scripts > Read	/scripts/read/	Users can view scripts used in alert event handlers and workflows.

Security

Note: Users can only edit security settings on security roles that are in a permission set to which they have been mapped. In some environments, there is only one permission set to which all users are mapped. Other environments may have implemented a more privileged access model with multiple permission sets. For more information on permission sets, see Permission Sets.

Table 42: Security Settings Security Role Permissions v2

Permission Tab	Portal Permission	API Permission	Description
Global	Security	/security/	Users can view and modify the settings for Security Roles and Security Claims.
Global	Security > Modify	/security/modify/	Users can modify the settings for Security Roles and Security Claims.
Global	Security > Read	/security/read/	Users can view the settings for Security Roles and Security Claims. Users must also have the Read permission for System Settings to access this in the Management Portal.

SSH

Table 43: SSH Security Role Permissions v2

Permission Tab	Portal Permission	API Permission	Description
Global	Ssh	/ssh/	Users can use all SSH functions.
Global	Ssh > Enterprise Admin	/ssh/enterprise_admin/	Users can use all SSH functions.
Global	Ssh > Server Admin	/ssh/server_admin/	Users can use all SSH functions, except creating server groups and assigning server group owners. Users have limited access to some functions based on server group ownership.
Global	Ssh > User	/ssh/user/	Users can generate their own SSH keys.

SSL

Table 44: SSL Management Security Role Permissions v2

Permission Tab	Portal Permission	API Permission	Description
Global	Ssl	/ssl/	Users can view and modify the SSL Discovery settings.
Global	Ssl > Modify	/ssl/modify/	Users can modify the SSL Discovery settings: Create, edit, and delete networks, including scan schedules and notification recipients Add, edit, and delete network ranges for networks Add, edit, and delete agent pools Add and remove discovered endpoints from monitoring
Global	Ssl > Read	/ssl/read/	Users can view the SSL Discovery pages in the Management Portal and the equivalent API functions, including defined networks and the network ranges configured for them, agent pools, and scan results. Users can use the query tool on the Results tab to find discovered endpoints and then view the discovered endpoints, including the details for the endpoints.

Permission Tab

Portal Permission

API Permission

Description

Global

Ssl

/ssl/

Users can view and modify the SSL Discovery settings.

Global

Ssl > Modify

/ssl/modify/

Users can modify the SSL Discovery settings:

Create, edit, and delete networks, including scan schedules and notification recipients
Add, edit, and delete network ranges for networks
Add, edit, and delete agent pools
Add and remove discovered endpoints from monitoring

Global

Ssl > Read

/ssl/read/

Users can view the SSL Discovery pages in the Management Portal and the equivalent API functions, including defined networks and the network ranges configured for them, agent pools, and scan results. Users can use the query tool on the Results tab to find discovered endpoints and then view the discovered endpoints, including the details for the endpoints.

System Settings

Table 45: System Settings Permissions v2

Permission Tab	Portal Permission	API Permission	Description
Global	System Settings	/system_settings/	Users can modify the System Settings for: Update SMTP Configuration for email delivery of reports and alerts Installed components, including removing servers from use Licensing, including the option to replace the existing license file
Global	System Settings > Modify	/system_settings/modify/	Users can modify the System Settings for: Update SMTP Configuration for email delivery of reports and alerts Installed components, including removing servers from use Licensing, including the option to replace the existing license file
Global	System Settings > Read	/system_settings/read/	Users can view the System Settings for: SMTP Configuration for email delivery of reports and alerts Installed components Licensing General Alerts and Warnings about the health of the Keyfactor Command system (not related to a specific area of the product)

Permission Tab

Portal Permission

API Permission

Description

Global

System Settings

/system_settings/

Users can modify the System Settings for:

Update SMTP Configuration for email delivery of reports and alerts
Installed components, including removing servers from use
Licensing, including the option to replace the existing license file

Global

System Settings > Modify

/system_settings/modify/

Users can modify the System Settings for:

Update SMTP Configuration for email delivery of reports and alerts
Installed components, including removing servers from use
Licensing, including the option to replace the existing license file

Global

System Settings > Read

/system_settings/read/

Users can view the System Settings for:

SMTP Configuration for email delivery of reports and alerts
Installed components
Licensing
General Alerts and Warnings about the health of the Keyfactor Command system (not related to a specific area of the product)

Workflows

Table 46: Workflows Security Role Permissions v2

Permission Tab	Portal Permission	API Permission	Description
Global	Workflows	/workflows/	Users can view and modify the configured workflow definitions and view and manage all initiated workflow instances.
Global	Workflows > Definitions	/workflows/definitions/	Users can view and modify the configured workflow definitions.
Global	Workflows > Definitions > Modify	/workflows/definitions/modify/	Users can modify both the built-in and any custom workflow definitions, including the name and description and the configuration for the steps. Users can also add new workflow definitions, delete workflow definitions, publish workflow definitions, and import and export workflow definitions.
Global	Workflows > Definitions > Read	/workflows/definitions/read/	Users can view the configured workflow definitions.
Global	Workflows > Instances	/workflows/instances/	Users can view and manage all initiated workflow instances.
Global	Workflows > Instances > Manage	/workflows/instances/manage/	Users can manage initiated workflow instances, including stopping, restarting, and deleting them.
Global	Workflows > Instances > Read	/workflows/instances/read/	Users can view all the workflow instances that have been initiated.
Global	Workflows > Instances > Read > Mine	/workflows/instances/read/mine/	Users can view the workflow instances that have been initiated by them (e.g. because they enrolled for a certificate).
Global	Workflows > Instances > Read > Pending	/workflows/instances/read/pending/	Users can view the workflow instances that have been initiated and are awaiting input from them. Tip: There is not a security permission at this level that controls whether users can provide input (a signal) to a workflow instance. This is controlled using the security roles configured on the specific workflow definition. Any user who holds one of the roles configured in the workflow step that requires a signal may provide the necessary input. The user does not need to hold the Workflows > Instances > Read > Pending permission in order to provide the input.

Version One Permission Model

The version one permission model was largely replaced in Keyfactor Command version 11.0, but is retained for backwards compatibility for use with select Keyfactor API endpoints.

Agent Auto-Registration

Table 47: Agent Auto-Registration Security Role Permissions v1

Portal Permission	API Permission	Description
Read	AgentAutoRegistration: Read	Users can view the orchestrator auto-registration settings; users must also have Read permissions for Agent Management to access this page in the Management Portal.
Modify	AgentAutoRegistration: Modify	Users can modify the orchestrator auto-registration settings.

Agent Management

Table 48: Agent Management Security Role Permissions v1

Portal Permission	API Permission	Description
Read	AgentManagement: Read	Users can: View orchestrators, including filtering the Orchestrator Management grid View orchestrator jobs, including status, schedules, failures and warnings
Modify	AgentManagement: Modify	Users can: Manage orchestrators, including approving and disapproving them Unschedule and reschedule orchestrator jobs

Portal Permission

API Permission

Description

Read

AgentManagement: Read

Users can:

View orchestrators, including filtering the Orchestrator Management grid
View orchestrator jobs, including status, schedules, failures and warnings

Modify

AgentManagement: Modify

Users can:

Manage orchestrators, including approving and disapproving them
Unschedule and reschedule orchestrator jobs

Alerts

Table 49: Alerts Security Role Permissions v1

Portal Permission	API Permission	Description
Read	WorkflowManagement: Read	Users can view the pending, issued, and denied certificate request alerts.
Modify	WorkflowManagement: Modify	Users can modify the pending, issued, and denied certificate request alerts, including the alert text, recipients, and event handlers. Users can also add new alerts, delete alerts, and configure the pending alert delivery schedule.
Test	WorkflowManagement: Test	Users can test the pending certificate request alerts, including sending email to recipients. Users must also have Read permissions for Alerts.

Application Settings

Table 50: Application Settings Security Role Permissions v1

Portal Permission	API Permission	Description
Read	ApplicationSettings: Read	Users can view the application settings.
Modify	ApplicationSettings: Modify	Users can modify the application settings.

Auditing

Table 51: Auditing Security Role Permissions v1

Portal Permission	API Permission	Description
Read	Auditing: Read	Users can access the Audit Log page in the Management Portal, and will be able to make API requests to obtain data from the audit log (query, etc.). The System Settings dropdown menu will display the Audit Log option to users with the Auditing Read permission.

Certificate Collections

Table 52: Certificate Collections Security Role Permissions v1

Portal Permission	API Permission	Description
Modify	CertificateCollections: Modify	Users can add or edit Certificate Collections. See Certificate Collection Permissions for more information.

Certificate Enrollment

Table 53: Certificate Enrollment Security Role Permissions v1

Portal Permission	API Permission	Description
Enroll PFX	CertificateEnrollment: EnrollPFX	Users can use the PFX Enrollment page in the Management Portal and the equivalent API functions.
Enroll CSR	CertificateEnrollment: EnrollCSR	Users can use the CSR Enrollment page in the Management Portal and the equivalent API functions.
CSR Generation	CertificateEnrollment: CsrGeneration	Users can use the CSR Generation page in the Management Portal and the equivalent API functions.
Manage Pending CSRs	CertificateEnrollment: PendingCsr	Users can use the Pending CSRs page in the Management Portal and the equivalent API functions.

Certificate Metadata Types

Table 54: Certificate Metadata Types Security Role Permissions v1

Portal Permission	API Permission	Description
Read	CertificateMetadataTypes: Read	Users can read custom metadata attribute definitions on the Certificate Metadata page in the Management Portal and the equivalent API functions.
Modify	CertificateMetadataTypes: Modify	Users can add, edit, and delete custom metadata attribute definitions on the Certificate Metadata page in the Management Portal and the equivalent API functions.

Certificate Requests

Table 55: Certificate Requests Security Role Permissions v1

Portal Permission	API Permission	Description
Manage	WorkflowManagement: Participate	Users can participate in the pending, issued, and denied alerts by approving or denying certificate requests from the Certificate Requests page, from the individual pages reached from links included in alerts, or using the Keyfactor API /Workflow/Certificates endpoints. Note: In previous versions of Keyfactor Command, this permission was Workflow Management: Participate.

Certificate Store Management

Table 56: Certificate Store Management Security Role Permissions v1

See Container Permissions, Certificate Operations, Certificate Store Types and Certificate Store Operations for more information.

UI Permission	API Permission	Description
Read	CertificateStoreManagement: Read	Users can view the certificate stores and containers tabs on the Locations > Certificate Stores menu, and view certificate store types.
Schedule	CertificateStoreManagement: Schedule	Users can add certificates to certificate stores, renew/reissue certificates, schedule and remove certificates from certificate stores.
Modify	CertificateStoreManagement: Modify	Users can manage all operations regarding certificate stores—including the stores, containers, and discovery process—and certificate store types.

Certificates

Table 57: Certificates Security Role Permissions v1

Portal Permission	API Permission	Description
Read	Certificates: Read	Users can view certificates, including certificate history, and can download certificates. Users who also have Read permissions for Certificate Store Management or certificate store container permissions can add certificates to certificate stores from Certificate Search and Certificate Collections. The certificate operations possibly available to users with this permission are: Add to Certificate Store (Also requires the Read and Schedule Certificate Store Management permissions) Edit Download Get CSV Identity Audit (Also requires the Read Security Settings permission) Include Revoked checkbox Include Expired checkbox Renew (Also requires the Read and Schedule Certificate Store Management permissions) Remove from Certificate Store (Also requires the Read and Schedule Certificate Store Management permissions) This permission can be applied at either the global or certificate collect level (see Certificate Collection Permissions. Users with global Read role permissions can browse to Certificate Search in the Management Portal and view all saved certificate collections. They can view any certificate in the Keyfactor Command database and are not limited to just those returned by select collections. Users with this permission can view the certificates returned by searches and open the details of the certificates. Users with collection-level Read role permissions on a collection will see the collections to which they have been granted access appear on the Certificate Collections menu (if they have been configured to appear on the menu—see Certificate Collection Manager). The users will be able to view all the certificates in the collections and open the details of the certificates.
Edit Metadata	Certificates: EditMetadata	Users can modify certificate metadata for certificates in the Certificate Details dialog (only information on the metadata tab can be edited) and the equivalent API functions. If the users have also been granted global Read permission on Certificates, they can modify the metadata of any certificates within the Keyfactor Command database. If the users have not been granted the global Read permission, they can only modify the certificates found in collections to which they have been granted collection-level Read access. Note: If you plan to edit metadata via the Keyfactor API, the user running the API needs only Edit Metadata permissions. Read permissions are not required.
Import	Certificates: Import	Users can import certificates using the Management Portal Add Certificate page or the Keyfactor API POST /Certificates/Import method. Users who also have Read permissions for Certificate Store Management or container permissions can add certificates to certificate stores from Add Certificate. Note: This permission cannot be applied at the certificate collection level.
Download with Private Key	Certificates: Recover	Users can download the certificates with their private key.
Revoke	Certificates: Revoke	Users can revoke certificates through Keyfactor Command. Users with this role can use the revoke certificate operation on any certificates to which they have been granted access. This includes certificates that have been issued by a Microsoft or EJBCA CA configured for synchronization or by a cloud-based certificate vendor that is managed via a Keyfactor certificate gateway. Important: In order to successfully revoke certificates, the service account under which the Keyfactor Command application pool is running must be granted “Issue and Manage Certificates” and “Manage CA” permissions to the CA database as per Create Groups to Control Access to Keyfactor Command Features, or, if delegation is configured for the CA, the user executing the revoke must have the “Issue and Manage Certificates” permissions while the application pool service account has the “Manage CA” permissions. If you are using explicit credentials to authenticate your CA (see Adding or Modifying a CA Record), it is the user specified on the CA configuration in Keyfactor Command who must have permissions on the CA.
Delete	Certificates: Delete	Users can delete certificates and, if applicable, the private keys of the certificates from the Keyfactor Command database.
Import Private Key	Certificates: ImportPrivateKey	Users can save the private key for the certificate in the Keyfactor Command database. Users with this role can add a certificate with an associated private key through the Add Certificate option under the Certificate Locations menu (see Add Certificate) and the private key will be stored in the Keyfactor Command database. Users must also be granted the Import role in order to be able to use the Add Certificate feature. Note: This permission cannot be applied at the certificate collection level.

Dashboard

Table 58: Dashboard Security Role Permissions v1

Portal Permission	API Permission	Description
Read	Dashboard: Read	Users can view the panels on their personalized dashboard and add and remove them.
Risk Header	Dashboard: RiskHeader	Users can view the risk header at the top of the dashboard.

Event Handler Registration

Table 59: Event Handler Registration Security Role Permissions v1

Portal Permission	API Permission	Description
Read	EventHandlerRegistration: Read	Users can view the event handler registration settings.
Modify	EventHandlerRegistration: Modify	Users can modify the event handler registration settings.

Identity Providers

Table 60: Identity Providers Security Role Permissions v1

Portal Permission	API Permission	Description
Read	IdentityProviders: Read	Users can view the identity provider settings.
Modify	IdentityProviders: Modify	Users can modify the identity provider settings.

Mac Auto-Enroll Management

Table 61: Mac Auto-Enroll Management Security Role Permissions v1

Portal Permission	API Permission	Description
Read	MacAutoEnrollManagement: Read	Users can view the Mac Auto-Enroll Management settings.
Modify	MacAutoEnrollManagement: Modify	Users can modify the Mac Auto-Enroll Management settings.

Management Portal

Table 62: Management Portal Security Role Permissions v1

Portal Permission	API Permission	Description
Read	AdminPortal: Read	Users can access the Management Portal. This permission must be enabled for all roles that will access the Management Portal.

Monitoring

Table 63: Monitoring Security Role Permissions v1

Portal Permission	API Permission	Description
Read	Monitoring: Read	Users can view the expiration alerts in the Certificate Alerts in the Management Portal and the equivalent API functions, including the alert schedule.
Modify	Monitoring: Modify	Users can modify the expiration alerts, including the alert text, recipients and event handlers. Users can also add new alerts, delete alerts and configure the expiration alert delivery schedule.
Test	Monitoring: Test	Users can test the expiration alerts, including sending email to recipients. Users must also have Read permissions for Monitoring to access this in the Management Portal.

PKI Management

Table 64: PKI Management Security Role Permissions v1

Portal Permission	API Permission	Description
Read	PkiManagement: Read	Users can view PKI management settings within: Certificate Authorities Certificate Templates Revocation Monitoring
Modify	PkiManagement: Modify	Users can modify PKI management settings to: Import, add, edit, and delete certificate authorities Import and edit certificate templates Add, edit, delete, and test revocation monitoring endpoints Configure revocation monitoring schedules Configure revocation monitoring recipients

Portal Permission

API Permission

Description

Read

PkiManagement: Read

Users can view PKI management settings within:

Certificate Authorities
Certificate Templates
Revocation Monitoring

Modify

PkiManagement: Modify

Users can modify PKI management settings to:

Import, add, edit, and delete certificate authorities
Import and edit certificate templates
Add, edit, delete, and test revocation monitoring endpoints
Configure revocation monitoring schedules
Configure revocation monitoring recipients

Privileged Access Management

Table 65: Privileged Access Management Security Role Permissions v1

Portal Permission	API Permission	Description
Read	PrivilegedAccessManagement: Read	Users can view PAM providers.
Modify	PrivilegedAccessManagement: Modify	Users can add, edit, and delete PAM providers.

Reports

Table 66: Reports Security Role Permissions v1

Portal Permission	API Permission	Description
Read	Reports: Read	Users can generate and view reports.
Modify	Reports: Modify	Users can modify the delivery schedule for reports in Report Manager in the Management Portal and the equivalent API functions and add, edit, and delete custom reports. Note: Report scheduling is limited by collection permissions. Users in roles that have Reports: Read and Modify permissions will also need to have Read collection permissions on individual collections to have the ability to add, edit, and delete schedules associated with collections. The user will not have access to add, edit, and delete schedules for any collections for which they do not have collection Read permissions in addition to Reports permissions.

Scripts

Table 67: Scripts Security Role Permissions v1

Portal Permission	API Permission	Description
Read	Scripts: Read	Users can view scripts.
Modify	Scripts: Modify	Users can add, edit, and delete scripts.

Security Settings

Table 68: Security Settings Security Role Permissions v1

Portal Permission	API Permission	Description
Read	SecuritySettings: Read	Users can view the settings for Security Roles and Security Claims. Users must also have the Read permission for System Settings to access this in the Management Portal.
Modify	SecuritySettings: Modify	Users can modify the settings for Security Roles and Security Claims.

SSH

Table 69: SSH Security Role Permissions v1

Portal Permission	API Permission	Description
User	SSH: User	Users can generate their own SSH keys.
Server Admin	SSH: ServerAdmin	Users can use all SSH functions, except creating server groups and assigning server group owners. Users have limited access to some functions based on server group ownership (see SSH Permissions).
Enterprise Admin	SSH: EnterpriseAdmin	Users can use all SSH functions (see SSH Permissions).

SSL Management

Table 70: SSL Management Security Role Permissions v1

Portal Permission	API Permission	Description
Read	SslManagement: Read	Users can view the SSL Discovery pages in the Management Portal and the equivalent API functions, including defined networks and the network ranges configured for them, agent pools, and scan results. Users can use the query tool on the Results tab to find discovered endpoints and then view the discovered endpoints, including the details for the endpoints.
Modify	SslManagement: Modify	Users can modify the SSL Discovery settings: Create, edit, and delete networks, including scan schedules and notification recipients Add, edit, and delete network ranges for networks Add, edit, and delete agent pools Add and remove discovered endpoints from monitoring

Portal Permission

API Permission

Description

Read

SslManagement: Read

Modify

SslManagement: Modify

Users can modify the SSL Discovery settings:

Create, edit, and delete networks, including scan schedules and notification recipients
Add, edit, and delete network ranges for networks
Add, edit, and delete agent pools
Add and remove discovered endpoints from monitoring

System Settings

Table 71: System Settings Security Role Permissions v1

Portal Permission	API Permission	Description
Read	SystemSettings: Read	Users can view the orchestrator auto-registration settings; users must also have Read permissions for Agent Management to access this in the Management Portal. Users can view the System Settings for: SMTP Configuration for email delivery of reports and alerts Installed components Licensing General Alerts and Warnings about the health of the Keyfactor Command system (not related to a specific area of the product)
Modify	SystemSettings: Modify	Users can modify the System Settings for: Update SMTP Configuration for email delivery of reports and alerts Installed components, including removing servers from use Licensing, including the option to replace the existing license file

Portal Permission

API Permission

Description

Read

SystemSettings: Read

Users can view the orchestrator auto-registration settings; users must also have Read permissions for Agent Management to access this in the Management Portal. Users can view the System Settings for:

SMTP Configuration for email delivery of reports and alerts
Installed components
Licensing
General Alerts and Warnings about the health of the Keyfactor Command system (not related to a specific area of the product)

Modify

SystemSettings: Modify

Users can modify the System Settings for:

Update SMTP Configuration for email delivery of reports and alerts
Installed components, including removing servers from use
Licensing, including the option to replace the existing license file

Workflow Definitions

Table 72: Workflow Definitions Security Role Permissions v1

Portal Permission	API Permission	Description
Read	WorkflowDefinitions: Read	Users can view the configured workflow definitions.
Modify	WorkflowDefinitions: Modify	Users can modify both the built-in and any custom workflow definitions, including the name and description and the configuration for the steps. Users can also add new workflow definitions, delete workflow definitions, publish workflow definitions, and import and export workflow definitions.

Workflow Instances

Table 73: Workflow Instances Security Role Permissions v1

Portal Permission	API Permission	Description
ReadAll	WorkflowInstances: ReadAll	Users can view all the workflow instances that have been initiated.
Read - Assigned To Me	WorkflowInstances: ReadAssignedToMe	Users can view the workflow instances that have been initiated and are awaiting input from them. Tip: There is not a security permission at this level that controls whether users can provide input (a signal) to a workflow instance. This is controlled using the security roles configured on the specific workflow definition. Any user who holds one of the roles configured in the workflow step that requires a signal may provide the necessary input. The user does not need to hold the Read - Assigned To Me Workflow Instances permission in order to provide the input.
Read - Started By Me	WorkflowInstances: ReadMy	Users can view the workflow instances that have been initiated by them (e.g. because they enrolled for a certificate).
Manage	WorkflowInstances: Manage	Users can manage initiated workflow instances, including stopping, restarting, and deleting them.

Version v11.3

On this page: