Documentation Suite v11.3

Permission Sets

The Permission Sets component of the Keyfactor API A set of functions to allow creation of applications. Keyfactor offers the Keyfactor API, which allows third-party software to integrate with the advanced certificate enrollment and management features of Keyfactor Command. includes methods necessary to programmatically create, edit, retrieve, and delete permission sets within Keyfactor Command.

Permission sets are used to organize security roles (see Security Roles) and provide compartmentalization on permissions. An unconfigured Keyfactor Command has one permission set—the Global Permission Set—that will contain all the security roles created in Keyfactor Command and allow users with administrative permissions to grant any of the possible permissions (see Security Role Permissions) in Keyfactor Command to other users. An implementation with two or more permission sets can be used to limit the actions that administrative users (or any users) can take.

Permission sets can only be managed with the Keyfactor API.

Example: An organization has a couple of administrators who should be allowed to make whatever changes are necessary to Keyfactor Command and a handful of other administrators who need full control to Keyfactor Command but should not be able to access certain sensitive features of the system. However, this second set of administrators do need to be able to change permissions of users on occasion. To meet this need, the organization decides to use permission sets:

The Global Permission Set contains the following permission:
/
This is the base permission set that is created on installation. It allows any security roles created as part of the Global Permission Set to potentially contain any possible security permission within Keyfactor Command.
The organization adds an Operational Permission Set which contains the following permissions:
/agents/
/application_settings/
/certificate_stores/
/certificates/
/certificate_authorities/
/certificate_templates/
/dashboard/
/metadata/
/monitoring/
/portal/
/reports/
/security/
/scripts/
/ssl/
/workflows/
This allows any security roles created as part of the Operational Permission Set to potentially contain any of the permissions in the referenced areas of Keyfactor Command. Notice that security is among these areas. It does not allow security roles added to this permission set to be granted permissions in areas such as /auditing/ and /identity_providers/.

The organization creates these security roles:

A Global Administrators security role in the Global Permission Set which grants full control to the system. This is created by default during the installation.
An Operational Administrators security role in the Operational Permission Set which grants all the permissions in the Operational Permission Set.
A Power Users security role in the Operational Permission Set which grants a large subset of the permissions in the Operational Permission Set, more granularly than grants to the administrators (e.g. /certificates/enrollment Certificate enrollment refers to the process by which a user requests a digital certificate. The user must submit the request to a certificate authority (CA)./csr A CSR or certificate signing request is a block of encoded text that is submitted to a CA when enrolling for a certificate. When you generate a CSR within Keyfactor Command, the matching private key for it is stored in Keyfactor Command in encrypted format and will be married with the certificate once returned from the CA./).
A Viewers security role in the Operational Permission Set which grants a small subset of the permissions in the Operational Permission Set, more granularly than grants to the administrators (e.g. /certificates/collections/read/).

In this configuration, users who hold the Operational Administrators security role:

Can edit the Power Users and Viewers security roles and change the permissions granted to those roles, but they cannot add any permissions that are not in the Operational Permission Set.
Can edit the Operational Administrators security role, but can’t add any permissions that aren’t in the Operational Permission Set.
Can add new claims for users, groups and other entities.
Can add new security roles in the Operational Permission Set, referencing only permissions in that set.
Can associate users, groups and other entities with the Power Users, Viewers and Operational Administrators security roles.
Can remove role associations for users, groups and other entities for the Power Users, Viewers and Operational Administrators security roles.
Cannot edit the Global Administrators role because it’s not in the permission set to which their own security role belongs.
Cannot add or edit permission sets.

Table 522: Permission Sets Endpoints

Endpoint	Method	Description	Link
/{id}	GET	Returns the permission set with the specified GUID.	GET Permission Sets ID
/{id}	DELETE	Deletes the permission set with the specified GUID.	DELETE Permission Sets ID
/	GET	Returns a list of all the permission sets.	GET Permission Sets
/	POST	Adds a new permission set into Keyfactor Command.	POST Permission Sets
/	PUT	Updates a permission set.	PUT Permission Sets

Version v11.3

On this page: