Security Role Permissions

The Security Role Permissions that are available to be assigned to security roles within Keyfactor Command are documented below. For release 11.0 of Keyfactor Command, a new permission structure has been introduced. Users of Keyfactor Command through the Management Portal will not see much difference between the older model and the newer model, as the changes are largely behind the scenes. Users of Keyfactor Command through the Keyfactor API will need to understand the new model. Some Keyfactor API endpoints (e.g. v1 Security Roles endpoints) still use the older permission model. Other Keyfactor API endpoints (e.g. v2 Security Roles endpoints) use the newer permission model.

Note: The Keyfactor Mac Auto-Enroll Agent has been deprecated as of Keyfactor Command version 11. Any reference to Mac Auto-Enrollment in the UI should not be used.

Version Two Permission Model

The version two permission model was introduced in Keyfactor Command 11.0 and is used when setting security permissions in the Management Portal, with v2 Security Roles Keyfactor API endpoints, and with Keyfactor API Permission Set endpoints.

In the new model, permissions are built from access control strings, which are structured to support permission inheritance. Generally speaking, each segment you add to an access control string narrows the privilege you are granting to a user in that area of the product. For example, the following access control string grants full control to the entire product:

/

Add a certificates level to this, and now you’ve limited this to full control of just functions related to certificates in the product (which would include enrollment, for example):

/certificates/

Add a collections level to this, and now you’ve limited this further to full control of just options that can be found on the Certificates menu item in the Management Portal, including certificates both in collections and found by direct search, certificate import, and certificate collection management:

/certificates/collections/

Add a read to this, and now you’ve limited this to just read for items on the Certificates menu:

/certificates/collections/read/

Add a certificate collection ID to this, and now you’ve locked this down to just read on just the certificates in the certificate collection with ID 5:

/certificates/collections/read/5/

When you apply permissions through the Management Portal, these access control strings are applied for you based on the selections you make in the Role Information dialog when assigning permissions to a role (see Security Role Operations). When you apply permissions through the Keyfactor API using a newer endpoint (e.g. v2 Security Roles endpoints), you need to specify these access control strings.

Access control strings that are shown below with a # refer to a specific granular ID to which permissions should be granted. When used, they must be specified with an integer in place of the #. For example, use:

/certificate_stores/read/4/

to refer to the certificate store container with ID 4, not:

/certificate_stores/read/#/

Note: Access control strings always begin and end with a /. If you specify an access control string in the Keyfactor API without the leading or trailing slash, it will not be recognized.

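The following is an added illustrative model of the access control string rules described above, not Keyfactor's own code: it assumes that a granted string covers a requested permission whenever the requested string begins with the granted string (each added segment narrows scope), enforces the leading/trailing slash rule, and substitutes a concrete ID for the # placeholder. Keyfactor Command's actual evaluation logic is not documented here and may differ.

```python
from typing import Iterable, List, Optional


def validate(acs: str) -> List[str]:
    """Split an access control string into its segments.

    Enforces the rule that a string must begin and end with '/', and rejects
    the documentation placeholder '#', which must be replaced by an integer ID.
    """
    if not acs.startswith("/") or not acs.endswith("/"):
        raise ValueError(f"must begin and end with '/': {acs!r}")
    segments = [] if acs == "/" else acs.strip("/").split("/")
    if any(seg == "" for seg in segments):
        raise ValueError(f"empty segment in {acs!r}")
    if "#" in segments:
        raise ValueError(f"'#' is a placeholder; substitute an integer ID: {acs!r}")
    return segments


def with_id(template: str, object_id: int) -> str:
    """Replace the '/#/' placeholder with a concrete integer ID (assumed semantics)."""
    if "/#/" not in template:
        raise ValueError(f"no '#' placeholder in {template!r}")
    if not isinstance(object_id, int) or object_id < 0:
        raise ValueError("object_id must be a non-negative integer")
    return template.replace("/#/", f"/{object_id}/", 1)


def covers(granted: str, requested: str) -> bool:
    """True when `granted` is the same as, or a parent of, `requested`.

    Modelled as prefix inheritance: '/' covers everything, '/certificates/'
    covers '/certificates/collections/read/5/', but a grant narrowed to ID 5
    does not cover ID 6 or the broader '/certificates/collections/'.
    """
    g, r = validate(granted), validate(requested)
    return r[: len(g)] == g


def effective_grant(grants: Iterable[str], requested: str) -> Optional[str]:
    """Return the first grant in a role that authorizes `requested`, else None."""
    for g in grants:
        if covers(g, requested):
            return g
    return None


# Constructed sample role: read on collection 5 and on store container 4.
SAMPLE_ROLE = [with_id("/certificates/collections/read/#/", 5),
               "/certificate_stores/read/4/"]
```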
Version One Permission Model

The version one permission model was largely replaced in Keyfactor Command version 11.0, but is retained for backwards compatibility for use with select Keyfactor API endpoints.