The Security Role Permissions that are available to be assigned to security roles within Keyfactor Command are documented below. Beginning with release 11.0 of Keyfactor Command, a new permission structure was introduced. Users of Keyfactor Command through the Management Portal will not see much difference between the older model and the newer model, as the changes are largely behind the scenes. Users of Keyfactor Command through the Keyfactor API (the API that allows third-party software to integrate with the certificate enrollment and management features of Keyfactor Command) will need to understand the new model. Some Keyfactor API endpoints (e.g. v1 Security Roles endpoints) still use the older permission model. Other Keyfactor API endpoints (e.g. v2 Security Roles endpoints) use the newer permission model.
Version Two Permission Model
The version two permission model was introduced in Keyfactor Command 11.0 and is used when setting security permissions in the Management Portal, with v2 Security Roles Keyfactor API endpoints, and with Keyfactor API Permission Set endpoints.
In the new model, permissions are built from access control strings, which are structured to support permission inheritance. Generally speaking, the more you add to an access control string, the less privilege you are granting to a user in that area of the product. For example, the following access control string grants full control to the entire product:
Add a certificates level to this, and now you’ve limited this to full control of just functions related to certificates in the product (which would include certificate enrollment, for example):
Add a collections level to this, and now you’ve limited this further to full control of just options that can be found on the Certificates menu item in the Management Portal, including certificates both in collections and found by direct search, certificate import, and certificate collection management (saved certificate searches that are available in other places in the Management Portal, e.g. expiration alerts and certain reports):
Add a read to this, and now you’ve limited this to just read for items on the Certificates menu:
Add a certificate collection ID to this, and now you’ve locked this down to just read on just the certificates in the certificate collection with ID 5:
When you apply permissions through the Management Portal, these access control strings are applied for you based on the selections you make in the Role Information dialog when assigning permissions to a role (see Security Role Operations). When you apply permissions through the Keyfactor API using a newer endpoint (e.g. v2 Security Roles endpoints), you need to specify these access control strings yourself.
Access control strings that are shown below with a # refer to a specific granular ID to which permissions should be granted. When used, they must be specified with an integer in place of the #. For example, use:
To refer to the certificate store container with ID 4, not:
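The inheritance rule described above, as an added example (my code, not Keyfactor's): a small checker that parses v2 access control strings, fills in the # placeholder with an integer ID, decides whether one granted string covers a requested one, and flags grants in a role that a broader grant in the same role already implies. The matching rule (a granted string covers a requested string when its segments are a prefix of the requested string's segments) is my reading of the text; the page describes the inheritance but not the evaluation engine. Strings in the code come from the tables on this page; the sample role is constructed.

```python
"""Added example (not Keyfactor's code): a checker for v2 access control strings.

Assumed here, since the page describes inheritance but not the matching rule: a
granted string covers a requested string when the granted string's segments are
a prefix of the requested string's segments. Every extra level narrows the grant,
and an integer at the end (for example /certificates/collections/read/5/)
narrows it to one collection, container, or PAM provider.
"""
import re

_NAME = re.compile(r"^[a-z][a-z0-9_]*$")  # permission segments: certificate_stores, read, pfx ...


def normalize(acs: str) -> list[str]:
    """Split '/certificates/collections/read/5/' into
    ['certificates', 'collections', 'read', '5'].

    Rejects an uninstantiated '#' placeholder, empty segments, and segments that
    are neither a permission name nor an integer ID.
    """
    if not (acs.startswith("/") and acs.endswith("/")):
        raise ValueError(f"must start and end with '/': {acs!r}")
    if acs == "/":
        return []  # no segments: the root (assumed to be the whole-product grant)
    segments = acs[1:-1].split("/")
    for seg in segments:
        if seg == "#":
            raise ValueError(f"'#' must be replaced by an integer ID: {acs!r}")
        if not seg or not (seg.isdigit() or _NAME.match(seg)):
            raise ValueError(f"bad segment {seg!r} in {acs!r}")
    return segments


def is_valid(acs: str) -> bool:
    """Convenience wrapper: True if normalize() accepts the string."""
    try:
        normalize(acs)
        return True
    except ValueError:
        return False


def instantiate(template: str, granular_id: int) -> str:
    """Fill the single '#' placeholder with an integer ID, e.g.
    instantiate('/certificate_stores/modify/#/', 4) -> '/certificate_stores/modify/4/'."""
    if isinstance(granular_id, bool) or not isinstance(granular_id, int) or granular_id < 0:
        raise TypeError("granular ID must be a non-negative integer")
    if template.count("#") != 1:
        raise ValueError(f"template must contain exactly one '#': {template!r}")
    acs = template.replace("#", str(granular_id))
    normalize(acs)  # validate the result before handing it back
    return acs


def covers(granted: str, requested: str) -> bool:
    """True when the granted string is at or above the requested string in the tree.
    Comparison is segment-wise, so '/certificates/' does not cover '/certificate_stores/'."""
    g, r = normalize(granted), normalize(requested)
    return r[:len(g)] == g


def role_allows(role_grants, requested: str) -> bool:
    """A role allows an action if any of its access control strings covers it."""
    return any(covers(g, requested) for g in role_grants)


def redundant_grants(role_grants) -> list[str]:
    """Least-privilege hygiene: strings already implied by a broader grant in the
    same role. Removing them changes nothing, but they obscure what the role really is."""
    return [g for g in role_grants
            if any(other != g and covers(other, g) for other in role_grants)]


if __name__ == "__main__":
    # constructed sample role (not from the page)
    role = ["/certificates/", "/certificates/collections/read/5/", "/portal/read/"]
    print(role_allows(role, "/certificates/collections/delete/7/"))  # True, via /certificates/
    print(redundant_grants(role))  # ['/certificates/collections/read/5/']
```

The segment-wise comparison matters: a plain string prefix test would let `/certificates/` cover `/certificate_stores/read/`, which the tables above treat as a separate area.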
Agents
Table 37: Agents Security Role Permissions v2
| Permission Tab | Portal Permission | API Permission | Description | 
|---|---|---|---|
| Global | Agents | /agents/ | Users can view and modify agent auto-registration settings, and orchestrator management and jobs. | 
| Global | Agents > Management | /agents/management/ | Users can view and modify orchestrator management and jobs. | 
| Global | Agents > Management > Modify | /agents/management/modify/ | Users can access the Management Portal areas and API endpoints to: | 
| Global | Agents > Management > Read | /agents/management/read/ | Users can access the Management Portal areas and API endpoints to: | 
Application Settings
Table 38: Application Settings Security Role Permissions v2
| Permission Tab | Portal Permission | API Permission | Description | 
|---|---|---|---|
| Global | Application Settings | /application_settings/ | Users can view and modify the application settings. | 
| Global | Application Settings > Modify | /application_settings/modify/ | Users can modify the application settings. | 
| Global | Application Settings > Read | /application_settings/read/ | Users can view the application settings. | 
Auditing
Table 39: Auditing Security Role Permissions v2
| Permission Tab | Portal Permission | API Permission | Description | 
|---|---|---|---|
| Global | Auditing | /auditing/ | Users can access the Audit Log page in the Management Portal, and will be able to make API requests to obtain data from the audit log (query, etc.). | 
| Global | Auditing > Read | /auditing/read/ | Users can access the Audit Log page in the Management Portal, and will be able to make API requests to obtain data from the audit log (query, etc.). | 
Certificate Authorities
Certificate authority permissions are grouped with certificate template permissions and known as PKI Management.
Table 40: Certificate Authorities Security Role Permissions v2
| Permission Tab | Portal Permission | API Permission | Description | 
|---|---|---|---|
| Global | Certificate Authorities | /certificate_authorities/ | Users can view and modify certificate authority records. Users can view, test, and modify revocation monitoring settings. | 
| Global | Certificate Authorities > Modify | /certificate_authorities/modify/ | Users can modify certificate authority and revocation monitoring settings to: | 
| Global | Certificate Authorities > Read | /certificate_authorities/read/ | Users can view certificate authority records. Users can view revocation monitoring settings, CA health monitoring and threshold alert recipients and schedules. | 
Certificate Stores
Table 41: Certificate Stores Security Role Permissions v2
See Container Permissions, Certificate Operations, Certificate Store Types and Certificate Store Operations for more information.
| Permission Tab | Portal Permission | API Permission | Description | 
|---|---|---|---|
| Global | Certificate Stores | /certificate_stores/ | Users can view and manage all certificate stores and add certificates to certificate stores, renew/reissue certificates, and remove certificates from certificate stores for all certificate stores. | 
| Global | Certificate Stores > Modify | /certificate_stores/modify/ | Users with the Modify role permission for either Certificate Stores or a container (#) can view the certificate stores grid and the containers grid and use the following operations on these pages. The Modify permission must be granted in conjunction with either Certificate Stores Read or container (#) Read for full functionality. Users must have global Certificate Stores Read and Modify permissions to access the discover tab and use the functions on it. Users with Modify permissions granted at the container level can perform these certificate store operations (in addition to those available with Read permissions): Note that this permission does not control additions of certificates to certificate stores. | 
| Container | Certificate Stores > Modify | /certificate_stores/modify/#/ | Users with the Modify role permission for either Certificate Stores or a container (#) can view the certificate stores grid and the containers grid and use the following operations on these pages. The Modify permission must be granted in conjunction with either Certificate Stores Read or container (#) Read for full functionality. Users must have global Certificate Stores Read and Modify permissions to access the discover tab and use the functions on it. Users with Modify permissions granted at the container level can perform these certificate store operations (in addition to those available with Read permissions): Note that this permission does not control additions of certificates to certificate stores. | 
| Global | Certificate Stores > Read | /certificate_stores/read/ | Users with the Read global role permission for either Certificate Stores or a specific container (#) can view the certificate stores grid and the containers grid and see all the certificate stores and store types. They can perform no operations on the certificate stores or containers from the certificate stores page. Users with Read permissions granted at the container level can perform these certificate store operations: Users with Read permissions granted at the container level can perform these container operations: | 
| Container | Certificate Stores > Read | /certificate_stores/read/#/ | Users with the Read global role permission for either Certificate Stores or a specific container (#) can view the certificate stores grid and the containers grid and see all the certificate stores and store types. They can perform no operations on the certificate stores or containers from the certificate stores page. Users with Read permissions granted at the container level can perform these certificate store operations: Users with Read permissions granted at the container level can perform these container operations: | 
| Global | Certificate Stores > Schedule | /certificate_stores/schedule/ | Users with the Schedule and Read role permissions for either Certificate Stores or a container (#) can use the Add to Certificate Store and Remove from Certificate Store options from the certificate search page, and Schedule from the certificate stores page. Users with Schedule and Read permissions may perform this operation on the certificate store or container grid. Users with Schedule and Read permissions granted at the container level can perform these certificate operations: | 
| Container | Certificate Stores > Schedule | /certificate_stores/schedule/#/ | Users with the Schedule and Read role permissions for either Certificate Stores or a container (#) can use the Add to Certificate Store and Remove from Certificate Store options from the certificate search page, and Schedule from the certificate stores page. Users with Schedule and Read permissions may perform this operation on the certificate store or container grid. Users with Schedule and Read permissions granted at the container level can perform these certificate operations: | 
Certificate Templates
Certificate template permissions are grouped with certificate authority permissions and known as PKI Management.
Table 42: Certificate Templates Security Role Permissions v2
| Permission Tab | Portal Permission | API Permission | Description | 
|---|---|---|---|
| Global | Certificate Templates | /certificate_templates/ | Users can view and modify certificate template records. | 
| Global | Certificate Templates > Modify | /certificate_templates/modify/ | Users can modify certificate template settings to import, edit, and configure system settings for certificate templates. | 
| Global | Certificate Templates > Read | /certificate_templates/read/ | Users can view certificate template records. | 
Certificates
Table 43: Certificates Security Role Permissions v2
| Permission Tab | Portal Permission | API Permission | Description | 
|---|---|---|---|
| Global | Certificates | /certificates/ | Users can view, modify, and act upon everything certificate-related, including certificates in collections, certificates found in a search that are not in a collection, certificate import, certificate enrollment, and pending certificate request management. | 
| Global | Certificates > Collections | /certificates/collections/ | Users can view, modify, and act upon certificate-related functions including certificates in collections and certificates found in a search that are not in a collection. | 
| Global | Certificates > Collections > Change Owner | /certificates/collections/change_owner | Users can change the certificate owner (a security role) assigned to a certificate (see Change Owner). | 
| Collection | Certificates > Collections > Change Owner | /certificates/collections/change_owner/#/ | Users can change the certificate owner assigned to a certificate for certificates in the specified certificate collection. Users will only be able to change the owner to a security role of which they are a member (see Change Owner). | 
| Global | Certificates > Collections > Delete | /certificates/collections/delete/ | Users can delete certificates and, if applicable, the private keys of the certificates from the Keyfactor Command database for any certificates. | 
| Collection | Certificates > Collections > Delete | /certificates/collections/delete/#/ | Users can delete certificates and, if applicable, the private keys of the certificates from the Keyfactor Command database for certificates in the specified certificate collection. | 
| Global | Certificates > Collections > Metadata Modify | /certificates/collections/metadata/modify/ | Users can modify certificate metadata for certificates in the Certificate Details dialog (only information on the metadata tab can be edited) and the equivalent API functions for any certificates (see Certificate Details). | 
| Collection | Certificates > Collections > Edit Metadata | /certificates/collections/metadata/modify/#/ | Users can modify certificate metadata for certificates in the Certificate Details dialog (only information on the metadata tab can be edited) and the equivalent API functions for certificates in the specified certificate collection (see Certificate Details). | 
| Global | Certificates > Collections > Modify | /certificates/collections/modify/ | Users can add or edit certificate collections. See Certificate Collection Permissions for more information. Note:  This permission cannot be applied at the certificate collection level. | 
| Global | Certificates > Collections > Private Key Import | /certificates/collections/private_key/import/ | Users can save the private key for the certificate in the Keyfactor Command database. Users with this role can add a certificate with an associated private key through the Add Certificate option under the Certificate Locations menu (see Add Certificate) and the private key will be stored in the Keyfactor Command database. Users must also be granted the Import role in order to be able to use the Add Certificate feature. Note:  This permission cannot be applied at the certificate collection level. | 
| Global | Certificates > Collections > Download with Private Key | /certificates/collections/private_key/read/ | Users can download the certificates with their private key for all certificates. | 
| Collection | Certificates > Collections > Private Key Read | /certificates/collections/private_key/read/#/ | Users can download the certificates with their private key for certificates in the specified certificate collection. | 
| Global | Certificates > Collections > Read | /certificates/collections/read/ | Users can view any certificates, including certificate history, and can download certificates. Users who also have Read permissions for Certificate Store Management or certificate store container permissions can add certificates to certificate stores from Certificate Search and Certificate Collections. The certificate operations possibly available to users with this permission are: Users with global Read role permissions can browse to Certificate Search in the Management Portal and view all saved certificate collections. They can view any certificate in the Keyfactor Command database and are not limited to just those returned by select collections. Users with this permission can view the certificates returned by searches and open the details of the certificates. | 
| Collection | Certificates > Collections > Read | /certificates/collections/read/#/ | Users can view certificates in the specified certificate collection, including certificate history, and can download certificates. Users who also have Read permissions for Certificate Store Management or certificate store container permissions can add the certificates in the collection to certificate stores from Certificate Search and Certificate Collections. The certificate operations possibly available to users with this permission are: Users with collection-level Read role permissions on a collection will see the collections to which they have been granted access appear on the Certificate Collections menu (if they have been configured to appear on the menu—see Certificate Collection Management). The users will be able to view all the certificates in the collections and open the details of the certificates. | 
| Global | Certificates > Collections > Revoke | /certificates/collections/revoke/ | Users can revoke any certificates through Keyfactor Command. This includes certificates that have been issued by a Microsoft or EJBCA CA configured for synchronization or by a cloud-based certificate vendor that is managed via a Keyfactor certificate gateway. Important:  In order to successfully revoke certificates, the service account under which the Keyfactor Command application pool is running must be granted Issue and Manage Certificates and Manage CA permissions to the CA database as per Create Groups to Control Access to Keyfactor Command Features, or, if delegation is configured for the CA, the user executing the revoke must have the Issue and Manage Certificate permissions while the application pool service account has the Manage CA permissions. If you are using explicit credentials to authenticate your CA (DCOM CAs - Authentication Method Tab), it is the user specified on the CA configuration in Keyfactor Command who must have permissions on the CA. | 
| Collection | Certificates > Collections > Revoke | /certificates/collections/revoke/#/ | Users can revoke certificates in the specified certificate collection through Keyfactor Command. This includes certificates that have been issued by a Microsoft or EJBCA CA configured for synchronization or by a cloud-based certificate vendor that is managed via a Keyfactor certificate gateway. Important:  In order to successfully revoke certificates, the service account under which the Keyfactor Command application pool is running must be granted Issue and Manage Certificates and Manage CA permissions to the CA database as per Create Groups to Control Access to Keyfactor Command Features, or, if delegation is configured for the CA, the user executing the revoke must have the Issue and Manage Certificate permissions while the application pool service account has the Manage CA permissions. If you are using explicit credentials to authenticate your CA (DCOM CAs - Authentication Method Tab), it is the user specified on the CA configuration in Keyfactor Command who must have permissions on the CA. | 
| Global | Certificates > Enrollment | /certificates/enrollment/ | Users can use all the enrollment-related functions, including CSR generation, CSR enrollment, and PFX enrollment. | 
| Global | Certificates > Enrollment > Csr | /certificates/enrollment/csr/ | Users can use the CSR Enrollment page in the Management Portal and the equivalent API functions. | 
| Global | Certificates > Enrollment > Csr Generation | /certificates/enrollment/csr_generation/ | Users can use the CSR Generation page in the Management Portal and the equivalent API functions. | 
| Global | Certificates > Enrollment > Pfx | /certificates/enrollment/pfx/ | Users can use the PFX Enrollment page in the Management Portal and the equivalent API functions. | 
| Global | Certificates > Import | /certificates/import/ | Users can import certificates using the Management Portal Add Certificate page or the Keyfactor API POST /Certificates/Import method. Users who also have Read permissions for Certificate Store Management or container permissions can add certificates to certificate stores from Add Certificate. Note:  This permission was controlled at the global certificate collection level in previous versions of Keyfactor Command, but has moved to a higher level separate from collections. | 
| Global | Certificates > Requests Manage | /certificates/requests/manage/ | Users can use the Pending CSRs page in the Management Portal and the equivalent API functions. | 
Dashboard
Table 44: Dashboard Security Role Permissions v2
| Permission Tab | Portal Permission | API Permission | Description | 
|---|---|---|---|
| Global | Dashboard | /dashboard/ | Users can view the panels, including the risk header, on their personalized dashboard and add and remove the customizable panels. | 
| Global | Dashboard > Read | /dashboard/read/ | Users can view the panels on their personalized dashboard and add and remove them. | 
| Global | Dashboard > Risk Header | /dashboard/risk_header/ | Users can view the risk header at the top of the dashboard. | 
| Global | Dashboard > Risk Header > Read | /dashboard/risk_header/read/ | Users can view the risk header at the top of the dashboard. | 
Identity Providers
Table 45: Identity Providers Security Role Permissions v2
| Permission Tab | Portal Permission | API Permission | Description | 
|---|---|---|---|
| Global | Identity Providers | /identity_providers/ | Users can view and modify the identity provider settings for identity providers. | 
| Global | Identity Providers > Modify | /identity_providers/modify/ | Users can modify the identity provider settings for identity providers. | 
| Global | Identity Providers > Read | /identity_providers/read/ | Users can view the identity provider settings for identity providers. | 
Metadata
Table 46: Certificate Metadata Types Security Role Permissions v2
| Permission Tab | Portal Permission | API Permission | Description | 
|---|---|---|---|
| Global | Metadata | /metadata/ | Users can view and modify custom metadata attribute definitions. | 
| Global | Metadata > Types | /metadata/types/ | Users can view and modify custom metadata attribute definitions. | 
| Global | Metadata > Types > Modify | /metadata/types/modify/ | Users can add, edit, and delete custom metadata attribute definitions on the Certificate Metadata page in the Management Portal and the equivalent API functions. | 
| Global | Metadata > Types > Read | /metadata/types/read/ | Users can view custom metadata attribute definitions on the Certificate Metadata page in the Management Portal and the equivalent API functions. | 
Monitoring
Table 47: Monitoring Security Role Permissions v2
| Permission Tab | Portal Permission | API Permission | Description | 
|---|---|---|---|
| Global | Monitoring | /monitoring/ | Users can view, modify, and test the pending, issued, and denied certificate request alerts and the event handler registration settings. | 
| Global | Monitoring > Alerts | /monitoring/alerts/ | Users can view, modify, and test the pending, issued, and denied certificate request alerts. | 
| Global | Monitoring > Alerts > Modify | /monitoring/alerts/modify/ | Users can modify the pending, issued, and denied certificate request alerts, including the alert text, recipients, and event handlers. Users can also add new alerts, delete alerts, and configure the pending alert delivery schedule. | 
| Global | Monitoring > Alerts > Read | /monitoring/alerts/read/ | Users can view the pending, issued, and denied certificate request alerts. | 
| Global | Monitoring > Alerts > Schedule | /monitoring/alerts/schedule/ | Users can schedule the revocation monitoring alerts. Tip:  To allow the revocation monitoring alerts page to appear in the Keyfactor Command Management Portal, users also require Read permissions for Certificate Authorities. | 
| Global | Monitoring > Alerts > Schedule > Revocation | /monitoring/alerts/schedule/revocation/ | Users can schedule the revocation monitoring alerts. Tip:  To allow the revocation monitoring alerts page to appear in the Keyfactor Command Management Portal, users also require Read permissions for Certificate Authorities. | 
| Global | Monitoring > Alerts > Test | /monitoring/alerts/test/ | Users can test the pending certificate request alerts, including sending email to recipients. Users must also have Read permissions for Alerts. | 
| Global | Monitoring > Handlers | /monitoring/handlers/ | Users can view and modify the event handler registration settings. | 
| Global | Monitoring > Handlers > Registration | /monitoring/handlers/registration/ | Users can view and modify the event handler registration settings. | 
| Global | Monitoring > Handlers > Registration > Modify | /monitoring/handlers/registration/modify/ | Users can modify the event handler registration settings. | 
| Global | Monitoring > Handlers > Registration > Read | /monitoring/handlers/registration/read/ | Users can view the event handler registration settings. | 
Privileged Access Management (PAM)
Table 48: Privileged Access Management Security Role Permissions v2
| Permission Tab | Portal Permission | API Permission | Description | 
|---|---|---|---|
| Global | Pam | /pam/ | Users can view and modify any PAM provider. | 
| Global | Pam > Modify | /pam/modify/ | Users can add, edit, and delete any PAM provider. | 
| PAM Provider | Pam > Modify | /pam/modify/#/ | Users can add, edit, and delete the specified PAM provider. | 
| Global | Pam > Read | /pam/read/ | Users can view any PAM provider. Users can select any PAM provider to provide credentials within Keyfactor Command for: | 
| PAM Provider | Pam > Read | /pam/read/#/ | Users can view or select the specified PAM provider. | 
[Management] Portal
Table 49: Management Portal Security Role Permissions v2
| Permission Tab | Portal Permission | API Permission | Description | 
|---|---|---|---|
| Global | Portal | /portal/ | Users can access the Management Portal. | 
| Global | Portal > Read | /portal/read/ | Users can access the Management Portal. This permission must be enabled for all roles that will access the Management Portal. | 
Reports
Table 50: Reports Security Role Permissions v2
| Permission Tab | Portal Permission | API Permission | Description | 
|---|---|---|---|
| Global | Reports | /reports/ | Users can generate, view, and modify the delivery schedule for reports. Users can add, edit, and delete custom reports. | 
| Global | Reports > Modify | /reports/modify/ | Users can modify the delivery schedule for reports in Report Manager in the Management Portal and the equivalent API functions and add, edit, and delete custom reports. Note: Report scheduling is limited by collection permissions. Users in roles that have Reports > Read and Modify permissions will also need either global certificate Read permissions or Read collection permissions on individual collections to be able to add, edit, and delete schedules associated with collections. If permissions are granted collection by collection rather than globally, the user cannot add, edit, or delete schedules for any collection on which they lack collection Read permissions, regardless of their Reports permissions. | 
| Global | Reports > Read | /reports/read/ | Users can generate and view reports. | 
Scripts
Table 51: Scripts Security Role Permissions v2
| Permission Tab | Portal Permission | API Permission | Description | 
|---|---|---|---|
| Global | Scripts | /scripts/ | Users can view and modify scripts used in alert event handlers and workflows. | 
| Global | Scripts > Modify | /scripts/modify/ | Users can add, edit, and delete scripts used in alert event handlers and workflows. | 
| Global | Scripts > Read | /scripts/read/ | Users can view scripts used in alert event handlers and workflows. | 
Security
Table 52: Security Settings Security Role Permissions v2
| Permission Tab | Portal Permission | API Permission | Description | 
|---|---|---|---|
| Global | Security | /security/ | Users can view and modify the settings for Security Roles and Security Claims. | 
| Global | Security > Modify | /security/modify/ | Users can modify the settings for Security Roles and Security Claims. | 
| Global | Security > Read | /security/read/ | Users can view the settings for Security Roles and Security Claims. Users must also have the Read permission for System Settings to access this in the Management Portal. | 
SSH
Table 53: SSH Security Role Permissions v2
| Permission Tab | Portal Permission | API Permission | Description | 
|---|---|---|---|
| Global | Ssh | /ssh/ | Users can use all SSH functions. | 
| Global | Ssh > Enterprise Admin | /ssh/enterprise_admin/ | Users can use all SSH functions. | 
| Global | Ssh > Server Admin | /ssh/server_admin/ | Users can use all SSH functions, except creating server groups and assigning server group owners. Users have limited access to some functions based on server group ownership. | 
| Global | Ssh > User | /ssh/user/ | Users can generate their own SSH keys. | 
SSL
Table 54: SSL Management Security Role Permissions v2
| Permission Tab | Portal Permission | API Permission | Description | 
|---|---|---|---|
| Global | Ssl | /ssl/ | Users can view and modify the SSL Discovery settings. | 
| Global | Ssl > Modify | /ssl/modify/ | Users can modify the SSL Discovery settings: | 
| Global | Ssl > Read | /ssl/read/ | Users can view the SSL Discovery pages in the Management Portal and the equivalent API functions, including defined networks and the network ranges configured for them, agent pools, and scan results. Users can use the query tool on the Results tab to find discovered endpoints and then view the discovered endpoints, including the details for the endpoints. | 
System Settings
Table 55: System Settings Permissions v2
| Permission Tab | Portal Permission | API Permission | Description | 
|---|---|---|---|
| Global | System Settings | /system_settings/ | Users can modify the System Settings for: | 
| Global | System Settings > Modify | /system_settings/modify/ | Users can modify the System Settings for: | 
| Global | System Settings > Read | /system_settings/read/ | Users can view the System Settings for: | 
Workflows
Table 56: Workflows Security Role Permissions v2
| Permission Tab | Portal Permission | API Permission | Description | 
|---|---|---|---|
| Global | Workflows | /workflows/ | Users can view and modify the configured workflow definitions and view and manage all initiated workflow instances. | 
| Global | Workflows > Definitions | /workflows/definitions/ | Users can view and modify the configured workflow definitions. | 
| Global | Workflows > Definitions > Modify | /workflows/definitions/modify/ | Users can modify both the built-in and any custom workflow definitions, including the name and description and the configuration for the steps. Users can also add new workflow definitions, delete workflow definitions, publish workflow definitions, and import and export workflow definitions. | 
| Global | Workflows > Definitions > Read | /workflows/definitions/read/ | Users can view the configured workflow definitions. | 
| Global | Workflows > Instances | /workflows/instances/ | Users can view and manage all initiated workflow instances. | 
| Global | Workflows > Instances > Manage | /workflows/instances/manage/ | Users can manage initiated workflow instances, including stopping, restarting, and deleting them. | 
| Global | Workflows > Instances > Read | /workflows/instances/read/ | Users can view all the workflow instances that have been initiated. | 
| Global | Workflows > Instances > Read > Mine | /workflows/instances/read/mine/ | Users can view the workflow instances that have been initiated by them (e.g. because they enrolled for a certificate). | 
| Global | Workflows > Instances > Read > Pending | /workflows/instances/read/pending/ | Users can view the workflow instances that have been initiated and are awaiting input from them. Tip: There is not a security permission at this level that controls whether users can provide input (a signal) to a workflow instance. This is controlled using the security roles configured on the specific workflow definition. Any user who holds one of the roles configured in the workflow step that requires a signal may provide the necessary input. The user does not need to hold the Workflows > Instances > Read > Pending permission in order to provide the input. | 
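The prefix inheritance that the v2 access control strings above rely on, as an added example that is not Keyfactor's code: a small Python checker over the v2 strings copied from these tables, with helpers for a least-privilege review of a role (what it effectively grants, what it grants beyond a stated need, and the minimal set of strings covering a need); the signal check follows the tip in the Workflows table. The catalog list and the role contents in the usage section are constructed for the example.

```python
# Added example (not Keyfactor's own code): evaluates v2 access control strings
# with the prefix inheritance rule (a shorter string grants every longer string
# beneath it) and adds helpers for reviewing a role against least privilege.
from typing import Iterable

# Constructed catalog: v2 API permission strings copied from the tables above.
CATALOG = [
    "/reports/modify/", "/reports/read/",
    "/scripts/", "/scripts/modify/", "/scripts/read/",
    "/security/", "/security/modify/", "/security/read/",
    "/ssh/", "/ssh/enterprise_admin/", "/ssh/server_admin/", "/ssh/user/",
    "/ssl/", "/ssl/modify/", "/ssl/read/",
    "/system_settings/", "/system_settings/modify/", "/system_settings/read/",
    "/workflows/", "/workflows/definitions/", "/workflows/definitions/modify/",
    "/workflows/definitions/read/", "/workflows/instances/",
    "/workflows/instances/manage/", "/workflows/instances/read/",
    "/workflows/instances/read/mine/", "/workflows/instances/read/pending/",
]

def normalize(acs: str) -> str:
    """Canonical form: lower case, trimmed, leading and trailing slash."""
    acs = acs.strip().lower()
    acs = acs if acs.startswith("/") else "/" + acs
    return acs if acs.endswith("/") else acs + "/"

def grants(held: str, required: str) -> bool:
    """True when `held` equals `required` or is an ancestor of it.
    Normalized strings end in "/", so the test is on whole segments:
    /ssh/ does not grant /ssl/read/ although "ss" is a shared prefix."""
    return normalize(required).startswith(normalize(held))

def role_allows(role_permissions: Iterable[str], required: str) -> bool:
    """A role allows an operation when any string it holds grants it."""
    return any(grants(p, required) for p in role_permissions)

def effective_permissions(role_permissions: Iterable[str],
                          catalog: Iterable[str] = CATALOG) -> list[str]:
    """Every catalog entry the role grants, directly or by inheritance."""
    perms = list(role_permissions)
    return [e for e in catalog if role_allows(perms, e)]

def over_grants(role_permissions: Iterable[str], required: Iterable[str],
                catalog: Iterable[str] = CATALOG) -> list[str]:
    """Catalog entries the role grants but the stated requirement does not
    need. An entry is needed only if some required string grants it; the
    rest is excess privilege to question in a role review."""
    perms, need = list(role_permissions), list(required)
    return [e for e in catalog
            if role_allows(perms, e) and not role_allows(need, e)]

def minimal_grant(required: Iterable[str]) -> list[str]:
    """Smallest set covering `required`: drop duplicates and any string that
    another string in the set already grants."""
    wanted = sorted({normalize(r) for r in required})
    return [r for r in wanted if not any(o != r and grants(o, r) for o in wanted)]

def can_signal(user_roles: Iterable[str], step_roles: Iterable[str]) -> bool:
    """Providing a signal to a workflow step depends only on the roles named
    on that step in the workflow definition, not on /workflows/instances/
    permissions (see the tip in the Workflows table above)."""
    return bool(set(user_roles) & set(step_roles))

if __name__ == "__main__":
    # Constructed role: an approver who may see pending instances and read scripts.
    approver = ["/workflows/instances/read/pending/", "/scripts/read/"]
    print(effective_permissions(approver))
    print(over_grants(["/workflows/instances/"], ["/workflows/instances/read/mine/"]))
    print(minimal_grant(["/scripts/read/", "/scripts/", "/scripts/"]))
```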
Version One Permission Model
The version one permission model was largely replaced in Keyfactor Command version 11.0, but is retained for backwards compatibility for use with select Keyfactor API endpoints.
Agent Management
Table 57: Agent Management Security Role Permissions v1
| Portal Permission | API Permission | Description | 
|---|---|---|
| Read | AgentManagement: Read | Users can: | 
| Modify | AgentManagement: Modify | Users can: | 
Alerts
Table 58: Alerts Security Role Permissions v1
| Portal Permission | API Permission | Description | 
|---|---|---|
| Read | WorkflowManagement: Read | Users can view the pending, issued, and denied certificate request alerts. | 
| Modify | WorkflowManagement: Modify | Users can modify the pending, issued, and denied certificate request alerts, including the alert text, recipients, and event handlers. Users can also add new alerts, delete alerts, and configure the pending alert delivery schedule. | 
| Test | WorkflowManagement: Test | Users can test the pending certificate request alerts, including sending email to recipients. Users must also have Read permissions for Alerts. | 
Application Settings
Table 59: Application Settings Security Role Permissions v1
| Portal Permission | API Permission | Description | 
|---|---|---|
| Read | ApplicationSettings: Read | Users can view the application settings. | 
| Modify | ApplicationSettings: Modify | Users can modify the application settings. | 
Auditing
Table 60: Auditing Security Role Permissions v1
| Portal Permission | API Permission | Description | 
|---|---|---|
| Read | Auditing: Read | Users can access the Audit Log page in the Management Portal, and will be able to make API requests to obtain data from the audit log (query, etc.). The System Settings dropdown menu will display the Audit Log option to users with the Auditing Read permission. | 
Certificate Collections
Table 61: Certificate Collections Security Role Permissions v1
| Portal Permission | API Permission | Description | 
|---|---|---|
| Modify | CertificateCollections: Modify | Users can add or edit Certificate Collections. See Certificate Collection Permissions for more information. | 
Certificate Enrollment
Table 62: Certificate Enrollment Security Role Permissions v1
| Portal Permission | API Permission | Description | 
|---|---|---|
| Enroll PFX | CertificateEnrollment: EnrollPFX | Users can use the PFX Enrollment page in the Management Portal and the equivalent API functions. | 
| Enroll CSR | CertificateEnrollment: EnrollCSR | Users can use the CSR Enrollment page in the Management Portal and the equivalent API functions. | 
| CSR Generation | CertificateEnrollment: CsrGeneration | Users can use the CSR Generation page in the Management Portal and the equivalent API functions. | 
| Manage Pending CSRs | CertificateEnrollment: PendingCsr | Users can use the Pending CSRs page in the Management Portal and the equivalent API functions. | 
Certificate Metadata Types
Table 63: Certificate Metadata Types Security Role Permissions v1
| Portal Permission | API Permission | Description | 
|---|---|---|
| Read | CertificateMetadataTypes: Read | Users can read custom metadata attribute definitions on the Certificate Metadata page in the Management Portal and the equivalent API functions. | 
| Modify | CertificateMetadataTypes: Modify | Users can add, edit, and delete custom metadata attribute definitions on the Certificate Metadata page in the Management Portal and the equivalent API functions. | 
Certificate Requests
Table 64: Certificate Requests Security Role Permissions v1
| Portal Permission | API Permission | Description | 
|---|---|---|
| Manage | WorkflowManagement: Participate | Users can participate in the pending, issued, and denied alerts by approving or denying certificate requests from the Certificate Requests page, from the individual pages reached from links included in alerts, or using the Keyfactor API /Workflow/Certificates endpoints. Note: In previous versions of Keyfactor Command, this permission was Workflow Management: Participate. | 
Certificate Store Management
Table 65: Certificate Store Management Security Role Permissions v1
See Container Permissions, Certificate Operations, Certificate Store Types and Certificate Store Operations for more information.
| UI Permission | API Permission | Description | 
|---|---|---|
| Read | CertificateStoreManagement: Read | Users can view the certificate stores and containers tabs on the Locations > Certificate Stores menu, and view certificate store types. | 
| Schedule | CertificateStoreManagement: Schedule | Users can add certificates to certificate stores, renew/reissue certificates, and schedule and remove certificates from certificate stores. | 
| Modify | CertificateStoreManagement: Modify | Users can manage all operations regarding certificate stores—including the stores, containers, and discovery process—and certificate store types. | 
Certificates
Table 66: Certificates Security Role Permissions v1
| Portal Permission | API Permission | Description | 
|---|---|---|
| Read | Certificates: Read | Users can view certificates, including certificate history, and can download certificates. Users who also have Read permissions for Certificate Store Management or certificate store container permissions can add certificates to certificate stores from Certificate Search and Certificate Collections. The certificate operations possibly available to users with this permission are: This permission can be applied at either the global or certificate collection level (see Certificate Collection Permissions). Users with global Read role permissions can browse to Certificate Search in the Management Portal and view all saved certificate collections. They can view any certificate in the Keyfactor Command database and are not limited to just those returned by select collections. Users with this permission can view the certificates returned by searches and open the details of the certificates. Users with collection-level Read role permissions on a collection will see the collections to which they have been granted access appear on the Certificate Collections menu (if they have been configured to appear on the menu—see Certificate Collection Management). The users will be able to view all the certificates in the collections and open the details of the certificates. | 
| Edit Metadata | Certificates: EditMetadata | Users can modify certificate metadata for certificates in the Certificate Details dialog (only information on the metadata tab can be edited) and the equivalent API functions. If the users have also been granted global Read permission on Certificates, they can modify the metadata of any certificates within the Keyfactor Command database. If the users have not been granted the global Read permission, they can only modify the certificates found in collections to which they have been granted collection-level Read access. Note: If you plan to edit metadata via the Keyfactor API, the user running the API needs only Edit Metadata permissions. Read permissions are not required. | 
| Import | Certificates: Import | Users can import certificates using the Management Portal Add Certificate page or the Keyfactor API POST /Certificates/Import method. Users who also have Read permissions for Certificate Store Management or container permissions can add certificates to certificate stores from Add Certificate. Note: This permission cannot be applied at the certificate collection level. | 
| Download with Private Key | Certificates: Recover | Users can download the certificates with their private key. | 
| Revoke | Certificates: Revoke | Users can revoke certificates through Keyfactor Command. Users with this role can use the revoke certificate operation on any certificates to which they have been granted access. This includes certificates that have been issued by a Microsoft or EJBCA CA configured for synchronization or by a cloud-based certificate vendor that is managed via a Keyfactor certificate gateway. Important: In order to successfully revoke certificates, the service account under which the Keyfactor Command application pool is running must be granted Issue and Manage Certificates and Manage CA permissions to the CA database as per Create Groups to Control Access to Keyfactor Command Features, or, if delegation is configured for the CA, the user executing the revoke must have the Issue and Manage Certificate permissions while the application pool service account has the Manage CA permissions. If you are using explicit credentials to authenticate your CA (see DCOM CAs - Authentication Method Tab), it is the user specified on the CA configuration in Keyfactor Command who must have permissions on the CA. | 
| Delete | Certificates: Delete | Users can delete certificates and, if applicable, the private keys of the certificates from the Keyfactor Command database. | 
| Import Private Key | Certificates: ImportPrivateKey | Users can save the private key for the certificate in the Keyfactor Command database. Users with this role can add a certificate with an associated private key through the Add Certificate option under the Certificate Locations menu (see Add Certificate) and the private key will be stored in the Keyfactor Command database. Users must also be granted the Import role in order to be able to use the Add Certificate feature. Note: This permission cannot be applied at the certificate collection level. | 
Dashboard
Table 67: Dashboard Security Role Permissions v1
| Portal Permission | API Permission | Description | 
|---|---|---|
| Read | Dashboard: Read | Users can view the panels on their personalized dashboard and add and remove them. | 
| Risk Header | Dashboard: RiskHeader | Users can view the risk header at the top of the dashboard. | 
Event Handler Registration
Table 68: Event Handler Registration Security Role Permissions v1
| Portal Permission | API Permission | Description | 
|---|---|---|
| Read | EventHandlerRegistration: Read | Users can view the event handler registration settings. | 
| Modify | EventHandlerRegistration: Modify | Users can modify the event handler registration settings. | 
Identity Providers
Table 69: Identity Providers Security Role Permissions v1
| Portal Permission | API Permission | Description | 
|---|---|---|
| Read | IdentityProviders: Read | Users can view the identity provider settings. | 
| Modify | IdentityProviders: Modify | Users can modify the identity provider settings. | 
Management Portal
Table 70: Management Portal Security Role Permissions v1
| Portal Permission | API Permission | Description | 
|---|---|---|
| Read | AdminPortal: Read | Users can access the Management Portal. This permission must be enabled for all roles that will access the Management Portal. | 
Monitoring
Table 71: Monitoring Security Role Permissions v1
| Portal Permission | API Permission | Description | 
|---|---|---|
| Read | Monitoring: Read | Users can view the expiration alerts in the Certificate Alerts in the Management Portal and the equivalent API functions, including the alert schedule. | 
| Modify | Monitoring: Modify | Users can modify the expiration alerts, including the alert text, recipients and event handlers. Users can also add new alerts, delete alerts and configure the expiration alert delivery schedule. | 
| Test | Monitoring: Test | Users can test the expiration alerts, including sending email to recipients. Users must also have Read permissions for Monitoring to access this in the Management Portal. | 
PKI Management
Table 72: PKI Management Security Role Permissions v1
| Portal Permission | API Permission | Description | 
|---|---|---|
| Read | PkiManagement: Read | Users can view PKI management settings within: | 
| Modify | PkiManagement: Modify | Users can modify PKI management settings to: | 
Privileged Access Management
Table 73: Privileged Access Management Security Role Permissions v1
| Portal Permission | API Permission | Description | 
|---|---|---|
| Read | PrivilegedAccessManagement: Read | Users can view PAM providers. | 
| Modify | PrivilegedAccessManagement: Modify | Users can add, edit, and delete PAM providers. | 
Reports
Table 74: Reports Security Role Permissions v1
| Portal Permission | API Permission | Description | 
|---|---|---|
| Read | Reports: Read | Users can generate and view reports. | 
| Modify | Reports: Modify | Users can modify the delivery schedule for reports in Report Manager in the Management Portal and the equivalent API functions and add, edit, and delete custom reports. Note: Report scheduling is limited by collection permissions. Users in roles that have Reports: Read and Modify permissions will also need to have Read collection permissions on individual collections to have the ability to add, edit, and delete schedules associated with collections. The user will not have access to add, edit, and delete schedules for any collections for which they do not have collection Read permissions in addition to Reports permissions. | 
Scripts
Table 75: Scripts Security Role Permissions v1
| Portal Permission | API Permission | Description | 
|---|---|---|
| Read | Scripts: Read | Users can view scripts. | 
| Modify | Scripts: Modify | Users can add, edit, and delete scripts. | 
Security Settings
Table 76: Security Settings Security Role Permissions v1
| Portal Permission | API Permission | Description | 
|---|---|---|
| Read | SecuritySettings: Read | Users can view the settings for Security Roles and Security Claims. Users must also have the Read permission for System Settings to access this in the Management Portal. | 
| Modify | SecuritySettings: Modify | Users can modify the settings for Security Roles and Security Claims. | 
SSH
Table 77: SSH Security Role Permissions v1
| Portal Permission | API Permission | Description | 
|---|---|---|
| User | SSH: User | Users can generate their own SSH keys. | 
| Server Admin | SSH: ServerAdmin | Users can use all SSH functions, except creating server groups and assigning server group owners. Users have limited access to some functions based on server group ownership (see SSH Permissions). | 
| Enterprise Admin | SSH: EnterpriseAdmin | Users can use all SSH functions (see SSH Permissions). | 
SSL Management
Table 78: SSL Management Security Role Permissions v1
| Portal Permission | API Permission | Description | 
|---|---|---|
| Read | SslManagement: Read | Users can view the SSL Discovery pages in the Management Portal and the equivalent API functions, including defined networks and the network ranges configured for them, agent pools, and scan results. Users can use the query tool on the Results tab to find discovered endpoints and then view the discovered endpoints, including the details for the endpoints. | 
| Modify | SslManagement: Modify | Users can modify the SSL Discovery settings: | 
System Settings
Table 79: System Settings Security Role Permissions v1
| Portal Permission | API Permission | Description | 
|---|---|---|
| Read | SystemSettings: Read | Users can view the orchestrator auto-registration settings; users must also have Read permissions for Agent Management to access this in the Management Portal. Users can view the System Settings for: | 
| Modify | SystemSettings: Modify | Users can modify the System Settings for: | 
Workflow Definitions
Table 80: Workflow Definitions Security Role Permissions v1
| Portal Permission | API Permission | Description | 
|---|---|---|
| Read | WorkflowDefinitions: Read | Users can view the configured workflow definitions. | 
| Modify | WorkflowDefinitions: Modify | Users can modify both the built-in and any custom workflow definitions, including the name and description and the configuration for the steps. Users can also add new workflow definitions, delete workflow definitions, publish workflow definitions, and import and export workflow definitions. | 
Workflow Instances
Table 81: Workflow Instances Security Role Permissions v1
| Portal Permission | API Permission | Description | 
|---|---|---|
| ReadAll | WorkflowInstances: ReadAll | Users can view all the workflow instances that have been initiated. | 
| Read - Assigned To Me | WorkflowInstances: ReadAssignedToMe | Users can view the workflow instances that have been initiated and are awaiting input from them. Tip: There is not a security permission at this level that controls whether users can provide input (a signal) to a workflow instance. This is controlled using the security roles configured on the specific workflow definition. Any user who holds one of the roles configured in the workflow step that requires a signal may provide the necessary input. The user does not need to hold the Read - Assigned To Me Workflow Instances permission in order to provide the input. | 
| Read - Started By Me | WorkflowInstances: ReadMy | Users can view the workflow instances that have been initiated by them (e.g. because they enrolled for a certificate). | 
| Manage | WorkflowInstances: Manage | Users can manage initiated workflow instances, including stopping, restarting, and deleting them. |