Permissions on certificate stores and their containers are controlled at two levels—system-wide and on a certificate store container-by-container basis. When designing a certificate store permission scheme, you may use entirely system-wide permissions or you may use a combination of system-wide permissions and container permissions. Both system-wide and container permissions are configured through Security Roles (see Security Role Operations).
System-wide certificate store permissions are controlled with the Certificate Stores role permissions on the Global Permissions tab of the Security Role Information dialog.
Unlike PAM and certificate collection permissions, container permissions are not explicitly listed under global permissions. Instead, they are entirely embedded within certificate store permissions and are not separately highlighted in the certificate store permissions section.
PAM (Privileged Access Management): Controls privileged access by vaulting credentials, enforcing least-privilege/just-in-time access, rotating secrets, and auditing sessions. Across Keyfactor products, PAM protects diverse sensitive operations and secrets—for example certificate stores and CA credentials—via built-in or third-party providers; external integrations are delivered as custom PAM extensions (several published on Keyfactor’s public GitHub).
Certificate collection: The certificate search function allows you to query the Keyfactor Command database for certificates from any available source based on any criteria of the certificates and save the results as a collection that will be available in other places in the Management Portal (e.g. expiration alerts and certain reports).
Figure 412: Certificate Stores: Global Permissions
Container-by-container permissions are set on the Container Permissions tab of the Role Information dialog for each container by name using the same set of permissions.
Any containers that do not have container-by-container permissions applied fall back to the system-wide permissions, if any system-wide permissions have been set for that role.
Figure 413: Certificate Store Management - Container Permissions
Container permissions work in conjunction with many other security permissions to control access to certificate store related functionality.
For more information about configuring container-level permissions, see Container Permissions Tab.