Security Role Operations

Tip:  You can view all the permissions set for a given role at a glance by granting one role to one claim only (and no other roles) and then using the View Permissions option for the claim (see Viewing Permissions for a Security Claim).

Editing the built-in Administrator role is different than editing any other role. Instead of the full security dialog opening, only the claims tab will open when you click Edit from the Security Roles and Claims page.

To add a new claim to the built-in Administrator security role or update an existing claim:

  1. In the Management Portal, browse to System Settings Icon > Security Roles and Claims.

  2. On the Security Roles and Claims page > Security Role tab, highlight the Administrator row and click Edit from the top of the grid or from the right click menu.

  3. Click Add to add a new claim. You can associate existing security claims or add new security claims and associate them in one step. Claim to role associations can also be removed from this tab, but claims cannot be deleted from here. See Security Role Operations for more information.

    To remove the association of a claim to the role, on the Claims tab, highlight one or more rows and click Remove from the top of the grid or select a single row and choose Remove from the right click menu.

  4. Click Save to save changes.

Tip:  The following permissions (see Security Roles and Claims) are required to use this feature:
Security > Modify
Security > Read

To add a new security role or update an existing role:

  1. In the Management Portal, browse to System Settings Icon > Security Roles and Claims.

  2. On the Security Roles and Claims page, select the Security Role tab and click Add from the menu at the top of the grid to add a new security role; or highlight a row and click Edit from the top of the grid or from the right click menu to modify an existing role.

    Note:  The built-in Administrator role cannot be edited or deleted (except to add user claims to the role)—it is shown as immutable in the grid.

  3. The page will change to either the Add Security Role or Role information For <role> dialog. Fill in each tab of the dialog with the information desired for the selected security role as described below.

    On the details tab, give the role a Name and Description. Commas are not allowed in the name field. Both fields are required. If desired, add an Email Address for the role. This address can be used from workflows to direct email messages to the owner of certificates for uses such as certificate expiration alerts (assuming the certificate owner for the certificates, a security role, has been populated).

    In the Permission Set dropdown, select a permission set to apply to the role. For more information about permission sets, see Permission Sets .

    Note:  Selecting a permission set limits the permissions available for selection in the dialog to those supported by the permission set. If you select a permission set other than the Global permission set, some permissions may not appear in the dialogs. This includes the CollectionClosed The certificate search function allows you to query the Keyfactor Command database for certificates from any available source based on any criteria of the certificates and save the results as a collection that will be availble in other places in the Management Portal (e.g. expiration alerts and certain reports). Permissions, Container Permissions and PAMClosed PAM (Privileged Access Management): Controls privileged access by vaulting credentials, enforcing least-privilege/just-in-time access, rotating secrets, and auditing sessions. Across Keyfactor products, PAM protects diverse sensitive operations and secrets—for example certificate stores and CA credentials—via built-in or third-party providers; external integrations are delivered as custom PAM extensions (several published on Keyfactor’s public GitHub). Provider Permissions tabs, which only appear if the permissions for these are included in the selected permission set.

    If you change the permission set for a role after permissions have already been granted for the role, any permissions not contained in the new permission set will be removed from the role upon save.

    On the Global Permissions tab, check the boxes for the permissions that are appropriate for the new role (see Security Role Permissions).

    Figure 416: Grant Global Permissions to a Security Role

    Tip:  If desired, use the dropdown at the top to enable all the Read boxes (Read Only) or All the boxes (Select All). Click Apply to apply the selection in the dropdown across all permissions. Click Reset to return the dialog to the state it was in when last saved and remove any changes made since opening the permissions for editing. Click Clear to uncheck all the boxes.
    Note:  For the most part, when you grant Modify role permissions to an area in the Management Portal, you must also grant Read role permissions to that same area for that security role to receive full functionality. Granting Modify without Read to a user or a group can result in unexpected behavior. See also Certificate Collection Permissions.
    Note:  Security roles for SSHClosed The SSH (secure shell) protocol provides for secure connections between computers. It provides several options for authentication, including public key, and protects the communications with strong encryption. key management are structured somewhat differently than those for most of the rest of the product set, as they don't use the standard Read and Modify convention. For more information, see SSH Permissions.

    Optionally, on the Collection Permissions tab, highlight each certificate collection you would like to set permissions for and click the toggle button for each desired permission (see Certificate Collection Permissions). If you do not opt to set permissions on any collections, the permissions set on the Global Permissions tab will apply to all collections.

    Along the top of the Collection Permissions tab, you can see the system-wide certificate collection permissions that have been configured. This is useful for reference. The system-wide settings may also be edited from this tab, if desired.

    Any permissions that have been enabled at the system-wide level will not be available for configuration at the collection-level. Toggles for these will be grayed out.

    Tip:  The search bar at the top of Collection Name column on the collections tab can make it easier to find collections if you have a large number of them.

    Figure 417: Grant Collection Permissions to a Security Role

    Optionally, on the Container Permissions tab, highlight each certificate store container you would like to set permissions for and click the toggle button for each desired permission (see Container Permissions). If you do not opt to set permissions on any certificate store containers, the permissions set on the Global Permissions tab will apply to all certificate store containers.

    Note:  Unlike PAM and certificate collection permissions, container permissions are not explicitly listed under global permissions. Instead, they are entirely embedded within certificate store permissions and are not separately highlighted in the certificate store permissions section.
    Tip:  The search bar at the top of Container Name column on the containers tab can make it easier to find certificate store containers if you have a large number of them.

    Figure 418: Grant Container Permissions to a Security Role

    Optionally, on the PAM Provider Permissions tab, highlight each PAM provider you would like to set permissions for and click the toggle button for each desired permission (see PAM Permissions). If you do not opt to set permissions on any PAM providers, the permissions set on the Global Permissions tab will apply to all PAM providers.

    Figure 419: Grant PAM Provider Permissions to a Security Role

    Tip:  The search bar at the top of PAM Provider Name column on the PAM Provider Permissions tab can make it easier to find PAM providers if you have a large number of them.
  4. Click Save to save the role.
Tip:  The following permissions (see Security Roles and Claims) are required to use this feature:
Security > Modify
Security > Read

To copy a security role:

  1. In the Management Portal, browse to System Settings Icon > Security Roles and Claims.
  2. On the Security Roles and Claims page, select the Security Role tab. Highlight a row and click Copy from the top of the grid or from the right click menu to copy an existing role.

  3. Give the new role a Name and Description.

    Note:  Copying a security role will also assign the new role to all the same security claims as the original role.
  4. Click Save to save the new role.
Note:  The Administrators role cannot be copied.
Tip:  The following permissions (see Security Roles and Claims) are required to use this feature:
Security > Modify
Security > Read

To delete a security role:

  1. In the Management Portal, browse to System Settings Icon > Security Roles and Claims.
  2. On the Security Roles and Claims page, select the Security Role tab. Highlight a row and click Delete from the top of the grid or from the right click menu to delete an existing role.
  3. Click OK to the Confirm Operation message.
Note:  The Administrators role cannot be edited or deleted. A security role cannot be deleted if it is set as the owner of a certificate or as the Default Certificate Owner Role Name in a certificate templateClosed A certificate template defines the policies and rules that a CA uses when a request for a certificate is received. or system-wide settings policy.