Keyfactor Command Security Design Considerations

As you create your security design, be sure to cover the following:

  • Determine the list of users, groups, and other entities who will have access to Keyfactor Command. Access in Keyfactor Command is based on identity provider users and groups or roles (see Identity Providers). These will be used to create Security Claims in Keyfactor Command to which Security Roles will be assigned.

    Note:   If you require only one layer of security (all users will have full access) you may wish to simply use the Administrator role that was created during installation (see Administrative Users Tab).
    Note:  When defining the users and groups you will use to form claims, consider whether you will have a one-to-one or one-to many relationship between Claims and Roles.
  • Define the naming convention for Security Roles. Menu access and certificate security will be assigned to Roles which in turn will be applied to Security Claims.
  • Determine the Keyfactor Command menu access and Keyfactor APIClosed An API is a set of functions to allow creation of applications. Keyfactor offers the Keyfactor API, which allows third-party software to integrate with the advanced certificate enrollment and management features of Keyfactor Command. access as well as the level of functionality you want to apply to each Role using the permissions information found Security Role Permissions.
  • If you need a further level of control beyond Security Roles, consider Permission Sets. Permission sets are containers which allow you to organize roles and compartmentalize permissions. They can only be configured through the Keyfactor API (see Permission Sets).
  • Determine certificate security based on collections and certificate store permissions based on containers, if any. See below for more information.

When designing a container permission scheme, you need to think first about whether you want your users to have access to all the certificate stores in your Keyfactor Command database or whether you need to limit your users to having access to only a subset of your stores. If you're comfortable granting access to all the stores, you can use the global Read permission. If you're not comfortable with this, you need to use container-level permissions and grant Read permissions on a container-by-container basis. These can be granted separately on a group-by-group (or user-by-user) basis, so group A can be granted global Read while group B is only granted Read to a certain container.

Next, you need to think about what you want your users to be able to do with the stores they have access to. By granting Read access to the stores, you're allowing your users to browse to the certificate stores page and see all the stores and containers that they've been granted access to, but they can perform no operations related to the stores. These are controlled with additional permissions (see below) that can also be set either globally or on a container-by-container basis. You can combine global and container-level security.

Example:  You've decided that you need to use container-level security at the Read level on three different containers rather than granting global Read to your Web Server Managers group. You want these users to be able to push new certificates out to certificate stores in the IIS Personal, PEMClosed A PEM format certificate file is a base64-encoded certificate. Since it's presented in ASCII, you can open it in any text editor. PEM certificates always begin and end with entries like ---- BEGIN CERTIFICATE---- and ----END CERTIFICATE----. PEM certificates can contain a single certificate or a full certifiate chain and may contain a private key. In general, extensions of .cer and .crt are certificate files with no private key, .key is a separate private key file, and .pem is both a certificate and private key. and Java containers but not to stores on your F5 and NetScaler devices. You could either grant them the Schedule permission on a container-by-container basis or you could grant them the global Schedule permission for Certificate Store Management. Since the users have neither the global Read permission nor container permission for the containers for the F5 and NetScaler devices, these two settings would accomplish the same goal.

In addition to the permissions that must be considered when designing a permission scheme for certificate stores, you must also give consideration to permissions for certificates. Users must have permissions to certificates in order to use the certificate store operations. See Certificate Collection Permissions and Container Permissions.

Note:  Setting permissions on a container-by-container basis automatically grants the lower permissions (e.g. setting Schedule automatically grants Read). The same is not true for permissions set at the global level.

Any containers that do not have container-by-container permissions applied fall back to the global permissions, if any global permissions have been set.

When designing a certificate permission scheme, you need to think first about whether you want your users to have access to all the certificates in your Keyfactor Command database or whether you need to limit your users to having access to only a subset of your certificates. If you're comfortable granting access to all the certificates, you can use the global Read permission. If you're not comfortable with this, you need to use collectionClosed The certificate search function allows you to query the Keyfactor Command database for certificates from any available source based on any criteria of the certificates and save the results as a collection that will be availble in other places in the Management Portal (e.g. expiration alerts and certain reports).-level permissions and grant Read permissions on a collection-by-collection basis. These can be granted separately on a group-by-group (or user-by-user) basis, so group A can be granted global Read while group B is only granted Read to a certain collection.

Next, you need to think about what you want your users to be able to do with the certificates they can view. There are certificate operation permissions (see Certificate Collection Permissions) that you can set that control what your users can do with the certificates. These can be set either globally or on a collection-by-collection basis. You can combine global and collection-level security.

Example:  You've decided that you need to use collection-level security at the Read level on four different collections to grant Read access to your PKIClosed A public key infrastructure (PKI) is a set of roles, policies, and procedures needed to create, manage, distribute, use, store and revoke digital certificates and manage public-key encryption. Help Desk group and will not grant them global Read permissions. You also want these users to be able to edit the metadataClosed Metadata provides information about a piece of data. It is used to summarize basic information about data, which can make working with the data easier. In Keyfactor Command, the certificate metadata feature allows you to create custom metadata fields that allow you to tag certificates with tracking information about certificates. fields of the certificates in all four of these collections. You could either grant them the Edit Metadata permission on a collection-by-collection basis or you could grant them the global Edit Metadata permission. Since the users don't have the global Read permission (and thus can't read the other collections), these two settings would accomplish the same goal.

At the global level, the Certificates Read role permission grants access to both the certificate search page and all certificate collections. Users who have been granted only collection-level Read permissions and not global Read permissions have access only to the collections to which they have been granted access and not to the certificate search page. See Security Role Permissions and Certificate Collection Permissions.

In addition to the Certificates role permissions that must be considered when designing a permission scheme for certificates, you must also give consideration to the Certificate Collections and Certificate Store Management global role permissions.

  • Enabling the Certificate Collections Modify global role permission allows users to use the Save, Save As and Delete buttons for a collection. This allows users to create new certificate collections based on existing collections (Save As), delete existing collections (Delete), or modify select settings about an existing collection (Save). Typically, Certificate Collections permissions would only be granted to users who also had at least global Read permissions to allow them to do certificate searches from which to create new collections.

  • You will need to consider the Certificate Store Management role permissions if you use certificate stores and want any of your limited access users to make use of the Add to Certificate Store, Remove from Certificate Store, or Renew/Reissue operations on certificates. These certificate operations are only available to users who have also been granted the Read and Schedule role permissions for Certificate Store Management. Permissions to certificate stores can be granted either globally or via container security (see Certificate Collection Permissions and Container Permissions).