About user roles
TLS Protect Cloud is built around role-based access. If you need to elevate or reduce a user's permissions, change the role assigned to their user account.
Tip: TLS Protect Cloud automatically assigns the System Administrator role to the first three (3) enrolled users. Subsequent users are assigned the Guest role. This ensures that more than one user account holds the System Administrator role when your company account is first created, which provides administrator account redundancy. At least one user account must have the System Administrator role.
User roles available today include the following:

- System Administrator: Users assigned the System Administrator role have full permissions to all features and functionality in the product. This user has access to system-level settings and can create Issuing Templates. This role also has access to the TLS Protect Cloud APIs.
- PKI Administrator: This role has access to manage PKI-related resources, such as creating Issuing Templates, setting up CA accounts, and managing user roles.
- Resource Owner: TLS Protect Cloud empowers Resource Owners to manage their own Applications and associated certificates, while limiting access to resources that are beyond their scope of responsibility.
Resource Owner permissions:

Certificates shared by multiple Applications
Certificates can be assigned to multiple Applications. Resource Owners only need to own one of those Applications to take action on the certificate. Keep in mind that any action taken will affect all Applications using that certificate.

| Category | Permissions |
| --- | --- |
| Applications | View and edit Applications where the Resource Owner is listed as an owner; create new Applications |
| Certificate requests | View certificate requests for owned Applications; request new certificates for owned Applications |
| Certificates (unassigned certificates, and certificates assigned to owned Applications) | View; request; renew or reissue; revoke; retire; delete; assign; unassign; download certificates and keychains (for TLS Protect Cloud-generated certificates); import existing certificates; add tags; remove tags; validate |
| Certificate approval workflows | If the Resource Owner is assigned as an approver: |
| TLS server endpoints | View TLS endpoints linked to certificates for owned Applications |
| Trusted CA certificates | |
| Cloud keystores | View; create new keystores |
| Machines | View machines linked to teams where the Resource Owner is a member; create new machines |
| Issuing templates | View; assign templates to Applications (if the Resource Owner is listed as a Resource Consumer in the template) |
| Cloud providers | View; create new cloud providers |
- Platform Administrator: Users assigned the Platform Administrator role are granted comprehensive access to manage all Kubernetes clusters. This includes managing the service accounts used to access enterprise-level Venafi Kubernetes components. These users also have access to the private Venafi OCI registry, allowing them to manage and secure Kubernetes integrations.
- Guest: This user has read-only access to items such as certificates, certificate requests, TLS server endpoints, Applications, and activity logs.
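The role rules described on this page, as an added illustrative model rather than Venafi's own code or API: automatic role assignment for the first three enrolled users, the invariant that at least one System Administrator must remain when roles change, and the Resource Owner rule that owning one of the Applications sharing a certificate is enough to act on it while the action affects all of them. The `Tenant` class, its method names and the sample data are assumptions; role and action names follow the page.

```python
# Added illustrative model of the role rules on this page, not Venafi code.
# Role and action names follow the page; the Tenant data model is an assumption.
from dataclasses import dataclass, field

SYSTEM_ADMIN, PKI_ADMIN, RESOURCE_OWNER = "System Administrator", "PKI Administrator", "Resource Owner"
PLATFORM_ADMIN, GUEST = "Platform Administrator", "Guest"
ROLES = frozenset({SYSTEM_ADMIN, PKI_ADMIN, RESOURCE_OWNER, PLATFORM_ADMIN, GUEST})
# Actions a Resource Owner may take on unassigned certificates and on certificates
# assigned to an Application they own (from the permissions table above).
RESOURCE_OWNER_CERT_ACTIONS = frozenset({
    "view", "request", "renew", "reissue", "revoke", "retire", "delete", "assign",
    "unassign", "download", "import", "add_tag", "remove_tag", "validate"})

@dataclass
class Tenant:
    roles: dict = field(default_factory=dict)       # user -> role (one role per account)
    app_owners: dict = field(default_factory=dict)  # Application -> set of owning users
    cert_apps: dict = field(default_factory=dict)   # certificate -> set of Applications using it

    def enroll(self, user):
        """The first three enrolled users become System Administrators; later users are Guests."""
        if user in self.roles:
            raise ValueError(f"{user} is already enrolled")
        self.roles[user] = SYSTEM_ADMIN if len(self.roles) < 3 else GUEST
        return self.roles[user]

    def can_change_role(self, user, new_role):
        """False if the role is unknown or the change would leave no System Administrator."""
        if new_role not in ROLES or user not in self.roles:
            return False
        other_admins = [u for u, r in self.roles.items() if r == SYSTEM_ADMIN and u != user]
        return new_role == SYSTEM_ADMIN or bool(other_admins)

    def change_role(self, user, new_role):
        if not self.can_change_role(user, new_role):
            raise PermissionError("at least one user account must hold the System Administrator role")
        self.roles[user] = new_role

    def certificate_action_allowed(self, user, cert, action):
        """Returns (allowed, Applications using the certificate). A Resource Owner needs to
        own only one of those Applications, but any action affects all of them."""
        role, apps = self.roles.get(user), set(self.cert_apps.get(cert, set()))
        if role == SYSTEM_ADMIN:                            # full permissions to everything
            return True, apps
        if role == GUEST:                                   # read-only access
            return action == "view", apps
        if role != RESOURCE_OWNER or action not in RESOURCE_OWNER_CERT_ACTIONS:
            return False, apps                              # other roles: not described on this page
        owned = {a for a in apps if user in self.app_owners.get(a, set())}
        return (not apps or bool(owned)), apps              # unassigned, or at least one owned Application
```

The second element of the returned tuple is the full set of Applications the action would touch, so a caller can log or confirm the blast radius of a renew or revoke on a shared certificate.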