Skip to content

About user roles

TLS Protect Cloud is built around role-based access. If you need to elevate or decrease a user's permissions, simply change the role assigned to her or his user account.


TLS Protect Cloud assigns the System Administrator role to the first three (3) enrolled users automatically. Subsequent users are assigned the Guest role. This ensures that there is more than one user account with the System Administrator role assigned to it when your company account is first created. And it also provides administrator account redundancy. At least one user account must have the System Administrator role.

User roles available today include the following:

  • System Administrator: Users assigned the System Administrator role have full permissions to all features and functionality in the product. This user has access to system-level settings and can create Issuing Templates. This role has rights to everything as well as access to TLS Protect Cloud APIs.

  • PKI Administrator: This role has access to manage PKI-related resources such as creating Issuing Templates, setting up CA accounts, and managing user roles.

  • Resource Owner: This role has system-wide read-only access to all resources in the system but has read/write/delete permission for resources that he or she owns. Resource Owners have the ability to perform operations on resources they own.

    Learn more about the Resource Owner role

    TLS Protect Cloud empowers Resource Owners to manage their own applications and associated certificates, while limiting access to resources that are beyond their scope of responsibility.

    Resource Owner permissions

    TLS Protect Cloud Page Permissions
    • View consolidated statistics for all certificates
    Inventory > Certificates
    • Import new certificates and assign them to Applications owned by the Resource Owner
    • Assign existing certificates that are not assigned to any Application
    • Assign and reassign existing certificates that are assigned to at least one Application owned by the Resource Owner
    • Clear certificate assignments from Applications owned by the Resource Owner
    • Retire certificates that are assigned to an Application owned by the Resource Owner
    • View and download all certificates
    • Recover retired certificates if assigned to an application owned by the Resource Owner
    • View only certificates owned by the Resource Owner by applying the "My Certificates" filter
    • Download certificates and private key (keystores) if TLS Protect Cloud has generated the private key and if the certificate is assigned to an Application owned by the Resource Owner
    • Create, assign, and remove tags for certificates that belong to an application owned by the Resource Owner
    Inventory > TLS Server Endpoints
    • View TLS server endpoints
    Inventory > Trusted CA Certificates
    • View and download CA certificates
    Inventory > Certificate Requests
    • Create new requests. Must specify an application they own and assign the certificate to this application
    • View certificate requests for all applications
    • Resubmit failed certificate signing requests for applications you own
    • Create new applications
    • Edit applications they own, including adding additional owners
    • Remove themselves as owner (provided the application has at least one additional owner)
    • Delete applications they own
    • Invite new users to your tenant account and make them owners of applications they own; or if you're using SSO, just assign applications to existing users
    • View applications they don't own
    • Create new machines, as long as a user is an owner or member of a team that is the machine owner
    • Edit machines, as long as a user is an owner or member of a team that is the machine owner
    • Delete machines, as long as a user is an owner or member of a team that is the machine owner
    • View machines they don't own
    Settings > Issuing Templates
    • View certificate issuing templates
    Settings > Users
    • View existing users
    • Invite new users
    Settings > Teams
    • View existing teams
    • Create new teams
    • Edit applications they own
    Settings > Event Log
    • View, filter, and export the event log
    New > Certificate Request
    • Request new certificates for applications you own
  • Platform Administrator: Users assigned the Platform Administrator role are granted comprehensive access to manage all Kubernetes clusters. This includes the authority to handle service accounts crucial for accessing enterprise-level Venafi Kubernetes components. Additionally, these users have access to the private Venafi OCI registry, allowing them to efficiently manage and secure Kubernetes integrations.

  • Guest: This user has read-only access to items such as certificates, certificate requests, TLS server endpoints, applications, and activity logs.