About user roles
TLS Protect Cloud is built around role-based access. To elevate or reduce a user's permissions, change the role assigned to that user's account.
TLS Protect Cloud automatically assigns the Admin role to the first three (3) enrolled users; subsequent users are assigned the Guest role. This ensures that more than one user account holds the Admin role when your company account is first created, which provides administrator account redundancy. At least one user account must have the Admin role at all times.
User roles available today include the following:
Admin: Users assigned the Admin role have full permissions to all features and functionality in the product, including system-level settings and the ability to create Issuing Templates. This role has rights to everything, as well as access to the TLS Protect Cloud APIs.
PKI Administrator: This role has access to manage PKI-related resources, such as creating Issuing Templates, setting up CA accounts, and managing user roles.
Resource Owner: This role has system-wide read-only access to all resources in the system, and read/write/delete permission only for the resources they own.
Learn more about the Resource Owner role
TLS Protect Cloud empowers Resource Owners to manage their own applications and associated certificates, while limiting access to resources that are beyond their scope of responsibility.
Resource Owner permissions
Dashboard
- View consolidated statistics for all certificates
Inventory > Certificates
- Import new certificates and assign them to Applications owned by the Resource Owner
- Assign existing certificates that are not assigned to any Application
- Assign and reassign existing certificates that are assigned to at least one Application owned by the Resource Owner
- Clear certificate assignments from Applications owned by the Resource Owner
- Retire certificates that are assigned to an Application owned by the Resource Owner
- View and download all certificates
- Recover retired certificates if assigned to an application owned by the Resource Owner
- View only certificates owned by the Resource Owner by applying the "My Certificates" filter
- Download certificates and private key (keystores) if VaaS has generated the private key and if the certificate is assigned to an Application owned by the Resource Owner
- Create, assign, and remove tags for certificates that belong to an application owned by the Resource Owner
Inventory > TLS Server Endpoints
- View TLS server endpoints
Inventory > Trusted CA Certificates
- View and download CA certificates
Inventory > Certificate Requests
- Create new requests; the request must specify an application they own, and the certificate is assigned to that application
- View certificate requests for all applications
- Resubmit failed certificate signing requests for applications you own
- Create new applications
- Edit applications they own, including adding additional owners
- Remove themselves as owner (provided the application has at least one additional owner)
- Delete applications they own
- Invite new users to your tenant account and make them owners of applications they own; or if you're using SSO, just assign applications to existing users
- View applications they don't own
- Create new machines, as long as the user is the machine owner or a member of a team that owns the machine
- Edit machines, as long as the user is the machine owner or a member of a team that owns the machine
- Delete machines, as long as the user is the machine owner or a member of a team that owns the machine
- View machines they don't own
Settings > Issuing Templates
- View certificate issuing templates
Settings > Users
- View existing users
- Invite new users
Settings > Teams
- View existing teams
- Create new teams
- Edit applications they own
Settings > Event Log
- View, filter, and export the event log
New > Certificate Request
- Request new certificates for applications you own
Platform Administrator: Users assigned the Platform Administrator role have full access to manage all Kubernetes clusters, including the service accounts used to access enterprise-level Venafi Kubernetes components. These users also have access to the private Venafi OCI registry, which lets them manage and secure Kubernetes integrations.
Guest: This user has read-only access to items such as certificates, certificate requests, TLS server endpoints, applications, and activity logs.
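The scoping rules above (first three enrolled users become Admin, at least one Admin must remain, and a Resource Owner may act on a certificate, private key, application or machine only through an ownership relationship) can be modelled as a small authorization policy. The following is an added example written for this page; it is not Venafi code and does not use the TLS Protect Cloud API. The data classes, the `Tenant` class and every method name are assumptions made for illustration, and the PKI Administrator and Platform Administrator roles are deliberately left out because the page does not spell out their certificate permissions.

```python
"""Toy model of TLS Protect Cloud role scoping (illustrative, not Venafi code)."""
from dataclasses import dataclass, field

ADMIN = "Admin"
RESOURCE_OWNER = "Resource Owner"
GUEST = "Guest"


@dataclass
class User:
    name: str
    role: str
    teams: set = field(default_factory=set)          # names of teams the user belongs to


@dataclass
class Application:
    name: str
    owners: set                                      # user names


@dataclass
class Certificate:
    common_name: str
    applications: set = field(default_factory=set)   # applications it is assigned to
    key_generated_by_service: bool = False           # True when the service made the key


@dataclass
class Machine:
    name: str
    owner: str                                       # a user name or a team name


class Tenant:
    """Assumed container for users and applications in one company account."""

    def __init__(self):
        self.users = {}
        self.applications = {}

    def enroll(self, name):
        """First three enrolled users get Admin; later users get Guest (from the page)."""
        role = ADMIN if len(self.users) < 3 else GUEST
        self.users[name] = User(name, role)
        return role

    def change_role(self, name, new_role):
        """Refuse to demote the last remaining Admin; at least one must stay."""
        user = self.users[name]
        admins = sum(1 for u in self.users.values() if u.role == ADMIN)
        if user.role == ADMIN and new_role != ADMIN and admins == 1:
            raise PermissionError("at least one user must keep the Admin role")
        user.role = new_role

    def owned_apps(self, user):
        return {a.name for a in self.applications.values() if user.name in a.owners}

    def can_assign_certificate(self, user, cert):
        """Resource Owners may claim unassigned certificates or re-assign ones
        already attached to at least one application they own."""
        if user.role == ADMIN:
            return True
        if user.role != RESOURCE_OWNER:
            return False
        return not cert.applications or bool(cert.applications & self.owned_apps(user))

    def can_download_private_key(self, user, cert):
        """Keystore download needs a service-generated key and an owned application."""
        if user.role == ADMIN:
            return True
        return (user.role == RESOURCE_OWNER
                and cert.key_generated_by_service
                and bool(cert.applications & self.owned_apps(user)))

    def can_remove_self_as_owner(self, user, app):
        """An owner may step down only if another owner remains."""
        return user.name in app.owners and len(app.owners) > 1

    def can_edit_machine(self, user, machine):
        """Machine edits need direct ownership or membership of the owning team."""
        if user.role == ADMIN:
            return True
        if user.role != RESOURCE_OWNER:
            return False
        return machine.owner == user.name or machine.owner in user.teams


def demo():
    """Walk the rules with constructed sample data and return the decisions."""
    t = Tenant()
    roles = [t.enroll(n) for n in ("alice", "bob", "carol", "dave")]
    t.change_role("dave", RESOURCE_OWNER)
    dave = t.users["dave"]
    dave.teams.add("ops-team")
    t.applications["payments"] = Application("payments", {"dave", "erin"})
    t.applications["billing"] = Application("billing", {"erin"})
    t.applications["solo"] = Application("solo", {"dave"})
    unassigned = Certificate("new.example.test")
    pay_cert = Certificate("pay.example.test", {"payments"}, key_generated_by_service=True)
    bill_cert = Certificate("bill.example.test", {"billing"})
    # Demote two admins, then confirm the third cannot be demoted.
    t.change_role("alice", GUEST)
    t.change_role("bob", GUEST)
    try:
        t.change_role("carol", GUEST)
        last_admin_guard = False
    except PermissionError:
        last_admin_guard = True
    return {
        "roles": roles,
        "assign_unassigned": t.can_assign_certificate(dave, unassigned),
        "assign_owned": t.can_assign_certificate(dave, pay_cert),
        "assign_foreign": t.can_assign_certificate(dave, bill_cert),
        "key_owned": t.can_download_private_key(dave, pay_cert),
        "key_foreign": t.can_download_private_key(dave, bill_cert),
        "remove_self_ok": t.can_remove_self_as_owner(dave, t.applications["payments"]),
        "remove_self_last": t.can_remove_self_as_owner(dave, t.applications["solo"]),
        "machine_team": t.can_edit_machine(dave, Machine("web-01", "ops-team")),
        "machine_other": t.can_edit_machine(dave, Machine("db-01", "erin")),
        "last_admin_guard": last_admin_guard,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the model is that every write decision for a Resource Owner resolves through an ownership set rather than a role name alone, which is what keeps a Resource Owner from touching certificates, keys or machines outside their scope even though they can read everything.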