Skip to content

About user roles

Venafi as a Service is built around role-based access. If you need to elevate or decrease a user's permissions, simply change the role assigned to her or his user account.


Venafi as a Service assigns the System Administrator role to the first three (3) enrolled users automatically. Subsequent users are assigned the Guest role. This ensures that there is more than one user account with the System Administrator role assigned to it when your company account is first created. And it also also provides administrator account redundancy. At least one user account must have the System Administrator role.

User roles available today include the following:

  • System Administrator: the Administrator has full permissions to all features and functionality in the product. This user has access to system-level settings and can create Issuing Templates. This role has rights to everything as well as access to Venafi Cloud APIs.

  • PKI Administrator:This person has access to manage PKI-related resources such as creating Issuing Templates, setting up CA accounts, and managing user roles.

  • Resource Owner: This person has system-wide read-only access to all resources in the system but has read/write/delete permission for resources that he or she owns. Resource owners have the ability to approve operations on resources they own.

  • Guest: This user has permission to request certificates. This person has system-wide read-only access to all resources in the system.

Last update: November 10, 2021