
Creating new Teams

Creating teams and adding team members is easy. But before you start creating teams, consider the following:

  • Who do you want to add as team owners?

  • Who do you want to add as team members?

  • What role do you plan to assign to your team so that team members can do their work most effectively?

  • If you're using SSO, does your SSO solution return additional information (called claims) about your users that can be used to assign users to teams?

About role assignments and Teams

Within TLS Protect Cloud, user roles are assigned to users individually. This can be done either manually by an administrator, or it can be done automatically based on team membership.

A user can't be assigned multiple roles within a single TLS Protect Cloud product. When a user is added to a team (either automatically or manually), TLS Protect Cloud examines the current role assigned to the user. If the user role is different than the role associated with the Team, TLS Protect Cloud changes the user's role to the role associated with the team automatically. If the user belongs to multiple Teams, TLS Protect Cloud calculates the highest privilege role from the set of Teams to which the user belongs, and then assigns the user to that role.

For example, suppose you have 2 teams: TeamA and TeamB. TeamA is configured with the PKI Administrator role while TeamB is configured with the Resource Owner role. Alan is a user in TLS Protect Cloud who is currently assigned the Guest role. Alan is then added to TeamA and TeamB by each team's respective owners. The result is that Alan's new role in TLS Protect Cloud is PKI Administrator.


Users who are removed from all teams are demoted to the lowest privileged Guest role automatically.
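
The following added example (not Venafi code or part of the original documentation) models the rules above for a least-privilege review: it computes each user's effective role, names the teams that grant it, and shows the role a user would hold after removal from one team. The privilege ordering, the data layout, and the function names are assumptions made for illustration; the sample data is constructed from the TeamA/TeamB example.

```python
# Added example: models the team role rules described above; not Venafi code.
# ASSUMPTION: privilege order from lowest to highest. The page states only that
# Guest is lowest and that PKI/System Administrator outrank Resource Owner.
ROLE_ORDER = ["Guest", "Resource Owner", "PKI Administrator", "System Administrator"]
RANK = {role: i for i, role in enumerate(ROLE_ORDER)}


def effective_role(user, teams):
    """Return (role, granting_teams) for a user whose role is team-driven.

    teams maps team name -> {"role": str, "members": set of user names}.
    A user who belongs to no team is treated as Guest.
    """
    memberships = {n: t["role"] for n, t in teams.items() if user in t["members"]}
    if not memberships:
        return "Guest", []
    top = max(memberships.values(), key=RANK.__getitem__)
    return top, sorted(n for n, r in memberships.items() if r == top)


def role_after_removal(user, team_name, teams):
    """Role the user would hold after being removed from one team."""
    trimmed = {
        n: {"role": t["role"],
            "members": t["members"] - {user} if n == team_name else t["members"]}
        for n, t in teams.items()
    }
    return effective_role(user, trimmed)[0]


def audit(teams):
    """Map every team member to (effective role, teams that grant it)."""
    users = set().union(*(t["members"] for t in teams.values()))
    return {u: effective_role(u, teams) for u in sorted(users)}


# Constructed sample data mirroring the TeamA/TeamB example on this page.
TEAMS = {
    "TeamA": {"role": "PKI Administrator", "members": {"alan"}},
    "TeamB": {"role": "Resource Owner", "members": {"alan", "beth"}},
}

if __name__ == "__main__":
    for user, (role, granted_by) in audit(TEAMS).items():
        print(f"{user}: {role} (via {', '.join(granted_by)})")
    print("alan without TeamA:", role_after_removal("alan", "TeamA", TEAMS))
```

Reviewing the granting teams for each high-privilege user shows which single membership is responsible for that privilege.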

To create a new team

  1. Sign in to Venafi Control Plane.
  2. Click Settings > Teams.
  3. Click New.
  4. (Required) On the New Team page, type a name for your team in Team.
  5. (Required) Click Owner and select the people who you want to assign as team owners.

    Repeat this step to add additional owners.

    About team owners

    Team owners are users who are authorized to edit the team itself. Team owners are not added as team members automatically.

  6. (Required) Click Role and select the role to assign to team members.

    About assigning roles to teams

    When creating a team, you cannot assign a role to the team that is higher privileged than the role assigned to your user account. For example, if Alan is assigned the Resource Owner role, he can't create a team with the PKI Administrator or System Administrator roles. Learn more about user roles.

  7. (Optional) Click Members to add users to the team.

    A team can contain a combination of SSO and local users. Local users are users who sign in to TLS Protect Cloud with a username/password configured in TLS Protect Cloud.

    Additionally, new users can be added to a team by using the Invite Team Members button. The invitation link can be shared with anyone in your organization who does not have a TLS Protect Cloud account. Once a user creates a new TLS Protect Cloud account using the invitation link, they are added to the team automatically.

  8. (Conditional) If SSO is enabled, define your team membership rules to organize your users into teams automatically.

    As you specify your membership rules, keep the following in mind:

    • In the Claim name field, make sure that you enter the exact name of your AD group.
    • Claim rules are AND rules, so if you specify multiple rules, ALL of them must be met for a user to meet the criteria and be added to the team.
    • Carefully review the team membership rule guidelines; which operators you select can determine whether users are assigned correctly.

    You can skip this step and come back to it later, or you can let the team owners specify membership rules.

  9. Click Save.