Scopes and service account permissions¶
Scopes define the permissions and access levels for service accounts, determining what actions a service account can take and which resources it can access. In Venafi Control Plane, service accounts are also referred to as use cases.
The following table lists the scopes available for each service account.
| Scope Name | Scope ID | Purpose | Service Accounts (Use Cases) |
|---|---|---|---|
| Certificate Issuance | certificate-issuance | Enables issuing of new certificates using CyberArk APIs. | Custom API Integration |
| Certificates Discovered on Kubernetes Clusters | venafi-tlspdc | Enables your CyberArk Certificate Manager - Self-Hosted instance to connect to CyberArk Certificate Manager for Kubernetes and retrieve certificates discovered on Kubernetes clusters. | Certificate Manager - Self-Hosted |
| cert-manager Components | oci-registry-cm | Grants access to manage enterprise-level components within cert-manager. | OCI Registry |
| Distributed Issuance | distributed-issuance | Allows issuing of certificates across multiple systems or environments. | Workload Identity Management, Discovery Agent |
| Enterprise Approver Policy Component for cert-manager | oci-registry-cm-ape | Enables management of approval policies within cert-manager. | OCI Registry |
| Enterprise Issuer Component for cert-manager | oci-registry-cm-vei | Allows management of the Enterprise Issuer for CyberArk Certificate Manager components within cert-manager. | OCI Registry |
| Kubernetes Discovery | kubernetes-discovery | Enables discovery and identification of Kubernetes resources. | Workload Identity Management, Discovery Agent |
| OpenShift Routes Component for cert-manager | openshift-routes | Grants access to the OpenShift Routes for cert-manager component. | OCI Registry |
| Service Account Write | svcaccount-write | Allows creation of service accounts for the other use cases listed here. You can use the API or CLI to create a service account with this scope. | Discovery Agent |
Who can create and manage service accounts?¶
Service accounts are tenant-wide, meaning they are accessible and manageable across the entire tenant, subject to the permissions associated with your assigned role. Permissions vary significantly among roles, particularly regarding the ability to create, view, change, or delete service accounts.
| Role | Permissions |
|---|---|
| Resource Owner | Can create, view, modify, and delete service accounts, but only for those owned by a team to which the Resource Owner belongs. |
| PKI Administrator | Can create, view, modify, and delete all service accounts, regardless of ownership. |
| System Administrator | Can create, view, modify, and delete all service accounts, regardless of ownership. |
| Guest | Cannot view or manage service accounts. |
Related links¶
- Reference: supported JWT signing algorithms
- Creating an Issuer or Kubernetes Agent service account
- Creating a CyberArk Registry service account
- Creating a Certificate Manager - Self-Hosted service account
- Creating a Custom API Integration service account
- Toggling service accounts on or off
- Editing service account settings
- Deleting service accounts
API Reference