Scopes and service account permissions¶
Scopes define the permissions and access levels for service accounts, determining what actions a service account can perform and what resources it can access. Here is a table of the current scopes available for each type of service account (also referred to as use cases):
| Scope Name | Scope ID | Purpose | Relevant Service Accounts (Use Cases) |
|---|---|---|---|
| Distributed Issuance | distributed-issuance | Allows issuing of certificates across multiple systems or environments. | Firefly, Kubernetes Agent |
| Kubernetes Discovery | kubernetes-discovery | Enables discovery and identification of Kubernetes resources. | Firefly, Kubernetes Agent |
| cert-manager Components | oci-registry-cm | Grants access to manage Enterprise-level components within cert-manager. | Venafi Registry |
| Venafi Enhanced Issuer Component for cert-manager | oci-registry-cm-vei | Allows management of the Enterprise Issuer for CyberArk Certificate Manager components within cert-manager. | Venafi Registry |
| Approver Policy Enterprise Component for cert-manager | oci-registry-cm-ape | Enables management of approval policies within cert-manager. | Venafi Registry |
| Certificate Issuance | certificate-issuance | Permits the issuing of new certificates using Venafi APIs. | Custom API Integration |
Who can create and manage service accounts?¶
Service accounts are tenant-wide, meaning they are accessible and manageable across the entire tenant, subject to the permissions associated with your assigned role. Permissions vary significantly among roles, particularly regarding the ability to create, view, change, or delete service accounts.
| Role | Permissions |
|---|---|
| Resource Owner | Can create, view, modify, and delete service accounts, but only for those owned by a team to which the Resource Owner belongs. |
| PKI Administrator | Can create, view, modify, and delete all service accounts, regardless of ownership. |
| System Administrator | Can create, view, modify, and delete all service accounts, regardless of ownership. |
| Guest | Cannot view or manage service accounts. |
Related links¶
- Reference: supported JWT signing algrithms
- Creating a Firefly or Kubernetes Agent service account
- Creating a Venafi Registry service account
- Creating a TLS Protect Datacenter service account
- Creating a Custom API Integration service account
- Toggling service accounts on or off
- Editing service account settings
- Deleting service accounts
API Reference