
Scopes and service account permissions

Scopes define the permissions and access levels for service accounts, determining what actions a service account can take and which resources it can access. In Venafi Control Plane, service accounts are also referred to as use cases.

The following table lists the scopes available for each service account.

| Scope Name | Scope ID | Purpose | Service Accounts (Use Cases) |
| --- | --- | --- | --- |
| Certificate Issuance | certificate-issuance | Enables issuing of new certificates using CyberArk APIs. | Custom API Integration |
| Certificates Discovered on Kubernetes Clusters | venafi-tlspdc | Enables your CyberArk Certificate Manager - Self-Hosted instance to connect to CyberArk Certificate Manager for Kubernetes and retrieve certificates discovered on Kubernetes clusters. | Certificate Manager - Self-Hosted |
| cert-manager Components | oci-registry-cm | Grants access to manage enterprise-level components within cert-manager. | OCI Registry |
| Distributed Issuance | distributed-issuance | Allows issuing of certificates across multiple systems or environments. | Workload Identity Management, Discovery Agent |
| Enterprise Approver Policy Component for cert-manager | oci-registry-cm-ape | Enables management of approval policies within cert-manager. | OCI Registry |
| Enterprise Issuer Component for cert-manager | oci-registry-cm-vei | Allows management of the Enterprise Issuer for CyberArk Certificate Manager components within cert-manager. | OCI Registry |
| Kubernetes Discovery | kubernetes-discovery | Enables discovery and identification of Kubernetes resources. | Workload Identity Management, Discovery Agent |
| OpenShift Routes Component for cert-manager | openshift-routes | Grants access to the OpenShift Routes for cert-manager component. | OCI Registry |
| Service Account Write | svcaccount-write | Allows creation of service accounts for the other use cases listed here. You can use the API or CLI to create a service account with this scope. | Discovery Agent |

Who can create and manage service accounts?

Service accounts are tenant-wide, meaning they are accessible and manageable across the entire tenant, subject to the permissions associated with your assigned role. Permissions vary significantly among roles, particularly regarding the ability to create, view, change, or delete service accounts.

| Role | Permissions |
| --- | --- |
| Resource Owner | Can create, view, modify, and delete service accounts, but only those owned by a team to which the Resource Owner belongs. |
| PKI Administrator | Can create, view, modify, and delete all service accounts, regardless of ownership. |
| System Administrator | Can create, view, modify, and delete all service accounts, regardless of ownership. |
| Guest | Cannot view or manage service accounts. |

API Reference