Skip to content

Scopes and service account permissions

Scopes define the permissions and access levels for service accounts, determining what actions a service account can perform and what resources it can access. Here is a table of the current scopes available for each type of service account (also referred to as use cases):

Scope Name Scope ID Purpose Relevant Service Accounts (Use Cases)
Distributed Issuance distributed-issuance Allows issuing of certificates across multiple systems or environments. Firefly, Kubernetes Agent
Kubernetes Discovery kubernetes-discovery Enables discovery and identification of Kubernetes resources. Firefly, Kubernetes Agent
Enterprise cert-manager Components oci-registry-cm Grants access to manage Enterprise-level components within cert-manager. Venafi Registry
Venafi Enhanced Issuer Component for cert-manager oci-registry-cm-vei Allows management of the Venafi Enhanced Issuer components within cert-manager. Venafi Registry
Approver Policy Enterprise Component for cert-manager oci-registry-cm-ape Enables management of approval policies within cert-manager. Venafi Registry
Certificate Issuance certificate-issuance Permits the issuing of new certificates using Venafi APIs. Custom API Integration

Who can create and manage service accounts?

Service accounts are tenant-wide, meaning they are accessible and manageable across the entire tenant, subject to the permissions associated with your assigned role. Permissions vary significantly among roles, particularly regarding the ability to create, view, change, or delete service accounts.

Role Permissions
Resource Owner Can create, view, modify, and delete service accounts, but only for those owned by a team to which the Resource Owner belongs.
PKI Administrator Can create, view, modify, and delete all service accounts, regardless of ownership.
System Administrator Can create, view, modify, and delete all service accounts, regardless of ownership.
Guest Cannot view or manage service accounts.

API Reference