About organizations and roles
Manage access to Zero Touch PKI with organizations and roles. Organizations are logical groupings for users and certificate policies, while roles are static permission sets for users. Combine organizations with roles for greater control over account access and reporting.
Organizations
The two standard groupings for organizations are by connector and business unit. For example, create organizations for the Auto Enrollment Connector, Microsoft Intune, and Jamf Pro. Or, create them for Sales, Development, and Information Security.
Users can only see resources in their own organizations.
Roles
Roles define permitted actions and fall into three levels:
- Account level: Access to the full account as an admin or auditor.
- Organization level: Access to an organization as an admin or auditor.
- Least privilege: Access to certificate requests, either for a human user or an API service account.
Example: Organizations and roles
The following diagram shows an account with connector‑scoped organizations. Each organization includes two certificate policies (for example, user and device for Microsoft Intune). Users with the Requestor role and API service accounts with the Service Requestor role submit certificate requests based on these policies. Admins approve requests as needed.
Next steps
To get started, add users to your account.
