List of permissions
DigiCert ONE enables you to create custom user roles if our preconfigured user roles do not meet a user's requirements. Permissions are specific to each DigiCert ONE manager.
DigiCert Private CA user permissions
Assign one or more DigiCert Private CA permissions when you create a custom role.
Account permissions for standard and service users
The following permissions are available in your account:
Permission | User can |
|---|---|
Manage CA accounts | View, select, and manage CAs within DigiCert Private CA accounts. |
View AIAs | View Authority Information Access (AIA) and Online Certificate Status Protocol (OCSP). |
Manage AIAs | View, select, and manage Authority Information Access (AIA) and Online Certificate Status Protocol (OCSP). |
Manage CA CRL | View, select, create, and manage Certificate Revocation List (CRL). |
View domain | View domains. |
Manage domain | View, select, create, and manage domains. |
Manage CA escrow recovery | Escrow CAs and recover them. |
View common CA database | View Common CA Database (CCADB) connections for public certificates. |
Manage common CA database | View, select, and manage Common CA Database (CCADB) connections for Public certificates. (DigiCert PKI Staff only) |
View default configurations | View and manage Roots and ICAs issuing configurations, such as Certificate Revocation List (CRL) and Online Certificate Status Protocol (OCSP) settings. |
Manage HSM management | View, select, and manage HSMs and partitions within DigiCert Private CA. |
View HSM partitions | View HSM partitions within DigiCert Private CA. |
View audit log | Review the actions taken in their DigiCert Private CA account audit logs. |
Permission | User can |
|---|---|
View CA | View Roots and Intermediate Certificate Authorities (ICAs) in related workflows. |
Manage CA | View, select, and manage Roots and Intermediate Certificate Authorities (ICAs) in related workflows. |
Manage revoke CA | User may request and approve/deny CA revocation requests |
View OCSP responder | View OCSP responders. |
Manage OCSP responder | User may create and manage OCSP responders |
View recover escrow key | View escrowed and recovered keys and certificates. |
Manage recover escrow key | Escrow keys and certificates and recover them. |
View certificate | View end-entity certificates |
View templates | View non-system templates to customize CAs and end-entities. |
Manage templates | View, select, and manage non-system templates to customize CAs and end-entities. |
System permissions for on-premises administration
For on-premises customers, these permissions are available for custom user roles used for system administration.
Permission | User can |
|---|---|
Manage CA accounts | View, select, and manage CAs within DigiCert Private CA accounts. |
View AIAs | View Authority Information Access (AIA) and Online Certificate Status Protocol (OCSP). |
Manage AIAs | View, select, and manage Authority Information Access (AIA) and Online Certificate Status Protocol (OCSP). |
Manage CA recovery request | Receives escrow recovery requests and approve escrow recovery for an escrowed CA key. |
Manage CA CRL | View, select, create, and manage Certificate Revocation List (CRL). |
View domain | View domains. |
Manage domain | View, select, create, and manage domains. |
View audit log | Review the actions taken in their DigiCert Private CA account audit logs. |
Permission | User can |
|---|---|
View CA | View Roots and Intermediate Certificate Authorities (ICAs) in related workflows. |
Manage CA | View, select, and manage Roots and Intermediate Certificate Authorities (ICAs) in related workflows. |
View certificate | View end-entity certificates |
Manage revoke CA | User may request and approve/deny CA revocation requests |
View OCSP responder | View OCSP responders. |
Manage OCSP responder | User may create and manage OCSP responders |
View escrow master keys | View master escrow keys used in partitions to perform key escrow |
Manage escrow master keys | Create and recover an escrowed CA key. |
Manage import certificate | User may import external roots and ICAs for use in DigiCert ONE. |
Manage revoke certificate | User may revoke end-entity certificates |
View templates | View non-system templates to customize CAs and end-entities. |
Manage templates | View, select, and manage non-system templates to customize CAs and end-entities. |
Permission | User can |
|---|---|
View ceremony request | View ceremony request |
Manage ceremony requests | User may create and manage ceremony requests (DIgiCert PKI Staff only) |
Manage ceremony certificate profile | User may manage modify the profile of a ceremony request (DigiCert PKI Staff only) |
View key pools | View key pools. |
Manage key pools | User may create, manage, and upload externally generated key pools (DigiCert PKI Staff only) |
Manage approve key pool batch | User may approve or deny an uploaded key pool batch (DigiCert PKI Staff only) |
Manage operations | User may modify and approve the operations section of a ceremony request (DigiCert PKI Staff only) |
Manage validation | User may modify and approve the validation section of a ceremony request (DigiCert PKI Staff only) |
Manage compliance | User may modify and approve the compliance section of a ceremony request (DigiCert PKI Staff only) |
Manage ceremony executable | User may generate an executable from a ceremony request for an offline key ceremony or key pool batch creation (DigiCert PKI Staff only) |
Manage common CA database | View, select, and manage Common CA Database (CCADB) connections for Public certificates. (DigiCert PKI Staff only) |
View common CA database | View common CA database. |
Permission | User can |
|---|---|
View default configurations | View the default configurations for DigiCert Private CA. |
Manage default configurations | View and manage Roots and ICAs issuing configurations, such as Certificate Revocation List (CRL) and Online Certificate Status Protocol (OCSP) settings. |
View HSM management | View HSMs and partitions within DigiCert Private CA. |
Manage HSM management | View, select, and manage HSMs and partitions within DigiCert Private CA. |
View app health | Access the healthcheck endpoint API. |
Content Trust Manager user permissions
Assign one or more Content Trust Manager permissions when you create a custom role.
The following permissions are available in your account:
Permission | User can |
|---|---|
View certificate profiles | View certificate profiles. |
View certificate templates | View certificate templates. |
Permission | User can |
|---|---|
Authorize credentials | Authorize credentials. |
Manage certificate organizations | Create, disable, enable, and edit certificate organizations. |
Create credentials | Create credentials. |
Manage credentials | Revoke credentials in the account. |
View credentials | View credentials in the account. |
Send credential OTP | Send credential one-time password. |
Sign | Sign. |
View credential profiles | View credential profiles. |
Permission | User can |
|---|---|
Manage documents | Create documents. |
View account log | View account log. |
View audit log | View audit log. |
View dashboard | View dashboard. |
View license | View licenses. |
Permissions | User can |
|---|---|
Approve self-enrollment signer | Approve a self-enrolled signer. |
Manage basic validations | Approve or reject basic validations. |
Create validations | Add validations. |
View validation | View validation. |
Manage enrollment | Create, edit, enable, and disable self-enrollment links. |
Manage validations | Create, delete, disable, and restart validations. |
View validation profiles | View validation profiles. |
For on-premises customers, these permissions are available for custom user roles used for system administration.
Permissions | User can |
|---|---|
Manage certificate | Create, enable, disable, and edit certificates. |
Manage certificate profiles | Create, enable, disable, and edit certificate profiles. |
View certificate profiles | View certificate profiles. |
Manage certificate templates | Create, enable, disable, and edit certificate templates. |
View certificate templates | View certificate templates. |
Permissions | User can |
|---|---|
View credentials | View credentials in the account. |
View credential profiles | View credential profiles. |
Permissions | User can |
|---|---|
Manage manager configs | Create or edit configurations in the account. |
View account log | View account log. |
View app health | View app health. |
Setup account | Setup new accounts. |
View account log | View account log. |
View audit log | View audit log. |
Permissions | User can |
|---|---|
Create validations | Add validations. |
View validations | View validation. |
Manage validation profiles | Create, delete, disable, and restart validations. |
View validation profiles | View validation profiles. |
View enrollment | View self-enrolled users. |
Device Trust Manager user permissions
Assign one or more Device Trust Manager permissions when you create a custom role.
Account permissions for standard and service users
The following permissions are available in your account:
Permission | User can |
|---|---|
Manage alert policies | Configure and apply anomaly detection policies. Update and close alerts when detected and addressed. |
View alert policies | View detected alerts. |
Permission | User can |
|---|---|
Manage authentication policies | View, create, add credentials, enable, and disable authentication policies. |
View authentication policies | View authentication policies. |
Permission | User can |
|---|---|
Manage cloud platform policy | Choose any cloud platform for your connected product; Device Trust Manager works with any environment. |
View cloud platform policy | View connected cloud platform. |
Permission | User can |
|---|---|
Manage deployments | Create and abort deployments. |
View deployments | View deployments. |
Device management |
|
View devices | View devices. |
View device groups | View device groups. |
Permission | User can |
|---|---|
Manage devices | View, register, update, and disable devices. |
Manage device groups | View, create, update, clone, enable, and disable device groups. |
Manage download bootstrap configurations | Download bootstrap configuration file. |
Manage download device certificates | |
Manage register many devices | |
Manage register single device |
Permission | User can |
|---|---|
Manage DigiCert Gateway | Configure and manage a DigiCert Gateway for outbound/inbound Device Trust Manager network traffic. |
View DigiCert Gateway | View DigiCert Gateway. |
Permission | User can |
|---|---|
Manage dashboard | Update the Device Trust dashboard. |
Manage divisions | View, create, update, assign users, remove users, enable, and disable divisions. |
View divisions | View divisions. |
Manage notifications | Enable or disable notifications for specific actions. |
Manage reports | View, create, and download reports. |
View reports | View reports. |
View licenses | View licenses for the account. |
View audit log | View audit and signature logs in the account. |
Permission | User can |
|---|---|
Manage job creation - Batch certificate issuance | Batch device registration simplifies the process of enrolling multiple devices under a single certificate management policy. By submitting one API request to initiate a device batch job, you can efficiently register all the devices in a single operation. Provide the required details for each device, and Device Trust Manager handles all of the registrations at once. |
Manage job creation - Deployment | Request certificates in bulk for devices by choosing a device group and selecting a certificate management policy. After uploading the list of certificate requests, certificates will be generated and automatically linked to the corresponding existing device records. |
Manage job creation - Register many devices | Register multiple devices by uploading a device list and choosing a certificate management policy that meets your needs. Each device record will be automatically set up with a bootstrap certificate credential. This feature requires an Advanced license. |
Permission | User can |
|---|---|
Manage CA connector | Integrate CAs and remove CAs. |
Manage certificates | View, request, renew, download, and revoke certificates. |
Manage request certificates | Request new certificates. |
Manage approve certificate request | Approve certificate requests. |
Manage certificate management policy | View and create certificate management policies. |
Manage certificate profiles | View, create, enable, disable, delete, and undelete certificate profiles. |
View certificate profiles | View certificate profiles. |
Manage renew certificates | Renew expiring certificates. |
Manage request certificates | View, create, approve, and deny certificate requests. |
Manage revoke certificates | Revoke certificates. |
Manage issuing CAs | Specify which CAs can issue certificates. |
Manage OCSP groups | Manage OSCP groups. |
Manage trust bundles | View, create, update, add and remove certificates, delete, enable, disable, download, and get download URL certificate trust bundles. |
Manage unmanaged intermediate CAs | Manage unmanaged intermediate CAs. |
View certificate management policy | |
View certificate templates | View certificate templates. |
View issuing CAs | View issuing CAs. |
View trust bundles | |
View unmanaged intermediate CAs | View unmanaged intermediate CAs. |
System permissions for on-premises administration
For on-premises customers, these permissions are available for custom user roles used for system administration.
Permission | User can |
|---|---|
View alert policies | View detected alerts. |
Permission | User can |
|---|---|
View artifacts | View artifacts. |
Permission | User can |
|---|---|
View authentication policies | View authentication policies. |
Permission | User can |
|---|---|
View deployments | View deployments. |
Permission | User can |
|---|---|
View devices | View devices. |
View device groups | View device groups. |
Permission | User can |
|---|---|
View DigiCert Gateway | View DigiCert Gateway. |
Permission | User can |
|---|---|
View job details | View jobs. |
Permission | User can |
|---|---|
View releases | View releases. |
Permission | User can |
|---|---|
Manage dashboard | Update the Device Trust dashboard. |
Manage notifications | Enable or disable notifications for specific actions. |
View app Health | View app health (API). |
Manage divisions | View, create, update, assign users, remove users, enable, and disable divisions. |
View divisions | View divisions. |
Manage licenses | Update licenses for the account. |
View licenses | View licenses for the account. |
Manage reports | View, create, and download reports. |
View reports | View reports. |
Manage settings | Update account settings. |
View audit log | View audit and signature logs in the account. |
Permission | User can |
|---|---|
View certificate | View certificates. |
View certificate management policy | |
View certificate profiles | View certificate profiles. |
View certificate templates | View certificate templates. |
View issuing CAs | View issuing CAs. |
View OCSP groups | View OSCP groups. |
View trust bundles | |
View unmanaged intermediate CAs | View unmanaged intermediate CAs. |
IoT Trust Manager user permissions
Assign one or more IoT Trust Manager permissions when you create a custom role.
The following permissions are available in your account:
Permission | User can |
|---|---|
Manage alerts | Configure and apply anomaly detection policies. Update and close alerts when detected and addressed. |
Manage division | Create and manage divisions to manage user access to some IoT Trust Manager assets, such as certificate profiles and intermediate CAs. |
Manage gateway | Configure and manage a DigiCert gateway for outbound/inbound IoT Trust Manager network traffic. |
Manage settings | View and update general IoT Trust Manager settings. |
View audit log | View audit and signature logs in the account. |
View license | View licenses for the account. |
Permission | User can |
|---|---|
Manage device | Monitor and manage device records for the devices in your IoT production environment. |
Manage device profile | Create and update device profiles that define API access and custom data fields for individual device records. |
Permission | User can |
|---|---|
Manage authentication CA | Manage device authentication for certificate requests in your IoT production environment. Create and update authentication CA templates and upload authentication CAs. |
Manage certificate | Manage individual and batch certificate requests and records for issued certificates. |
Manage certificate profile | Define and manage certificate configuration requirements, including required and optional fields. |
Manage enrollment profile | Configure certificate enrollment parameters, including allowed enrollment methods, issuing CA, and device and certificate profiles to use. |
Manage external CAs | Monitor external CAs and manage division and enrollment profile assignments. |
Manage IoT CA | Request and manage intermediate CAs. |
Manage OCSP grouping | Manage bulk OCSP calls and responses for certificate status. |
Manage certificate template | Add and manage certificate structure and format requirements. |
For on-premises customers, these permissions are available for custom user roles used for system administration.
Permission | User can |
|---|---|
Manage alerts | Configure and apply anomaly detection policies. Update and close alerts when detected and addressed. |
View alerts | View anomaly detection policies and detected anomalies. |
Manage division | Create and manage divisions to manage user access to some IoT Trust Manager assets, such as certificate profiles and intermediate CAs. |
View division | View divisions that allow user access to some IoT Trust Manager assets, such as certificate profiles and intermediate CAs. |
Manage gateway | Configure and manage a DigiCert gateway for outbound/inbound IoT Trust Manager network traffic. |
View gateway | View DigiCert gateway configurations for outbound/inbound IoT Trust Manager network traffic. |
Manage settings | View and update general IoT Trust Manager settings. |
View settings | View and update general IoT Trust Manager settings. |
View app health | View app health (API). |
View audit log | View audit and signature logs in the account. |
Permission | User can |
|---|---|
Manage device | Monitor and manage device records for the devices in your IoT production environment. |
View device | View device records for the devices in your IoT production environment. |
Manage device profile | Create and update device profiles that define API access and custom data fields for individual device records. |
View device profile | View device profiles that define API access and custom data fields for individual device records. |
Permission | User can |
|---|---|
Manage authentication CA | Manage device authentication for certificate requests in your IoT production environment. Create and update authentication CA templates and upload authentication CAs. |
View authentication CA | View device authentication for certificate requests in your IoT production environment. |
View certificate | View individual and batch certificate requests and records for issued certificates. |
Manage certificate profile | Define and manage certificate configuration requirements, including required and optional fields. |
View certificate profile | View certificate configuration requirements, including required and optional fields. |
Manage enrollment profile | Configure certificate enrollment parameters, including allowed enrollment methods, issuing CA, and device and certificate profiles to use. |
View enrollment profile | View certificate enrollment parameters, including allowed enrollment methods, issuing CA, and device and certificate profiles to use. |
Manage external CAs | Monitor external CAs and manage division and enrollment profile assignments. |
Manage IoT CA | Request and manage intermediate CAs. |
View IoT CA | View intermediate CAs requested through your IoT Trust Manager account. |
Manage OCSP grouping | Manage bulk OCSP calls and responses for certificate status. |
View OCSP grouping | View OCSP groups for bulk OCSP calls and responses for certificate status. |
Manage certificate template | Add and manage certificate structure and format requirements. |
View certificate template | View certificate structure and format requirements. |
KeyLocker user permissions
Assign one or more DigiCert® KeyLocker permissions when you create a custom role.
The following permissions are available in your account:
Permission | User can |
|---|---|
Manage CertCentral API key | Delete, disable, enable, setup, update and validate a CertCentral API key. |
Permission | User can | Notes |
|---|---|---|
View certificate | View certificate details for all certificates assigned to them. | Users with |
Revoke certificate | Revoke certificates associated with keypairs that they're assigned to. | Users with |
Permission | User can |
|---|---|
View keypair | View keypair details in the account. |
Manage keypair | Update the keypair alias. |
Sign | Sign software with keypairs assigned to them. |
For on-premises customers, these permissions are available for custom user roles used for system administration.
Permission | User can | Notes |
|---|---|---|
Manage CertCentral API key | Delete, disable, enable, setup, update and validate a CertCentral API key. | |
View audit log | View audit and signature logs. | |
Export audit logs | Export audit and signature logs. |
|
View health | View app health (API). |
Permission | User can | Notes |
|---|---|---|
View keypair | View keypair details in the account. | |
Import keypair | Import keypairs into the account. |
|
Manage keypair |
|
|
Permission | User can | Notes |
|---|---|---|
View certificate | View certificate details in the account. | |
Manage certificate hierarchy | Create, update, approve, reject, suspend, unsuspend, and view certificate hierarchies. |
|
View certificate template | View certificate template details in the account. | |
Manage certificate template | Create, update, and clone certificate templates. |
|
View certificate profile | View certificate profile details in the account. | |
Manage certificate profiles |
|
|
Permission | User can |
|---|---|
View release | View releases in the account. |
Software Trust Manager user permissions
Assign one or more Software Trust Manager permissions when you create a custom role.
Account permissions for standard and service users
The following permissions are available in your account:
Permission | User can | Notes |
|---|---|---|
Manage account settings | Update Software Trust Manager > Accounts > Account settings. | |
Manage CertCentral API key | Delete, disable, enable, setup, update and validate a CertCentral API key. | |
Manage all teams |
| |
Manage my teams | View, update, deactivate, and map resources to existing teams that they are part of, if they have relevant resource permissions. | |
View audit log | View audit and signature logs. | |
Export audit logs | Export audit and signature logs. |
|
Permission | User can | Notes |
|---|---|---|
View keypair | View keypairs and key rotations relying on keypairs assigned to them. | Users with |
Generate keypair | Create a new keypair. | |
Import keypair | Import keypairs into the account. | To import a GPG secring, the |
Request keypair export | Request to export keypairs that they're assigned to. | Users with |
Approve keypair export | Approve requests to export keypairs that they're assigned to. | Users with |
Approve keypair delete | Approve requests to delete keypairs that they're assigned to. | Users with |
Manage keypair |
| |
Sign | Sign software with keypairs assigned to them. |
Permission | User can | Notes |
|---|---|---|
View certificate | View certificate details for all certificates assigned to them. | Users with |
Generate certificate | Create a new certificate using keypairs that they're assigned to. | Users with |
Import certificate | Import certificates for keypairs that they're assigned to. | Users with |
Revoke certificate | Revoke certificates associated with keypairs that they're assigned to. | Users with |
Manage certificate hierarchy | View and create hierarchies. They can also activate and deactivate restricted hierarchies. | |
View certificate profile | View certificate profiles created. | |
Manage certificate profiles |
| |
View certificate template | View certificate template details in the account. |
System permissions for on-premises administration
For on-premises customers, these permissions are available for custom user roles used for system administration.
Permission | User can | Notes |
|---|---|---|
Manage CertCentral API key | Delete, disable, enable, setup, update and validate a CertCentral API key. | |
View audit log | View audit and signature logs. | |
Export audit logs | Export audit and signature logs. |
|
View health | View app health (API). |
Permission | User can | Notes |
|---|---|---|
View keypair | View keypair details in the account. | |
Import keypair | Import keypairs into the account. |
|
Manage keypair |
|
|
Permission | User can | Notes |
|---|---|---|
View certificate | View certificate details in the account. | |
Manage certificate hierarchy | Create, update, approve, reject, suspend, unsuspend, and view certificate hierarchies. |
|
View certificate template | View certificate template details in the account. | |
Manage certificate template | Create, update, and clone certificate templates. |
|
View certificate profile | View certificate profile details in the account. | |
Manage certificate profiles |
|
|
Permission | User can |
|---|---|
View release | View releases in the account. |
Trust Lifecycle Manager user permissions
Assign one or more Trust Lifecycle Manager permissions when you create a custom role.
The following permissions are available in your account:
Permission | User can |
|---|---|
Manage automation | Manage certificate lifecycle automation activities/features. |
Manage business units | Manage business units. |
View business units | View business units. |
Manage certificate owners | Manage certificate owners. |
View certificate owners | View certificate owners. |
Manage connectors | Manage connectors. |
View connectors | View connectors. |
View custom attributes | View custom attributes. |
Manage licensed seats | Manage seat allocations to business units. |
View licensed seats | View seat allocations to business units. |
Manage network scans | Manage network scans. |
Manage report | Manage reports. |
View report | View reports. |
Manage seats | Manage seats. |
View seats | View seats. |
Manage system scans | Manage system scans. |
View license | View available seat licenses in Account Manager. |
View logs | View audit logs. |
View SSP Portal config | View the self-service portal. |
Manage CMDB Integration config | Manage ServiceNow connectors. |
Manage client tools | Manage client tools. |
View client tools | View client tools. |
Permission | User can |
|---|---|
Manage enrollment | Manage certificate enrollments. |
View enrollment | View certificate enrollments. |
Manage profile | Manage certificate profiles. |
View profile | View certificate profiles. |
Manage template | Manage certificate templates. |
View template | View certificate templates. |
Permission | User can |
|---|---|
View certificate | View certificates and certificate details. |
Manage create | Enroll certificates. |
Manage import | Import certificates from external CAs. |
Manage certificate | |
Manage recover | Recover escrowed certificates. |
Manage renew | Renew certificates. |
Manage resume | Re-enable suspended certificates. |
Manage revoke | Revoke certificates. |
Manage suspend | Temporarily disable certificates. |
For on-premises customers, these permissions are available for custom user roles used for system administration.
Permission | User can |
|---|---|
Manage business units | Manage business units. |
View business units | View business units. |
View business unit seat allocation | View seat allocations to business units. |
Manage licensed seats | Manage seat allocations to business units. |
Manage report | Manage reports. |
View report | View reports. |
View app health | View app health (API). |
View audit logs | View audit logs. |
View certificate owners | View certificate owners. |
View CMDB Integration config | View ServiceNow connectors. |
View connectors | View connectors. |
View custom attributes | View custom attributes. |
View network scans | View network scans. |
View seats | View seats. |
View SSP Portal config | View the self-service portal. |
View system scans | View system scans. |
Permission | User can |
|---|---|
View enrollment | View certificate enrollments. |
View profile | View certificate profiles. |
Manage template | Manage certificate templates. |
View template | View certificate templates. |
Permission | User can |
|---|---|
View certificate | View certificates and certificate details. |
Manage resume | Re-enable suspended certificates. |
Manage suspend | Temporarily disable certificates. |