Skip to main content

List of permissions

DigiCert ONE enables you to create custom user roles if our preconfigured user roles do not meet a user's requirements. Permissions are specific to each DigiCert ONE manager.

DigiCert Private CA user permissions

Assign one or more DigiCert Private CA permissions when you create a custom role.

Account permissions for standard and service users

The following permissions are available in your account:

Permission

User can

Manage CA accounts

View, select, and manage CAs within DigiCert Private CA accounts.

View AIAs

View Authority Information Access (AIA) and Online Certificate Status Protocol (OCSP).

Manage AIAs

View, select, and manage Authority Information Access (AIA) and Online Certificate Status Protocol (OCSP).

Manage CA CRL

View, select, create, and manage Certificate Revocation List (CRL).

View domain

View domains.

Manage domain

View, select, create, and manage domains.

Manage CA escrow recovery

Escrow CAs and recover them.

View common CA database

View Common CA Database (CCADB) connections for public certificates.

Manage common CA database

View, select, and manage Common CA Database (CCADB) connections for Public certificates. (DigiCert PKI Staff only)

View default configurations 

View and manage Roots and ICAs issuing configurations, such as Certificate Revocation List (CRL) and Online Certificate Status Protocol (OCSP) settings.

Manage HSM management

View, select, and manage HSMs and partitions within DigiCert Private CA.

View HSM partitions

View HSM partitions within DigiCert Private CA.

View audit log

Review the actions taken in their DigiCert Private CA account audit logs.

Permission

User can

View CA

View Roots and Intermediate Certificate Authorities (ICAs) in related workflows.

Manage CA

View, select, and manage Roots and Intermediate Certificate Authorities (ICAs) in related workflows.

Manage revoke CA

User may request and approve/deny CA revocation requests

View OCSP responder

View OCSP responders.

Manage OCSP responder

User may create and manage OCSP responders

View recover escrow key

View escrowed and recovered keys and certificates.

Manage recover escrow key

Escrow keys and certificates and recover them.

View certificate

View end-entity certificates

View templates

View non-system templates to customize CAs and end-entities.

Manage templates

View, select, and manage non-system templates to customize CAs and end-entities.

System permissions for on-premises administration

For on-premises customers, these permissions are available for custom user roles used for system administration.

Permission

User can

Manage CA accounts

View, select, and manage CAs within DigiCert Private CA accounts.

View AIAs

View Authority Information Access (AIA) and Online Certificate Status Protocol (OCSP).

Manage AIAs

View, select, and manage Authority Information Access (AIA) and Online Certificate Status Protocol (OCSP).

Manage CA recovery request

Receives escrow recovery requests and approve escrow recovery for an escrowed CA key.

Manage CA CRL

View, select, create, and manage Certificate Revocation List (CRL).

View domain

View domains.

Manage domain

View, select, create, and manage domains.

View audit log

Review the actions taken in their DigiCert Private CA account audit logs.

Permission

User can

View CA

View Roots and Intermediate Certificate Authorities (ICAs) in related workflows.

Manage CA

View, select, and manage Roots and Intermediate Certificate Authorities (ICAs) in related workflows.

View certificate

View end-entity certificates

Manage revoke CA

User may request and approve/deny CA revocation requests

View OCSP responder

View OCSP responders.

Manage OCSP responder

User may create and manage OCSP responders

View escrow master keys

View master escrow keys used in partitions to perform key escrow

Manage escrow master keys

Create and recover an escrowed CA key.

Manage import certificate

User may import external roots and ICAs for use in DigiCert ONE.

Manage revoke certificate

User may revoke end-entity certificates

View templates

View non-system templates to customize CAs and end-entities.

Manage templates

View, select, and manage non-system templates to customize CAs and end-entities.

Permission

User can

View ceremony request

View ceremony request

Manage ceremony requests

User may create and manage ceremony requests (DIgiCert PKI Staff only)

Manage ceremony certificate profile

User may manage modify the profile of a ceremony request (DigiCert PKI Staff only)

View key pools

View key pools.

Manage key pools

User may create, manage, and upload externally generated key pools (DigiCert PKI Staff only)

Manage approve key pool batch

User may approve or deny an uploaded key pool batch (DigiCert PKI Staff only)

Manage operations

User may modify and approve the operations section of a ceremony request (DigiCert PKI Staff only)

Manage validation

User may modify and approve the validation section of a ceremony request (DigiCert PKI Staff only)

Manage compliance

User may modify and approve the compliance section of a ceremony request (DigiCert PKI Staff only)

Manage ceremony executable

User may generate an executable from a ceremony request for an offline key ceremony or key pool batch creation (DigiCert PKI Staff only)

Manage common CA database

View, select, and manage Common CA Database (CCADB) connections for Public certificates. (DigiCert PKI Staff only)

View common CA database

View common CA database.

Permission

User can

View default configurations

View the default configurations for DigiCert Private CA.

Manage default configurations

View and manage Roots and ICAs issuing configurations, such as Certificate Revocation List (CRL) and Online Certificate Status Protocol (OCSP) settings.

View HSM management

View HSMs and partitions within DigiCert Private CA.

Manage HSM management

View, select, and manage HSMs and partitions within DigiCert Private CA.

View app health

Access the healthcheck endpoint API.

Content Trust Manager user permissions

Assign one or more Content Trust Manager permissions when you create a custom role.

The following permissions are available in your account:

Permission

User can

View certificate profiles

View certificate profiles.

View certificate templates

View certificate templates.

Permission

User can

Authorize credentials

Authorize credentials.

Manage certificate organizations

Create, disable, enable, and edit certificate organizations.

Create credentials

Create credentials.

Manage credentials

Revoke credentials in the account.

View credentials

View credentials in the account.

Send credential OTP

Send credential one-time password.

Sign

Sign.

View credential profiles

View credential profiles.

Permission

User can

Manage documents

Create documents.

View account log

View account log.

View audit log

View audit log.

View dashboard

View dashboard.

View license

View licenses.

Permissions

User can

Approve self-enrollment signer

Approve a self-enrolled signer.

Manage basic validations

Approve or reject basic validations.

Create validations

Add validations.

View validation

View validation.

Manage enrollment

Create, edit, enable, and disable self-enrollment links.

Manage validations

Create, delete, disable, and restart validations.

View validation profiles

View validation profiles.

For on-premises customers, these permissions are available for custom user roles used for system administration.

Permissions

User can

Manage certificate

Create, enable, disable, and edit certificates.

Manage certificate profiles

Create, enable, disable, and edit certificate profiles.

View certificate profiles

View certificate profiles.

Manage certificate templates

Create, enable, disable, and edit certificate templates.

View certificate templates

View certificate templates.

Permissions

User can

View credentials

View credentials in the account.

View credential profiles

View credential profiles.

Permissions

User can

Manage manager configs

Create or edit configurations in the account.

View account log

View account log.

View app health

View app health.

Setup account

Setup new accounts.

View account log

View account log.

View audit log

View audit log.

Permissions

User can

Create validations

Add validations.

View validations

View validation.

Manage validation profiles

Create, delete, disable, and restart validations.

View validation profiles

View validation profiles.

View enrollment

View self-enrolled users.

Device Trust Manager user permissions

Assign one or more Device Trust Manager permissions when you create a custom role.

Account permissions for standard and service users

The following permissions are available in your account:

Permission

User can

Manage alert policies

Configure and apply anomaly detection policies. Update and close alerts when detected and addressed.

View alert policies

View detected alerts.

Permission

User can

Manage artifacts

Create artifacts.

View artifacts

View artifacts.Create an artifact

Permission

User can

Manage authentication policies

View, create, add credentials, enable, and disable authentication policies.

View authentication policies

View authentication policies.

Permission

User can

Manage cloud platform policy

Choose any cloud platform for your connected product; Device Trust Manager works with any environment.

View cloud platform policy

View connected cloud platform.

Permission

User can

Manage deployments

Create and abort deployments.

View deployments

View deployments.

Device management

  • View, register, update, and disable devices.

  • View, create, update, clone, enable, and disable device groups.

View devices

View devices.

View device groups

View device groups.

Permission

User can

Manage devices

View, register, update, and disable devices.

Manage device groups

View, create, update, clone, enable, and disable device groups.

Manage download bootstrap configurations

Download bootstrap configuration file.

Manage download device certificates

Download device certificates.

Manage register many devices

Register multiple devices.

Manage register single device

Register a single device.

Permission

User can

Manage DigiCert Gateway

Configure and manage a DigiCert Gateway for outbound/inbound Device Trust Manager network traffic.

View DigiCert Gateway

View DigiCert Gateway.

Permission

User can

Manage dashboard

Update the Device Trust dashboard.

Manage divisions

View, create, update, assign users, remove users, enable, and disable divisions.Division

View divisions

View divisions.Division

Manage notifications

Enable or disable notifications for specific actions.

Manage reports

View, create, and download reports.

View reports

View reports.

View licenses

View licenses for the account.

View audit log

View audit and signature logs in the account.

Permission

User can

Manage job creation - Batch certificate issuance

Batch device registration simplifies the process of enrolling multiple devices under a single certificate management policy. By submitting one API request to initiate a device batch job, you can efficiently register all the devices in a single operation. Provide the required details for each device, and Device Trust Manager handles all of the registrations at once.

Manage job creation - Deployment

Request certificates in bulk for devices by choosing a device group and selecting a certificate management policy. After uploading the list of certificate requests, certificates will be generated and automatically linked to the corresponding existing device records.

Manage job creation - Register many devices

Register multiple devices by uploading a device list and choosing a certificate management policy that meets your needs. Each device record will be automatically set up with a bootstrap certificate credential. This feature requires an Advanced license.

Permission

User can

Manage releases

Create releases.

View releases

View releases.

Permission

User can

Manage CA connector

Integrate CAs and remove CAs.

Manage certificates

View, request, renew, download, and revoke certificates.

Manage request certificates

Request new certificates.

Manage approve certificate request

Approve certificate requests.

Manage certificate management policy

View and create certificate management policies.

Manage certificate profiles

View, create, enable, disable, delete, and undelete certificate profiles.

View certificate profiles

View certificate profiles.

Manage renew certificates

Renew expiring certificates.

Manage request certificates

View, create, approve, and deny certificate requests.

Manage revoke certificates

Revoke certificates.

Manage issuing CAs

Specify which CAs can issue certificates.

Manage OCSP groups

Manage OSCP groups.

Manage trust bundles

View, create, update, add and remove certificates, delete, enable, disable, download, and get download URL certificate trust bundles.

Manage unmanaged intermediate CAs

Manage unmanaged intermediate CAs.

View certificate management policy

View certificate management policies.

View certificate templates

View certificate templates.

View issuing CAs

View issuing CAs.

View trust bundles

View certificate trust bundles.

View unmanaged intermediate CAs

View unmanaged intermediate CAs.

System permissions for on-premises administration

For on-premises customers, these permissions are available for custom user roles used for system administration.

Permission

User can

View alert policies

View detected alerts.

Permission

User can

View artifacts

View artifacts.Create an artifact

Permission

User can

View authentication policies

View authentication policies.

Permission

User can

View deployments

View deployments.

Permission

User can

View devices

View devices.

View device groups

View device groups.

Permission

User can

View DigiCert Gateway

View DigiCert Gateway.

Permission

User can

View job details

View jobs.

Permission

User can

View releases

View releases.

Permission

User can

Manage dashboard

Update the Device Trust dashboard.

Manage notifications

Enable or disable notifications for specific actions.

View app Health

View app health (API).

Manage divisions

View, create, update, assign users, remove users, enable, and disable divisions.Division

View divisions

View divisions.Division

Manage licenses

Update licenses for the account.

View licenses

View licenses for the account.

Manage reports

View, create, and download reports.

View reports

View reports.

Manage settings

Update account settings.

View audit log

View audit and signature logs in the account.

Permission

User can

View certificate

View certificates.

View certificate management policy

View certificate management policies.

View certificate profiles

View certificate profiles.

View certificate templates

View certificate templates.

View issuing CAs

View issuing CAs.

View OCSP groups

View OSCP groups.

View trust bundles

View certificate trust bundles.

View unmanaged intermediate CAs

View unmanaged intermediate CAs.

IoT Trust Manager user permissions

Assign one or more IoT Trust Manager permissions when you create a custom role.

The following permissions are available in your account:

Permission

User can

Manage alerts

Configure and apply anomaly detection policies. Update and close alerts when detected and addressed.

Manage division

Create and manage divisions to manage user access to some IoT Trust Manager assets, such as certificate profiles and intermediate CAs.

Manage gateway

Configure and manage a DigiCert gateway for outbound/inbound IoT Trust Manager network traffic.

Manage settings

View and update general IoT Trust Manager settings.

View audit log

View audit and signature logs in the account.

View license

View licenses for the account.

Permission

User can

Manage device

Monitor and manage device records for the devices in your IoT production environment.

Manage device profile

Create and update device profiles that define API access and custom data fields for individual device records.

Permission

User can

Manage authentication CA

Manage device authentication for certificate requests in your IoT production environment. Create and update authentication CA templates and upload authentication CAs.

Manage certificate

Manage individual and batch certificate requests and records for issued certificates.

Manage certificate profile

Define and manage certificate configuration requirements, including required and optional fields.

Manage enrollment profile

Configure certificate enrollment parameters, including allowed enrollment methods, issuing CA, and device and certificate profiles to use.

Manage external CAs

Monitor external CAs and manage division and enrollment profile assignments.

Manage IoT CA

Request and manage intermediate CAs.

Manage OCSP grouping

Manage bulk OCSP calls and responses for certificate status.

Manage certificate template

Add and manage certificate structure and format requirements.

For on-premises customers, these permissions are available for custom user roles used for system administration.

Permission

User can

Manage alerts

Configure and apply anomaly detection policies. Update and close alerts when detected and addressed.

View alerts

View anomaly detection policies and detected anomalies.

Manage division

Create and manage divisions to manage user access to some IoT Trust Manager assets, such as certificate profiles and intermediate CAs.

View division

View divisions that allow user access to some IoT Trust Manager assets, such as certificate profiles and intermediate CAs.

Manage gateway

Configure and manage a DigiCert gateway for outbound/inbound IoT Trust Manager network traffic.

View gateway

View DigiCert gateway configurations for outbound/inbound IoT Trust Manager network traffic.

Manage settings

View and update general IoT Trust Manager settings.

View settings

View and update general IoT Trust Manager settings.

View app health

View app health (API).

View audit log

View audit and signature logs in the account.

Permission

User can

Manage device

Monitor and manage device records for the devices in your IoT production environment.

View device

View device records for the devices in your IoT production environment.

Manage device profile

Create and update device profiles that define API access and custom data fields for individual device records.

View device profile

View device profiles that define API access and custom data fields for individual device records.

Permission

User can

Manage authentication CA

Manage device authentication for certificate requests in your IoT production environment. Create and update authentication CA templates and upload authentication CAs.

View authentication CA

View device authentication for certificate requests in your IoT production environment.

View certificate

View individual and batch certificate requests and records for issued certificates.

Manage certificate profile

Define and manage certificate configuration requirements, including required and optional fields.

View certificate profile

View certificate configuration requirements, including required and optional fields.

Manage enrollment profile

Configure certificate enrollment parameters, including allowed enrollment methods, issuing CA, and device and certificate profiles to use.

View enrollment profile

View certificate enrollment parameters, including allowed enrollment methods, issuing CA, and device and certificate profiles to use.

Manage external CAs

Monitor external CAs and manage division and enrollment profile assignments.

Manage IoT CA

Request and manage intermediate CAs.

View IoT CA

View intermediate CAs requested through your IoT Trust Manager account.

Manage OCSP grouping

Manage bulk OCSP calls and responses for certificate status.

View OCSP grouping

View OCSP groups for bulk OCSP calls and responses for certificate status.

Manage certificate template

Add and manage certificate structure and format requirements.

View certificate template

View certificate structure and format requirements.

KeyLocker user permissions

Assign one or more DigiCert​​®​​ KeyLocker permissions when you create a custom role.

The following permissions are available in your account:

Permission

User can

Manage CertCentral API key

Delete, disable, enable, setup, update and validate a CertCentral API key.

Permission

User can

Notes

View certificate

View certificate details for all certificates assigned to them.

Users with Manage keypair permission can view all certificates within the account.

Revoke certificate

Revoke certificates associated with keypairs that they're assigned to.

Users with Manage keypair permission can revoke certificates associated with any keypair within the account.

Permission

User can

View keypair

View keypair details in the account.

Manage keypair

Update the keypair alias.

Sign

Sign software with keypairs assigned to them.

For on-premises customers, these permissions are available for custom user roles used for system administration.

Permission

User can

Notes

Manage CertCentral API key

Delete, disable, enable, setup, update and validate a CertCentral API key.

View audit log

View audit and signature logs.

Export audit logs

Export audit and signature logs.

View audit log is required as an additional permission to export audit logs.

View health

View app health (API).

Permission

User can

Notes

View keypair

View keypair details in the account.

Import keypair

Import keypairs into the account.

View keypair is required as an additional permission to import keypairs.

Manage keypair

  • Update, suspend or unsuspend keypairs.

  • Create, update, enable, and disable keypair profiles.

  • Create and update user groups.

  • Create, update, and refresh key rotation.

  • Generate a CSR

View keypair is required as an additional permission to manage keypairs.

Permission

User can

Notes

View certificate

View certificate details in the account.

Manage certificate hierarchy

Create, update, approve, reject, suspend, unsuspend, and view certificate hierarchies.

View certificate permission is required as an additional permission to manage certificate hierarchy.

View certificate template

View certificate template details in the account.

Manage certificate template

Create, update, and clone certificate templates.

View certificate template is required as an additional permission to manage certificate templates.

View certificate profile

View certificate profile details in the account.

Manage certificate profiles

  • Create, update, enable, disable, and delete certificate profiles.

  • Update and delete certificates.

View certificate profile is required as an additional permission to manage certificate profiles.

Permission

User can

View release

View releases in the account.

Software Trust Manager user permissions

Assign one or more Software Trust Manager permissions when you create a custom role.

Account permissions for standard and service users

The following permissions are available in your account:

Permission

User can

Notes

Manage account settings

Update Software Trust Manager > Accounts > Account settings.

Manage CertCentral API key

Delete, disable, enable, setup, update and validate a CertCentral API key.

Manage all teams

  • Create teams.

  • View, update, deactivate, delete, and assign resources to all teams within the account, if they have relevant resource permissions.

Manage my teams

View, update, deactivate, and map resources to existing teams that they are part of, if they have relevant resource permissions.

View audit log

View audit and signature logs.

Export audit logs

Export audit and signature logs.

View audit log is required as an additional permission to be able to export audit logs.

Permission

User can

Notes

View keypair

View keypairs and key rotations relying on keypairs assigned to them.

Users with Manage keypair permission can view all keypairs and key rotations within the account.

Generate keypair

Create a new keypair.

Import keypair

Import keypairs into the account.

To import a GPG secring, the Manage master key permission is also required.

Request keypair export

Request to export keypairs that they're assigned to.

Users with Manage keypair permission can request to export any keypair within the account.

Approve keypair export

Approve requests to export keypairs that they're assigned to.

Users with Manage keypair permission can approve keypair exports for any keypair within the account.

Approve keypair delete

Approve requests to delete keypairs that they're assigned to.

Users with Manage keypair permission can approve keypair delete for any keypair within the account.

Manage keypair

  • Update, suspend or unsuspend keypairs.

  • Create, update, enable, and disable keypair profiles.

  • Create and update user groups.

  • Create, update, and refresh key rotation.

  • Generate a CSR.

Sign

Sign software with keypairs assigned to them.

Permission

User can

Notes

View certificate

View certificate details for all certificates assigned to them.

Users with Manage keypair permission can view all certificates within the account.

Generate certificate

Create a new certificate using keypairs that they're assigned to.

Users with Manage keypair permission can create a new certificate using any keypair within the account.

Import certificate

Import certificates for keypairs that they're assigned to.

Users with Manage keypair permission can import a certificate to any keypair within the account.

Revoke certificate

Revoke certificates associated with keypairs that they're assigned to.

Users with Manage keypair permission can revoke certificates associated with any keypair within the account.

Manage certificate hierarchy

View and create hierarchies. They can also activate and deactivate restricted hierarchies.

View certificate profile

View certificate profiles created.

Manage certificate profiles

  • View, create, update, clone, enable, and disable certificate profiles.

  • View, update, and delete all certificates associated with a certificate profile that the user created.

View certificate template

View certificate template details in the account.

System permissions for on-premises administration

For on-premises customers, these permissions are available for custom user roles used for system administration.

Permission

User can

Notes

Manage CertCentral API key

Delete, disable, enable, setup, update and validate a CertCentral API key.

View audit log

View audit and signature logs.

Export audit logs

Export audit and signature logs.

View audit log is required as an additional permission to export audit logs.

View health

View app health (API).

Permission

User can

Notes

View keypair

View keypair details in the account.

Import keypair

Import keypairs into the account.

View keypair is required as an additional permission to import keypairs.

Manage keypair

  • Update, suspend or unsuspend keypairs.

  • Create, update, enable, and disable keypair profiles.

  • Create and update user groups.

  • Create, update, and refresh key rotation.

  • Generate a CSR

View keypair is required as an additional permission to manage keypairs.

Permission

User can

Notes

View certificate

View certificate details in the account.

Manage certificate hierarchy

Create, update, approve, reject, suspend, unsuspend, and view certificate hierarchies.

View certificate permission is required as an additional permission to manage certificate hierarchy.

View certificate template

View certificate template details in the account.

Manage certificate template

Create, update, and clone certificate templates.

View certificate template is required as an additional permission to manage certificate templates.

View certificate profile

View certificate profile details in the account.

Manage certificate profiles

  • Create, update, enable, disable, and delete certificate profiles.

  • Update and delete certificates.

View certificate profile is required as an additional permission to manage certificate profiles.

Permission

User can

View release

View releases in the account.

Trust Lifecycle Manager user permissions

Assign one or more Trust Lifecycle Manager permissions when you create a custom role.

The following permissions are available in your account:

Permission

User can

Manage automation

Manage certificate lifecycle automation activities/features.

Manage business units

Manage business units.

View business units

View business units.

Manage certificate owners

Manage certificate owners.

View certificate owners

View certificate owners.

Manage connectors

Manage connectors.

View connectors

View connectors.

View custom attributes

View custom attributes.

Manage licensed seats

Manage seat allocations to business units.

View licensed seats

View seat allocations to business units.

Manage network scans

Manage network scans.

Manage report

Manage reports.

View report

View reports.

Manage seats

Manage seats.

View seats

View seats.

Manage system scans

Manage system scans.

View license

View available seat licenses in Account Manager.

View logs

View audit logs.

View SSP Portal config

View the self-service portal.

Manage CMDB Integration config

Manage ServiceNow connectors.

Manage client tools

Manage client tools.

View client tools

View client tools.

Permission

User can

Manage enrollment

Manage certificate enrollments.

View enrollment

View certificate enrollments.

Manage profile

Manage certificate profiles.

View profile

View certificate profiles.

Manage template

Manage certificate templates.

View template

View certificate templates.

Permission

User can

View certificate

View certificates and certificate details.

Manage create

Enroll certificates.

Manage import

Import certificates from external CAs.

Manage certificate

Manage certificates.

Manage recover

Recover escrowed certificates.

Manage renew

Renew certificates.

Manage resume

Re-enable suspended certificates.

Manage revoke

Revoke certificates.

Manage suspend

Temporarily disable certificates.

For on-premises customers, these permissions are available for custom user roles used for system administration.

Permission

User can

Manage business units

Manage business units.

View business units

View business units.

View business unit seat allocation

View seat allocations to business units.

Manage licensed seats

Manage seat allocations to business units.

Manage report

Manage reports.

View report

View reports.

View app health

View app health (API).

View audit logs

View audit logs.

View certificate owners

View certificate owners.

View CMDB Integration config

View ServiceNow connectors.

View connectors

View connectors.

View custom attributes

View custom attributes.

View network scans

View network scans.

View seats

View seats.

View SSP Portal config

View the self-service portal.

View system scans

View system scans.

Permission

User can

View enrollment

View certificate enrollments.

View profile

View certificate profiles.

Manage template

Manage certificate templates.

View template

View certificate templates.

Permission

User can

View certificate

View certificates and certificate details.

Manage resume

Re-enable suspended certificates.

Manage suspend

Temporarily disable certificates.