
Teams

Select users, groups, or both to form a team, and then map relevant resources to it. You can restrict team resources such as keypairs and releases, and enforce keypair profiles and certificate profiles.

Note

Enable teams on your account to use this feature.

Enable Teams

You require the Manage license or Manage account settings permission to enable teams on your account.

  1. Sign in to DigiCert ONE.

  2. Select the Manager menu (top right) > Software Trust.

  3. Navigate to: Account > Account settings.

  4. Select the edit icon.

  5. Select the checkboxes under the Teams section according to your requirements.

    Note

    To enforce that a keypair profile must be selected for keypair generation:

    • Enable Allow team mapping for keypairs and certificate profiles under the Teams section.

    • Enable Require keypair profile to generate keypair under the Keypair section.

  6. Select Update settings.

Create a team

You require the Manage all teams permission to create a team.

  1. Sign in to DigiCert ONE.

  2. Select the Manager menu (top right) > Software Trust.

  3. Navigate to: Account > Teams.

  4. Select Create.

Complete these fields:

Field: Description

Team name: Name to uniquely identify this team.

Users: Select users who are allowed to access this team's resources.

Groups: Select groups allowed to access this team's resources.

Approvals required: Select the number of approvals required for this team to approve:

  • Offline releases

  • Export keypairs

  • Delete keypairs

  • Revoke certificates

Keypairs: Select keypairs that this team can use.

    Note

    The drop-down list only shows keypairs that are not assigned to any team.

GPG keypairs: Select GPG keypairs that this team can use.

    Note

    The drop-down list only shows GPG keypairs that are not assigned to any team.

Keypair profiles: Select keypair profiles that this team can use.

Certificate profiles: Select certificate profiles that this team can use.

Projects: Select projects to assign to the team.

    Note

    The drop-down list only shows projects that are not assigned to any team.

License limitations: Set a maximum number of signature and HSM units this team can use.

Expiry date: Set an expiry date for this team.

Team approvals workflows and permissions

When teams are enabled for your account, specific actions must be requested and approved by the team. The number of approvals required before an action is considered approved can be changed by updating the team.

The following actions require approval:

  • Create offline releases

  • Export keypairs

  • Delete keypairs

  • Revoke certificates

The following permissions determine which users can request or approve these actions:

  • Request an above action for the team they belong to:

    User must have one of the following permissions: request release, request keypair export, request keypair delete, and/or revoke certificate.

  • Approve an above action for the team they belong to:

    User must have one of the following permissions: approve release window, approve keypair export, approve keypair delete, and/or revoke certificate.

Approval procedure for team actions

When teams are enabled and a user requests to complete an action, the following approval procedure will occur:

  1. All users on the team with the permission to approve the action receive an email with the request.

  2. The approver must click View request in the email.

  3. The approver must review the request and click Approve or Reject.

  4. Once the required number of approvals is received, depending on the request:

    1. The certificate will be revoked.

    2. The keypair will be deleted.

    3. The offline release will be created.

    4. The requester will receive an email with a link to export the keypair.

Note

If one user rejects the request, the entire request will be canceled and the user has to request the action again.
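The request and approval rules above, modeled as an added example (not DigiCert code and not the product's API). The class and action names are hypothetical, the pairing of each action with its request and approve permission is inferred from the permission names on this page, and counting each approver only once is an assumption. It also reports actions whose approval threshold exceeds the number of team members able to approve, which no request could ever satisfy.

```python
from dataclasses import dataclass, field

# (request permission, approve permission) per action, paired by name
# from the permission lists on this page.
PERMISSIONS = {
    "create_offline_release": ("request release", "approve release window"),
    "export_keypair": ("request keypair export", "approve keypair export"),
    "delete_keypair": ("request keypair delete", "approve keypair delete"),
    "revoke_certificate": ("revoke certificate", "revoke certificate"),
}


@dataclass
class Team:
    members: dict             # user -> set of permission names
    approvals_required: dict  # action -> approvals needed

    def approvers(self, action):
        """Team members holding the approve permission for this action."""
        needed = PERMISSIONS[action][1]
        return {u for u, perms in self.members.items() if needed in perms}

    def unsatisfiable_actions(self):
        """Actions whose threshold exceeds the number of eligible approvers."""
        return sorted(a for a, n in self.approvals_required.items()
                      if n > len(self.approvers(a)))


@dataclass
class Request:
    team: Team
    action: str
    requester: str
    approved_by: set = field(default_factory=set)
    state: str = "pending"    # pending -> approved | canceled

    def __post_init__(self):
        perms = self.team.members.get(self.requester, set())
        if PERMISSIONS[self.action][0] not in perms:
            raise PermissionError(f"{self.requester} cannot request {self.action}")

    def decide(self, user, approve):
        """Record one approver's decision and return the request state."""
        if self.state != "pending":
            raise ValueError(f"request is already {self.state}")
        if user not in self.team.approvers(self.action):
            raise PermissionError(f"{user} cannot approve {self.action}")
        if not approve:
            self.state = "canceled"   # a single rejection cancels the request
            return self.state
        self.approved_by.add(user)    # assumption: each approver counts once
        if len(self.approved_by) >= self.team.approvals_required[self.action]:
            self.state = "approved"
        return self.state


def sample_team():
    """Constructed sample data; user names and thresholds are made up."""
    return Team(
        members={
            "alice": {"request keypair export", "approve keypair export"},
            "bob": {"approve keypair export", "approve keypair delete"},
            "carol": {"approve keypair export"},
            "dave": {"sign"},
        },
        approvals_required={"export_keypair": 2, "delete_keypair": 2},
    )


if __name__ == "__main__":
    team = sample_team()
    print("cannot reach quorum:", team.unsatisfiable_actions())
    req = Request(team, "export_keypair", "alice")
    for user, ok in [("bob", True), ("bob", True), ("carol", True)]:
        print(user, "->", req.decide(user, ok))
```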

Team permissions

There are two team permissions:

Permission: Description

Manage all teams: User can:

  • Create new teams.

  • View, update, deactivate, delete, and map resources to existing teams.

Manage my teams: User can view, update, deactivate, and map resources to teams that they are part of.

Permissions affected when teams are enabled

Both of the above-mentioned team permissions are assigned to users who manage teams. Team members do not require a specific team permission; however, their permissions and workflows are affected once teams are enabled.

The following permissions and workflows are affected when teams are enabled:

General permissions

Roles: Manager of all teams (Manage all teams permission); Manager of specific teams (Manage my teams permission); Team member (no 'Manage all teams' or 'Manage my team' permission).

Create and delete teams

  • Manager of all teams: Can create and delete teams within the account.

  • Manager of specific teams: Cannot perform this action.

  • Team member: Cannot perform this action.

View list of teams

  • Manager of all teams: Can view all teams within the account.

  • Manager of specific teams: Can view teams they are assigned to.

  • Team member: Can view teams they are assigned to.

Activate or deactivate team

  • Manager of all teams: Can activate or deactivate any teams within the account.

  • Manager of specific teams: Can activate or deactivate teams they are assigned to.

  • Team member: Cannot perform this action.

Update team

  • Manager of all teams: Can update any teams within the account.

  • Manager of specific teams: Can update teams they are assigned to.

  • Team member: Cannot perform this action.

Keypair, certificate, and sign permissions

Columns: Manager of all teams (Manage all teams permission); Manager of specific teams (Manage my teams permission); Team member (no 'Manage all teams' or 'Manage my team' permission).

Create keypair

Can create keypair and assign to any team in the account, provided that they also have the Generate keypair and Manage keypair permission.

Can create keypair and assign to a team that they are part of, provided that they also have the Generate keypair permission.

Can create keypair and assign to a team that they are part of, provided that they also have the Generate keypair permission.

Can create keypair and assign to a team that they are part of, provided that they also have the Generate keypair permission.

Generate CSR

Can generate a CSR for any keypair in the account, provided that they also have the Manage keypair or Generate certificate permission.

Can generate a CSR for keypairs assigned to a team that they are part of, provided that they also have the Manage keypair or Generate certificate permission.

Can generate a CSR for keypairs assigned to a team that they are part of, provided that they also have the Manage keypair or Generate certificate permission.

Update keypairs and key rotations

Can update any keypair and key rotation in the account, provided that they also have the Manage keypair permission.

Note

This includes keypairs that were assigned to specific users or a user group before teams were enabled and are not assigned to a team now.

Can update any keypair and key rotation assigned to a team that they are part of, provided that they also have the Manage keypair permission.

Can update any keypair and key rotation assigned to a team that they are part of, provided that they also have the Manage keypair permission.

View standard keypairs, GPG keys and key rotations

Can view all standard keypairs, GPG keys, and key rotations within the account, provided that they also have the Manage keypair and View keypair permission.

Can view all standard keypairs, GPG keys, and key rotations assigned to a team that they are part of, provided that they also have the View keypair permission.

Can view all standard keypairs, GPG keys, and key rotations assigned to a team that they are part of, provided that they also have the View keypair permission.

Sign

Can sign with any standard or GPG key assigned to a team that they are part of, provided that they also have the Sign permission.

Can sign with any standard or GPG keypair assigned to a team that they are part of, provided that they also have the Sign permission.

Can sign with any standard or GPG keypair assigned to a team that they are part of, provided that they also have the Sign permission.

Suspend or unsuspend keypair

Can suspend or unsuspend any keypair in the account, provided that they also have the Manage keypair permission.

Can suspend or unsuspend keypairs assigned to a team that they are part of, provided that they also have the Manage keypair permission.

Can suspend or unsuspend keypairs assigned to a team that they are part of, provided that they also have the Manage keypair permission.

Refresh keypair

Can refresh any dynamic keypair in the account, provided that they also have the Manage keypair or Sign permission.

Can refresh dynamic keypairs assigned to a team that they are part of, provided that they also have the Manage keypair or Sign permission.

Can refresh dynamic keypairs assigned to a team that they are part of, provided that they also have the Manage keypair or Sign permission.

Request keypair export, keypair deletion, or certificate revocation

Can request these actions for any team within the account, provided that they have the associated permissions.

Can request these actions for any team they are assigned to, provided that they have the associated permissions.

Can request these actions for any team they are assigned to, provided that they have the associated permissions.

View certificates

Can view all certificates within the account, provided that they also have the View certificate and Manage keypair permission.

Can view all certificates assigned to a team that they are part of, provided that they also have the View certificate permission.

Can view all certificates assigned to a team that they are part of, provided that they also have the View certificate permission.

Update and delete certificates

Can update and delete all certificates within the account, provided that they also have the Manage certificate profile and Manage keypairs permission.

Can update and delete all certificates associated to keypairs assigned to a team that they are part of, provided that they also have the Manage certificate profile permission.

Can update and delete all certificates associated with keypairs assigned to a team that they are part of, provided that they also have the Manage certificate profile permission.

Can update and delete all certificates associated to keypairs assigned to a team that they are part of, provided that they also have the Manage certificate profile permission.

Import certificate

Can import a certificate to any keypair in the account, provided that they also have the Import certificate and Manage keypair permission.

Can import a certificate to any keypair assigned to a team that they are part of, provided that they also have the Import certificate permission.

Can import a certificate to any keypair assigned to a team that they are part of, provided that they also have the Import certificate permission.

Can import a certificate to any keypair assigned to a team that they are part of, provided that they also have the Import certificate permission.

Create certificate

Can create certificate for any keypair within the account, provided that they also have the Generate certificate and Manage keypair permission.

Can create certificate for keypairs assigned to a team that they are part of, provided that they also have the Generate certificate permission.

Can create certificate for keypairs assigned to a team that they are part of, provided that they also have the Generate certificate permission.

Can create certificate for keypairs assigned to a team that they are part of, provided that they also have the Generate certificate permission.

Revoke certificate

Can revoke any certificate in the account, provided that they also have the Manage keypair and Revoke certificate permission.

Can revoke certificates assigned to a team that they are part of, provided that they also have the Revoke certificate permission.

Can revoke certificates assigned to a team that they are part of, provided that they have the Revoke certificate permission.

Can revoke certificates assigned to a team that they are part of, provided that they also have the Revoke certificate permission.

Generate GPG master key

Can create GPG master keypair and assign to any team in the account, provided that they also have the Generate keypair and Manage master key permission.

Can create GPG master keypair and assign to a team that they are part of, provided that they also have the Generate keypair and Manage master key permission.

Can create GPG master keypair and assign to a team that they are part of, provided that they also have the Generate keypair and Manage master key permission.

Can create GPG master key and assign to a team that they are part of, provided that they also have the Manage master key permission.

Generate GPG subkey

Can create GPG subkey using any GPG master key and assign to any team in the account, provided that they also have the Generate keypair and Manage keypair permission.

Can create GPG subkey for GPG master keys assigned to a team that they are part of, provided that they also have the Generate keypair permission.

Note

This includes creating a subkey using team A's master key and assigning it to team B, provided that this user is part of both teams.

Can create GPG subkey for GPG master keys assigned to a team that they are part of, provided that they also have the Generate keypair permission.

Note

This includes creating a subkey using team A's master key and assigning it to team B, provided that this user is part of both teams.

Can create GPG subkey and assign to a team that they are part of, provided that they also have the Generate keypair permission.

Note

This includes creating a subkey using team A's master key and assigning it to team B, provided that this user is part of both teams.

Update GPG master key

Can update GPG master and assign to any team in the account, provided that they also have the Manage master key and Manage keypair permission.

Note

This includes GPG master keys that were assigned to specific users or a user group before teams were enabled and are not assigned to a team now.

Can update GPG master keys assigned to a team that they are part of, provided that they also have the Manage master key permission.

Can update GPG master keys assigned to a team that they are part of, provided that they also have the Manage master key permission.

Update GPG subkey

Can update GPG subkeys and assign to any team in the account, provided that they also have the Manage keypair permission.

Note

This includes GPG subkeys that were assigned to specific users or a user group before teams were enabled and are not assigned to a team now.

Can update GPG subkeys assigned to a team that they are part of, provided that they also have the Manage keypair permission.

Can update GPG subkeys assigned to a team that they are part of, provided that they also have the Manage keypair permission.

Revoke GPG master

Can revoke any GPG master in the account, provided that they also have the Revoke certificate, Manage master key and Manage keypair permission.

Can revoke GPG master keys assigned to a team that they are part of, provided that they also have the Revoke certificate and Manage master key permission.

Can revoke GPG master keys assigned to a team that they are part of, provided that they also have the Revoke certificate and Manage master key permission.

Can revoke GPG master keys assigned to a team that they are part of, provided that they also have the Revoke certificate and Manage master key permission.

Revoke GPG subkey

Can revoke any GPG subkey in the account, provided that they also have the Revoke certificate and Manage keypair permission.

Can revoke GPG subkeys assigned to a team that they are part of, provided that they also have the Revoke certificate permission.

Can revoke GPG subkeys assigned to a team that they are part of, provided that they also have the Revoke certificate permission.

Can revoke GPG subkeys assigned to a team that they are part of, provided that they also have the Revoke certificate permission.

Suspend or unsuspend GPG master key

Can suspend or unsuspend all GPG master keys in the account, provided that they also have the Manage keypair and Manage master key permission.

Can suspend or unsuspend all GPG master keys assigned to a team they are part of, provided that they also have the Manage keypair and Manage master key permission.

Can suspend or unsuspend all GPG master keys assigned to a team they are part of, provided that they also have the Manage keypair and Manage master key permission.

Suspend or unsuspend GPG subkey

Can suspend or unsuspend all GPG subkeys in the account, provided that they also have the Manage keypair permission.

Can suspend or unsuspend all GPG subkeys assigned to a team they are part of, provided that they also have the Manage keypair permission.

Can suspend or unsuspend all GPG subkeys assigned to a team they are part of, provided that they also have the Manage keypair permission.

Request to delete GPG master key

Can request to delete any GPG master keys in the account, provided that they also have the Approve keypair delete, Manage keypair, and Manage master key permission.

Can request to delete GPG master key assigned to teams they are part of, provided that they also have the Approve keypair delete and Manage master key permission.

Can request to delete GPG master key assigned to teams they are part of, provided that they also have the Approve keypair delete and Manage master key permission.

Can request to delete GPG master key assigned to teams they are part of, provided that they also have the Approve keypair delete and Manage master key permission.

Request to delete GPG subkey

Can request to delete any GPG subkey assigned to any team in the account, provided that they also have the Approve keypair delete and Manage keypair permission.

Can request to delete GPG subkeys assigned to teams they are part of, provided that they also have the Approve keypair delete and Manage master key permission.

Can request to delete GPG subkeys assigned to teams they are part of, provided that they also have the Approve keypair delete and Manage master key permission.

Release and signature log permissions

Columns: Manager of all teams (Manage all teams permission); Manager of specific teams (Manage my teams permission); Team member (no 'Manage all teams' or 'Manage my team' permission).

View releases and associated signature logs

Can view all releases and signature logs within the account, provided that they have View release or Approve release permission.

Can view all releases assigned to a team that they are part of, including signature logs related to those releases, provided that they have View release or Approve release permission.

Can view all releases that they are part of, including signature logs related to those releases, provided that they have View release or Approve release permission.

Create and update releases

Can create and update all releases within the account, this includes selecting any baseline in the account, provided that they have Approve release or Request release permission.

Can create and update all releases assigned to a team that they are part of. This includes selecting any baseline associated with a team they are part of, provided that they have Approve release or Request release permission.

Can create and update all releases assigned to a team that they are part of. This includes selecting any baseline associated with a team they are a part of, provided that they have Approve release or Request release permission.

Approve and reject releases

Can approve or reject releases assigned to a team that they are part of, provided that they also have the Approve release permission.

Can approve or reject releases assigned to a team that they are part of, provided that they also have the Approve release permission.

Can approve or reject releases assigned to a team that they are part of, provided that they also have the Approve release permission.

Create release comparison and baseline

Can compare any releases within the account and create a baseline, provided that they also have Approve release permission.

Can compare releases assigned to a team that they are part of and create a baseline, provided that they also have Approve release permission.

Can compare releases assigned to a team that they are part of and create a baseline, provided that they also have Approve release permission.

Close release

Can close any release in the account, provided that they also have the Approve release permission.

Can close releases assigned to a team that they are part of, provided that they also have the Approve release permission.

Can close releases assigned to a team that they are part of, provided that they created the release, are part of the release, and also have the Request release or Approve release permission.

Can close any release in the account, provided that they created the release and also have the Request release permission.

Can close releases assigned to a team that they are part of, provided that they created the release and also have the Request release permission.

Update team

This section outlines the team features that can be updated.

Note

You require the following permission to update a team:

  • Manage all teams permission allows you to change the approval amount on any team in the account.

  • Manage my teams permission allows you to change the approval amount on any team in the account that you are a part of.

Add or remove team resources

To add or remove resources assigned to a team:

  1. Sign in to DigiCert ONE.

  2. Select the Manager menu (top right) > Software Trust.

  3. Navigate to: Account > Teams.

  4. Click on the team name you want to update.

  5. Click the edit icon.

  6. Update the following fields:

    Field: Description

    Keypairs: Select standard keypairs to assign to the team.

        Note

        The drop-down list only shows GPG keypairs that are not assigned to any team.

    GPG keypairs: Select GPG keypairs to assign to the team.

        Note

        The drop-down list only shows GPG keypairs that are not assigned to any team.

    Keypair profiles: Select keypair profiles to assign to the team.

    Certificate profiles: Select certificate profiles to assign to the team.

    Projects: Select projects to assign to the team.

        Note

        The drop-down list only shows projects that are not assigned to any team.

  7. Select Update team.

Change required approvals

To change the number of approvals required to complete a specific action within a team:

  1. Sign in to DigiCert ONE.

  2. Select the Manager menu (top right) > Software Trust.

  3. Navigate to: Account > Teams.

  4. Click on the team name you want to update.

  5. Click the edit icon.

  6. Change the approval amount for the action.

  7. Select Update team.

Note

You require the following permission to update the approval amount:

  • Manage all teams permission allows you to change the approval amount on any team in the account.

  • Manage my teams permission allows you to change the approval amount on any team in the account that you are a part of.

Update or remove signing limit

To update or remove the signing limit for the team:

  1. Sign in to DigiCert ONE.

  2. Select the Manager menu (top right) > Software Trust.

  3. Navigate to: Account > Teams.

  4. Click on the team name you want to update.

  5. Click the edit icon.

  6. To set the maximum number of signature units that this team can use, select one of the following options under License limitations:

    Field: Description

    No limit: Select this radio button to enable the team to do unlimited signing.

    Limit: Select this radio button and enter the number of signature units the team is allowed to use. One signature unit is consumed every time a user signs.

  7. Select Update team.