Account user permissions
The purpose of an account user is generally to perform cryptographic actions and sign.
There are two categories of account users: users and service users. The table below compares them:
| | User | Service user |
---|---|---|
Can access DigiCert® Software Trust Manager UI? | Yes | No |
Can use DigiCert® Software Trust Manager clients? | Yes | Yes |
Can perform cryptographic actions? | Yes | Yes |
Can manage own credentials? | Yes | No |
Who is this user? | A person | An alias and associated email for alerts. Generally used for automation of workflows on a machine such as a build server. |
Note
Only System users can onboard or provision accounts.
This article outlines account user permissions, which may be useful if you are creating a custom user role. Alternatively, refer to user roles for a list of preconfigured user roles that allow you to assign permission sets to new and existing users.
Tip
The permission descriptions below assume that the Teams feature is not enabled on your account. If teams are enabled on your account, refer to Teams permissions for more information.
General permissions
Permission | Description |
---|---|
Manage account settings | User can update DigiCert® Software Trust Manager > Accounts > Account settings. |
Manage CertCentral API key | User can delete, disable, enable, set up, update, and validate a CertCentral API key. |
Manage all teams | User can: |
Manage my teams | User can view, update, deactivate, and map resources to existing teams that they are part of, provided that they have relevant resource permissions. |
View audit log | User can view audit and signature logs in the account. |
Export audit logs | User can export audit and signature logs in the account. Note |
Certificate permissions
Permission | Description |
---|---|
View certificate | User can view certificate details for all certificates assigned to them. Note: Users with |
Generate certificate | User can create a new certificate using keypairs that they are assigned to. Note: Users with |
Import certificate | User can import certificates for keypairs that they are assigned to. Note: Users with |
Revoke certificate | User can revoke certificates associated with keypairs that they are assigned to. Note: Users with |
Manage certificate hierarchy | User can create, update, approve, reject, suspend, unsuspend, and view certificate hierarchies. |
View certificate profile | User can view certificate profile details in the account. |
Manage certificate profiles | User can: |
View certificate template | User can view certificate template details in the account. |
Keypair permissions
Permission | Description |
---|---|
View keypair | User can view keypairs and key rotations relying on keypairs assigned to them. Note: Users with |
Generate keypair | User can create a new keypair. |
Import keypair | User can import keypairs into the account. Note: To import a GPG secring, |
Request keypair export | User can request to export keypairs that they are assigned to. |
Approve keypair export | User can approve requests to export keypairs. |
Approve keypair delete | User can approve requests to delete keypairs. |
Manage keypair | User can: |
Sign | User can sign. Note |
Manage master keypair | User can: |
Release permissions
Permission | Description |
---|---|
View release windows | User can view releases that they are assigned to and associated signature logs. |
Request release | User can request to create an offline release. |
Approve release window | User can: |
Threat detection
Permission | Description |
---|---|
View Threat detection | User can view threat detection scans in the account. |
Run Threat detection scans | User can run scans on software using Threat detection. |
Manage threat detection | User can download threat detection reports and assign threat detection reports to projects. |