Skip to main content

Account user permissions

The purpose of an account user is generally to perform cryptographic actions and sign.

There are two categories of account users. Below is a comparison between the users and service users:

User

Service user

Can access DigiCert​​®​​ Software Trust Manager UI?

Yes

No

Can use DigiCert​​®​​ Software Trust Manager clients?

Yes

Yes

Can perform cryptographic actions?

Yes

Yes

Can manage own credentials?

Yes

No

Who is this user?

A person

An alias and associated email for alerts. Generally used for automation of workflows on a machine such as a build server.

Note

Only System users can onboard or provision accounts.

The following article outlines account user permissions which may be useful if you are creating a custom user role. Alternatively, refer to user roles for a list of preconfigured user roles that allow you to assign permission sets to new and existing users.

Tip

The permission descriptions below assume that the Teams feature is not enabled on your account. If teams are enabled on your account, refer to Teams permissions for more information.

General permissions

Permission

Description

Manage account settings

User can update DigiCert​​®​​ Software Trust Manager > Accounts > Account settings.

Manage CertCentral API key

User can delete, disable, enable, setup, update and validate a CertCentral API key.

Manage all teams

User can:

  • Create new teams.

  • View, update, deactivate, delete, and map resources to all teams within the account, provided that they have relevant resource permissions.

Manage my teams

User can view, update, deactivate, and map resources to existing teams that they are part of, provided that they have relevant resource permissions.

View audit log

User can view audit and signature logs in the account.

Export audit logs

User can export audit and signature logs in the account.

Note

View audit log is required as an additional permission to be able to export audit logs.

Certificate permissions

Permission

Description

View certificate

User can view certificate details for all certificates assigned to them.

Note

Users with Manage keypair permission can view all certificates within the account.

Generate certificate

User can create a new certificate using keypairs that they are assigned to.

Note

Users with Manage keypair permission can create a new certificate using any keypair within the account.

Import certificate

User can import certificates for keypairs that they are assigned to.

Note

Users with Manage keypair permission can import a certificate to any keypair within the account.

Revoke certificate

User can revoke certificates associated with keypairs that they are assigned to.

Note

Users with Manage keypair permission can revoke certificates associated to any keypair within the account.

Manage certificate hierarchy

User can create, update, approve, reject, suspend, unsuspend, and view certificate hierarchies.

View certificate profile

User can view certificate profile details in the account.

Manage certificate profiles

User can:

  • Create, update, enable, disable, and delete certificate profiles.

  • Update and delete certificates.

View certificate template

User can view certificate template details in the account.

Keypair permissions

Permission

Description

View keypair

User can view keypairs and key rotations relying on keypairs assigned to them.

Note

Users with Manage keypair permission can view all keypairs and key rotations within the account.

Generate keypair

User can create a new keypair.

Import keypair

User can import keypairs into the account.

Note

To import a GPG secring, Manage master key is also required.

Request keypair export

User can request to export keypairs that they are assigned to.

Approve keypair export

User can approve requests to export keypairs.

Approve keypair delete

User can approve requests to delete keypairs.

Manage keypair

User can:

  • Update, suspend or unsuspend keypairs.

  • Create, update, enable, and disable keypair profiles.

  • Create and update user groups.

  • Create, update, and refresh key rotation.

  • Generate a CSR

Sign

User can sign.

Note

  • View keypair is required as an additional permission to sign by referencing the keypair in your command when it has a default certificate.

  • View certificate is required as an additional permission to sign by referencing the certificate in your command.

Manage master keypair

User can:

  • Create GPG master key, provided that the user also has Generate keypair permission.

  • Import a GPG secring, provided that the user also has Import keypair permission.

  • Update, suspend, unsuspend master keys that they are assigned to.

    Note

    Users with Manage keypair permission can update, suspend, unsuspend any master keys within the account.

  • Delete master keys assigned to them, provided that the user also has Approve keypair delete permission.

    Note

    Users with Manage keypair permission can delete any master key within the account.

  • Revoke master keys assigned to them, provided that the user also has Revoke certificate permission.

    Note

    Users with Manage keypair permission can revoke any master key within the account.

Release permissions

Permission

Description

View release windows

User can view releases that they are assigned to and associated signature logs.

Request release

User can request to create an offline release.

Approve release window

User can:

  • View all releases in the account.

  • View associated signature logs.

  • Request offline releases.

  • Approve requests to create offline releases.

Threat detection

Permission

Description

View Threat detection

User can view threat detection scans in the account.

Run Threat detection scans

User can run scans on software using Threat detection.

Manage threat detection

User can download threat detection reports and assign threat detection reports to projects.

In this section: