Skip to main content

Account scope (AS) user permissions

The purpose of an account user is generally to perform cryptographic actions and sign.

There are two categories of account users. Below is a comparison between the users and service users:

User

Service user

Can access DigiCert​​®​​ Software Trust Manager UI?

Yes

No

Can use DigiCert​​®​​ Software Trust Manager clients?

Yes

Yes

Can perform cryptographic actions?

Yes

Yes

Can manage own credentials?

Yes

No

Who is this user?

A person

An alias and associated email for alerts. Generally used for automation of workflows on a machine such as a build server.

Note

Only System users can onboard or provision accounts.

The following article outlines account user permissions which may be useful if you are creating a custom user role. Alternatively, refer to user roles for a list of preconfigured user roles that allow you to assign permission sets to new and existing users.

Astuce

The permission descriptions below assume that the Teams feature is not enabled on your account. If teams are enabled on your account, refer to Team permissions for more information.

Permission

User can

Notes

Manage account settings

Update Software Trust Manager > Accounts > Account settings.

Manage CertCentral API key

Delete, disable, enable, setup, update and validate a CertCentral API key.

Manage all teams

  • Create teams.

  • View, update, deactivate, delete, and assign resources to all teams within the account, provided that they have relevant resource permissions.

Manage my teams

View, update, deactivate, and map resources to existing teams that they are part of, provided that they have relevant resource permissions.

View audit log

View audit and signature logs in the account.

Export audit logs

Export audit and signature logs in the account.

View audit log is required as an additional permission to be able to export audit logs.

Permission

User can

Notes

View certificate

View certificate details for all certificates assigned to them.

Users with Manage keypair permission can view all certificates within the account.

Generate certificate

Create a new certificate using keypairs that they are assigned to.

Users with Manage keypair permission can create a new certificate using any keypair within the account.

Import certificate

Import certificates for keypairs that they are assigned to.

Users with Manage keypair permission can import a certificate to any keypair within the account.

Revoke certificate

Revoke certificates associated with keypairs that they are assigned to.

Users with Manage keypair permission can revoke certificates associated to any keypair within the account.

Manage certificate hierarchy

View and create hierarchies. They can also activate and deactivate restricted hierarchies.

View certificate profile

View certificate profiles created by the user.

Manage certificate profiles

  • View, create, update, clone, enable, and disable certificate profiles that are created by the user.

  • View, update, and delete all certificates associated with a certificate profile that the user created.

View certificate template

View certificate template details in the account.

Permission

User can

Notes

View keypair

View keypairs and key rotations relying on keypairs assigned to them.

Users with Manage keypair permission can view all keypairs and key rotations within the account.

Generate keypair

Create a new keypair.

Import keypair

Import keypairs into the account.

To import a GPG secring, Manage master key is also required.

Request keypair export

Request to export keypairs that they are assigned to.

Users with Manage keypair permission can request to export any keypair within the account.

Approve keypair export

Approve requests to export keypairs that they are assigned to.

Users with Manage keypair permission can approve keypair exports for any keypair within the account.

Approve keypair delete

Approve requests to delete keypairs that they are assigned to.

Users with Manage keypair permission can approve keypair delete for any keypair within the account.

Manage keypair

  • Update, suspend or unsuspend keypairs.

  • Create, update, enable, and disable keypair profiles.

  • Create and update user groups.

  • Create, update, and refresh key rotation.

  • Generate a CSR.

Sign

Sign software with keypairs assigned to them.

Manage master GPG key

  • Create GPG master key, provided that the user also has Generate keypair permission.

  • Import a GPG secring, provided that the user also has Import keypair permission.

  • Update, suspend, unsuspend master keys that they are assigned to.

  • Delete master keys assigned to them, provided that the user also has Approve keypair delete permission.

  • Revoke master keys assigned to them, provided that the user also has Revoke certificate permission.

Users with Manage keypair permission can update, suspend, unsuspend any master keys within the account.

Users with Manage keypair permission can delete any master key within the account.

Users with Manage keypair permission can revoke any master key within the account.

Permission

Description

View release

View all releases in the account.

Request release

Request to create an offline release.

Approve release

Create a release and approve or reject requests to create offline releases.

Permission

Description

View Threat detection

View all threat detection scans in the account.

Run Threat detection scans

Scan software using Threat detection.

Manage threat detection

Download threat detection reports and assign threat detection scans to projects.