Team user critical operations
This document explains the various actions and permissions available for members of a team.
Before you begin, familiarize yourself with the following common terms:
Tabella 1. Terms to understand
Term | Description |
---|
UCO | |
Lead | A member with the MANAGE_SM_ALL_TEAMS permission Manages all teams in their account Excluded from UCO restrictions
|
Team lead | |
Tabella 2. Teams
Teams action | Permission | System scope user | User with MANAGE_SM_ALL_TEAMS | User with MANAGE_SM_MY_TEAMS | UCO |
---|
Create and delete | MANAGE_SM_ALL_TEAMS | Not applicable | Can create or delete any team, regardless if the team is enabled or disabled. | Not applicable | UCO activities cannot be performed on users during team creation. |
Update | MANAGE_SM_MY_TEAMS or MANAGE_SM_ALL_TEAMS | Not applicable | Can update any team and perform UCO activities on users, regardless if the team is enabled or disabled. | Can update associated teams and perform UCO activities on those users. | Users with MANAGE_SM_ALL_TEAMS are not subject to UCO activities, even from users with the same permission level. If a user is assigned a Lead role, any previous team restrictions are still in effect for that user. To troubleshoot, anotehr Lead can enable all permissions for that user. |
View lists and details | Not applicable | Can view lists and details of all teams in the account | Can view list and details of any team in the account, regardless if the team is enabled or disabled. | Can view lists and details for associated teams, regardless if the team is enabled or disabled. | Not applicable |
Activate / deactivate | MANAGE_SM_ALL_TEAMS or MANAGE_SM_MY_TEAMS | Not applicable | Can activate or deactivate any team in the account, regardless if the team is enabled or disabled. | Can only activate or deactivate associated teams, regardless if the team is enabled or disabled. | Not applicable |
Tabella 3. Keypairs
Keypair action | Permission | System scope user | Open keypairs | Restricted keypairs |
---|
Generate | GENERATE_SM_KEYPAIR | Cannot perform this activity | | Enabled teams: GENERATE_KEYPAIR_CERT UCO must be enabled. Users with MANAGE_SM_ALL_TEAMS can create keypairs for any team. MANAGE_SM_MY_TEAMS users can create keypairs for their own teams.
Disabled teams:
|
Update | MANAGE_SM_KEYPAIR | Can update any keypair in the account | | Enabled teams: MANAGE_KEYPAIR_CERT UCO must be enabled. Users with MANAGE_SM_ALL_TEAMS can update any team's keypair. MANAGE_SM_MY_TEAMS users can update keypairs for their own teams
Disabled teams:
|
View lists and details | VIEW_SM_KEYPAIR | Can view list and details of all keypairs | | Enabled teams: Users with MANAGE_SM_ALL_TEAMS and MANAGE_SM_KEYPAIR can view all keypairs. MANAGE_SM_MY_TEAMS users can view keypairs in their own teams. UCO restrictions do not apply.
Disabled teams:
|
Sign | SIGN_SM_HASH | Not applicable | | Enabled teams: Disabled teams:
|
Verify | SIGN_SM_HASH | Not applicable | Not applicable | Not applicable |
Delete | APPROVE_SM_KEYPAIR_DELETE | Cannot perform this activity | | Enabled teams: Disabled teams:
|
Generate CSR | MANAGE_SM_KEYPAIR or GENERATE_SM_CERTIFICATE | Not applicable | | Enabled teams: Disabled teams:
|
Refresh keypair | MANAGE_SM_KEYPAIR or SIGN_SM_HASH | Not applicable | | Enabled teams: Disabled teams:
|
Suspend / unsuspend | MANAGE_SM_KEYPAIR | Not applicable | | Enabled teams: Disabled teams:
|
Import keypair | IMPORT_SM_KEYPAIR | Cannot perform this activity | | |
Request keypair export | REQUEST_SM_KEYPAIR_EXPORT | Not applicable | | |
Tabella 4. GPG keypairs
GPG keypair action | Permission | System scope user | Open keypairs | Restricted keypairs |
---|
Generate master keypair | GENERATE_SM_KEYPAIR and MANAGE_SM_MASTER_KEYPAIR | Cannot perform this activity | | Enabled teams: Disabled teams:
|
Generate subkey | GENERATE_SM_KEYPAIR | Cannot perform this activity | | Enabled teams: Disabled teams:
|
Update master and subkey | MANAGE_SM_KEYPAIR and MANAGE_SM_MASTER_KEYPAIR | Can update all master / subkeys in the account | | Enabled teams: Disabled teams:
|
View lists and details | VIEW_SM_KEYPAIR | Can view lists and details for all master / subkeys | | Enabled teams: Disabled teams:
|
Sign | SIGN_SM_HASH | Not applicable | | Enabled teams: Disabled teams:
|
Revoke master / subkey | REVOKE_SM_CERTIFICATE and MANAGE_SM_MASTER_KEYPAIR | Cannot perform this activity | | Enabled teams: Disabled teams:
|
Suspend / unsuspend | MANAGE_SM_KEYPAIR and MANAGE_SM_MASTER_KEYPAIR | Can perform these activities | | Enabled teams: Disabled teams:
|
Delete master / subkey | APPROVE_SM_KEYPAIR_DELETE and MANAGE_SM_MASTER_KEYPAIR | Cannot perform this activity | | Enabled teams: Disabled teams:
|
Import Sec Ring | IMPORT_SM_KEYPAIR and MANAGE_SM_MASTER_KEYPAIR | Cannot perform this activity | | |
Download a keyring collection | VIEW_SM_KEYPAIR | Can perform this activity | | Enabled teams: Disabled teams:
|
Tabella 5. Certificates
Certificate action | Permission | System scope user | Open keypairs | Restricted keypairs |
---|
View lists and details | VIEW_SM_CERTIFICATE | Can view all certificates for all keypairs in the account. | | Enabled teams: Users with MANAGE_SM_ALL_TEAMS and MANAGE_SM_KEYPAIR can view certificates for all teams, including orphaned keypairs. MANAGE_SM_MY_TEAMS users can view certificates for their own teams.
Disabled teams:
|
Import certificate | IMPORT_SM_CERTIFICATE | Cannot perform this activity | | Enabled teams: Disabled teams:
|
Generate certificate | GENERATE_SM_CERTIFICATE | Cannot perform this activity | | Enabled teams GENERATE_KEYPAIR_CERT UCO is required. Users with MANAGE_SM_ALL_TEAMS can generate certificates for any team's keypairs. MANAGE_SM_MY_TEAMS users can generate certificates for keypairs for their own teams.
Disabled teams
|
Update / delete certificate | MANAGE_SM_CERTIFICATE_PROFILE | Can update or delete any certificate in the account | | Enabled teams MANAGE_KEYPAIR_CERT UCO is required. Users with MANAGE_SM_ALL_TEAMS can update or delete certificates for any team, including orphaned keypairs. MANAGE_SM_MY_TEAMS users can update or delete certificates for keypairs for their own teams.
Disabled teams
|
Revoke certificate | REVOKE_SM_CERTIFICATE | Cannot perform this activity | | Enabled teams Disabled teams
|
Update hierarchy mappings for certificates | MANAGE_SM_HIERARCHY | Only system scope user can perform this activity | Not applicable | Not applicable |
Tabella 6. Key rotations
Key rotation action | Permission | System scope user | Enabled teams | Disabled teams |
---|
View list and details | VIEW_SM_KEYPAIR | Can view list and details of all key rotations in the account | Users with MANAGE_SM_ALL_TEAMS and MANAGE_SM_KEYPAIR can view all key rotations in the account, regardless of team membership, including those created when teams were disabled. UCO is not applicable MANAGE_SM_MY_TEAMS users can view key rotations for their own teams.
| Users with MANAGE_SM_KEYPAIR can view all key rotations in their account, including those created when teams were enabled. Users with other permission can view key rotations that they are part of.
|
Create / update | MANAGE_SM_KEYPAIR | Cannot perform these actions | MANAGE_KEYPAIR_CERT UCO must be enabled for users in the team. Users with MANAGE_SM_ALL_TEAMS can create and update key rotations for any team, and adjust mappings for rotations created when teams were disabled. MANAGE_SM_MY_TEAMS users can create and update rotations for their own teams.
| |
Tabella 7. Software projects
Action | Permission | System scope user | Enabled team | Disabled team |
---|
Generate | MANAGE_SM_ACCOUNT_SETTINGS | Can perform this activity | UCO is not applicable. Users with MANAGE_SM_ALL_TEAMS can create projects for any team in the account, regardless of their team membership. Users with MANAGE_SM_MY_TEAMS can create projects for their associated teams.
| Any user part of the account can create a project. |
Update | MANAGE_SM_ACCOUNT_SETTINGS | Can perform this activity | UCO is not applicable. Users with MANAGE_SM_ALL_TEAMS can update any team's project, including orphan projects. Users with MANAGE_SM_MY_TEAMS can update projects for their associated teams.
| Users can update any project in the account, including orphan projects. |
View lists and details | Not applicable | Can perform this activity | Users with MANAGE_SM_ALL_TEAMS can view details of all projects across teams, including orphan projects. Users with MANAGE_SM_MY_TEAMS can view details only for projects within their teams.
| Users can view lists and details of all projects in the account, including orphan projects. |
Delete | MANAGE_SM_ACCOUNT_SETTINGS | Can perform this activity | Users with MANAGE_SM_ALL_TEAMS can delete any team's project, regardless of team membership. Users with MANAGE_SM_MY_TEAMS can delete projects for their associated teams.
| Users can delete any project in the account. |
Suspend / unsuspend | MANAGE_SM_ACCOUNT_SETTINGS | Can perform this activity | Users with MANAGE_SM_ALL_TEAMS can suspend or unsuspend any project, regardless of their team membership. Users with MANAGE_SM_MY_TEAMS can suspend or unsuspend projects for their associated teams.
| Users can suspend or unsuspend any project in the account. |
Tabella 8. Scans
Action | Permission | System scope user | Enabled team | Disabled teams |
---|
Generate | SCAN_SM_SOFTWARE_SCAN | Cannot perform this activity | | Users can create a scan using any project in the account. |
View lists and details | VIEW_SM_SOFTWARE_SCAN | Can view lists and details of all scans in the account | Users with MANAGE_SM_ALL_TEAMS can view scans for all teams, regardless of their membership. Users with MANAGE_SM_MY_TEAMS can view scans only associated teams.
| Users can view list and details of all scans in the account. |
Delete | MANAGE_SM_SOFTWARE_SCAN | Cannot perform this activity | | Users can delete any scan in the account, regardless of project mappings. |
Download | VIEW_SM_SOFTWARE_SCAN | Not applicable | Users with MANAGE_SM_ALL_TEAMS can download scans, regardless of team membership. Users with MANAGE_SM_MY_TEAMS can download scans for associated projects.
| Users can download any scan in the account. |
Tabella 9. Release windows
Release action | Permission | System scope user | Enabled teams | Disabled teams |
---|
Create a release window Update release window | APPROVE_SM_RELEASE_WINDOW or REQUEST_SM_RELEASE_WINDOW | Cannot perform this action | APPROVE_RELEASE UCO for APPROVE_SM_RELEASE_WINDOW permission must be enabled in the team, or the REQUEST_SM_RELEASE_WINDOW permission is required. Users with MANAGE_SM_ALL_TEAMS can create and update releases for any team, and choose any baseline release. Users with MANAGE_SM_MY_TEAMS can only interact with teams they are associated with.
| |
View lists, details, and signature logs | APPROVE_SM_RELEASE_WINDOW or VIEW_SM_RELEASE_WINDOW | Can view list, details, and signature logs for all releases in the account | APPROVE_RELEASE UCO for APPROVE_SM_RELEASE_WINDOW permission must be enabled in the team, or the VIEW_SM_RELEASE_WINDOW permission is required. Users with MANAGE_SM_ALL_TEAMS can view logs for all releases, even if they are not part of the release. MANAGE_SM_MY_TEAMS users can view logs for teams they are assocaited with.
| Users with APPROVE_SM_RELEASE_WINDOW can view details and logs for all releases, regardless of team association. Users with other permissions can only view logs for releases they are associated with.
|
Release compare and baseline release creation | APPROVE_SM_RELEASE_WINDOW | Cannot perform this action | APPROVE_RELEASE UCO must be enabled for the user in the team. Users with MANAGE_SM_ALL_TEAMS can compare and set any release as a baseline. MANAGE_SM_MY_TEAMS users can compare and set any release as a baseline for teams they are associated with.
| |
Approve and reject release | APPROVE_SM_RELEASE_WINDOW | Cannot perform this action | | |
Close release window | APPROVE_SM_RELEASE_WINDOW or REQUEST_SM_RELEASE_WINDOW | Cannot perform this action | APPROVE_RELEASE UCO or REQUEST_SM_RELEASE_WINDOW must be enabled in the team. Users with MANAGE_SM_ALL_TEAMS can close any release, even if they are not associated with the release. MANAGE_SM_MY_TEAMS users can close releases for their own teams. Other users can close releases they are part of and created.
| |
Tabella 10. Notifications
Notification type | Enabled teams | Disabled teams |
---|
Keypair expiry | MANAGE_KEYPAIR_CERT UCO needs to be enabled for users in the team to receive notifications. Users with MANAGE_SM_KEYPAIR or MANAGE_SM_ALL_TEAMS receive notifications for all restricted and open keypairs set to expire in the account. Users with MANAGE_SM_KEYPAIR receive notifications only for restricted keypairs set to expire in teams they are members of.
| Users with MANAGE_SM_KEYPAIR receive notifications for all restricted and open keypairs set to expire in the account. |
Certificate about to expire | MANAGE_KEYPAIR_CERT UCO needs to be enabled for users in the team to receive the notification. Users with MANAGE_SM_KEYPAIR or MANAGE_SM_ALL_TEAMS receive notifications for default certificates about to expire for all restricted and open keypairs in the account. Users with MANAGE_SM_KEYPAIR receive notifications for default certificates about to expire for restricted keypairs in teams they are members of.
| Users with MANAGE_SM_KEYPAIR receive notifications for default certificates about to expire for all restricted and open keypairs in the account. |
Auto-renewing for certificates expiring in 15 and 30 days | MANAGE_KEYPAIR_CERT UCO needs to be enabled for users in the team to receive the notification. Users with MANAGE_SM_KEYPAIR or MANAGE_SM_ALL_TEAMS receive notifications for certificates corresponding to all restricted and open keypairs getting renewed. Users with MANAGE_SM_KEYPAIR receive notifications for certificates corresponding to restricted keypairs getting renewed in teams they are members of.
| Users with MANAGE_SM_KEYPAIR receive notifications for certificates corresponding to all restricted and open keypairs getting renewed in the account. |
Auto-renewing complete Auto-renewing blocked | MANAGE_KEYPAIR_CERT UCO needs to be enabled for users in the team to receive the notification. Users with MANAGE_SM_KEYPAIR or MANAGE_SM_ALL_TEAMS receive notifications for certificates corresponding to all restricted and open keypairs, including Auto Renew Complete (Public/Private) and Auto Renewal Blocked statuses. Users with MANAGE_SM_KEYPAIR receive notifications for certificates corresponding to restricted keypairs in teams they are members of.
| Users with MANAGE_SM_KEYPAIR permission receive notifications for certificates corresponding to all restricted and open keypairs, including Auto Renew Complete (Public/Private) and Auto Renewal Blocked statuses. |