Teams
Select users, groups, or both to form a team and then map relevant resources to them. You can restrict team resources such as keypairs, releases, and enforce keypair profiles and certificate profiles.
Note
Enable teams on your account to use this feature.
Enable Teams
You require the Manage license or Manage account settings to enable teams on your account.
Sign in to DigiCert ONE.
Select the Manager menu (top right) > Software Trust.
Navigate to: Account > Account settings.
Select the edit icon.
Select the checkboxes under the Teams section according to your requirements.
Note
To enforce that a keypair profile must be selected for keypair generation:
Enable Allow team mapping for keypairs and certificate profiles under the Teams section.
Enable Require keypair profile to generate keypair under the Keypair section.
Select Update settings.
Create team
You require the Manage all teams permission to create a team.
Sign in to DigiCert ONE.
Select the Manager menu (top right) > Software Trust.
Navigate to Account > Teams.
Select Create team.
Complete the following fields, and then select Create team.
Field | Description |
---|---|
Team name | Name to uniquely identify this team. |
Users | Select users who are allowed to access this team's resources. |
Groups | Select groups allowed to access this team's resources. |
Approvals required | Select the number of approvals required for this team to approve: |
Keypairs | Select keypairs that this team can use. Note: The drop-down list only shows keypairs that are not assigned to any team. |
GPG keypairs | Select GPG keypairs that this team can use. Note: The drop-down list only shows GPG keypairs that are not assigned to any team. |
Keypair profiles | Select keypair profiles that this team can use. |
Certificate profiles | Select certificate profiles that this team can use. |
Projects | Select projects to assign to the team. Note: The drop-down list only shows projects that are not assigned to any team. |
License limitations | Set a maximum number of signature and HSM units this team can use. |
Expiry date | Set an expiry date for this team. |
Team approvals workflows and permissions
When teams are enabled for your account, specific actions must be requested and approved by the team. The number of approvals required before an action is considered approved can be changed by updating the team.
The following actions require approval:
Create offline releases
Export keypairs
Delete keypairs
Revoke certificates
The following permissions determine which users can request or approve these actions:
Request an above action for the team they belong to: User must have one of the following permissions: request release, request keypair export, request keypair delete, and/or revoke certificate.
Approve an above action for the team they belong to: User must have one of the following permissions: approve release window, approve keypair export, approve keypair delete, and/or revoke certificate.
Approval procedure for team actions
When teams are enabled and a user requests to complete an action, the following approval procedure will occur:
All users on the team with the permission to approve the action receive an email with the request.
The approver must click View request in the email.
The approver must review the request and click Approve or Reject.
Once the required number of approvals is received, depending on the request:
The certificate will be revoked.
The keypair will be deleted.
The offline release will be created.
The requester will receive an email with a link to export the keypair.
Note
If one user rejects the request, the entire request will be canceled and the user has to request the action again.
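The approval procedure above behaves like a small state machine: approvals accumulate until the team's threshold is met, and a single rejection cancels the request. The following Python model is an added example, not DigiCert code or a DigiCert API; the class and function names, the pairing of each action with a request and an approve permission by name, and counting each approver only once are assumptions. It also flags actions whose required approvals exceed the number of team members able to approve, since such a request could never complete.

```python
from dataclasses import dataclass, field

# Action -> (permission to request, permission to approve), using the
# permission names listed on this page. The pairing by name is an assumption.
ACTION_PERMISSIONS = {
    "create offline release": ("request release", "approve release window"),
    "export keypair": ("request keypair export", "approve keypair export"),
    "delete keypair": ("request keypair delete", "approve keypair delete"),
    "revoke certificate": ("revoke certificate", "revoke certificate"),
}

@dataclass
class Team:
    name: str
    members: dict             # user -> set of permission names
    approvals_required: dict  # action -> approvals needed

@dataclass
class Request:
    team: Team
    action: str
    requester: str
    approved_by: set = field(default_factory=set)
    state: str = "pending"    # pending -> approved | canceled

def approvers(team, action):
    """Team members who hold the approve permission for this action."""
    needed = ACTION_PERMISSIONS[action][1]
    return {u for u, perms in team.members.items() if needed in perms}

def open_request(team, user, action):
    if ACTION_PERMISSIONS[action][0] not in team.members.get(user, set()):
        raise PermissionError(f"{user} may not request '{action}' for {team.name}")
    return Request(team, action, user)

def decide(req, user, approve):
    """Record one approver's decision and return the resulting state."""
    if req.state != "pending":
        raise ValueError(f"request is already {req.state}")
    if user not in approvers(req.team, req.action):
        raise PermissionError(f"{user} may not approve '{req.action}'")
    if not approve:
        req.state = "canceled"      # one rejection cancels the whole request
        return req.state
    req.approved_by.add(user)       # assumption: an approver counts only once
    if len(req.approved_by) >= req.team.approvals_required[req.action]:
        req.state = "approved"
    return req.state

def unreachable_thresholds(team):
    """Actions whose required approvals exceed the available approvers."""
    return sorted(a for a, n in team.approvals_required.items()
                  if n > len(approvers(team, a)))

# Constructed sample team, not real account data.
SAMPLE = Team("firmware",
              {"alice": {"request keypair export"},
               "bob": {"approve keypair export"}, "carol": {"approve keypair export"}},
              {"export keypair": 2, "revoke certificate": 1})
```

The page does not state whether a requester who also holds the approve permission may approve their own request, so the model does not restrict it.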
Team permissions
There are two team permissions:
Permission | Description |
---|---|
Manage all teams | User can: |
Manage my teams | User can view, update, deactivate, and map resources to teams that they are part of. |
Permissions affected when teams are enabled
Both of the above-mentioned team permissions are assigned to users who manage teams. Team members do not require a specific team permission; however, their permissions and workflows are affected once teams are enabled.
The following permissions and workflows are affected when teams are enabled:
General permissions
Action | Manager of all teams | Manager of specific teams | Team member |
---|---|---|---|
Create and delete teams | Can create and delete teams within the account. | Cannot perform this action. | Cannot perform this action. |
View list of teams | Can view all teams within the account. | Can view teams they are assigned to. | Can view teams they are assigned to. |
Activate or deactivate team | Can activate or deactivate any teams within the account. | Can activate or deactivate teams they are assigned to. | Cannot perform this action. |
Update team | Can update any teams within the account. | Can update teams they are assigned to. | Cannot perform this action. |
Keypair, certificate, and sign permissions
Action | Manager of all teams | Manager of specific teams | Team member |
---|---|---|---|
Create keypair | Can create keypair and assign to any team in the account, provided that they also have the | Can create keypair and assign to a team that they are part of, provided that they also have the | Can create keypair and assign to a team that they are part of, provided that they also have the |
Generate CSR | Can generate a CSR for any keypair in the account, provided that they also have the | Can generate a CSR for keypairs assigned to a team that they are part of, provided that they also have the | Can generate a CSR for keypairs assigned to a team that they are part of, provided that they also have the |
Update keypairs and key rotations | Can update any keypair and key rotation in the account, provided that they also have the Note: This includes keypairs that were assigned to specific users or a user group before teams were enabled and are not assigned to a team now. | Can update any keypair and key rotation assigned to a team that they are part of, provided that they also have the | Can update any keypair and key rotation assigned to a team that they are part of, provided that they also have the |
View standard keypairs, GPG keys and key rotations | Can view all standard keypairs, GPG keys, and key rotations within the account, provided that they also have the | Can view all standard keypairs, GPG keys, and key rotations assigned to a team that they are part of, provided that they also have the | Can view all standard keypairs, GPG keys, and key rotations assigned to a team that they are part of, provided that they also have the |
Sign | Can sign with any standard or GPG key assigned to a team that they are part of, provided that they also have the | Can sign with any standard or GPG keypair assigned to a team that they are part of, provided that they also have the | Can sign with any standard or GPG keypair assigned to a team that they are part of, provided that they also have the |
Suspend or unsuspend keypair | Can suspend or unsuspend any keypair in the account, provided that they also have the | Can suspend or unsuspend keypairs assigned to a team that they are part of, provided that they also have the | Can suspend or unsuspend keypairs assigned to a team that they are part of, provided that they also have the |
Refresh keypair | Can refresh any dynamic keypair in the account, provided that they also have the | Can refresh dynamic keypairs assigned to a team that they are part of, provided that they also have the | Can refresh dynamic keypairs assigned to a team that they are part of, provided that they also have the |
Request keypair export, keypair deletion, or certificate revocation | Can request these actions for any team within the account, provided that they have the associated permissions. | Can request these actions for any team they are assigned to, provided that they have the associated permissions. | Can request these actions for any team they are assigned to, provided that they have the associated permissions. |
View certificates | Can view all certificates within the account, provided that they also have the | Can view all certificates assigned to a team that they are part of, provided that they also have the | Can view all certificates assigned to a team that they are part of, provided that they also have the |
Update and delete certificates | Can update and delete all certificates within the account, provided that they also have the | Can update and delete all certificates associated to keypairs assigned to a team that they are part of, provided that they also have the | Can update and delete all certificates associated with keypairs assigned to a team that they are part of, provided that they also have the |
Import certificate | Can import a certificate to any keypair in the account, provided that they also have the | Can import a certificate to any keypair assigned to a team that they are part of, provided that they also have the | Can import a certificate to any keypair assigned to a team that they are part of, provided that they also have the |
Create certificate | Can create certificate for any keypair within the account, provided that they also have the | Can create certificate for keypairs assigned to a team that they are part of, provided that they also have the | Can create certificate for keypairs assigned to a team that they are part of, provided that they also have the |
Revoke certificate | Can revoke any certificate in the account, provided that they also have the | Can revoke certificates assigned to a team that they are part of, provided that they also have the | Can revoke certificates assigned to a team that they are part of, provided that they have the |
Generate GPG master key | Can create GPG master keypair and assign to any team in the account, provided that they also have the | Can create GPG master keypair and assign to a team that they are part of, provided that they also have the | Can create GPG master keypair and assign to a team that they are part of, provided that they also have the |
Can create GPG master key and assign to a team that they are part of, provided that they also have the | |||
Generate GPG subkey | Can create GPG subkey using any GPG master key and assign to any team in the account, provided that they also have the | Can create GPG subkey for GPG master keys assigned to a team that they are part of, provided that they also have the Note: This includes creating a subkey using team A's master key and assigning it to team B, provided that this user is part of both teams. | Can create GPG subkey for GPG master keys assigned to a team that they are part of, provided that they also have the Note: This includes creating a subkey using team A's master key and assigning it to team B, provided that this user is part of both teams. |
Can create GPG subkey and assign to a team that they are part of, provided that they also have the Note: This includes creating a subkey using team A's master key and assigning it to team B, provided that this user is part of both teams. | |||
Update GPG master key | Can update GPG master and assign to any team in the account, provided that they also have the Note: This includes GPG master keys that were assigned to specific users or a user group before teams were enabled and are not assigned to a team now. | Can update GPG master keys assigned to a team that they are part of, provided that they also have the | Can update GPG master keys assigned to a team that they are part of, provided that they also have the |
Update GPG subkey | Can update GPG subkeys and assign to any team in the account, provided that they also have the Note: This includes GPG subkeys that were assigned to specific users or a user group before teams were enabled and are not assigned to a team now. | Can update GPG subkeys assigned to a team that they are part of, provided that they also have the | Can update GPG subkeys assigned to a team that they are part of, provided that they also have the |
Revoke GPG master | Can revoke any GPG master in the account, provided that they also have the | Can revoke GPG master keys assigned to a team that they are part of, provided that they also have the | Can revoke GPG master keys assigned to a team that they are part of, provided that they also have the |
Revoke GPG subkey | Can revoke any GPG subkey in the account, provided that they also have the | Can revoke GPG subkeys assigned to a team that they are part of, provided that they also have the | Can revoke GPG subkeys assigned to a team that they are part of, provided that they also have the |
Suspend or unsuspend GPG master key | Can suspend or unsuspend all GPG master keys in the account, provided that they also have the | Can suspend or unsuspend all GPG master keys assigned to a team they are part of, provided that they also have the | Can suspend or unsuspend all GPG master keys assigned to a team they are part of, provided that they also have the |
Suspend or unsuspend GPG subkey | Can suspend or unsuspend all GPG subkeys in the account, provided that they also have the | Can suspend or unsuspend all GPG subkeys assigned to a team they are part of, provided that they also have the | Can suspend or unsuspend all GPG subkeys assigned to a team they are part of, provided that they also have the |
Request to delete GPG master key | Can request to delete any GPG master keys in the account, provided that they also have the | Can request to delete GPG master key assigned to teams they are part of, provided that they also have the | Can request to delete GPG master key assigned to teams they are part of, provided that they also have the |
Request to delete GPG subkey | Can request to delete any GPG subkey assigned to any team in the account, provided that they also have the | Can request to delete GPG subkeys assigned to teams they are part of, provided that they also have the | Can request to delete GPG subkeys assigned to teams they are part of, provided that they also have the |
Release and signature log permissions
Action | Manager of all teams | Manager of specific teams | Team member |
---|---|---|---|
View releases and associated signature logs | Can view all releases and signature logs within the account, provided that they have | Can view all releases assigned to a team that they are part of, including signature logs related to those releases, provided that they have | Can view all releases that they are part of, including signature logs related to those releases, provided that they have |
Create and update releases | Can create and update all releases within the account, this includes selecting any baseline in the account, provided that they have | Can create and update all releases assigned to a team that they are part of. This includes selecting any baseline associated with a team they are part of, provided that they have | Can create and update all releases assigned to a team that they are part of. This includes selecting any baseline associated with a team they are a part of, provided that they have |
Approve and reject releases | Can approve or reject releases assigned to a team that they are part of, provided that they also have the | Can approve or reject releases assigned to a team that they are part of, provided that they also have the | Can approve or reject releases assigned to a team that they are part of, provided that they also have the |
Create release comparison and baseline | Can compare any releases within the account and create a baseline, provided that they also have | Can compare releases assigned to a team that they are part of and create a baseline, provided that they also have | Can compare releases assigned to a team that they are part of and create a baseline, provided that they also have |
Close release | Can close any release in the account, provided that they also have the | Can close releases assigned to a team that they are part of, provided that they also have the | Can close releases assigned to a team that they are part of, provided that they created the release, part of the release, and also have the |
Can close any release in the account, provided that they created the release and also have the | Can close releases assigned to a team that they are part of, provided that they created the release and also have the |
Update team
This section outlines the team features that can be updated.
Note
You require the following permission to update a team:
Manage all teams permission allows you to change the approval amount on any team in the account.
Manage my teams permission allows you to change the approval amount on any team in the account that you are a part of.
Add or remove team resources
To add or remove resources assigned to a team:
Sign in to DigiCert ONE.
Select the Manager menu (top right) > Software Trust.
Navigate to Account > Teams.
Select the desired team name.
Select the edit icon.
Update the following fields:
Field | Description |
---|---|
Keypairs | Select standard keypairs to assign to the team. Note: The dropdown only shows GPG keypairs that are not assigned to any team. |
GPG keypairs | Select GPG keypairs to assign to the team. Note: The dropdown only shows GPG keypairs that are not assigned to any team. |
Keypair profiles | Select keypair profiles to assign to the team. |
Certificate profiles | Select certificate profiles to assign to the team. |
Projects | Select projects to assign to the team. Note: The dropdown only shows projects that are not assigned to any team. |
Select Update team.
Change required approvals
To change the required number of approvals to complete a specific action within a team:
Sign in to DigiCert ONE.
Select the Manager menu (top right) > Software Trust.
Navigate to Account > Teams.
Select the desired team name.
Next to Approvals required, select the edit icon.
Navigate to the Approvals required section.
Make the desired changes for the corresponding approval action (Approve offline release, Export keypair, Delete keypair, Revoke certificate).
Select Update team.
Note
You require the following permission to update the approval amount:
Manage all teams permission allows you to change the approval amount on any team in the account.
Manage my teams permission allows you to change the approval amount on any team in the account that you are a part of.
Update or remove signing limit
To update or remove the signing limit for the team:
Sign in to DigiCert ONE.
Select the Manager menu (top right) > Software Trust.
Navigate to Account > Teams.
Select the desired team name.
Next to License limitations, select the edit icon.
Navigate to the License limitations section. Review the following options to set the maximum number of signature units that this team can use:
Field | Description |
---|---|
No limit | This option allows the team to execute unlimited signing. |
Limit | This option limits the team's signing, based on a configured number. One signature unit is consumed every time a user signs. |
Select Update team.
Delete team
You require the Manage all teams permission to delete a team. When you delete a team, its users and any resources associated with it, such as keypairs, keypair profiles, projects, releases, and threat detection scans, are disassociated from the team and become available to assign to an existing team.
Sign in to DigiCert ONE.
Select the Manager menu (top right) > Software Trust.
Navigate to Account > Teams.
Select a team.
Select the Delete icon.