Team user critical operations

This document explains the various actions and permissions available for members of a team.

Before you begin, familiarize yourself with the following common terms:

tabel 1. Terms to understand

Term	Description
UCO	User Critical Operation Refers to operations that are critical and may require specific permissions
Lead	A member with the MANAGE_SM_ALL_TEAMS permission Manages all teams in their account Excluded from UCO restrictions
Team lead	A member with the MANAGE_SM_MY_TEAMS permission Manages only the teams that they are associated with

Teams

tabel 2. Teams

Teams action	Permission	System scope user	User with MANAGE_SM_ALL_TEAMS	User with MANAGE_SM_MY_TEAMS	UCO
Create and delete	MANAGE_SM_ALL_TEAMS	Not applicable	Can create or delete any team, regardless if the team is enabled or disabled.	Not applicable	UCO activities cannot be performed on users during team creation.
Update	MANAGE_SM_MY_TEAMS or MANAGE_SM_ALL_TEAMS	Not applicable	Can update any team and perform UCO activities on users, regardless if the team is enabled or disabled.	Can update associated teams and perform UCO activities on those users.	Users with MANAGE_SM_ALL_TEAMS are not subject to UCO activities, even from users with the same permission level. If a user is assigned a Lead role, any previous team restrictions are still in effect for that user. To troubleshoot, anotehr Lead can enable all permissions for that user.
View lists and details	Not applicable	Can view lists and details of all teams in the account	Can view list and details of any team in the account, regardless if the team is enabled or disabled.	Can view lists and details for associated teams, regardless if the team is enabled or disabled.	Not applicable
Activate / deactivate	MANAGE_SM_ALL_TEAMS or MANAGE_SM_MY_TEAMS	Not applicable	Can activate or deactivate any team in the account, regardless if the team is enabled or disabled.	Can only activate or deactivate associated teams, regardless if the team is enabled or disabled.	Not applicable

Keypairs

tabel 3. Keypairs

Keypair action	Permission	System scope user	Open keypairs	Restricted keypairs
Generate	GENERATE_SM_KEYPAIR	Cannot perform this activity	Can be created by any user with GENERATE_SM_KEYPAIR permission. UCO restrictions are not applicable.	Enabled teams: GENERATE_KEYPAIR_CERT UCO must be enabled. Users with MANAGE_SM_ALL_TEAMS can create keypairs for any team. MANAGE_SM_MY_TEAMS users can create keypairs for their own teams. Disabled teams: Users with MANAGE_SM_KEYPAIR can create by adding specific users/groups.
Update	MANAGE_SM_KEYPAIR	Can update any keypair in the account	Can be updated by users with the MANAGE_SM_KEYPAIR permission. UCO restrictions are not applicable.	Enabled teams: MANAGE_KEYPAIR_CERT UCO must be enabled. Users with MANAGE_SM_ALL_TEAMS can update any team's keypair. MANAGE_SM_MY_TEAMS users can update keypairs for their own teams Disabled teams: Users can update any keypair in the account, including orphaned ones.
View lists and details	VIEW_SM_KEYPAIR	Can view list and details of all keypairs	Visible to all users	Enabled teams: Users with MANAGE_SM_ALL_TEAMS and MANAGE_SM_KEYPAIR can view all keypairs. MANAGE_SM_MY_TEAMS users can view keypairs in their own teams. UCO restrictions do not apply. Disabled teams: Users with MANAGE_SM_KEYPAIR can view all keypairs, including orphaned ones.
Sign	SIGN_SM_HASH	Not applicable	Any user can sign with open keypairs that they have access to.	Enabled teams: SIGN UCO must be enabled. Users can sign with keypairs in their own teams. Disabled teams: Users can sign with keypairs they are mapped to directly or via user groups.
Verify	SIGN_SM_HASH	Not applicable	Not applicable	Not applicable
Delete	APPROVE_SM_KEYPAIR_DELETE	Cannot perform this activity	Can be deleted by users with the APPROVE_SM_KEYPAIR_DELETE permission.	Enabled teams: APPROVE_DELETE_KEYPAIR UCO must be enabled. Users with MANAGE_SM_ALL_TEAMS can request to delte any team's keypair. Disabled teams: Users with MANAGE_SM_KEYPAIR can delete any keypair, regardless of mapping.
Generate CSR	MANAGE_SM_KEYPAIR or GENERATE_SM_CERTIFICATE	Not applicable	Any user with mandatory permission can generate a CSR.	Enabled teams: MANAGE_KEYPAIR_CERT UCO or GENERATE_KEYPAIR_CERT UCO must be enabled. Users with MANAGE_SM_ALL_TEAMS can generate CSR for any team's keypair. Disabled teams: Users with MANAGE_SM_KEYPAIR can perform this for any keypair in the account.
Refresh keypair	MANAGE_SM_KEYPAIR or SIGN_SM_HASH	Not applicable	Any user with mandatory permission can refresh an open keypair.	Enabled teams: MANAGE_KEYPAIR_CERT UCO or SIGN UCO must be enabled. Users with MANAGE_SM_ALL_TEAMS can refresh any team's keypair. Disabled teams: Users with MANAGE_SM_KEYPAIR can refresh any keypair.
Suspend / unsuspend	MANAGE_SM_KEYPAIR	Not applicable	Any user with mandatory permission can suspend / unsuspend an open keypair.	Enabled teams: MANAGE_KEYPAIR_CERT UCO must be enabled. Users with MANAGE_SM_ALL_TEAMS can suspend / unsuspend any team's keypair. Disabled teams: Users with MANAGE_SM_KEYPAIR can suspend / unsuspend any keypair.
Import keypair	IMPORT_SM_KEYPAIR	Cannot perform this activity	Not applicable	Not applicable
Request keypair export	REQUEST_SM_KEYPAIR_EXPORT	Not applicable	Based on Approval flow	Based on Approval flow

GPG keypairs

tabel 4. GPG keypairs

GPG keypair action	Permission	System scope user	Open keypairs	Restricted keypairs
Generate master keypair	GENERATE_SM_KEYPAIR and MANAGE_SM_MASTER_KEYPAIR	Cannot perform this activity	Can be created by any user with the required permissions, regardless of teams being enabled or disabled.	Enabled teams: Requires GENERATE_KEYPAIR_CERT UCO and MANAGE_KEYPAIR_CERT UCO. Users with MANAGE_SM_ALL_TEAMS can generate a keypair for any team. Disabled teams: Users with MANAGE_SM_KEYPAIR can generate a keypair by adding users / groups.
Generate subkey	GENERATE_SM_KEYPAIR	Cannot perform this activity	Any open master keypair can be used to generate a subkey, regardless of team status.	Enabled teams: GENERATE_KEYPAIR_CERT UCO must be enabled. Users with MANAGE_SM_ALL_TEAMS can generate subkeys for any team. Disabled teams: Users with MANAGE_SM_KEYPAIR can generate a keypair by adding users / groups.
Update master and subkey	MANAGE_SM_KEYPAIR and MANAGE_SM_MASTER_KEYPAIR	Can update all master / subkeys in the account	Users with the required permission can update open master / subkeys.	Enabled teams: Requires MANAGE_KEYPAIR_CERT UCO. Users with MANAGE_SM_ALL_TEAMS can update any master / subkey. Disabled teams: Users with MANAGE_SM_KEYPAIR can update any master / subkey, including orphaned ones.
View lists and details	VIEW_SM_KEYPAIR	Can view lists and details for all master / subkeys	All users can view open master / subkeys.	Enabled teams: Users with MANAGE_SM_ALL_TEAMS can view all master / subkeys. MANAGE_SM_MY_TEAMS users can view master / subkeys for their own teams. Disabled teams: Users with MANAGE_SM_KEYPAIR can view all master / subkeys, including orphaned master / subkeys.
Sign	SIGN_SM_HASH	Not applicable	Any user can sign using an open master / subkey if its purpose is set to sign.	Enabled teams: Requires SIGN UCO. Users can sign with a master / subkey that is associated with their team Disabled teams: Users can sign with master / subkeys that are directly mapped or through user groups.
Revoke master / subkey	REVOKE_SM_CERTIFICATE and MANAGE_SM_MASTER_KEYPAIR	Cannot perform this activity	Can be revoked by users with the required permissions.	Enabled teams: APPROVE_REVOKE_CERT UCO required. Users with MANAGE_SM_ALL_TEAMS can revoke master / subkeys for any team. Disabled teams: Users with MANAGE_SM_KEYPAIR can revoke any master / subkey in their account, including orphaned ones.
Suspend / unsuspend	MANAGE_SM_KEYPAIR and MANAGE_SM_MASTER_KEYPAIR	Can perform these activities	Any user with the required permissions can suspend / unsuspend an open master / subkey.	Enabled teams: Requires MANAGE_KEYPAIR_CERT UCO. Users with MANAGE_SM_ALL_TEAMS can suspend / unsuspend any team's master / subkey. Disabled teams: Users with MANAGE_SM_KEYPAIR can suspend / unsuspend any master/subkey.
Delete master / subkey	APPROVE_SM_KEYPAIR_DELETE and MANAGE_SM_MASTER_KEYPAIR	Cannot perform this activity	Users with the required permissions can delete open master/subkeys.	Enabled teams: APPROVE_DELETE_KEYPAIR UCO required. Users with MANAGE_SM_ALL_TEAMS can delete master / subkeys for any team. Disabled teams: Users with MANAGE_SM_KEYPAIR can delete any master / subkey, including orphaned ones.
Import Sec Ring	IMPORT_SM_KEYPAIR and MANAGE_SM_MASTER_KEYPAIR	Cannot perform this activity	Not applicable	Not applicable
Download a keyring collection	VIEW_SM_KEYPAIR	Can perform this activity	Public keyring of an open master / subkey can be downloaded by all users.	Enabled teams: Users with MANAGE_SM_ALL_TEAMS can download the public keyring for all master / subkeys. Disabled teams: Users with MANAGE_SM_KEYPAIR can download the keyring for all master / subkeys, including orphaned ones.

Certificates

tabel 5. Certificates

Certificate action	Permission	System scope user	Open keypairs	Restricted keypairs
View lists and details	VIEW_SM_CERTIFICATE	Can view all certificates for all keypairs in the account.	Visible to users with the required permission.	Enabled teams: Users with MANAGE_SM_ALL_TEAMS and MANAGE_SM_KEYPAIR can view certificates for all teams, including orphaned keypairs. MANAGE_SM_MY_TEAMS users can view certificates for their own teams. Disabled teams: Users with MANAGE_SM_KEYPAIR can view certificates for all keypairs, including orphaned keypairs.
Import certificate	IMPORT_SM_CERTIFICATE	Cannot perform this activity	Any user with the required permission can import certificates.	Enabled teams: Users with MANAGE_SM_ALL_TEAMS can import certificates for any team. MANAGE_SM_MY_TEAMS users can import certificates for their own teams. Disabled teams: Users with MANAGE_SM_KEYPAIR can import certificates for any keypair.
Generate certificate	GENERATE_SM_CERTIFICATE	Cannot perform this activity	Any user with the required permission can generate certificates using a certificate profile.	Enabled teams GENERATE_KEYPAIR_CERT UCO is required. Users with MANAGE_SM_ALL_TEAMS can generate certificates for any team's keypairs. MANAGE_SM_MY_TEAMS users can generate certificates for keypairs for their own teams. Disabled teams Users with MANAGE_SM_KEYPAIR can generate certificates for any keypair using a profile.
Update / delete certificate	MANAGE_SM_CERTIFICATE_PROFILE	Can update or delete any certificate in the account	Any user with the required permission can update or delete certificates for open keypairs.	Enabled teams MANAGE_KEYPAIR_CERT UCO is required. Users with MANAGE_SM_ALL_TEAMS can update or delete certificates for any team, including orphaned keypairs. MANAGE_SM_MY_TEAMS users can update or delete certificates for keypairs for their own teams. Disabled teams Users with MANAGE_SM_KEYPAIR can update or delete certificates for any keypair, including orphaned ones.
Revoke certificate	REVOKE_SM_CERTIFICATE	Cannot perform this activity	Any user with the required permission can revoke certificates for open keypairs.	Enabled teams APPROVE_REVOKE_CERT UCO is required. Approval flow applies. Users with MANAGE_SM_ALL_TEAMS can revoke certificates for any team. Disabled teams Users with MANAGE_SM_KEYPAIR can revoke certificates for any keypair, including orphaned ones.
Update hierarchy mappings for certificates	MANAGE_SM_HIERARCHY	Only system scope user can perform this activity	Not applicable	Not applicable

Key rotations

tabel 6. Key rotations

Key rotation action	Permission	System scope user	Enabled teams	Disabled teams
View list and details	VIEW_SM_KEYPAIR	Can view list and details of all key rotations in the account	Users with MANAGE_SM_ALL_TEAMS and MANAGE_SM_KEYPAIR can view all key rotations in the account, regardless of team membership, including those created when teams were disabled. UCO is not applicable MANAGE_SM_MY_TEAMS users can view key rotations for their own teams.	Users with MANAGE_SM_KEYPAIR can view all key rotations in their account, including those created when teams were enabled. Users with other permission can view key rotations that they are part of.
Create / update	MANAGE_SM_KEYPAIR	Cannot perform these actions	MANAGE_KEYPAIR_CERT UCO must be enabled for users in the team. Users with MANAGE_SM_ALL_TEAMS can create and update key rotations for any team, and adjust mappings for rotations created when teams were disabled. MANAGE_SM_MY_TEAMS users can create and update rotations for their own teams.	Users can create rotations with keypairs and their corresponding mapped users.

Software projects

tabel 7. Software projects

Action	Permission	System scope user	Enabled team	Disabled team
Generate	MANAGE_SM_ACCOUNT_SETTINGS	Can perform this activity	UCO is not applicable. Users with MANAGE_SM_ALL_TEAMS can create projects for any team in the account, regardless of their team membership. Users with MANAGE_SM_MY_TEAMS can create projects for their associated teams.	Any user part of the account can create a project.
Update	MANAGE_SM_ACCOUNT_SETTINGS	Can perform this activity	UCO is not applicable. Users with MANAGE_SM_ALL_TEAMS can update any team's project, including orphan projects. Users with MANAGE_SM_MY_TEAMS can update projects for their associated teams.	Users can update any project in the account, including orphan projects.
View lists and details	Not applicable	Can perform this activity	Users with MANAGE_SM_ALL_TEAMS can view details of all projects across teams, including orphan projects. Users with MANAGE_SM_MY_TEAMS can view details only for projects within their teams.	Users can view lists and details of all projects in the account, including orphan projects.
Delete	MANAGE_SM_ACCOUNT_SETTINGS	Can perform this activity	Users with MANAGE_SM_ALL_TEAMS can delete any team's project, regardless of team membership. Users with MANAGE_SM_MY_TEAMS can delete projects for their associated teams.	Users can delete any project in the account.
Suspend / unsuspend	MANAGE_SM_ACCOUNT_SETTINGS	Can perform this activity	Users with MANAGE_SM_ALL_TEAMS can suspend or unsuspend any project, regardless of their team membership. Users with MANAGE_SM_MY_TEAMS can suspend or unsuspend projects for their associated teams.	Users can suspend or unsuspend any project in the account.

Scans

tabel 8. Scans

Action	Permission	System scope user	Enabled team	Disabled teams
Generate	SCAN_SM_SOFTWARE_SCAN	Cannot perform this activity	SCAN UCO must be enabled for users in the team. Users with MANAGE_SM_ALL_TEAMS or MANAGE_SM_MY_TEAMS can use a project for a software scan if the project is mapped to their team.	Users can create a scan using any project in the account.
View lists and details	VIEW_SM_SOFTWARE_SCAN	Can view lists and details of all scans in the account	Users with MANAGE_SM_ALL_TEAMS can view scans for all teams, regardless of their membership. Users with MANAGE_SM_MY_TEAMS can view scans only associated teams.	Users can view list and details of all scans in the account.
Delete	MANAGE_SM_SOFTWARE_SCAN	Cannot perform this activity	UCO is not applicable. Users with MANAGE_SM_ALL_TEAMS can delete scans for any team. Users with MANAGE_SM_MY_TEAMS can delete scans for associated teams.	Users can delete any scan in the account, regardless of project mappings.
Download	VIEW_SM_SOFTWARE_SCAN	Not applicable	Users with MANAGE_SM_ALL_TEAMS can download scans, regardless of team membership. Users with MANAGE_SM_MY_TEAMS can download scans for associated projects.	Users can download any scan in the account.

Release windows

tabel 9. Release windows

Release action	Permission	System scope user	Enabled teams	Disabled teams
Create a release window Update release window	APPROVE_SM_RELEASE_WINDOW or REQUEST_SM_RELEASE_WINDOW	Cannot perform this action	APPROVE_RELEASE UCO for APPROVE_SM_RELEASE_WINDOW permission must be enabled in the team, or the REQUEST_SM_RELEASE_WINDOW permission is required. Users with MANAGE_SM_ALL_TEAMS can create and update releases for any team, and choose any baseline release. Users with MANAGE_SM_MY_TEAMS can only interact with teams they are associated with.	Users with APPROVE_SM_RELEASE_WINDOW can create and update releases, choosing any baseline release in the account and adding users/groups.
View lists, details, and signature logs	APPROVE_SM_RELEASE_WINDOW or VIEW_SM_RELEASE_WINDOW	Can view list, details, and signature logs for all releases in the account	APPROVE_RELEASE UCO for APPROVE_SM_RELEASE_WINDOW permission must be enabled in the team, or the VIEW_SM_RELEASE_WINDOW permission is required. Users with MANAGE_SM_ALL_TEAMS can view logs for all releases, even if they are not part of the release. MANAGE_SM_MY_TEAMS users can view logs for teams they are assocaited with.	Users with APPROVE_SM_RELEASE_WINDOW can view details and logs for all releases, regardless of team association. Users with other permissions can only view logs for releases they are associated with.
Release compare and baseline release creation	APPROVE_SM_RELEASE_WINDOW	Cannot perform this action	APPROVE_RELEASE UCO must be enabled for the user in the team. Users with MANAGE_SM_ALL_TEAMS can compare and set any release as a baseline. MANAGE_SM_MY_TEAMS users can compare and set any release as a baseline for teams they are associated with.	Users can compare and set any release in the account as a baseline release window.
Approve and reject release	APPROVE_SM_RELEASE_WINDOW	Cannot perform this action	APPROVE_RELEASE UCO must be enabled in the team. Approvals follow a multi-person flow; users approve or reject releases that belong to their own teams, even if created by someone with MANAGE_SM_ALL_TEAMS.	Users can approve or reject any pending releases in the account.
Close release window	APPROVE_SM_RELEASE_WINDOW or REQUEST_SM_RELEASE_WINDOW	Cannot perform this action	APPROVE_RELEASE UCO or REQUEST_SM_RELEASE_WINDOW must be enabled in the team. Users with MANAGE_SM_ALL_TEAMS can close any release, even if they are not associated with the release. MANAGE_SM_MY_TEAMS users can close releases for their own teams. Other users can close releases they are part of and created.	Users with APPROVE_SM_RELEASE_WINDOW can close any release in the account. Users with other permissions can only close releases they are part of and have created.

Notifications

tabel 10. Notifications

Notification type	Enabled teams	Disabled teams
Keypair expiry	MANAGE_KEYPAIR_CERT UCO needs to be enabled for users in the team to receive notifications. Users with MANAGE_SM_KEYPAIR or MANAGE_SM_ALL_TEAMS receive notifications for all restricted and open keypairs set to expire in the account. Users with MANAGE_SM_KEYPAIR receive notifications only for restricted keypairs set to expire in teams they are members of.	Users with MANAGE_SM_KEYPAIR receive notifications for all restricted and open keypairs set to expire in the account.
Certificate about to expire	MANAGE_KEYPAIR_CERT UCO needs to be enabled for users in the team to receive the notification. Users with MANAGE_SM_KEYPAIR or MANAGE_SM_ALL_TEAMS receive notifications for default certificates about to expire for all restricted and open keypairs in the account. Users with MANAGE_SM_KEYPAIR receive notifications for default certificates about to expire for restricted keypairs in teams they are members of.	Users with MANAGE_SM_KEYPAIR receive notifications for default certificates about to expire for all restricted and open keypairs in the account.
Auto-renewing for certificates expiring in 15 and 30 days	MANAGE_KEYPAIR_CERT UCO needs to be enabled for users in the team to receive the notification. Users with MANAGE_SM_KEYPAIR or MANAGE_SM_ALL_TEAMS receive notifications for certificates corresponding to all restricted and open keypairs getting renewed. Users with MANAGE_SM_KEYPAIR receive notifications for certificates corresponding to restricted keypairs getting renewed in teams they are members of.	Users with MANAGE_SM_KEYPAIR receive notifications for certificates corresponding to all restricted and open keypairs getting renewed in the account.
Auto-renewing complete Auto-renewing blocked	MANAGE_KEYPAIR_CERT UCO needs to be enabled for users in the team to receive the notification. Users with MANAGE_SM_KEYPAIR or MANAGE_SM_ALL_TEAMS receive notifications for certificates corresponding to all restricted and open keypairs, including Auto Renew Complete (Public/Private) and Auto Renewal Blocked statuses. Users with MANAGE_SM_KEYPAIR receive notifications for certificates corresponding to restricted keypairs in teams they are members of.	Users with MANAGE_SM_KEYPAIR permission receive notifications for certificates corresponding to all restricted and open keypairs, including Auto Renew Complete (Public/Private) and Auto Renewal Blocked statuses.

In deze sectie: