Skip to main content

Team user critical operations

This document explains the various actions and permissions available for members of a team.

Before you begin, familiarize yourself with the following common terms:

tabel 1. Terms to understand

Term

Description

UCO

  • User Critical Operation

  • Refers to operations that are critical and may require specific permissions

Lead

  • A member with the MANAGE_SM_ALL_TEAMS permission

  • Manages all teams in their account

  • Excluded from UCO restrictions

Team lead

  • A member with the MANAGE_SM_MY_TEAMS permission

  • Manages only the teams that they are associated with


Teams

tabel 2. Teams

Teams action

Permission

System scope user

User with MANAGE_SM_ALL_TEAMS

User with MANAGE_SM_MY_TEAMS

UCO

Create and delete

MANAGE_SM_ALL_TEAMS

Not applicable

Can create or delete any team, regardless if the team is enabled or disabled.

Not applicable

UCO activities cannot be performed on users during team creation.

Update

MANAGE_SM_MY_TEAMS or MANAGE_SM_ALL_TEAMS

Not applicable

Can update any team and perform UCO activities on users, regardless if the team is enabled or disabled.

Can update associated teams and perform UCO activities on those users.

Users with MANAGE_SM_ALL_TEAMS are not subject to UCO activities, even from users with the same permission level.

If a user is assigned a Lead role, any previous team restrictions are still in effect for that user. To troubleshoot, anotehr Lead can enable all permissions for that user.

View lists and details

Not applicable

Can view lists and details of all teams in the account

Can view list and details of any team in the account, regardless if the team is enabled or disabled.

Can view lists and details for associated teams, regardless if the team is enabled or disabled.

Not applicable

Activate / deactivate

MANAGE_SM_ALL_TEAMS or MANAGE_SM_MY_TEAMS

Not applicable

Can activate or deactivate any team in the account, regardless if the team is enabled or disabled.

Can only activate or deactivate associated teams, regardless if the team is enabled or disabled.

Not applicable


Keypairs

tabel 3. Keypairs

Keypair action

Permission

System scope user

Open keypairs

Restricted keypairs

Generate

GENERATE_SM_KEYPAIR

Cannot perform this activity

  • Can be created by any user with GENERATE_SM_KEYPAIR permission.

  • UCO restrictions are not applicable.

  • Enabled teams:

    • GENERATE_KEYPAIR_CERT UCO must be enabled.

    • Users with MANAGE_SM_ALL_TEAMS can create keypairs for any team.

    • MANAGE_SM_MY_TEAMS users can create keypairs for their own teams.

  • Disabled teams:

    • Users with MANAGE_SM_KEYPAIR can create by adding specific users/groups.

Update

MANAGE_SM_KEYPAIR

Can update any keypair in the account

  • Can be updated by users with the MANAGE_SM_KEYPAIR permission.

  • UCO restrictions are not applicable.

  • Enabled teams:

    • MANAGE_KEYPAIR_CERT UCO must be enabled.

    • Users with MANAGE_SM_ALL_TEAMS can update any team's keypair.

    • MANAGE_SM_MY_TEAMS users can update keypairs for their own teams

  • Disabled teams:

    • Users can update any keypair in the account, including orphaned ones.

View lists and details

VIEW_SM_KEYPAIR

Can view list and details of all keypairs

  • Visible to all users

  • Enabled teams:

    • Users with MANAGE_SM_ALL_TEAMS and MANAGE_SM_KEYPAIR can view all keypairs.

    • MANAGE_SM_MY_TEAMS users can view keypairs in their own teams.

    • UCO restrictions do not apply.

  • Disabled teams:

    • Users with MANAGE_SM_KEYPAIR can view all keypairs, including orphaned ones.

Sign

SIGN_SM_HASH

Not applicable

  • Any user can sign with open keypairs that they have access to.

  • Enabled teams:

    • SIGN UCO must be enabled.

    • Users can sign with keypairs in their own teams.

  • Disabled teams:

    • Users can sign with keypairs they are mapped to directly or via user groups.

Verify

SIGN_SM_HASH

Not applicable

Not applicable

Not applicable

Delete

APPROVE_SM_KEYPAIR_DELETE

Cannot perform this activity

  • Can be deleted by users with the APPROVE_SM_KEYPAIR_DELETE permission.

  • Enabled teams:

    • APPROVE_DELETE_KEYPAIR UCO must be enabled.

    • Users with MANAGE_SM_ALL_TEAMS can request to delte any team's keypair.

  • Disabled teams:

    • Users with MANAGE_SM_KEYPAIR can delete any keypair, regardless of mapping.

Generate CSR

MANAGE_SM_KEYPAIR or GENERATE_SM_CERTIFICATE

Not applicable

  • Any user with mandatory permission can generate a CSR.

  • Enabled teams:

    • MANAGE_KEYPAIR_CERT UCO or GENERATE_KEYPAIR_CERT UCO must be enabled.

    • Users with MANAGE_SM_ALL_TEAMS can generate CSR for any team's keypair.

  • Disabled teams:

    • Users with MANAGE_SM_KEYPAIR can perform this for any keypair in the account.

Refresh keypair

MANAGE_SM_KEYPAIR or SIGN_SM_HASH

Not applicable

  • Any user with mandatory permission can refresh an open keypair.

  • Enabled teams:

    • MANAGE_KEYPAIR_CERT UCO or SIGN UCO must be enabled.

    • Users with MANAGE_SM_ALL_TEAMS can refresh any team's keypair.

  • Disabled teams:

    • Users with MANAGE_SM_KEYPAIR can refresh any keypair.

Suspend / unsuspend

MANAGE_SM_KEYPAIR

Not applicable

  • Any user with mandatory permission can suspend / unsuspend an open keypair.

  • Enabled teams:

    • MANAGE_KEYPAIR_CERT UCO must be enabled.

    • Users with MANAGE_SM_ALL_TEAMS can suspend / unsuspend any team's keypair.

  • Disabled teams:

    • Users with MANAGE_SM_KEYPAIR can suspend / unsuspend any keypair.

Import keypair

IMPORT_SM_KEYPAIR

Cannot perform this activity

  • Not applicable

  • Not applicable

Request keypair export

REQUEST_SM_KEYPAIR_EXPORT

Not applicable

  • Based on Approval flow

  • Based on Approval flow


GPG keypairs

tabel 4. GPG keypairs

GPG keypair action

Permission

System scope user

Open keypairs

Restricted keypairs

Generate master keypair

GENERATE_SM_KEYPAIR and MANAGE_SM_MASTER_KEYPAIR

Cannot perform this activity

  • Can be created by any user with the required permissions, regardless of teams being enabled or disabled.

  • Enabled teams:

    • Requires GENERATE_KEYPAIR_CERT UCO and MANAGE_KEYPAIR_CERT UCO.

    • Users with MANAGE_SM_ALL_TEAMS can generate a keypair for any team.

  • Disabled teams:

    • Users with MANAGE_SM_KEYPAIR can generate a keypair by adding users / groups.

Generate subkey

GENERATE_SM_KEYPAIR

Cannot perform this activity

  • Any open master keypair can be used to generate a subkey, regardless of team status.

  • Enabled teams:

    • GENERATE_KEYPAIR_CERT UCO must be enabled.

    • Users with MANAGE_SM_ALL_TEAMS can generate subkeys for any team.

  • Disabled teams:

    • Users with MANAGE_SM_KEYPAIR can generate a keypair by adding users / groups.

Update master and subkey

MANAGE_SM_KEYPAIR and MANAGE_SM_MASTER_KEYPAIR

Can update all master / subkeys in the account

  • Users with the required permission can update open master / subkeys.

  • Enabled teams:

    • Requires MANAGE_KEYPAIR_CERT UCO.

    • Users with MANAGE_SM_ALL_TEAMS can update any master / subkey.

  • Disabled teams:

    • Users with MANAGE_SM_KEYPAIR can update any master / subkey, including orphaned ones.

View lists and details

VIEW_SM_KEYPAIR

Can view lists and details for all master / subkeys

  • All users can view open master / subkeys.

  • Enabled teams:

    • Users with MANAGE_SM_ALL_TEAMS can view all master / subkeys.

    • MANAGE_SM_MY_TEAMS users can view master / subkeys for their own teams.

  • Disabled teams:

    • Users with MANAGE_SM_KEYPAIR can view all master / subkeys, including orphaned master / subkeys.

Sign

SIGN_SM_HASH

Not applicable

  • Any user can sign using an open master / subkey if its purpose is set to sign.

  • Enabled teams:

    • Requires SIGN UCO.

    • Users can sign with a master / subkey that is associated with their team

  • Disabled teams:

    • Users can sign with master / subkeys that are directly mapped or through user groups.

Revoke master / subkey

REVOKE_SM_CERTIFICATE and MANAGE_SM_MASTER_KEYPAIR

Cannot perform this activity

  • Can be revoked by users with the required permissions.

  • Enabled teams:

    • APPROVE_REVOKE_CERT UCO required.

    • Users with MANAGE_SM_ALL_TEAMS can revoke master / subkeys for any team.

  • Disabled teams:

    • Users with MANAGE_SM_KEYPAIR can revoke any master / subkey in their account, including orphaned ones.

Suspend / unsuspend

MANAGE_SM_KEYPAIR and MANAGE_SM_MASTER_KEYPAIR

Can perform these activities

  • Any user with the required permissions can suspend / unsuspend an open master / subkey.

  • Enabled teams:

    • Requires MANAGE_KEYPAIR_CERT UCO.

    • Users with MANAGE_SM_ALL_TEAMS can suspend / unsuspend any team's master / subkey.

  • Disabled teams:

    • Users with MANAGE_SM_KEYPAIR can suspend / unsuspend any master/subkey.

Delete master / subkey

APPROVE_SM_KEYPAIR_DELETE and MANAGE_SM_MASTER_KEYPAIR

Cannot perform this activity

  • Users with the required permissions can delete open master/subkeys.

  • Enabled teams:

    • APPROVE_DELETE_KEYPAIR UCO required.

    • Users with MANAGE_SM_ALL_TEAMS can delete master / subkeys for any team.

  • Disabled teams:

    • Users with MANAGE_SM_KEYPAIR can delete any master / subkey, including orphaned ones.

Import Sec Ring

IMPORT_SM_KEYPAIR and MANAGE_SM_MASTER_KEYPAIR

Cannot perform this activity

  • Not applicable

  • Not applicable

Download a keyring collection

VIEW_SM_KEYPAIR

Can perform this activity

  • Public keyring of an open master / subkey can be downloaded by all users.

  • Enabled teams:

    • Users with MANAGE_SM_ALL_TEAMS can download the public keyring for all master / subkeys.

  • Disabled teams:

    • Users with MANAGE_SM_KEYPAIR can download the keyring for all master / subkeys, including orphaned ones.


Certificates

tabel 5. Certificates

Certificate action

Permission

System scope user

Open keypairs

Restricted keypairs

View lists and details

VIEW_SM_CERTIFICATE

Can view all certificates for all keypairs in the account.

  • Visible to users with the required permission.

  • Enabled teams:

    • Users with MANAGE_SM_ALL_TEAMS and MANAGE_SM_KEYPAIR can view certificates for all teams, including orphaned keypairs.

    • MANAGE_SM_MY_TEAMS users can view certificates for their own teams.

  • Disabled teams:

    • Users with MANAGE_SM_KEYPAIR can view certificates for all keypairs, including orphaned keypairs.

Import certificate

IMPORT_SM_CERTIFICATE

Cannot perform this activity

  • Any user with the required permission can import certificates.

  • Enabled teams:

    • Users with MANAGE_SM_ALL_TEAMS can import certificates for any team.

    • MANAGE_SM_MY_TEAMS users can import certificates for their own teams.

  • Disabled teams:

    • Users with MANAGE_SM_KEYPAIR can import certificates for any keypair.

Generate certificate

GENERATE_SM_CERTIFICATE

Cannot perform this activity

  • Any user with the required permission can generate certificates using a certificate profile.

  • Enabled teams

    • GENERATE_KEYPAIR_CERT UCO is required.

    • Users with MANAGE_SM_ALL_TEAMS can generate certificates for any team's keypairs.

    • MANAGE_SM_MY_TEAMS users can generate certificates for keypairs for their own teams.

  • Disabled teams

    • Users with MANAGE_SM_KEYPAIR can generate certificates for any keypair using a profile.

Update / delete certificate

MANAGE_SM_CERTIFICATE_PROFILE

Can update or delete any certificate in the account

  • Any user with the required permission can update or delete certificates for open keypairs.

  • Enabled teams

    • MANAGE_KEYPAIR_CERT UCO is required.

    • Users with MANAGE_SM_ALL_TEAMS can update or delete certificates for any team, including orphaned keypairs.

    • MANAGE_SM_MY_TEAMS users can update or delete certificates for keypairs for their own teams.

  • Disabled teams

    • Users with MANAGE_SM_KEYPAIR can update or delete certificates for any keypair, including orphaned ones.

Revoke certificate

REVOKE_SM_CERTIFICATE

Cannot perform this activity

  • Any user with the required permission can revoke certificates for open keypairs.

  • Enabled teams

    • APPROVE_REVOKE_CERT UCO is required.

    • Approval flow applies.

    • Users with MANAGE_SM_ALL_TEAMS can revoke certificates for any team.

  • Disabled teams

    • Users with MANAGE_SM_KEYPAIR can revoke certificates for any keypair, including orphaned ones.

Update hierarchy mappings for certificates

MANAGE_SM_HIERARCHY

Only system scope user can perform this activity

Not applicable

Not applicable


Key rotations

tabel 6. Key rotations

Key rotation action

Permission

System scope user

Enabled teams

Disabled teams

View list and details

VIEW_SM_KEYPAIR

Can view list and details of all key rotations in the account

  • Users with MANAGE_SM_ALL_TEAMS and MANAGE_SM_KEYPAIR can view all key rotations in the account, regardless of team membership, including those created when teams were disabled.

  • UCO is not applicable

  • MANAGE_SM_MY_TEAMS users can view key rotations for their own teams.

  • Users with MANAGE_SM_KEYPAIR can view all key rotations in their account, including those created when teams were enabled.

  • Users with other permission can view key rotations that they are part of.

Create / update

MANAGE_SM_KEYPAIR

Cannot perform these actions

  • MANAGE_KEYPAIR_CERT UCO must be enabled for users in the team.

  • Users with MANAGE_SM_ALL_TEAMS can create and update key rotations for any team, and adjust mappings for rotations created when teams were disabled.

  • MANAGE_SM_MY_TEAMS users can create and update rotations for their own teams.

  • Users can create rotations with keypairs and their corresponding mapped users.


Software projects

tabel 7. Software projects

Action

Permission

System scope user

Enabled team

Disabled team

Generate

MANAGE_SM_ACCOUNT_SETTINGS

Can perform this activity

  • UCO is not applicable.

  • Users with MANAGE_SM_ALL_TEAMS can create projects for any team in the account, regardless of their team membership.

  • Users with MANAGE_SM_MY_TEAMS can create projects for their associated teams.

Any user part of the account can create a project.

Update

MANAGE_SM_ACCOUNT_SETTINGS

Can perform this activity

  • UCO is not applicable.

  • Users with MANAGE_SM_ALL_TEAMS can update any team's project, including orphan projects.

  • Users with MANAGE_SM_MY_TEAMS can update projects for their associated teams.

Users can update any project in the account, including orphan projects.

View lists and details

Not applicable

Can perform this activity

  • Users with MANAGE_SM_ALL_TEAMS can view details of all projects across teams, including orphan projects.

  • Users with MANAGE_SM_MY_TEAMS can view details only for projects within their teams.

Users can view lists and details of all projects in the account, including orphan projects.

Delete

MANAGE_SM_ACCOUNT_SETTINGS

Can perform this activity

  • Users with MANAGE_SM_ALL_TEAMS can delete any team's project, regardless of team membership.

  • Users with MANAGE_SM_MY_TEAMS can delete projects for their associated teams.

Users can delete any project in the account.

Suspend / unsuspend

MANAGE_SM_ACCOUNT_SETTINGS

Can perform this activity

  • Users with MANAGE_SM_ALL_TEAMS can suspend or unsuspend any project, regardless of their team membership.

  • Users with MANAGE_SM_MY_TEAMS can suspend or unsuspend projects for their associated teams.

Users can suspend or unsuspend any project in the account.


Scans

tabel 8. Scans

Action

Permission

System scope user

Enabled team

Disabled teams

Generate

SCAN_SM_SOFTWARE_SCAN

Cannot perform this activity

  • SCAN UCO must be enabled for users in the team.

  • Users with MANAGE_SM_ALL_TEAMS or MANAGE_SM_MY_TEAMS can use a project for a software scan if the project is mapped to their team.

Users can create a scan using any project in the account.

View lists and details

VIEW_SM_SOFTWARE_SCAN

Can view lists and details of all scans in the account

  • Users with MANAGE_SM_ALL_TEAMS can view scans for all teams, regardless of their membership.

  • Users with MANAGE_SM_MY_TEAMS can view scans only associated teams.

Users can view list and details of all scans in the account.

Delete

MANAGE_SM_SOFTWARE_SCAN

Cannot perform this activity

  • UCO is not applicable.

  • Users with MANAGE_SM_ALL_TEAMS can delete scans for any team.

  • Users with MANAGE_SM_MY_TEAMS can delete scans for associated teams.

Users can delete any scan in the account, regardless of project mappings.

Download

VIEW_SM_SOFTWARE_SCAN

Not applicable

  • Users with MANAGE_SM_ALL_TEAMS can download scans, regardless of team membership.

  • Users with MANAGE_SM_MY_TEAMS can download scans for associated projects.

Users can download any scan in the account.


Release windows

tabel 9. Release windows

Release action

Permission

System scope user

Enabled teams

Disabled teams

Create a release window

Update release window

APPROVE_SM_RELEASE_WINDOW or REQUEST_SM_RELEASE_WINDOW

Cannot perform this action

  • APPROVE_RELEASE UCO for APPROVE_SM_RELEASE_WINDOW permission must be enabled in the team, or the REQUEST_SM_RELEASE_WINDOW permission is required.

  • Users with MANAGE_SM_ALL_TEAMS can create and update releases for any team, and choose any baseline release.

  • Users with MANAGE_SM_MY_TEAMS can only interact with teams they are associated with.

  • Users with APPROVE_SM_RELEASE_WINDOW can create and update releases, choosing any baseline release in the account and adding users/groups.

View lists, details, and signature logs

APPROVE_SM_RELEASE_WINDOW or VIEW_SM_RELEASE_WINDOW

Can view list, details, and signature logs for all releases in the account

  • APPROVE_RELEASE UCO for APPROVE_SM_RELEASE_WINDOW permission must be enabled in the team, or the VIEW_SM_RELEASE_WINDOW permission is required.

  • Users with MANAGE_SM_ALL_TEAMS can view logs for all releases, even if they are not part of the release.

  • MANAGE_SM_MY_TEAMS users can view logs for teams they are assocaited with.

  • Users with APPROVE_SM_RELEASE_WINDOW can view details and logs for all releases, regardless of team association.

  • Users with other permissions can only view logs for releases they are associated with.

Release compare and baseline release creation

APPROVE_SM_RELEASE_WINDOW

Cannot perform this action

  • APPROVE_RELEASE UCO must be enabled for the user in the team.

  • Users with MANAGE_SM_ALL_TEAMS can compare and set any release as a baseline.

  • MANAGE_SM_MY_TEAMS users can compare and set any release as a baseline for teams they are associated with.

  • Users can compare and set any release in the account as a baseline release window.

Approve and reject release

APPROVE_SM_RELEASE_WINDOW

Cannot perform this action

  • APPROVE_RELEASE UCO must be enabled in the team. Approvals follow a multi-person flow; users approve or reject releases that belong to their own teams, even if created by someone with MANAGE_SM_ALL_TEAMS.

  • Users can approve or reject any pending releases in the account.

Close release window

APPROVE_SM_RELEASE_WINDOW or REQUEST_SM_RELEASE_WINDOW

Cannot perform this action

  • APPROVE_RELEASE UCO or REQUEST_SM_RELEASE_WINDOW must be enabled in the team.

  • Users with MANAGE_SM_ALL_TEAMS can close any release, even if they are not associated with the release.

  • MANAGE_SM_MY_TEAMS users can close releases for their own teams.

  • Other users can close releases they are part of and created.

  • Users with APPROVE_SM_RELEASE_WINDOW can close any release in the account.

  • Users with other permissions can only close releases they are part of and have created.


Notifications

tabel 10. Notifications 

Notification type

Enabled teams

Disabled teams

Keypair expiry

  • MANAGE_KEYPAIR_CERT UCO needs to be enabled for users in the team to receive notifications.

  • Users with MANAGE_SM_KEYPAIR or MANAGE_SM_ALL_TEAMS receive notifications for all restricted and open keypairs set to expire in the account.

  • Users with MANAGE_SM_KEYPAIR receive notifications only for restricted keypairs set to expire in teams they are members of.

Users with MANAGE_SM_KEYPAIR receive notifications for all restricted and open keypairs set to expire in the account.

Certificate about to expire

  • MANAGE_KEYPAIR_CERT UCO needs to be enabled for users in the team to receive the notification.

  • Users with MANAGE_SM_KEYPAIR or MANAGE_SM_ALL_TEAMS receive notifications for default certificates about to expire for all restricted and open keypairs in the account.

  • Users with MANAGE_SM_KEYPAIR receive notifications for default certificates about to expire for restricted keypairs in teams they are members of.

Users with MANAGE_SM_KEYPAIR receive notifications for default certificates about to expire for all restricted and open keypairs in the account.

Auto-renewing for certificates expiring in 15 and 30 days

  • MANAGE_KEYPAIR_CERT UCO needs to be enabled for users in the team to receive the notification.

  • Users with MANAGE_SM_KEYPAIR or MANAGE_SM_ALL_TEAMS receive notifications for certificates corresponding to all restricted and open keypairs getting renewed.

  • Users with MANAGE_SM_KEYPAIR receive notifications for certificates corresponding to restricted keypairs getting renewed in teams they are members of.

Users with MANAGE_SM_KEYPAIR receive notifications for certificates corresponding to all restricted and open keypairs getting renewed in the account.

Auto-renewing complete

Auto-renewing blocked

  • MANAGE_KEYPAIR_CERT UCO needs to be enabled for users in the team to receive the notification.

  • Users with MANAGE_SM_KEYPAIR or MANAGE_SM_ALL_TEAMS receive notifications for certificates corresponding to all restricted and open keypairs, including Auto Renew Complete (Public/Private) and Auto Renewal Blocked statuses.

  • Users with MANAGE_SM_KEYPAIR receive notifications for certificates corresponding to restricted keypairs in teams they are members of.

Users with MANAGE_SM_KEYPAIR permission receive notifications for certificates corresponding to all restricted and open keypairs, including Auto Renew Complete (Public/Private) and Auto Renewal Blocked statuses.