Team user critical operations
This document explains the various actions and permissions available for members of a team.
Before you begin, familiarize yourself with the following common terms:
Term | Description |
---|---|
UCO | |
Lead | |
Team lead | |
Teams
Teams action | Permission | System scope user | User with MANAGE_SM_ALL_TEAMS | User with MANAGE_SM_MY_TEAMS | UCO |
---|---|---|---|---|---|
Create and delete | MANAGE_SM_ALL_TEAMS | Not applicable | Can create or delete any team, regardless if the team is enabled or disabled. | Not applicable | UCO activities cannot be performed on users during team creation. |
Update | MANAGE_SM_MY_TEAMS or MANAGE_SM_ALL_TEAMS | Not applicable | Can update any team and perform UCO activities on users, regardless if the team is enabled or disabled. | Can update associated teams and perform UCO activities on those users. | Users with MANAGE_SM_ALL_TEAMS are not subject to UCO activities, even from users with the same permission level. If a user is assigned a Lead role, any previous team restrictions are still in effect for that user. To troubleshoot, another Lead can enable all permissions for that user. |
View lists and details | Not applicable | Can view lists and details of all teams in the account | Can view list and details of any team in the account, regardless if the team is enabled or disabled. | Can view lists and details for associated teams, regardless if the team is enabled or disabled. | Not applicable |
Activate / deactivate | MANAGE_SM_ALL_TEAMS or MANAGE_SM_MY_TEAMS | Not applicable | Can activate or deactivate any team in the account, regardless if the team is enabled or disabled. | Can only activate or deactivate associated teams, regardless if the team is enabled or disabled. | Not applicable |
Keypairs
Keypair action | Permission | System scope user | Open keypairs | Restricted keypairs |
---|---|---|---|---|
Generate | GENERATE_SM_KEYPAIR | Cannot perform this activity | | |
Update | MANAGE_SM_KEYPAIR | Can update any keypair in the account | | |
View lists and details | VIEW_SM_KEYPAIR | Can view list and details of all keypairs | | |
Sign | SIGN_SM_HASH | Not applicable | | |
Verify | SIGN_SM_HASH | Not applicable | Not applicable | Not applicable |
Delete | APPROVE_SM_KEYPAIR_DELETE | Cannot perform this activity | | |
Generate CSR | MANAGE_SM_KEYPAIR or GENERATE_SM_CERTIFICATE | Not applicable | | |
Refresh keypair | MANAGE_SM_KEYPAIR or SIGN_SM_HASH | Not applicable | | |
Suspend / unsuspend | MANAGE_SM_KEYPAIR | Not applicable | | |
Import keypair | IMPORT_SM_KEYPAIR | Cannot perform this activity | | |
Request keypair export | REQUEST_SM_KEYPAIR_EXPORT | Not applicable | | |
GPG keypairs
GPG keypair action | Permission | System scope user | Open keypairs | Restricted keypairs |
---|---|---|---|---|
Generate master keypair | GENERATE_SM_KEYPAIR and MANAGE_SM_MASTER_KEYPAIR | Cannot perform this activity | | |
Generate subkey | GENERATE_SM_KEYPAIR | Cannot perform this activity | | |
Update master and subkey | MANAGE_SM_KEYPAIR and MANAGE_SM_MASTER_KEYPAIR | Can update all master / subkeys in the account | | |
View lists and details | VIEW_SM_KEYPAIR | Can view lists and details for all master / subkeys | | |
Sign | SIGN_SM_HASH | Not applicable | | |
Revoke master / subkey | REVOKE_SM_CERTIFICATE and MANAGE_SM_MASTER_KEYPAIR | Cannot perform this activity | | |
Suspend / unsuspend | MANAGE_SM_KEYPAIR and MANAGE_SM_MASTER_KEYPAIR | Can perform these activities | | |
Delete master / subkey | APPROVE_SM_KEYPAIR_DELETE and MANAGE_SM_MASTER_KEYPAIR | Cannot perform this activity | | |
Import Sec Ring | IMPORT_SM_KEYPAIR and MANAGE_SM_MASTER_KEYPAIR | Cannot perform this activity | | |
Download a keyring collection | VIEW_SM_KEYPAIR | Can perform this activity | | |
Certificates
Certificate action | Permission | System scope user | Open keypairs | Restricted keypairs |
---|---|---|---|---|
View lists and details | VIEW_SM_CERTIFICATE | Can view all certificates for all keypairs in the account. | | |
Import certificate | IMPORT_SM_CERTIFICATE | Cannot perform this activity | | |
Generate certificate | GENERATE_SM_CERTIFICATE | Cannot perform this activity | | |
Update / delete certificate | MANAGE_SM_CERTIFICATE_PROFILE | Can update or delete any certificate in the account | | |
Revoke certificate | REVOKE_SM_CERTIFICATE | Cannot perform this activity | | |
Update hierarchy mappings for certificates | MANAGE_SM_HIERARCHY | Only system scope user can perform this activity | Not applicable | Not applicable |
Key rotations
Key rotation action | Permission | System scope user | Enabled teams | Disabled teams |
---|---|---|---|---|
View list and details | VIEW_SM_KEYPAIR | Can view list and details of all key rotations in the account | | |
Create / update | MANAGE_SM_KEYPAIR | Cannot perform these actions | | |
Software projects
Action | Permission | System scope user | Enabled team | Disabled team |
---|---|---|---|---|
Generate | MANAGE_SM_ACCOUNT_SETTINGS | Can perform this activity | | Any user who is part of the account can create a project. |
Update | MANAGE_SM_ACCOUNT_SETTINGS | Can perform this activity | | Users can update any project in the account, including orphan projects. |
View lists and details | Not applicable | Can perform this activity | | Users can view lists and details of all projects in the account, including orphan projects. |
Delete | MANAGE_SM_ACCOUNT_SETTINGS | Can perform this activity | | Users can delete any project in the account. |
Suspend / unsuspend | MANAGE_SM_ACCOUNT_SETTINGS | Can perform this activity | | Users can suspend or unsuspend any project in the account. |
Scans
Action | Permission | System scope user | Enabled team | Disabled teams |
---|---|---|---|---|
Generate | SCAN_SM_SOFTWARE_SCAN | Cannot perform this activity | | Users can create a scan using any project in the account. |
View lists and details | VIEW_SM_SOFTWARE_SCAN | Can view lists and details of all scans in the account | | Users can view list and details of all scans in the account. |
Delete | MANAGE_SM_SOFTWARE_SCAN | Cannot perform this activity | | Users can delete any scan in the account, regardless of project mappings. |
Download | VIEW_SM_SOFTWARE_SCAN | Not applicable | | Users can download any scan in the account. |
Release windows
Release action | Permission | System scope user | Enabled teams | Disabled teams |
---|---|---|---|---|
Create a release window / Update release window | APPROVE_SM_RELEASE_WINDOW or REQUEST_SM_RELEASE_WINDOW | Cannot perform this action | | |
View lists, details, and signature logs | APPROVE_SM_RELEASE_WINDOW or VIEW_SM_RELEASE_WINDOW | Can view list, details, and signature logs for all releases in the account | | |
Release compare and baseline release creation | APPROVE_SM_RELEASE_WINDOW | Cannot perform this action | | |
Approve and reject release | APPROVE_SM_RELEASE_WINDOW | Cannot perform this action | | |
Close release window | APPROVE_SM_RELEASE_WINDOW or REQUEST_SM_RELEASE_WINDOW | Cannot perform this action | | |
Notifications
Notification type | Enabled teams | Disabled teams |
---|---|---|
Keypair expiry | | Users with MANAGE_SM_KEYPAIR receive notifications for all restricted and open keypairs set to expire in the account. |
Certificate about to expire | | Users with MANAGE_SM_KEYPAIR receive notifications for default certificates about to expire for all restricted and open keypairs in the account. |
Auto-renewing for certificates expiring in 15 and 30 days | | Users with MANAGE_SM_KEYPAIR receive notifications for certificates corresponding to all restricted and open keypairs getting renewed in the account. |
Auto-renewing complete / Auto-renewing blocked | | Users with MANAGE_SM_KEYPAIR permission receive notifications for certificates corresponding to all restricted and open keypairs, including Auto Renew Complete (Public/Private) and Auto Renewal Blocked statuses. |