User roles and permissions
DigiCert® Device Trust Manager uses Role-Based Access Control (RBAC) to ensure users have the appropriate permissions for their responsibilities within the platform. This model restricts or grants access based on a user’s assigned role, enabling a secure and organized structure for managing IoT devices.
Role assignment is managed in DigiCert® Account Manager by an Account Administrator. See Account Manager documentation for more detail about user creation and management.
An account administrator is responsible for creating users and assigning roles in Device Trust Manager. Below is a quick breakdown of each role to help you understand each one and best practices for assigning them:
Solution Administrator: This is the primary administrator role for Device Trust Manager, with full access to all permissions. Assign this role carefully, as users in this position have the ability to perform any action within Device Trust Manager.
Device Creator: This role is intended for users responsible for registering devices individually or in bulk. It’s commonly assigned to production managers or staff at manufacturing facilities where devices are initialized and registered.
Device Administrator: Assigned to users who need control over device lifecycle management, including enabling, disabling, deleting, and undeleting devices. This role is often designated to users involved in ongoing device operations and support.
Artifact Manager: Artifact Managers are typically firmware developers or software engineers who create and upload device update packages. They handle the software artifacts that are deployed to devices, making this role essential for maintaining and updating device functionality.
Note
The Solution Administrator and Account Administrator roles do not need to be held by the same individual. An Account Administrator—usually from IT, IT Security, or PKI Ops—administers DigiCert® ONE and controls access to the various management applications, including Device Trust Manager. The Solution Administrator, however, is more likely part of the product or operational team responsible for managing devices.
Detailed roles and permissions
The table below provides a detailed breakdown of permissions associated with each role in Device Trust Manager:
Solution Administrator | Device Creator | Device Administrator | Artifact Manager | |
---|---|---|---|---|
General permissions | ||||
Dashboard | View/Edit | View/Edit | View/Edit | View/Edit |
Divisions | View/Edit | View | View | View |
Notifications | View/Edit | View/Edit | View/Edit | View/Edit |
License | View | - | - | - |
System audit log | View | View | View | View |
Certificate management permissions | ||||
Authentication CAs | View/Edit | - | - | - |
CA connector | View/Edit | - | - | - |
Certificate management policy | View/Edit | View | View | - |
Certificate profile | View/Edit | View | View | - |
Certificate template | View/Edit | View | View | - |
Certificate renew | View/Edit | - | View/Edit | - |
Certificate request | View/Edit | View/Edit | View/Edit | - |
Certificate revoke | View/Edit | - | View/Edit | - |
OCSP groups | View/Edit | - | - | - |
Device management permissions | ||||
Devices | View/Edit | View | View/Edit | - |
Download bootstrap configuration | View/Edit | View/Edit | View/Edit | - |
Download certificates | View/Edit | View/Edit | View/Edit | - |
Register many devices | View/Edit | View/Edit | - | - |
Register single device | View/Edit | View/Edit | - | - |
Device groups | View/Edit | View | View | - |
Software update permissions | ||||
Artifacts | View/Edit | View | View | View/Edit |
Releases | View/Edit | View | View | View |
Deployments | View/Edit | View | View | View |
Job permissions | ||||
Batch certificate issuance jobs | View/Edit | - | View/Edit | - |
Batch device registration jobs | View/Edit | View/Edit | - | - |
Deployment jobs | View/Edit | - | - | - |
DigiCert® Gateway management | ||||
DigiCert® Gateway | View/Edit | View | View | - |