Software Trust Manager user roles

Assign one or more roles to a Software Trust Manager user when you add or update the user.

Account roles for standard and service users

The following user roles are available in your account:

Lead

Lead is the highest account scope (AS) role. Users with this role are responsible for managing cryptographic assets, enforcing policies, and monitoring compliance for other users in the account.

Category	Permission	Description	Notes
User settings	Default	View their own user profile and generate their own API key and client authentication certificate in DigiCert ONE.
Account settings	Manage account settings	Update Software Trust Manager > Accounts > Account settings.
Account settings	Manage CertCentral API key	Delete, disable, enable, setup, update and validate a CertCentral API key.
Teams	Manage all teams	Create teams. View, update, deactivate, delete, and assign resources to all teams within the account, if they have relevant resource permissions.
Audit logs	View audit log	View audit and signature logs.
Audit logs	Export audit logs	Export audit and signature logs.	`View audit log` is required as an additional permission to be able to export audit logs.
Certificates	Manage certificate hierarchy	View and create hierarchies. They can also activate and deactivate restricted hierarchies.
	Manage certificate profiles	View, create, update, clone, enable, and disable certificate profiles. View, update, and delete all certificates associated with a certificate profile that the user created.
	View certificate profile	View certificate profiles created.
	View certificate template	View certificate template details in the account.
	Generate certificate	Create a new certificate using keypairs that they're assigned to.	Users with `Manage keypair` permission can create a new certificate using any keypair within the account.
	Import certificate	Import certificates for keypairs that they're assigned to.	Users with `Manage keypair` permission can import a certificate to any keypair within the account.
	Revoke certificate	Revoke certificates associated with keypairs that they're assigned to.	Users with `Manage keypair` permission can revoke certificates associated with any keypair within the account.
	View certificate	View certificate details for all certificates assigned to them.	Users with `Manage keypair` permission can view all certificates within the account.
Keypairs	Request keypair export	Request to export keypairs that they're assigned to.	Users with `Manage keypair` permission can request to export any keypair within the account.
	Approve keypair export	Approve requests to export keypairs that they're assigned to.	Users with `Manage keypair` permission can approve keypair exports for any keypair within the account.
	Approve keypair delete	Approve requests to delete keypairs that they're assigned to.	Users with `Manage keypair` permission can approve keypair delete for any keypair within the account.
	Import keypair	Import keypairs into the account.	To import a GPG secring, the `Manage master key` permission is also required.
	Generate keypair	Create a new keypair.
	View keypair	View keypairs and key rotations relying on keypairs assigned to them.	Users with `Manage keypair` permission can view all keypairs and key rotations within the account.
	Manage keypair	Update, suspend or unsuspend keypairs. Create, update, enable, and disable keypair profiles. Create and update user groups. Create, update, and refresh key rotation. Generate a CSR.
	Manage master GPG key	Create GPG master key, if the user also has `Generate keypair` permission. Import a GPG secring, if the user also has `Import keypair` permission. Update, suspend, unsuspend master keys that they're assigned to. Delete master keys assigned to them, if the user also has `Approve keypair delete` permission. Revoke master keys assigned to them, if the user also has `Revoke certificate` permission.	Users with `Manage keypair` permission can update, suspend, unsuspend any master keys within the account. Users with `Manage keypair` permission can delete any master key within the account. Users with `Manage keypair` permission can revoke any master key within the account.
Signatures	Sign	Sign software with keypairs assigned to them.
Releases	View release	View all releases in the account.
	Request release	Request to create an offline release.
	Approve release	Create a release and approve or reject requests to create offline releases.
Threat detection	Manage threat detection	Download threat detection reports and assign threat detection scans to projects.

Team lead

The Team lead is an account scope (AS) role. Users with this role are responsible for managing the developers and engineering teams who work on signing and releasing software.

Category	Permission	Description	Notes
User settings	Default	View their own user profile and generate their own API key and client authentication certificate in DigiCert ONE.
Teams	Manage my teams	View, update, deactivate, and map resources to existing teams that they are part of, if they have relevant resource permissions.
Audit logs	View audit log	View audit and signature logs.
Audit logs	Export audit logs	Export audit and signature logs.	`View audit log` is required as an additional permission to be able to export audit logs.
Certificates	Manage certificate hierarchy	View and create hierarchies. They can also activate and deactivate restricted hierarchies.
	View certificate profile	View certificate profiles created.
	View certificate template	View certificate template details in the account.
	Import certificate	Import certificates for keypairs that they're assigned to.	Users with `Manage keypair` permission can import a certificate to any keypair within the account.
	Revoke certificate	Revoke certificates associated with keypairs that they're assigned to.	Users with `Manage keypair` permission can revoke certificates associated with any keypair within the account.
	Generate certificate	Create a new certificate using keypairs that they're assigned to.	Users with `Manage keypair` permission can create a new certificate using any keypair within the account.
	View certificate	View certificate details for all certificates assigned to them.	Users with `Manage keypair` permission can view all certificates within the account.
Keypairs	Import keypair	Import keypairs into the account.	To import a GPG secring, the `Manage master key` permission is also required.
	Request keypair export	Request to export keypairs that they're assigned to.	Users with `Manage keypair` permission can request to export any keypair within the account.
	Approve keypair export	Approve requests to export keypairs that they're assigned to.	Users with `Manage keypair` permission can approve keypair exports for any keypair within the account.
	Approve keypair delete	Approve requests to delete keypairs that they're assigned to.	Users with `Manage keypair` permission can approve keypair delete for any keypair within the account.
	Generate keypair	Create a new keypair.
	View keypair	View keypairs and key rotations relying on keypairs assigned to them.	Users with `Manage keypair` permission can view all keypairs and key rotations within the account.
	Manage keypair	Update, suspend or unsuspend keypairs. Create, update, enable, and disable keypair profiles. Create and update user groups. Create, update, and refresh key rotation. Generate a CSR.
	Manage master GPG key	Create GPG master key, if the user also has `Generate keypair` permission. Import a GPG secring, if the user also has `Import keypair` permission. Update, suspend, unsuspend master keys that they're assigned to. Delete master keys assigned to them, if the user also has `Approve keypair delete` permission. Revoke master keys assigned to them, if the user also has `Revoke certificate` permission.	Users with `Manage keypair` permission can update, suspend, unsuspend any master keys within the account. Users with `Manage keypair` permission can delete any master key within the account. Users with `Manage keypair` permission can revoke any master key within the account.
Signatures	Sign	Sign software with keypairs assigned to them.
Releases	View release	View all releases in the account.
	Request release	Request to create an offline release.
	Approve release	Create a release and approve or reject requests to create offline releases.
Threat detection	Manage threat detection	Download threat detection reports and assign threat detection scans to projects.

Build engineer

The Build engineer is an account scope (AS) role. Users with this role are responsible for signing and scanning software using threat detection.

Category	Permission	Description	Notes
User settings	Default	View their own user profile and generate their own API key and client authentication certificate in DigiCert ONE.
Audit logs	View audit log	View audit and signature logs.
Certificates	View certificate profile	View certificate profiles created.
	View certificate template	View certificate template details in the account.
	View certificate	View certificate details for all certificates assigned to them.	Users with `Manage keypair` permission can view all certificates within the account.
Keypairs	View keypair	View keypairs and key rotations relying on keypairs assigned to them.	Users with `Manage keypair` permission can view all keypairs and key rotations within the account.
Signatures	Sign	Sign software with keypairs assigned to them.
Releases	View release	View all releases in the account.
Threat detection	View threat detection	View all threat detection scans in the account.
	Manage threat detection	Download threat detection reports and assign threat detection scans to projects.
	Run threat detection scans	Scan software using threat detection.

Developer

The DigiCert® Software Trust Manager Developer is an account scope (AS) role for users responsible for signing, managing assets related to signing, and releasing software.

Category	Permission	User can	Notes
User settings	Default	View their own user profile and generate their own API key and client authentication certificate in DigiCert ONE.
Audit logs	View audit log	View audit and signature logs.
Certificates	View certificate profile	View certificate profiles created.
	View certificate template	View certificate template details in the account.
	Generate certificate	Create a new certificate using keypairs that they're assigned to.	Users with `Manage keypair` permission can create a new certificate using any keypair within the account.
	View certificate	View certificate details for all certificates assigned to them.	Users with `Manage keypair` permission can view all certificates within the account.
Keypairs	Generate keypair	Create a new keypair.
Keypairs	View keypair	View keypairs and key rotations relying on keypairs assigned to them.	Users with `Manage keypair` permission can view all keypairs and key rotations within the account.
Signatures	Sign	Sign software with keypairs assigned to them.
Releases	Request release	Request to create an offline release.
Releases	View release	View all releases in the account.
Threat detection	View threat detection	View all threat detection scans in the account.

Signer

The DigiCert® Software Trust Manager Signer is an account scope (AS) role for engineers or authenticated devices responsible for signing software.

Category	Permission	User can	Notes
User settings	Default	View their own user profile and generate their own API key and client authentication certificate in DigiCert ONE.
Audit logs	View audit log	View audit and signature logs.
Certificates	View certificate profile	View certificate profiles created.
	View certificate template	View certificate template details in the account.
	View certificate	View certificate details for all certificates assigned to them.	Users with `Manage keypair` permission can view all certificates within the account.
Keypair	View keypair	View keypairs and key rotations relying on keypairs assigned to them.	Users with `Manage keypair` permission can view all keypairs and key rotations within the account.
Signatures	Sign	Sign software with keypairs assigned to them.
Releases	View release	View all releases in the account.

System roles for on-premises administration

For on-premises customers, these roles are available for system administration.

Admin

DigiCert® Software Trust Manager Admin is a system scope (SS) role for users responsible for day-to-day account configuration and enabling Software Trust Manager.

Category	Permission	User can
User settings	View user	View their own user profile and generate their own API key and client authentication certificate in DigiCert ONE.
Account settings	Manage CertCentral API key	Delete, disable, enable, setup, update and validate a CertCentral API key.
Account settings	View health	View app health (API).
Audit logs	View audit log	View audit and signature logs in the account.
Audit logs	Export audit logs	Export audit and signature logs in the account. Note `View audit log` is required as an additional permission to export audit logs.
Certificates	Manage certificate hierarchy	Create, update, approve, reject, suspend, unsuspend, and view certificate hierarchies. Note `View certificate` permission is required as an additional permission to manage certificate hierarchy.
	Manage certificate profiles	Create, update, enable, disable, and delete certificate profiles. Update and delete certificates. Note `View certificate profile` is required as an additional permission to manage certificate profiles.
	Manage certificate profiles	Create, update, enable, disable, and delete certificate profiles. Update and delete certificates. Note `View certificate profile` is required as an additional permission to manage certificate profiles.
	Manage certificate template	Create, update, and clone certificate templates. Note `View certificate template` is required as an additional permission to manage certificate templates.
	View certificate	View certificate details in the account.
Keypairs	Manage keypair	Update, suspend or unsuspend keypairs. Create, update, enable, and disable keypair profiles. Create and update user groups. Create, update, and refresh key rotation. Generate a CSR Note `View keypair` is required as an additional permission to manage keypairs.
Keypairs	View keypair	View keypair details in the account.
Releases	View release	View releases in the account.

Support

DigiCert® Software Trust Manager Support is a system scope (SS) role for support teams responsible for assisting users with account setup and signing.

Category	Permission	User can
User settings	Default	View their own user profile and generate their own API key and client authentication certificate in DigiCert ONE.
Account settings	View health	View app health (API).
Audit logs	View audit log	View audit and signature logs in the account.
Audit logs	Export audit logs	Export audit and signature logs in the account. Note `View audit log` is required as an additional permission to export audit logs.
Certificates	View certificate profile	View certificate profile details in the account.
	View certificate template	View certificate template details in the account.
	View certificate	View certificate details in the account.
Keypairs	View keypair	View keypair details in the account.
Releases	View release	View releases in the account.

System auditor

DigiCert® Software Trust Manager System auditor is a system scope (SS) role for monitoring systems and applications for adherence to policies and compliance.

Category	Permission	User can
User settings	Default	View their own user profile and generate their own API key and client authentication certificate in DigiCert ONE.
Account settings	View health	View app health (API).
Audit logs	View audit log	View audit and signature logs in the account.
Audit logs	Export audit logs	Export audit and signature logs in the account. Note `View audit log` is required as an additional permission to export audit logs.
Certificates	View certificate	View certificate details in the account.
Keypairs	View keypair	View keypair details in the account.
Releases	View release	View releases in the account.

Software Trust Manager user roles

Account roles for standard and service users

Lead

Team lead

Build engineer

Developer

Signer

System roles for on-premises administration

Admin

Note

Note

Note

Note

Note

Note

Support

Note

System auditor

Note