Lead (AS)

Lead is the highest account scope (AS) role. Users with this role are responsible for managing cryptographic assets, enforcing policies, and monitoring compliance for other users in the account.

Permissions

The Lead role contains the following permissions:

Category	Permission	Description	Notes
User settings	Default	View their own user profile and generate their own API key and client authentication certificate in DigiCert ONE.
Account settings	Manage account settings	Update Software Trust Manager > Accounts > Account settings.
Account settings	Manage CertCentral API key	Delete, disable, enable, setup, update and validate a CertCentral API key.
Teams	Manage all teams	Create teams. View, update, deactivate, delete, and assign resources to all teams within the account, if they have relevant resource permissions.
Audit logs	View audit log	View audit and signature logs.
Audit logs	Export audit logs	Export audit and signature logs.	`View audit log` is required as an additional permission to be able to export audit logs.
Certificates	Manage certificate hierarchy	View and create hierarchies. They can also activate and deactivate restricted hierarchies.
	Manage certificate profiles	View, create, update, clone, enable, and disable certificate profiles. View, update, and delete all certificates associated with a certificate profile that the user created.
	View certificate profile	View certificate profiles created.
	View certificate template	View certificate template details in the account.
	Generate certificate	Create a new certificate using keypairs that they're assigned to.	Users with `Manage keypair` permission can create a new certificate using any keypair within the account.
	Import certificate	Import certificates for keypairs that they're assigned to.	Users with `Manage keypair` permission can import a certificate to any keypair within the account.
	Revoke certificate	Revoke certificates associated with keypairs that they're assigned to.	Users with `Manage keypair` permission can revoke certificates associated with any keypair within the account.
	View certificate	View certificate details for all certificates assigned to them.	Users with `Manage keypair` permission can view all certificates within the account.
Keypairs	Request keypair export	Request to export keypairs that they're assigned to.	Users with `Manage keypair` permission can request to export any keypair within the account.
	Approve keypair export	Approve requests to export keypairs that they're assigned to.	Users with `Manage keypair` permission can approve keypair exports for any keypair within the account.
	Approve keypair delete	Approve requests to delete keypairs that they're assigned to.	Users with `Manage keypair` permission can approve keypair delete for any keypair within the account.
	Import keypair	Import keypairs into the account.	To import a GPG secring, the `Manage master key` permission is also required.
	Generate keypair	Create a new keypair.
	View keypair	View keypairs and key rotations relying on keypairs assigned to them.	Users with `Manage keypair` permission can view all keypairs and key rotations within the account.
	Manage keypair	Update, suspend or unsuspend keypairs. Create, update, enable, and disable keypair profiles. Create and update user groups. Create, update, and refresh key rotation. Generate a CSR.
	Manage master GPG key	Create GPG master key, if the user also has `Generate keypair` permission. Import a GPG secring, if the user also has `Import keypair` permission. Update, suspend, unsuspend master keys that they're assigned to. Delete master keys assigned to them, if the user also has `Approve keypair delete` permission. Revoke master keys assigned to them, if the user also has `Revoke certificate` permission.	Users with `Manage keypair` permission can update, suspend, unsuspend any master keys within the account. Users with `Manage keypair` permission can delete any master key within the account. Users with `Manage keypair` permission can revoke any master key within the account.
Signatures	Sign	Sign software with keypairs assigned to them.
Releases	View release	View all releases in the account.
	Request release	Request to create an offline release.
	Approve release	Create a release and approve or reject requests to create offline releases.
Threat detection	Manage threat detection	Download threat detection reports and assign threat detection scans to projects.