Applies to:
Versions 15.3 +
Summary:
In Venafi, all administrative permissions are managed at the object level. Every encryption system object such as Policies, Credentials, Workflows, CAs, Devices, Applications, Certificates, Symmetric Keys, SSH Server Keys, SSH Client Keys, Notifications, Channels, Logging Applications, and Discoveries has a Permissions tab. On the object Permissions tab, you select the users or groups you want to have permissions to the current object and its subordinate objects, then you select which permissions you want the user or group to have.
More info:
The following table provides an explanation of the available object permissions.
| Permission | Allows the user to... |
|---|---|
| View | The user can see the object in the tree, but cannot select the object or read its values. |
| Read | The user can see and select the object in the tree. Additionally, the user can read the object data, but no buttons are enabled; the user cannot edit or manage the object. In Certificate objects, users with Read permissions to the certificate can see only those associated applications to which they have View or higher permissions on the Application object. In Application objects, users with Read permissions to the application can see the associated certificate only if they have View or higher permissions on the Certificate object. |
| Write | The user can edit and modify object attributes. To move objects in the tree, the user must have Write permissions to the objects and Create permissions to the target folder. Read permissions are inferred. Rename is selected by default but can be deselected. In Certificate and Application objects, the user also has access to the page-specific options listed in the next four rows. |
| Write: Certificate Summary page | Users with Write permissions to the Certificate object have access to the Restart, Retry, Reset, and Revoke options. |
| Write: Certificate Settings page | Users with Write permissions to the Certificate object have access to the Renew Now option. |
| Write: Certificate Associations page | Users with Write permissions to the Certificate object can see all associated applications, regardless of their permissions to the individual applications. For those applications to which they also have either Write permissions, or both Associate and View permissions, they can add associations, use the Retry Installation option, push the certificate and private key, and enable or disable the certificate. |
| Write: Application Settings page | Users with Write permissions to the Application object can add associations only if no certificate is currently associated with the Application object, or if they have either Write permissions, or both Associate and View permissions, to the associated Certificate object. With those same permissions to the associated Certificate object, they also have access to the Retry Installation option and can push the certificate and private key to the application. |
| Create | The user can create subordinate objects, such as devices and applications. View is inferred. |
| Manage Policy | Lets users modify policy values on folders. Read and Write permissions are implied; the View permission is not. For the Manage Policy permission to be useful, users should be granted the View permission as well. |
| Delete | Lets the user delete objects. |
| Rename | Lets the user rename objects or move them within the tree. To move an object, the holder must also have the Create permission in the target location. When an object is moved, locked policy attributes are recalculated. |
| Associate | If you have Write permissions to a Certificate object and both Associate and View permissions to the application(s) where the certificate is installed, you can perform the association functions described under Write for the Certificate object's Certificate Associations page. If you have Write permissions to an Application object and both Associate and View permissions to the certificate installed on the application, you can perform the association functions described under Write for the Application object's Settings page. This permission is relevant only to Policy, Application, and Certificate objects. |
| Revoke | Revoking a certificate makes it invalid. You must also have Write permissions to the certificate. Once you revoke a certificate, you cannot undo the action. |
| Private Key Read | You can download the private key from the Trust Protection Platform database, if the key is archived there. This permission is relevant only to Policy and Certificate objects. |
| Private Key Write | You can upload a certificate private key file to the Trust Protection Platform database. This permission is relevant only to Policy, Certificate, and Private Key Credential objects. |
| Admin | Lets the user grant other user or group identities permissions to the current object or its subordinate objects. |
The following table lists the permissions specific to the Master Administrator.
| Object Permissions | Allows user to: |
|---|---|
| Create Encryption objects | Create encryption objects under the encryption tree in the web console. |
| Edit Encryption objects | Edit encryption objects under the encryption tree in the web console. |
| View Encryption objects | View encryption objects under the encryption tree in the web console. |
| Delete Encryption objects | Delete encryption objects under the encryption tree in the web console. |
| Assign Master Admin rights | Only the master administrator has rights to assign the master admin right to other users. |
| Join additional Servers/engines to environment | Only a master administrator is able to connect and join another server to the Venafi environment. |
| Upgrade server | A master administrator is required to upgrade an existing Venafi server. |
| Rights to 'VED' object | The master administrator has access to the 'VED' object, which is the root of the entire platform and is not viewable. |
Permissions Inheritance
Permissions flow down the policy tree. This makes the design efficient, because you only have to set permissions high in the policy tree. However, there are rules for how each object's effective permissions are determined.
Rules:
When you grant permissions to an object, all subordinate objects inherit those same permissions unless you explicitly set (add or subtract) permissions on an object further down the tree, in which case permissions inheritance is determined as follows:
- Permissions assigned to users override permissions assigned to groups.
- Group permissions are cumulative. This means that if there are multiple group assignments, an object’s inherited permissions resolve to the combined group permissions.
- By default, the Master Admin permissions are granted to the install user and to the user used to set up the AD connection.
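The following Python model is an added example, not Venafi code, that applies the inheritance rules above (and the implied permissions from the first table: Write implies Read, Create implies View, Manage Policy implies Read and Write but not View) to a constructed policy tree, so an administrator can check what a given identity would effectively hold on an object before granting it. It assumes a `user:`/`group:` naming convention for principals, `\VED\...`-style object paths, and that an explicit assignment for a principal further down the tree replaces that principal's inherited set rather than merging with it; the Master Administrator rights are not modelled.

```python
"""Toy resolver for object permission inheritance (added example, not Venafi code)."""
from typing import Dict, FrozenSet, Iterable, List, Optional, Set, Tuple

# Permissions the article says are implied by another permission.
# Manage Policy implies Read and Write but deliberately NOT View.
IMPLIED: Dict[str, Set[str]] = {
    "Write": {"Read"},
    "Create": {"View"},
    "Manage Policy": {"Read", "Write"},
}

# Constructed sample assignments: object path -> principal -> explicit permissions.
# The "user:" / "group:" prefixes are an assumption of this example.
ASSIGNMENTS: Dict[str, Dict[str, Set[str]]] = {
    "\\VED\\Policy": {
        "group:pki-ops": {"View", "Read", "Write", "Create"},
        "group:auditors": {"View", "Read"},
    },
    "\\VED\\Policy\\Certificates": {
        # Explicit grant further down the tree overrides the inherited one.
        "group:pki-ops": {"View", "Read", "Write", "Create",
                          "Revoke", "Private Key Read"},
    },
    "\\VED\\Policy\\Certificates\\prod": {
        # Explicit user grant: overrides whatever bob's groups would give him.
        "user:bob": {"View", "Read"},
    },
}


def expand_implied(perms: Iterable[str]) -> FrozenSet[str]:
    """Add implied permissions until a fixed point (Manage Policy -> Write -> Read)."""
    result = set(perms)
    while True:
        extra = set().union(*(IMPLIED.get(p, set()) for p in result)) - result
        if not extra:
            return frozenset(result)
        result |= extra


def ancestors_and_self(path: str) -> List[str]:
    """Return the chain of object paths from the root down to `path`."""
    parts = [p for p in path.split("\\") if p]
    return ["\\" + "\\".join(parts[:i]) for i in range(1, len(parts) + 1)]


def effective_permissions(
    assignments: Dict[str, Dict[str, Set[str]]],
    object_path: str,
    user: str,
    groups: Iterable[str],
) -> Tuple[FrozenSet[str], Dict[str, str]]:
    """Resolve what `user` effectively holds on `object_path`.

    Returns the permission set and, for audit, which node supplied each
    principal's grant. User grants override group grants; group grants
    are cumulative (union).
    """

    def deepest_grant(principal: str) -> Optional[Tuple[str, Set[str]]]:
        # Walk root -> object; the deepest explicit assignment wins.
        found = None
        for node in ancestors_and_self(object_path):
            if principal in assignments.get(node, {}):
                found = (node, set(assignments[node][principal]))
        return found

    user_grant = deepest_grant(user)
    if user_grant is not None:
        node, perms = user_grant
        return expand_implied(perms), {user: node}

    combined: Set[str] = set()
    basis: Dict[str, str] = {}
    for group in groups:
        grant = deepest_grant(group)
        if grant is not None:
            node, perms = grant
            combined |= perms
            basis[group] = node
    return expand_implied(combined), basis


if __name__ == "__main__":
    target = "\\VED\\Policy\\Certificates\\prod\\web01"
    for who, memberships in [("user:alice", ["group:pki-ops", "group:auditors"]),
                             ("user:bob", ["group:pki-ops"])]:
        perms, basis = effective_permissions(ASSIGNMENTS, target, who, memberships)
        print(who, sorted(perms), basis)
```

The `basis` mapping is the part worth keeping in a real audit script: it tells you which node in the tree a permission actually came from, which is what you need when an Entitlement report shows a right you did not expect.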
Determining effective rights:
1: In the Identity Tree, look up your user. The General tab shows which explicit permissions have been granted to that user.
2: Running the Entitlement report gives you a snapshot of all users' rights in all trees.
Note:
Rights are evaluated when you authenticate to the console.