Understanding roles

Trust Protection Platform includes predefined roles designed with specific permissions that you can assign to existing users.

You can see which roles are assigned to a user identity using the Roles filter on the Inventory > Identities page in Aperture. See Managing role assignments on one or more users or groups.

These roles include the following:

• Master Admin: grants access to every object, certificate, key, identity, and permission in the system. See About the Master Admin role.

  WARNING!  Use the Master Admin role with extreme caution. Users to whom you assign the Master Admin role have full permissions to every object in the Trust Protection Platform database, including certificates, private keys, and credentials. You cannot hide any objects in the system from users who have been given this role.

• WebSDK Access: grants users programmatic access to Venafi's Web SDK. See Configuring various authentication methods for OAuth token authorization.

• Auditor: grants read access to view objects that are public, such as certificates, CSRs, and public keys. Also grants read access to view certain metadata about objects with higher security requirements, such as private keys. Can also read and run existing reports. To assign the auditor role, see Adding the Auditor role to a user or group.

  NOTE  If the Auditor role is assigned to a user, all other permission assignments to that user are ignored.

• Recycle Bin Administrator: grants a non-Master Admin user the permissions to manage the content and settings of the TPP recycle bin. This role is particularly useful for delegating recycle bin management tasks to help desk staff without granting them full Master Admin privileges.

  Required access for Recycle Bin Administrator role

  To use the MMC Venafi Recycle Bin Snap-In and related WebSDK APIs, the user needs to be granted access to the Venafi Recycle Bin API Integration.

  To set any engine list in the recycle bin configuration, the user must also have View permissions to the root of the Platform tree.

  Available actions for Recycle Bin Administrator role

  A user with the Recycle Bin Administrator role can perform various actions, such as:

  • Purge, restore, empty and start operations in the recycle bin.

  • Configure the recycle bin settings.

  • Launch the recycle bin snap-in from their desktop if they have been granted permissions to the integration.

  • Perform actions using TppTool. See Using TppTool from the command line and script files.

  How to use the Recycle Bin Administrator role

  1. Open Venafi Configuration Console, click on System Roles.

  2. Click on Add Recycle Bin Administrator.

  3. Select a user or group to whom you want to assign the role.

  4. Open either the Access Management MMC snap-in or go to Aperture > API Integrations, and then add the user or group to the Venafi Recycle Bin integration.

  5. Ask the user to install VenafiMMC.msi on their local workstation.

  6. Instruct the user to launch mmc.exe and add the ‘Venafi Recycle Bin’ snap-in.

  7. (Alternatively) Instead of using the snap-in, they could also use the Recycle Bin WebSDK APIs.

• Schema Administrator: allows non-Master Admins to modify the operational config schema of the TPP environment. This role enables delegating schema management tasks without granting full Master Admin access.

  A user with the Schema Administrator role can perform the following actions:

  • Export and import TPP objects using TppTool, as long as they have permissions to the objects. See Using TppTool from the command line and script files.