Managing role and grant assignments in Policy Tree

While most system role management takes place in Venafi Configuration Console, there are a few roles you can modify directly in Trust Protection Platform's Policy Tree:

  • Master Admin

  • Auditor

  • Allow Team Creation

    NOTE  Allow Team Creation is technically a grant, not a system role, which is why it is assigned in Policy Tree rather than VCC.

To add a role/grant to a group in Policy Tree

  1. From the Platform menu bar, click Policy Tree, then open the Identity tree.

  2. Expand the Identity Providers group, and click the identity provider where the group is stored.

  3. Make sure the Users & Groups tab at the top is selected.

  4. Click the group identity.

  5. Click the Group > Settings tab in the bottom section of the screen.

  6. Select the checkbox next to the role or grant, then click Save.

To add a role/grant to a user in Policy Tree

  1. From the Platform menu bar, click Policy Tree, then open the Identity tree.

  2. Expand the Identity Providers group, and click the identity provider where the group is stored.

  3. Make sure the Users & Groups tab at the top is selected.

  4. Click on the user identity.

  5. In the Details > User tab, select the checkbox next to the role or grant, then click Save.

IMPORTANT  The checkbox is only checked if the user's identity has specifically been granted the role. Roles can be inherited via groups. In that case, the role will not be selected for the user identity, but the user will have the same access.
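For an access review, the point in the IMPORTANT note means the per-user checkbox alone does not show everyone who holds a role. The following is an added example, not Venafi code or a Venafi export format: it resolves effective roles from a constructed identity listing and reports users who hold a role only through a group. The data layout, the `user:`/`grp:` naming, and the treatment of nested groups as also conveying the role are assumptions the page does not state.

```python
# Constructed sample data (hypothetical layout, not a Venafi export). Each identity
# lists the roles/grants checked directly on it and the groups it belongs to.
IDENTITIES = {
    "grp:pki-admins": {"direct": {"Master Admin"}, "member_of": []},
    "grp:pki-ops":    {"direct": set(), "member_of": ["grp:pki-admins"]},
    "grp:audit":      {"direct": {"Auditor"}, "member_of": []},
    "user:alice":     {"direct": {"Master Admin"}, "member_of": ["grp:audit"]},
    "user:bob":       {"direct": set(), "member_of": ["grp:pki-ops"]},
    "user:carol":     {"direct": {"Allow Team Creation"}, "member_of": []},
}


def effective_roles(identity, identities=IDENTITIES):
    """Return {role: sorted sources}; a source is the identity itself or a group."""
    found = {}
    seen = set()
    stack = [identity]
    while stack:
        current = stack.pop()
        if current in seen or current not in identities:
            continue  # skip membership loops and groups missing from the listing
        seen.add(current)
        for role in identities[current]["direct"]:
            found.setdefault(role, set()).add(current)
        # Assumption: membership in a nested group conveys the role as well.
        stack.extend(identities[current]["member_of"])
    return {role: sorted(sources) for role, sources in found.items()}


def inherited_only(role, identities=IDENTITIES):
    """Users who hold `role` via a group while their own checkbox is unchecked."""
    hits = {}
    for name, record in identities.items():
        if not name.startswith("user:") or role in record["direct"]:
            continue
        sources = effective_roles(name, identities).get(role)
        if sources:
            hits[name] = sources
    return hits


if __name__ == "__main__":
    for role in ("Master Admin", "Auditor", "Allow Team Creation"):
        print(role, inherited_only(role))
```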