Assigning permissions to an object in Policy Tree
The Permissions tab allows you to assign access permissions to the current object. You can also manage permissions via parent objects, including folders.
TIP Because permissions assigned in parent objects flow down the tree to the subordinate objects, defining admin permissions in a parent object, such as a Policy object, is an efficient way to manage administrative permissions to your encryption resources. It is not necessary to assign permissions to individual objects unless you want to override the permissions inherited from the parent object.
For more information on permissions management in Trust Protection Foundation, see Working with identities, permissions, and teams in the CyberArk Trust Protection Foundation Administration Guide. For information on assigning permissions in folders, see Using policies to manage encryption assets in the CyberArk Trust Protection Foundation Administration Guide.
IMPORTANT You must have the View, Admin, and Write permissions to assign object permissions.
- From the Certificate Manager - Self-Hosted menu bar, click Policy Tree.
- Select the Policy tree from the Tree drop-down menu.
- In the Policy tree, select the Certificate object.
- Click the General > Permissions tab.
- Click Add.
  If the Identity Selector dialog is not populated, enter a search query to retrieve the Identity list. The administration console does not automatically display external users and groups. You must first enter a search string so that Trust Protection Foundation can query the external Identity store and return the list of requested users or groups. To display all user or group entries, enter the wildcard character (*).
- Select a User or Group Identity.
  Press Shift+click to select multiple contiguous users and groups.
  Press Ctrl+click to select multiple discontiguous users and groups.
- Click the move button to move the selected users to the Selected list, and then click Select to add them to the object’s Permissions tab.
- Select the permissions you want the User or Group Identity to have, and then click Apply/Save.
  In the Policy Tree, permission assignments are updated the next time the affected user logs in to the console or when the user clicks Refresh in a grid or tree view.
| Permission | Allows the user to... |
| --- | --- |
| View | The user can see the object in the tree, but cannot select the object or read the values. |
| Read | The user can see and select the object in the tree. Additionally, the user can read the object data, but no buttons are enabled; the user cannot edit or manage the object. In Certificate objects, users with Read permissions to the certificate can see only the associated applications to which they have View or higher permissions to the Application object. In Application objects, users with Read permissions to the application can see only the associated certificate if they have View or higher permissions to the Certificate object. For SSH keysets, users with Read permissions to the keyset (if in a policy folder) can view all keys in the keyset. If the keyset is not in a policy folder, the user can see all the keys in the keyset only if they have Read permissions on all devices in the keyset. |
| Write | The user can edit and modify object attributes. To edit an object or its properties, you must have Write permission on the object. Note that if View permission is not granted to the device object where the application is created, the Install button will not be available to the user in Aperture. To move objects in the tree, the user must have Write permissions to the objects and Create permissions to the target folder. Read permissions are inferred. Rename is selected by default but can be deselected. In Certificate and Application objects, the user also has access to the following options in the designated pages: |
| Write: Certificate Summary Page | Users with Write permissions to the Certificate object have access to the Restart, Retry, Reset, and Revoke options. |
| Write: Certificate Settings Page | Users with Write permissions to the Certificate object have access to the Renew Now option. |
| Write: Certificate Associations Page | Users with Write permissions to the Certificate object can see all associated applications, regardless of their permissions to the individual applications. Users with Write permissions to the Certificate object can add associations only to those applications to which they have either Write, or both Associate and View permissions. Users with Write permissions to the Certificate object have access to the Retry Installation option only for those applications to which they have either Write, or both Associate and View permissions. Users with Write permissions to the Certificate object can push the certificate and private key only to those applications to which they have either Write, or both Associate and View permissions. Users with Write permissions to the Certificate object can enable or disable the certificate only on those applications to which they have either Write, or both Associate and View permissions. |
| Write: Application Settings Page | Users with Write permissions to the Application object can add associations only if no certificate is currently associated with the Application object, or if they have either Write, or both Associate and View permissions to the associated Certificate object. Users with Write permissions to the Application object have access to the Retry Installation option only if they have either Write, or both Associate and View permissions to the associated Certificate object. Users with Write permissions to the Application object can push the certificate and private key to the application only if they have either Write, or both Associate and View permissions to the associated Certificate object. |
| Write: SSH keys | Users with Write permissions to a keyset can rotate keys, delete keys from a keyset, add a new key, and add a passphrase to a key. However, if the user does not have Write permissions to the key's associated device, the user cannot add keys. |
| Create | The user can create subordinate objects, such as devices and applications. View is inferred. For SSH keys, you must have the Create permission in the target folder to move a keyset into that folder. |
| Manage Policy | Lets users modify policy values on folders. Read and Write permissions are implied; the View permission is not. For the Manage Policy permission to be useful, users should also be granted the View permission. For SSH keys, you must have the Manage Policy permission in the target folder to move a keyset into that folder. |
| Delete | Lets the user delete objects. For SSH keys, you need the Delete permission to remove keysets from all folders (returning the keyset to device-level permissions). For SSH keys, you also need the Delete permission in the source folder when moving a keyset from one folder to another. |
| Rename | Lets the user rename objects or move them within the tree. To move an object, the holder must have the Create permission in the target location. When an object is moved, locked policy attributes are recalculated. |
| Associate | If you have Write permissions to a Certificate object and both Associate and View permissions to the application(s) where the certificate is installed, you can perform the following functions in the Certificate object’s Certificate Associations page: If you have Write permissions to an Application object and both Associate and View permissions to the certificate installed on the application, you can perform the following functions in the Application object’s Settings page: This permission is relevant only to Policy, Application, and Certificate objects. To associate an object with another object, you must have View permission on both objects. Additionally, to push a certificate to an installation, a user must also have View permissions to the device object where the application is created. Note that if View permission is not granted to the device object where the application is created, the Install button will not be available to the user in Aperture. |
| Revoke | Revoking a certificate makes it invalid. You must have Write permissions to the certificate. Once you revoke a certificate, you cannot undo the action. |
| Private Key Read | You can download the private key from the Trust Protection Foundation database, if the key is archived in the Trust Protection Foundation database. This permission is relevant only to Policy and Certificate objects. |
| Private Key Write | You can upload a certificate private key file to the Trust Protection Foundation database. This permission is relevant only to Policy, Certificate, and Private Key Credential objects. |
| Admin | Grant other user or group Identities permissions to the current object or subordinate objects. In the Aperture console, this permission is called Manage Permissions. |
| Manage Permissions (Aperture console only) | Grant other user or group Identities permissions to the current object or subordinate objects. In Policy Tree, this permission is called Admin. |
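To make the combination rules in this table concrete, here is an added Python model (not Trust Protection Foundation code) of how grants flow down a Policy Tree and how the inferred-permission and Associate rules above combine. The object paths, identities and grants are constructed sample data, and grants are assumed to accumulate down the tree (overriding an inherited permission on a child object is not modelled).

```python
from typing import Dict, FrozenSet, Set

# Explicit grants, keyed by object path and then by identity (constructed sample data).
GRANTS: Dict[str, Dict[str, FrozenSet[str]]] = {
    "/Policy": {"pki-admins": frozenset({"View", "Write", "Admin"})},
    "/Policy/Certs": {"policy-editors": frozenset({"Manage Policy"})},
    "/Policy/Certs/www.example.com": {"app-owners": frozenset({"Write"})},
    "/Policy/Devices/srv1/web01": {"app-owners": frozenset({"Associate", "View"})},
}

# Permissions the table says are inferred from another permission.
IMPLIED: Dict[str, Set[str]] = {
    "Write": {"Read"},                    # Write: "Read permissions are inferred"
    "Create": {"View"},                   # Create: "View is inferred"
    "Manage Policy": {"Read", "Write"},   # Manage Policy: View is NOT implied
}

def effective(identity: str, path: str) -> FrozenSet[str]:
    """Grants on the object plus grants on every parent object (permissions
    flow down the tree), expanded with the inferred permissions."""
    perms: Set[str] = set()
    parts = path.strip("/").split("/")
    for depth in range(1, len(parts) + 1):
        node = "/" + "/".join(parts[:depth])
        perms |= GRANTS.get(node, {}).get(identity, frozenset())
    for p in list(perms):
        perms |= IMPLIED.get(p, set())
    return frozenset(perms)

def can_associate(identity: str, cert: str, app: str) -> bool:
    """Certificate Associations page rule: Write on the certificate, plus either
    Write, or both Associate and View, on the application."""
    cert_p, app_p = effective(identity, cert), effective(identity, app)
    return "Write" in cert_p and ("Write" in app_p or {"Associate", "View"} <= app_p)

def can_push(identity: str, cert: str, app: str, device: str) -> bool:
    """Pushing the certificate and private key to an installation additionally
    needs View on the device object under which the application was created."""
    return can_associate(identity, cert, app) and "View" in effective(identity, device)

if __name__ == "__main__":
    CERT = "/Policy/Certs/www.example.com"
    APP, DEV = "/Policy/Devices/srv1/web01", "/Policy/Devices/srv1"
    for who in ("pki-admins", "app-owners", "policy-editors"):
        print(who, sorted(effective(who, CERT)),
              can_associate(who, CERT, APP), can_push(who, CERT, APP, DEV))
```

Note that app-owners can associate the certificate with web01 but cannot push it, because they hold no View on the srv1 device object, and policy-editors gain Read and Write on the certificate without View.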