Assigning permissions to an object in Policy Tree
The Permissions tab allows you to assign access permissions to the current object. You can also manage permissions via parent objects, including the folder that contains the object.
TIP Because permissions assigned in parent objects flow down the tree to the subordinate objects, defining admin permissions in a parent object, such as a Policy object, is an efficient way to manage administrative permissions to your encryption resources. It is not necessary to assign permissions to individual objects unless you want to override the permissions inherited from the parent object.
For more information on permissions management in Trust Protection Platform, see Working with identities, permissions, and teams in the Venafi Trust Protection Platform Administration Guide. For information on assigning permissions in a folder, see Using policies to manage encryption assets in the Venafi Trust Protection Platform Administration Guide.
IMPORTANT You must have the View, Admin, and Write permissions to assign object permissions.
- From the TLS Protect menu bar, click Policy Tree.
- Select the Policy tree from the Tree drop-down menu.
- In the Policy tree, select the Certificate object.
- Click the General > Permissions tab.
- Click Add. If the Identity Selector dialog is not populated, enter a search query to retrieve the Identity list. The administration console does not automatically display external users and groups; you must first enter a search string so Trust Protection Platform can query the external Identity store and return the requested users or groups. To display all user or group entries, enter the wildcard character (*).
- Select a User or Group Identity. Shift+click selects multiple contiguous users and groups; Ctrl+click selects multiple discontiguous users and groups.
- In the Policy Tree, click to move the users to the Selected list, and then click Select to add the users to the object's Permissions tab.
- Select the permissions you want the User or Group Identity to have, and then click Apply/Save. In the Policy Tree, permission assignments are updated the next time the affected user logs in to the console or clicks Refresh in a grid or tree view.
The following table explains the available permissions:

| Permission | Allows the holder to... |
|---|---|
| View | See the object in the tree, but not select the object or read its values. |
| Read | See and select the object in the tree and read the object data; no buttons are enabled, so the user cannot edit or manage the object. View is inferred. In Certificate objects, users with Read on the certificate see only those associated applications on which they have View or higher on the Application object. In Application objects, users with Read on the application see the associated certificate only if they have View or higher on the Certificate object. |
| Write | Edit and modify object attributes. To move objects in the tree, the user must have Write on the objects and Create on the target folder. View and Read are inferred. In Certificate and Application objects, the user also has access to the options on the pages listed in the next rows. |
| | Certificate Summary page: users with Write on the Certificate object have access to the Restart, Retry, Reset, and Revoke options. |
| | Certificate Settings page: users with Write on the Certificate object have access to the Renew Now option. |
| | Certificate Associations page: users with Write on the Certificate object see all associated applications, regardless of their permissions to the individual applications. They can add associations, use the Retry Installation option, push the certificate and private key, and enable or disable the certificate only on those applications to which they have either Write, or both Associate and View. |
| | Application Settings page: users with Write on the Application object can add associations only if no certificate is currently associated with the Application object, or if they have either Write, or both Associate and View, on the associated Certificate object. They have access to the Retry Installation option and can push the certificate and private key to the application only if they have either Write, or both Associate and View, on the associated Certificate object. |
| Create | Create subordinate objects. View is inferred. |
| Delete | Delete the object. |
| Rename | Rename the object or move it within the tree. To move an object, the holder must also have Create in the target location. When an object is moved, locked policy attributes are recalculated. |
| Associate | If you have Write on a Certificate object and both Associate and Read on the application(s) where the certificate is installed, you can perform the following functions in the Certificate object's Certificate Associations page. If you have Write on an Application object and Associate on the certificate installed on the application, you can perform the following functions in the Application object's Settings page. This permission is relevant only to Policy, Application, and Certificate objects. |
| Private Key Read | Download the private key from the Trust Protection Platform database, if the key is archived there. This permission is relevant only to Policy and Certificate objects. |
| Private Key Write | Upload a certificate private key file to the Trust Protection Platform database. This permission is relevant only to Policy, Certificate, and Private Key Credential objects. |
| Admin | Grant other user or group Identities permissions to the current object or subordinate objects. |
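The rules in the table compose: permissions flow down from parent objects, some permissions infer others, and the Certificate Associations checks depend on permissions held on two different objects. The following is an added model of those rules (example code, not Venafi's implementation); it assumes that a permission entry assigned directly on an object overrides the inherited entry for the same identity, and the tree, identities and names are constructed for illustration.

```python
from typing import Dict, FrozenSet, Optional

# Permissions the table says are inferred from a higher permission.
INFERRED = {"Read": {"View"}, "Write": {"View", "Read"}, "Create": {"View"}}

class Node:
    """One Policy Tree object; acl holds permissions assigned directly on it."""
    def __init__(self, name: str, parent: Optional["Node"] = None) -> None:
        self.name, self.parent = name, parent
        self.acl: Dict[str, FrozenSet[str]] = {}

    def assign(self, identity: str, *perms: str) -> None:
        self.acl[identity] = frozenset(perms)

def effective(node: Node, identity: str) -> FrozenSet[str]:
    """Nearest object up the tree with an entry for the identity wins (a direct
    assignment overrides the inherited one; modelling assumption), then the
    inferred permissions are added."""
    n = node
    while n is not None:
        if identity in n.acl:
            perms = set(n.acl[identity])
            for p in list(perms):
                perms |= INFERRED.get(p, set())
            return frozenset(perms)
        n = n.parent
    return frozenset()

def can_add_association(cert: Node, app: Node, identity: str) -> bool:
    """Certificate Associations page: needs Write on the certificate and, on
    the application, either Write or both Associate and View."""
    app_p = effective(app, identity)
    return ("Write" in effective(cert, identity)
            and ("Write" in app_p or {"Associate", "View"} <= app_p))

def can_move(obj: Node, target: Node, identity: str) -> bool:
    """Write row: moving needs Write on the object and Create on the target."""
    return ("Write" in effective(obj, identity)
            and "Create" in effective(target, identity))

# Constructed sample tree (not real data): one policy with two folders.
root = Node("Policy")
certs, apps = Node("Certificates", root), Node("Applications", root)
cert = Node("web-cert", certs)
app1, app2 = Node("web-server-1", apps), Node("web-server-2", apps)
root.assign("alice", "Write")   # flows down to every subordinate object
app2.assign("alice", "Read")    # override on one application: Read only
apps.assign("bob", "Associate", "View")  # bob can associate but not edit
```

Running `effective(cert, "alice")` shows the inferred View and Read alongside the Write assigned at the policy, while `can_add_association(cert, app2, "alice")` is refused because the override on that application leaves neither Write nor Associate.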