Access Management

The access management node in Venafi Configuration Console (and the matching MMC snap-in) allows you to configure and manage access to Trust Protection Platform by way of Venafi's public APIs.

Equivalent functionality can be accessed using the OAUTH endpoints in the public API. For detailed information, see Grant management endpoints.

The access management overview page gives you a brief overview of the access that has already been granted, as well as a list of current global access management settings.

There are several possible actions on the overview page. Your ability to see or use them will depend on the role assigned to your identity. For information about roles in access management, see Using roles for access management in Venafi Configuration Console. Possible actions include:

  • Change Global Settings

  • Revoke User Grants

  • Delete Identity Rules

Depending on your role, you may have the ability to view or edit global settings.

Filtering the table

Click a tab button to see the settings for that tab.

Tab Field Description
General Username + Password

The client passes a username and password to the VEDAuth server.

This is the same username and password that could be used to log in to the web console.

Learn more about username and password authentication.
General Integrated (Windows) Authentication

The client passes Windows credentials to Venafi for access.

Learn more about Windows authentication.
General Json Web Token (JWT)

A token in JSON format that is used to communicate between a trusted identity provider and Venafi Platform.

Learn more about JWT authentication.
Certificate Enabled

The caller passes a client certificate to Venafi for access.

Learn more about certificate authentication.
Certificate User identity field

The field from the X.509 certificate used to match the certificate with an identity in the system.

  • You can specify an SID as the certificate field and specify a backup field if the SID is not found.

  • You can choose to always use a selected certificate field.
Certificate Client certificate issuers The CA(s) that are approved to issue client certificates for authentication. You can select one or more client certificate issuers to trust.
Device Enabled

Device authorization allows for manual approval of devices in accordance with RFC 8628.

Learn more about device authentication.
Device Verification URI The URI used for device authorization. This is the URI the device can use for verification, but doesn't include the user code. This response complies with section 3.2 of RFC 8628.
Device Usercode verification URI A verification URI that includes the user code, but is designed for non-textual transmission.
Grants

Access token validity

The duration of time between authentication prompts. Must be equal to or less than the grant validity.

Access tokens automatically expire when the grant validity expires. This setting allows you to increase security by requiring periodic authentication to the system. When a token expires, if the access grant is still valid, a user can obtain a new token.

Access tokens have a minimum validity period of one minute. They have an effective maximum validity period of the grant validity, since even if access tokens are still valid, once the grant validity expires, no access is granted.

Learn more about the terms used on this tab.
Grants Grant validity

The duration of time that the application will be able to access Venafi Platform. After the grant validity expires, an administrator will need to create a new application.

A grant length can exceed the access token validity to require users to confirm their credentials more frequently.
Grants Refresh enabled

When disabled, the system uses the grant validity period as both the grant validity and the access token validity.

When enabled, the system allows the token validity to expire, requiring reauthentication for continued access.

Grants Revoke if... Allows you to conditionally revoke the grant if the access token is not used for a specified period of time.
WebSDK API Statistics

Controls whether statistical information about your API usage is sent to Venafi. These statistics only include these three things:

  • The name of the endpoint.

  • The date and time the endpoint was accessed.

  • The duration of time it took for the endpoint to return data to you (if timing is enabled).

No sensitive data is accessible to the statistics engine. See our statement on user analytics.

Venafi uses this data to help us understand how Trust Protection Platform's APIs are being used so we can target our development efforts in the areas where our customers are using the product.

Statistics are collected using a product called Pendo. Their data privacy policies apply in addition to the Venafi Trust Protection Platform privacy policy.

WebSDK Session cache size

(Called Session pool size in the web console.) Specifies the number of concurrent sessions for API calls. If the number of simultaneous API calls exceeds the pool size, the oldest unused session is removed from the pool.

Learn more about the terms used on this tab.
WebSDK

Validate/Expire every

The number of minutes each access token remains in memory. This functions essentially like a session cache, ensuring callers remain authorized to access the system.

The default is five minutes.

This field is used in conjunction with the Validate Grant on Every API Access setting.

If the Validate Grant on Every API Access setting is enabled, this setting is ignored.

If the Validate Grant on Every API Access setting is disabled (recommended), this setting applies.

WebSDK Drop inactive sessions after If a token is not used for this period of time, it is access permission is dropped. When the client reconnects, they will need to authenticate again.
WebSDK Refresh user rights every

Determines how often user permissions are validated. While a token may remain valid, a caller's permissions within a scope may have changed. This setting determines how often the system validates these permissions.

Longer times are more performant. Shorter times are more secure. The default is five minutes.

Learn more about scopes and restrictions.
WebSDK Validate grant on every API access

When unchecked (normal mode), credentials are cached for a specified amount of time (determined by the Validate/Expire every setting, above).

When checked (strict mode), credentials are checked on every single API call, which has a measurable decrease in performance.1

This setting is called Expiration Mode in the web console.

WebSDK Enable API documentation

When you access the documentation on the Trust Protection Platform server in your environment, you can see detailed API documentation in Open API format when you visit the following URL:

https://your-server_url/vedsdk

You can disable is feature if you don't want users to be able to access the OpenAPI version of the documentation at the page listed above.

When enabled, you can determine if you want the default viewer to use OpenAPI Epxlorer, Swagger, or ReDoc.

Default: enabled, Open API 3.0.

If this feature is enabled and users go to the /vedsdk URL, they will see the default viewer. However, they can use a different viewer by using an alternative URL. See Testing the Web SDK from the browser.

Applies to the following roles: Admin and Grant Admin. Application owners need to click on their application in the Client Applications list to revoke user grants tied to their application.

If you want to immediately remove an identity's current grants (but not prevent them from obtaining new grants), use this action to specify which user should have their current grants revoked.

As in all identity fields, you can only see identities from the identity provider your current account is associated with. For example, the local admin user can't see active directory users, and a user logged in through active directory as an admin can't see local users.

Using the MMC snapin, you can configure your local machine to connect to your Venafi server using multiple identities at the same time, making it easy to see how different combinations of roles and scopes provide different access.

DID YOU KNOW?  You can have snap-ins for multiple servers, allowing you to easily manage a complete cluster of Venafi servers, as well as servers in lower (development, test, etc.) environments.

Additionally, since identities cannot see identities from other identity providers (local admins cannot see identities managed by Active Directory, for example), you can add multiple instances of the same snap-in for the same Venafi server, but with different user credentials. This allows you to manage users from multiple identity providers, or even see the rights and permissions granted to users within the same identity provider, but with different roles.

Applies to the following roles: Admin and Grant Admin. Application owners need to click on their application in the Client Applications list to delete the rules tied to their application.

If you want to immediately remove an identity's ability to obtain new or refreshed grants, use this action to specify which user should prevented from obtaining any grants.

As in all identity fields, you can only see identities from the identity provider your current account is associated with. For example, the local admin user can't see active directory users, and a user logged in through active directory as an admin can't see local users.

DID YOU KNOW?  You can have snap-ins for multiple servers, allowing you to easily manage a complete cluster of Venafi servers, as well as servers in lower (development, test, etc.) environments.

Additionally, since identities cannot see identities from other identity providers (local admins cannot see identities managed by Active Directory, for example), you can add multiple instances of the same snap-in for the same Venafi server, but with different user credentials. This allows you to manage users from multiple identity providers, or even see the rights and permissions granted to users within the same identity provider, but with different roles.