Understanding system roles
Trust Protection Platform includes predefined system roles designed with specific permissions that you can assign to existing users.
You can see which roles are directly assigned to an identity in Venafi Configuration Console on the System Roles node. See Managing system role assignments in Venafi Configuration Console.
These roles include the following:
- Access Management Admin: grants a non-Master Admin user the permissions to modify the roles of users and groups. This role can be granted in VCC.
- Auditor: grants read access to view objects that are public, such as certificates, CSRs, and public keys. Also grants read access to view certain metadata about objects with higher security requirements, such as private keys. Can also read and run existing reports. This role can be granted in Policy Tree or VCC.
  NOTE If the Auditor role is assigned to a user, all other permission assignments to that user are ignored.
- CodeSign Protect Administrator: grants a non-Master Admin full permissions to the CodeSign Protect product for creating and updating templates, flows, signing applications, etc. (This role is sometimes referred to as "Code Signing Administrator".) This role can be granted in VCC.
- Master Admin: grants access to every object, certificate, key, identity, and permission in the system. This role can be granted in Aperture, Policy Tree, or VCC. See About the Master Admin role.
  WARNING! Use the Master Admin role with extreme caution. Users to whom you assign the Master Admin role have full permissions to every object in the Trust Protection Platform database, including certificates, private keys, and credentials. You cannot hide any objects in the system from users who have been given this role.
- Recycle Bin Administrator: grants a non-Master Admin user the permissions to manage the content and settings of the recycle bin. This role is particularly useful for delegating recycle bin management tasks to help desk staff without granting them full Master Admin privileges. This role can be granted in VCC.
  Required access for Recycle Bin Administrator role
  To use the MMC Venafi Recycle Bin Snap-In and related WebSDK APIs, the user needs to be granted access to the Venafi Recycle Bin API Integration.
  To set any engine list in the recycle bin configuration, the user must also have View permissions to the root of the Platform tree.
  Available actions for Recycle Bin Administrator role
  A user with the Recycle Bin Administrator role can perform various actions, such as:
  - Purge, restore, empty and start operations in the recycle bin.
  - Configure the recycle bin settings.
  - Launch the recycle bin snap-in from their desktop if they have been granted permissions to the integration.
  - Perform actions using TppTool. See Using TppTool from the command line and script files.
  How to use the Recycle Bin Administrator role
  - Open Venafi Configuration Console and click System Roles.
  - Click Add Recycle Bin Administrator.
  - Select a user or group to whom you want to assign the role.
  - Open either the Access Management MMC snap-in or go to Aperture > API Integrations, and then add the user or group to the Venafi Recycle Bin integration.
  - Ask the user to install VenafiMMC.msi on their local workstation.
  - Instruct the user to launch mmc.exe and add the 'Venafi Recycle Bin' snap-in.
  - (Alternatively) Instead of using the snap-in, they could also use the Recycle Bin WebSDK APIs.
- Schema Administrator: allows non-Master Admins to modify the operational config schema of the TPP environment. This role enables delegating schema management tasks without granting full Master Admin access. This role can be granted in VCC.
  A user with the Schema Administrator role can perform the following actions:
  - Export and import TPP objects using TppTool, as long as they have permissions to the objects. See Using TppTool from the command line and script files.
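To make the precedence rules in the role list concrete (Master Admin is granted everything and nothing can be hidden from it; an Auditor's other permission assignments are ignored; any other identity gets only what was granted directly), here is an added illustrative model written for this page. It is not Trust Protection Platform's own authorization code: the role names come from the page, while the object model, permission vocabulary, identity names and object paths are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed model of the system-role precedence described on this page.
# Illustrative only: role names are from the page, everything else is assumed.

MASTER_ADMIN = "Master Admin"
AUDITOR = "Auditor"

# Assumed permission vocabulary for the model (not TPP's permission names).
ALL_PERMISSIONS = frozenset({"view", "read", "write", "delete", "manage-permissions"})


@dataclass(frozen=True)
class ProtectedObject:
    path: str
    sensitive: bool = False  # e.g. a private key or credential: only metadata is readable


@dataclass
class Identity:
    name: str
    system_roles: frozenset = frozenset()
    # Permissions granted directly on individual objects (object path -> permissions).
    direct_permissions: dict = field(default_factory=dict)


def effective_permissions(identity: Identity, obj: ProtectedObject) -> frozenset:
    """Resolve what an identity may do with an object under the page's rules."""
    # Master Admin: full permissions to every object; no object can be hidden.
    if MASTER_ADMIN in identity.system_roles:
        return ALL_PERMISSIONS
    # Auditor: read-only, and every other assignment to that user is ignored.
    # Public objects are readable; for sensitive objects only metadata is visible.
    if AUDITOR in identity.system_roles:
        return frozenset({"read-metadata"}) if obj.sensitive else frozenset({"read"})
    # Otherwise only the direct per-object assignments apply.
    return frozenset(identity.direct_permissions.get(obj.path, ()))


def who_can_modify(identities, obj: ProtectedObject) -> list:
    """Names of identities whose effective rights allow altering the object.

    A defender reviewing exposure of a sensitive object wants this list short."""
    return sorted(
        i.name for i in identities
        if effective_permissions(i, obj) & {"write", "delete"}
    )


def sample_identities() -> list:
    """Constructed sample identities (hypothetical names and paths)."""
    cert_path = "Policy/Example/web01"
    return [
        # Auditor who was also given a direct write grant: the grant is ignored.
        Identity("alice", frozenset({AUDITOR}), {cert_path: {"read", "write"}}),
        Identity("bob", frozenset({MASTER_ADMIN})),
        Identity("carol", direct_permissions={cert_path: {"read", "write"}}),
    ]


if __name__ == "__main__":
    cert = ProtectedObject("Policy/Example/web01")
    key = ProtectedObject("Policy/Example/web01 private key", sensitive=True)
    for ident in sample_identities():
        print(ident.name, sorted(effective_permissions(ident, cert)),
              sorted(effective_permissions(ident, key)))
    print("can modify cert:", who_can_modify(sample_identities(), cert))
```

Running the block shows that alice's direct write grant never takes effect while she holds the Auditor role, which is exactly why the NOTE above matters when you audit a user's effective rights: the direct assignment is still present in the tree but is not enforced.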