Granting Permissions to Key Manager Accounts
Each Key Manager permission describes a management action that can be performed using Key Manager accounts that have the permission. Before a Key Manager account can be used to perform management actions, the account must be given the necessary permissions for performing those actions.
Key Manager permissions can be configured to allow a user to perform an action in the entire managed environment, or only in certain host groups:
- Global permissions allow the user of the Key Manager account to perform the specified action on any host in the managed environment. Global permissions can be given to Key Manager accounts using roles. A role is a collection of permissions that is used for performing a logical set of management tasks (for example, tasks that constitute a job description). When a Key Manager account is given a role, that account gains all the permissions that belong to the role.
- Host group-specific permissions allow the user of the Key Manager account to perform the specified actions on the hosts and host groups under the target host group. Host group-specific permissions can be set to apply to a certain account, or to every account with a specific role.
Modifying the Global Permissions of an Account
Global permissions are given to Key Manager accounts through Key Manager roles: A Key Manager account gains all the permissions provided by the roles the account belongs to.
To change the roles that a Key Manager account is associated with, navigate to the Accounts→Accounts page, and perform an Edit action on the target account.
For information on managing Key Manager roles, see Managing Key Manager Roles.
Managing Host-Group Permissions
A Key Manager account or role can be given permissions for a certain host group. A host-group permission is valid on the hosts of the host group, allowing the designated account or role to perform management actions on any host that belongs to the host group, and on any key belonging to the hosts in the host group.
To modify host-group permissions, navigate to the Hosts→Host groups page, and perform a Permissions action on the target host group.
Host-group permissions pertaining to host actions and key actions only apply to the hosts of the associated host group and to the user keys on those hosts. However, host-group-management permissions (such as Create hostgroups under the current one) may apply to host groups other than the one they were defined for; check the name of the permission for indications of its scope.
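The following Python model is an added illustration of how the two permission sources described above combine for a given host; it is not Key Manager's own code, and the host groups, hosts, roles and grants in it are constructed. It implements the rules stated in this document: global permissions come from the roles an account holds and apply to every host; a host-group permission granted to an account, or to every account with a role, applies to the hosts of the target group and of the groups under it; and the Move hosts in a hierarchy permission (see the Host-group permissions list below) is scoped differently when given as a host-group permission. Reading "subgroups" in that rule as all groups under the target group, not only its direct children, is an assumption.

```python
"""Toy resolver for Key Manager-style global and host-group permissions.

Added example, not Key Manager's own code. All names below are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed host-group hierarchy: child group -> parent group (None = top level).
PARENT = {
    "All Hosts": None,
    "Production": "All Hosts",
    "Prod-DB": "Production",
    "Prod-Web": "Production",
    "Lab": "All Hosts",
    "Lab-Sandbox": "Lab",
}

# Constructed host placement: host -> the host group it belongs to.
HOST_GROUP = {"db01": "Prod-DB", "web01": "Prod-Web", "lab01": "Lab"}

# Constructed roles: role -> the global permissions the role carries.
ROLES = {
    "key-auditor": {"View audit events", "View settings"},
    "key-operator": {"Authorize keys", "Rotate host keys"},
}

MOVE = "Move hosts in a hierarchy"


@dataclass
class HostGroupGrant:
    """A host-group permission set on `group`, for one account or for a role."""
    group: str
    permission: str
    account: Optional[str] = None  # account-specific grant
    role: Optional[str] = None     # grant to every account holding the role


@dataclass
class Account:
    name: str
    roles: set = field(default_factory=set)


def ancestors(group):
    """Yield the group itself, then its parent, grandparent, ... up to the top."""
    while group is not None:
        yield group
        group = PARENT[group]


def global_permissions(account):
    """Global permissions are the union of the permissions of the account's roles."""
    perms = set()
    for role in account.roles:
        perms |= ROLES.get(role, set())
    return perms


def applicable_grants(account, grants):
    """Host-group grants that target this account directly or one of its roles."""
    return [g for g in grants
            if g.account == account.name or (g.role is not None and g.role in account.roles)]


def can_perform(account, permission, host, grants):
    """Host/key action check: global permission, or a host-group grant whose target
    group is the host's own group or any group above it in the hierarchy."""
    if permission in global_permissions(account):
        return True
    chain = set(ancestors(HOST_GROUP[host]))
    return any(g.permission == permission and g.group in chain
               for g in applicable_grants(account, grants))


def can_move_host(account, host, destination, grants):
    """Move check. Globally, a host may be moved to a supergroup or subgroup in its
    current branch. As a host-group grant, only moves from the target group down
    into its subgroups, or from those subgroups back up to the target group, pass."""
    source = HOST_GROUP[host]
    same_branch = destination in set(ancestors(source)) or source in set(ancestors(destination))
    if not same_branch:
        return False
    if MOVE in global_permissions(account):
        return True
    for g in applicable_grants(account, grants):
        if g.permission != MOVE:
            continue
        if source == g.group and g.group in set(ancestors(destination)):
            return True  # moving down from the granted group into a subgroup
        if destination == g.group and g.group in set(ancestors(source)):
            return True  # moving up from a subgroup back to the granted group
    return False


# Constructed sample accounts and grants used by the usage below.
GRANTS = [
    HostGroupGrant("Production", "Delete host keys", account="alice"),
    HostGroupGrant("Lab", MOVE, role="key-operator"),
]
ALICE = Account("alice", {"key-auditor"})
BOB = Account("bob", {"key-operator"})

if __name__ == "__main__":
    print(can_perform(ALICE, "Delete host keys", "db01", GRANTS))  # Production covers Prod-DB
    print(can_perform(ALICE, "Delete host keys", "lab01", GRANTS))  # not under Production
    print(can_move_host(BOB, "lab01", "Lab-Sandbox", GRANTS))       # down into a subgroup
    print(can_move_host(BOB, "lab01", "All Hosts", GRANTS))         # out of the granted group
```

Note that a grant on Production reaches db01 through the Prod-DB subgroup, while Bob's move grant on Lab does not let him lift lab01 out of Lab into All Hosts; that asymmetry is the practical consequence of the scope wording in the permission descriptions.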
List of Key Manager Permissions
This section covers the list of Key Manager permissions. All the listed permissions are usable as global permissions. Those permissions that can additionally be set as host-group permissions are emphasized.
Alert permissions
- Edit alerts: Allows the user to manage Key Manager alerts.
Application permissions
- Create and edit applications: The user can create new applications, as well as edit existing applications in the Key Manager system.
Audit-event permissions
- Delete audit events: The user can delete audit events from the audit log.
- View audit events: Allows the user to view the Key Manager key activity, jobs, and audit logs.
Authorization permissions
- Blacklist keys: Allows the user to blacklist keys.
- Move keys to managed state: Keys in the Legacy or Unmanaged state can be changed to the Managed state.
Authorized key permissions
- Approve authorized keys: The user can approve new authorized keys.
- Authorize keys: The user has the permission to authorize keys.
- Delete authorized keys: The user has the permission to delete authorized keys.
- Edit authorized keys: The user can manage authorized keys, for example by setting authorized-key options. Also required for the Set notes action when it targets an authorized key, and for the Set label action.
Global permissions
- Administer the users, groups and permissions: Allows the user to perform administrative tasks pertaining to Key Manager accounts. The user is also allowed to create and configure roles and their associated permissions.
- Approve site configuration*: Approve Key Manager system settings.
- Connect through external API: The user can connect to the Key Manager API. Note that this permission only allows the user to connect to the API; performing actions through the API may require additional permissions.
- Edit secure settings: Allows the user to modify secure host settings, such as host-deployment credentials, privilege-elevation settings, and group and user list commands on Unix and Linux hosts.
- Edit settings: Allows the user to modify Key Manager system settings, excluding host-deployment credentials and privilege-elevation settings.
- Use the web GUI: Allows the user to log into the web-based Graphical User Interface.
- View secure settings: Allows the user to view secure host settings, such as host-deployment credentials and privilege-elevation settings.
- View settings: Allows the user to view Key Manager system settings, excluding host-deployment credentials and privilege-elevation settings.
- View the users, groups and permissions: Allows the user to view Key Manager users, roles, groups and permissions, but does not allow the user to execute any actions.
Host key permissions
- Delete host keys: Allows the user to delete host keys.
- Generate new host keys: Allows the user to generate new host keys.
- Rotate host keys: Allows the user to rotate host keys.
Host permissions
- Add hosts to backend groups: Allows the user to assign hosts under the exclusive management of certain back-end groups.
- Create offline-scanned host entries using imported data: Allows the user to import offline-scan data for hosts that do not have a host entry yet. This permission is required when importing a host for the first time. Note that in order to perform additional offline-scan data imports for the host, you will also need the permission Update offline-scanned host entries using imported data.
- Delete hosts and their related information: The user can delete hosts from the managed environment. Host information on the Key Manager system is irrevocably removed. This does not alter any data on the host itself, however.
- Relocate user keys: The user is allowed to relocate user keys to central directories.
- Set emergency job priority: The user is able to set the emergency priority (job priority 0) on jobs.
- Update offline-scanned host entries using imported data: Allows the user to import new offline-scan data for hosts that have already been imported previously. Note that for importing new hosts, you will also need the permission Create offline-scanned host entries using imported data.
Host-group permissions
- Create hostgroups under the current one: Allows the user to create subgroups under the host group where this permission is applied. If applied globally, allows the user to create subgroups under any existing host group.
- Create top level hostgroups: The account can be used to create top-level host groups.
- Delete hostgroups under the current one: The user can delete subgroups under the host group where this permission is applied. If applied globally, allows the user to delete subgroups under any existing host group.
- Delete top level hostgroups: The user can delete host groups that are directly under the All Hosts group.
- Deploy new hosts to the group: When deploying (adding) hosts to the managed environment, the user is allowed to add the new hosts to the host group where this permission is applied.
- Insert hosts to hierarchies: The account can be used to add hosts that are already in the managed environment into host-group hierarchies.
- Move hosts in a hierarchy: Allows the user to move a host to a supergroup or subgroup in its current hierarchy branch. When this permission is given as a host-group permission, the user can move hosts from this group to its subgroups, and from the subgroups to this group.
- Perform basic administration of hosts: The user can perform host-related management actions, such as adding hosts to the managed environment, changing host states, and initiating host scans. This permission does not grant host group-related permissions.
License permissions
- View a license: View the installed Key Manager licenses.
Policy-rule permissions
- Create policy: The user can create new policy rules.
Private-key permissions
- Approve new private keys: Allows the user to approve new private user keys.
- Create new private keys: Allows the user to create new private keys.
- Delete private keys: Allows the user to delete private keys.
- Edit private key passphrases: The user can modify private-key passphrases.
- Edit private keys: The user can modify private-key labels, notes, and custom fields.
- Renew private keys: The user is allowed to renew private keys.
- View private key passphrases: The user is allowed to view private-key passphrases.
Request permissions
- Process authorization requests: The account can be used to decide (approve, deny, cancel) authorization requests. These requests are typically submitted by application owners via the Key Manager User Portal. Note that to create the requested authorizations, you may also need other permissions, such as permissions for creating and/or modifying user keys.
- Process key requests: Allows the user to decide (approve, deny, cancel) action requests. Action requests are typically submitted by application owners via the Key Manager User Portal. Note that depending on the type of the request being processed, you may need other permissions for approving it (such as the Edit authorized keys permission for Remove-type action requests).
SSH-configuration permissions
- Assign hosts to SSH configurations: Allows the user to assign hosts under existing SSH configurations.
- Create/edit/delete SSH configurations: Allows the user to manage SSH configurations.
- Deploy SSH configurations to hosts: The user is allowed to deploy SSH configurations to hosts.
Tag permissions
- Create new tags: The user can create new tags for use in the Key Manager system.
* Site-configuration approval features are not available in this version of the product.