Access Management
The access management node in Venafi Configuration Console (and the matching MMC snap-in) allows you to configure and manage access to Trust Protection Platform by way of Venafi's public APIs.
Equivalent functionality can be accessed using the OAuth endpoints in the public API. For detailed information, see Grant management endpoints.
The access management overview page gives you a brief overview of the access that has already been granted, as well as a list of current global access management settings.
There are several possible actions on the overview page. Your ability to see or use them will depend on the role assigned to your identity. For information about roles in access management, see Using roles for access management in Venafi Configuration Console. Possible actions include:
- Change Global Settings
- Revoke User Grants
- Delete Identity Rules
Depending on your role, you may have the ability to view or edit global settings.
Filtering the table
Click a tab button to see the settings for that tab.
Tab | Field | Description |
---|---|---|
General | Username + Password | The client passes a username and password to the VEDAuth server. This is the same username and password that could be used to log in to the web console. |
General | Integrated (Windows) Authentication | The client passes Windows credentials to Venafi for access. |
General | Json Web Token (JWT) | A token in JSON format that is used to communicate between a trusted identity provider and Venafi Platform. |
Certificate | Enabled | The caller passes a client certificate to Venafi for access. |
Certificate | User identity field | The field from the X.509 certificate used to match the certificate with an identity in the system. |
Certificate | Client certificate issuers | The CA(s) that are approved to issue client certificates for authentication. |
Device | Enabled | Device authorization allows for manual approval of devices in accordance with RFC 8628. |
Device | Verification URI | The URI used for device authorization. This is the URI the device can use for verification, but doesn't include the user code. This response complies with section 3.2 of RFC 8628. |
Device | Usercode verification URI | A verification URI that includes the user code, but is designed for non-textual transmission. |
Grants | Access token validity | The duration of time between authentication prompts. Must be equal to or less than the grant validity. Access tokens automatically expire when the grant validity expires. This setting allows you to increase security by requiring periodic authentication to the system. When a token expires, if the access grant is still valid, a user can obtain a new token. Access tokens have a minimum validity period of one minute. They have an effective maximum validity period of the grant validity, since even if access tokens are still valid, once the grant validity expires, no access is granted. |
Grants | Grant validity | The duration of time that the application will be able to access Venafi Platform. After the grant validity expires, an administrator will need to create a new application. A grant length can exceed the access token validity to require users to confirm their credentials more frequently. |
Grants | Refresh enabled | When disabled, the system uses the grant validity period as both the grant validity and the access token validity. When enabled, the system allows the token validity to expire, requiring reauthentication for continued access. |
Grants | Revoke if... | Allows you to conditionally revoke the grant if the access token is not used for a specified period of time. |
WebSDK | API Statistics | Controls whether statistical information about your API usage is sent to Venafi. These statistics only include these three things: No sensitive data is accessible to the statistics engine. See our statement on user analytics. Venafi uses this data to help us understand how Trust Protection Platform's APIs are being used so we can target our development efforts in the areas where our customers are using the product. Statistics are collected using a product called Pendo. Their data privacy policies apply in addition to the Venafi Trust Protection Platform privacy policy. |
WebSDK | Session cache size | (Called Session pool size in the web console.) Specifies the number of concurrent sessions for API calls. If the number of simultaneous API calls exceeds the pool size, the oldest unused session is removed from the pool. |
WebSDK | Validate/Expire every | The number of minutes each access token remains in memory. This functions essentially like a session cache, ensuring callers remain authorized to access the system. The default is five minutes. This field is used in conjunction with the Validate Grant on Every API Access setting. If the Validate Grant on Every API Access setting is enabled, this setting is ignored. If the Validate Grant on Every API Access setting is disabled (recommended), this setting applies. |
WebSDK | Drop inactive sessions after | If a token is not used for this period of time, its access permission is dropped. When the client reconnects, they will need to authenticate again. |
WebSDK | Refresh user rights every | Determines how often user permissions are validated. While a token may remain valid, a caller's permissions within a scope may have changed. This setting determines how often the system validates these permissions. Longer times are more performant. Shorter times are more secure. The default is five minutes. |
WebSDK | Validate grant on every API access | When unchecked (normal mode), credentials are cached for a specified amount of time (determined by the Validate/Expire every setting, above). When checked (strict mode), credentials are checked on every single API call, which has a measurable decrease in performance. This setting is called Expiration Mode in the web console. |
WebSDK | Enable API documentation | When you access the documentation on the Trust Protection Platform server in your environment, you can see detailed API documentation in Open API format when you visit the following URL: You can disable this feature if you don't want users to be able to access the OpenAPI version of the documentation at the page listed above. When enabled, you can determine if you want the default viewer to use OpenAPI Explorer, Swagger, or ReDoc. Default: enabled, Open API 3.0. If this feature is enabled and users go to the |
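A simplified model of how the Grants settings in the table above interact, added here as an illustration and not Venafi's code or API. `GrantSettings`, `check`, `effective_token_validity` and `access_state` are hypothetical names; the order of the checks and the treatment of exact boundary values are assumptions.

```python
from dataclasses import dataclass
from datetime import timedelta
from typing import Optional

MIN_TOKEN_VALIDITY = timedelta(minutes=1)  # minimum stated in the Grants settings


@dataclass(frozen=True)
class GrantSettings:  # hypothetical container, not a Venafi API type
    grant_validity: timedelta
    token_validity: timedelta
    refresh_enabled: bool
    revoke_if_unused: Optional[timedelta] = None  # the "Revoke if..." window


def check(s: GrantSettings) -> list:
    """Return the constraint violations for a proposed set of values."""
    problems = []
    if s.token_validity < MIN_TOKEN_VALIDITY:
        problems.append("access token validity is below one minute")
    if s.token_validity > s.grant_validity:
        problems.append("access token validity exceeds grant validity")
    return problems


def effective_token_validity(s: GrantSettings) -> timedelta:
    """With refresh disabled the grant validity is used for both periods."""
    if not s.refresh_enabled:
        return s.grant_validity
    return min(s.token_validity, s.grant_validity)


def access_state(s, grant_age, token_age, idle):
    """Classify a request by grant age, token age and time since last use."""
    if grant_age >= s.grant_validity:
        return "grant-expired"        # no access, even with a live token
    if s.revoke_if_unused is not None and idle >= s.revoke_if_unused:
        return "revoked-unused"       # assumed to be checked before token age
    if token_age >= effective_token_validity(s):
        return "reauthenticate"       # grant still valid: obtain a new token
    return "granted"


if __name__ == "__main__":
    # Constructed values: 90-day grant, 8-hour tokens, revoke after 30 idle days.
    s = GrantSettings(timedelta(days=90), timedelta(hours=8), True, timedelta(days=30))
    print(check(s), access_state(s, timedelta(days=1), timedelta(hours=9), timedelta(hours=1)))
```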
Applies to the following roles: Admin and Grant Admin. Application owners need to click on their application in the Client Applications list to revoke user grants tied to their application.
If you want to immediately remove an identity's current grants (but not prevent them from obtaining new grants), use this action to specify which user should have their current grants revoked.
As in all identity fields, you can only see identities from the identity provider your current account is associated with. For example, the local admin user can't see Active Directory users, and a user logged in through Active Directory as an admin can't see local users.
Using the MMC snap-in, you can configure your local machine to connect to your Venafi server using multiple identities at the same time, making it easy to see how different combinations of roles and scopes provide different access.
DID YOU KNOW? You can have snap-ins for multiple servers, allowing you to easily manage a complete cluster of Venafi servers, as well as servers in lower (development, test, etc.) environments.
Additionally, since identities cannot see identities from other identity providers (local admins cannot see identities managed by Active Directory, for example), you can add multiple instances of the same snap-in for the same Venafi server, but with different user credentials. This allows you to manage users from multiple identity providers, or even see the rights and permissions granted to users within the same identity provider, but with different roles.
Applies to the following roles: Admin and Grant Admin. Application owners need to click on their application in the Client Applications list to delete the rules tied to their application.
If you want to immediately remove an identity's ability to obtain new or refreshed grants, use this action to specify which user should be prevented from obtaining any grants.
As in all identity fields, you can only see identities from the identity provider your current account is associated with. For example, the local admin user can't see Active Directory users, and a user logged in through Active Directory as an admin can't see local users.