Assigning permissions to objects
Permissions for an object (certificate, device, folder, credential, or identity) can be viewed and updated easily. Venafi Platform provides all the information that is available for these objects, and it also shows the cumulative permissions that apply because of permissions granted further up the folder structure.
To assign local permissions to a folder
- From the TLS Protect menu bar, click Configuration > Folders.
- Navigate the folder structure by clicking the folder icon to expand the folder, and then click the folder name you want to edit.
- Click the Permissions link on the left.
- If the identity already exists in the Local Permissions section, add or remove permissions by selecting or deselecting the appropriate check boxes.
- If the identity doesn't exist in the Local Permissions section, do the following:
  - Click Add Identity.
  - In the Identity field, search for the identity that you want to add to the Local Permissions for this object.
  - Select the permissions that you want to add for this identity.
  - Click OK to close the window and preview your changes on the main permissions screen.
- Click the Save button at the bottom of the screen.
IMPORTANT If you don't click Save, these settings will not be saved, including any identities you've added to Local Permissions.
Reviewing permissions and assigning permissions to a non-folder item
- In TLS Protect, open the certificate, device, credential, or folder whose effective permissions you want to review.
- Click the Permissions link on the left.
- Review the identities and the permissions that are granted to an identity at either the local level, or permissions that are granted to the object cumulatively.
  For a given identity, a permission is granted to that identity if a check appears in the box for either the local or the cumulative permission.
- To review the permissions for a specific identity or group of identities, enter the identity (or part of the identity) in the identity filter, then press Enter.
  If you have a large number of identities in the list, you can easily filter the list of identities to find a specific user or group by adding multiple identities to the filter. When multiple identities are in the filter, they are treated as an implied OR search, so you will see results that match any identity, not only results that match all included identities.
- On the TLS Protect menu bar, click Inventory > Identities.
- Use the filters on the left to search for a name or account. Click on the identity name you want to edit.
TIP The Name or Account filter lets you enter the name of a user or a group to review the settings for that individual or group. The Groups filter lets you enter the name of a group, and see all the users that are part of that group.
- Click the Permissions Granted link on the left.
- Review the objects where this identity (or a group this identity belongs to) has been granted explicit permissions to an object.
IMPORTANT You need to have Master Admin permissions in order to edit Permissions Granted.
For more information on identity permissions, see Managing permissions for identities.
The recommended best practice is that you assign permissions to the folders that contain the certificate and devices, rather than explicitly assigning permissions to certificates and devices. This makes permissions management easier and more scalable for the system administrators. However, TLS Protect does allow you to assign local permissions to a specific certificate or device. If you need to assign permissions directly to these items, use the following steps.
To assign local permissions to a certificate or device
- From the TLS Protect menu bar, click Inventory > Certificates or Inventory > Devices.
- Locate the certificate or the device, using a filter if necessary, and click the name of the object to open the object details screen.
- Click the Permissions link on the left.
- If the identity already exists in the Local Permissions section, add or remove permissions by selecting or clearing the appropriate check boxes.
- If the identity doesn't exist in the Local Permissions section, do the following:
  - Click Add Identity.
  - In the Identity field, search for the identity that you want to add to the Local Permissions for this object.
  - Select the permissions that you want to add for this identity.
  - Click OK to close the window and preview your changes on the main permissions screen.
- Click the Save button at the bottom of the screen.
IMPORTANT If you don't click Save, these settings will not be saved, including any identities you've added to Local Permissions.
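The local-versus-cumulative rule and the folder-first recommendation described above can be checked offline against an exported permission list. The following is an added example, not Venafi code: it is a simplified model that assumes cumulative permissions are the union of grants on every ancestor folder, and all paths, identities, groups and permission names in it are constructed sample values.

```python
# Simplified model (an assumption, not Venafi's implementation): a permission is
# effective if it is granted locally on the object OR on any folder above it,
# either to the identity itself or to a group the identity belongs to.

# Constructed sample data: paths, identities, groups and permission names.
FOLDERS = {r"\Policy", r"\Policy\Web"}
LOCAL_GRANTS = {
    r"\Policy": {"grp:pki-admins": {"View", "Read", "Write"}},
    r"\Policy\Web": {"grp:web-team": {"View", "Read"}},
    r"\Policy\Web\shop.example.com": {"user:alice": {"Write"}},
}
GROUPS = {"user:alice": {"grp:web-team"}, "user:bob": {"grp:pki-admins"}}


def ancestors(path):
    """Return every folder above `path`, from the root downwards."""
    parts = path.strip("\\").split("\\")
    return ["\\" + "\\".join(parts[:i]) for i in range(1, len(parts))]


def grants_at(path, identity):
    """Permissions granted locally at `path` to the identity or its groups."""
    principals = {identity} | GROUPS.get(identity, set())
    at_path = LOCAL_GRANTS.get(path, {})
    return set().union(*(at_path.get(p, set()) for p in principals))


def effective(path, identity):
    """Split an identity's permissions on an object into local and cumulative."""
    local = grants_at(path, identity)
    cumulative = set()
    for folder in ancestors(path):
        cumulative |= grants_at(folder, identity)
    return {"local": local, "cumulative": cumulative,
            "effective": local | cumulative}


def direct_object_grants():
    """Non-folder objects that carry local grants (review against folder-first practice)."""
    return sorted(p for p, g in LOCAL_GRANTS.items() if p not in FOLDERS and g)


if __name__ == "__main__":
    cert = r"\Policy\Web\shop.example.com"
    for who in ("user:alice", "user:bob"):
        print(who, effective(cert, who))
    print("objects with direct grants:", direct_object_grants())
```

In this sample, alice's Write permission exists only as a local grant on the certificate, so it is the one entry the direct-grant check reports for review.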