Onboard Users

Setting up users for the code signing capability involves two types of onboarding, depending on what each user needs to do:
  • Users who manage Signing Keys or built-in accounts need a role on the TSG that grants access to the appropriate UI pages.
  • Users who only perform signing operations need the Code Sign Client installed and authenticated using a built-in account. They do not strictly require UI access, but granting at least read access to the Signing Keys page is recommended since it provides an easy way to download the Code Sign Client directly from the UI.

Grant UI Access

Users who need to create or manage Signing Keys or built-in accounts must have a role on the TSG that includes access to the relevant pages. This can be a system-defined role that already includes these permissions, or a custom role configured for your needs.
The Code Signing permissions are found under Next-Gen Trust Security in the permissions list:
  • Signing Keys page — set to write access for users who will create and manage keys, view access for users who only need to view keys or download the Code Sign Client, or no access for users who do not need to interact with Signing Keys in the UI.
  • Built-in Accounts page — set to write access for users who will create and manage built-in accounts.
For common role configurations, see Setting up access for code signing.

Set Up Signing Access

Users who perform signing operations need:
  1. The Code Sign Client installed on their signing workstation. See Install and configure the Code Sign Client.
  2. Authentication credentials from a built-in account (a Client ID and authentication keys). These can be provisioned by an administrator or created by the signer if they have write access to the Built-in Accounts page. See Create a built-in account.

What's Next

If you plan to have your code signing certificates signed by DigiCert, Microsoft AD CS, or Zero Touch PKI, start by setting up a certificate authority.
If you plan to use the Built-in CA, or do not intend to request a certificate at all, you can create a Signing Key.