User permissions
When you set up the GCP service account that Next-Gen Trust Security uses, grant it the permissions listed below for the authentication method you have chosen.
Next-Gen Trust Security Generated Key authentication permissions
| Action(s) | Required permissions |
|---|---|
| Allow Next-Gen Trust Security to create (provision) a new certificate for Certificate Manager. | certificatemanager.certs.create |
| Allow certificate metadata to be retrieved (after the certificate creation operation completes). | certificatemanager.certs.get |
| Verify access to Certificate Manager. | certificatemanager.certs.list |
| Allow Next-Gen Trust Security to replace or reprovision a certificate. | certificatemanager.certs.update |
| Allow Next-Gen Trust Security to list Certificate Manager locations. | certificatemanager.locations.list |
| Allow Next-Gen Trust Security to check an operation status (for example, certificate creation or replacement). | certificatemanager.operations.get |
| Allow Next-Gen Trust Security to obtain details of projects associated with the service account. | resourcemanager.projects.get |
Workload Identity Federation - Built-in Identity authentication permissions
| Action(s) | Required permissions |
|---|---|
| Allow Next-Gen Trust Security to create (provision) a new certificate for Certificate Manager. | certificatemanager.certs.create |
| Allow certificate metadata to be retrieved (after the certificate creation operation completes). | certificatemanager.certs.get |
| Verify access to Certificate Manager. | certificatemanager.certs.list |
| Allow Next-Gen Trust Security to replace or reprovision a certificate. | certificatemanager.certs.update |
| Allow Next-Gen Trust Security to list Certificate Manager locations. | certificatemanager.locations.list |
| Allow Next-Gen Trust Security to check an operation status (for example, certificate creation or replacement). | certificatemanager.operations.get |
| Allow Next-Gen Trust Security to obtain details of projects associated with the service account. | resourcemanager.projects.get |
| Allow access tokens to be issued for the service account. | iam.serviceAccounts.getAccessToken |
Workload Identity Federation – Azure Identity Provider authentication permissions
| Action(s) | Required permissions |
|---|---|
| Allow Next-Gen Trust Security to create (provision) a new certificate for Certificate Manager. | certificatemanager.certs.create |
| Allow certificate metadata to be retrieved (after the certificate creation operation completes). | certificatemanager.certs.get |
| Verify access to Certificate Manager. | certificatemanager.certs.list |
| Allow Next-Gen Trust Security to replace or reprovision a certificate. | certificatemanager.certs.update |
| Allow Next-Gen Trust Security to list Certificate Manager locations. | certificatemanager.locations.list |
| Allow Next-Gen Trust Security to check an operation status (for example, certificate creation or replacement). | certificatemanager.operations.get |
| Allow Next-Gen Trust Security to obtain details of projects associated with the service account. | resourcemanager.projects.get |
| Allow issuance of access tokens for the service account (required for Azure WIF impersonation). | iam.serviceAccounts.getAccessToken |
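The three tables above differ only in whether `iam.serviceAccounts.getAccessToken` is present, so the cleanest way to grant exactly these permissions is a GCP custom role per authentication method rather than a broad predefined role. The script below is an added example, not part of the Next-Gen Trust Security documentation: it builds the permission list for a chosen method from the tables above, emits the YAML layout that `gcloud iam roles create --file` accepts, and shows the `gcloud` calls that create the role and bind it to the service account. The project ID, role ID prefix, service-account e-mail and the `/tmp` output path are placeholders of this example; the `apply_role` function is the only part that needs `gcloud` and network access.

```shell
#!/usr/bin/env sh
# Added example (not from the Next-Gen Trust Security docs): build a
# least-privilege GCP custom role holding exactly the permissions listed in
# the user-permissions tables for one authentication method.

# Permissions shared by all three authentication methods (from the tables).
COMMON_PERMISSIONS="certificatemanager.certs.create
certificatemanager.certs.get
certificatemanager.certs.list
certificatemanager.certs.update
certificatemanager.locations.list
certificatemanager.operations.get
resourcemanager.projects.get"

# Print one permission per line for a method:
#   generated-key  -> Next-Gen Trust Security Generated Key authentication
#   wif-builtin    -> Workload Identity Federation, built-in identity
#   wif-azure      -> Workload Identity Federation, Azure identity provider
permissions_for() {
  case "$1" in
    generated-key)
      printf '%s\n' "$COMMON_PERMISSIONS" ;;
    wif-builtin|wif-azure)
      # Both WIF variants additionally need to mint access tokens for the
      # service account they impersonate.
      printf '%s\n' "$COMMON_PERMISSIONS"
      printf '%s\n' "iam.serviceAccounts.getAccessToken" ;;
    *)
      echo "unknown authentication method: $1" >&2
      return 1 ;;
  esac
}

# Number of permissions in the role for a method (sanity check for reviews).
permission_count() {
  permissions_for "$1" | wc -l | tr -d ' '
}

# Emit a custom-role definition in the YAML layout gcloud expects.
role_yaml() {
  printf 'title: "Next-Gen Trust Security (%s)"\n' "$1"
  printf 'description: "Least-privilege role for certificate provisioning via Certificate Manager"\n'
  printf 'stage: "GA"\n'
  printf 'includedPermissions:\n'
  permissions_for "$1" | sed 's/^/- /'
}

# Create the role and bind it to the service account. Requires gcloud and
# an authenticated session, so it only runs when called explicitly.
# Usage: apply_role PROJECT_ID wif-azure ngts-sa@PROJECT_ID.iam.gserviceaccount.com
apply_role() {
  project="$1"; method="$2"; sa_email="$3"
  # Custom role IDs allow letters, digits, periods and underscores only.
  role_id="ngts_$(printf '%s' "$method" | tr '-' '_')"
  role_yaml "$method" > "/tmp/${role_id}.yaml"
  gcloud iam roles create "$role_id" --project="$project" --file="/tmp/${role_id}.yaml"
  gcloud projects add-iam-policy-binding "$project" \
    --member="serviceAccount:${sa_email}" \
    --role="projects/${project}/roles/${role_id}"
}
```

One design point worth weighing when you run this for a WIF method: a project-level binding of a role containing `iam.serviceAccounts.getAccessToken` lets the bound principal mint tokens for every service account in that project. If your policy demands the narrowest grant, keep the Certificate Manager permissions in the custom role and grant the token permission separately on the single target service account (`roles/iam.serviceAccountTokenCreator` via `gcloud iam service-accounts add-iam-policy-binding`), so the impersonation right is scoped to that one identity.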