
Creating a Role

To create a new role in Signum, navigate in the Admin Web Console to Access > Roles and select New.


This will bring up the role creation wizard, which will walk you through the steps of creating a new role.

General Role Settings


| General Role Settings | Description |
| --- | --- |
| Name | The name for the new role. |
| Description | An optional field to enter additional descriptive information about this role. |

Priority

Here is how Signum handles Role priority assignments:

  • A user directly assigned to a role (that is, not as part of a group) will always have the highest priority. For example, if a user is directly assigned a role AND is a member of a group assigned a different role, the direct role assignment will be the effective role, even if the group role assignment has a higher priority.

  • If a user is a member of multiple groups and each group has different role assignments, then the role with the highest priority will be the effective role.

  • Do not assign two groups of users roles with the same level of priority, as this can cause the roles to be applied inconsistently.

  • Priority levels are numbered with 0 being the highest priority.

For more information about how priority impacts role assignment see the Roles Example.
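
The priority rules above, modeled as an added example (this is not Signum code and calls no Signum API): `effective_role` resolves a user's effective role and reports equal-priority ties instead of picking a winner. The role names, users, groups and data layout are constructed, and comparing several direct roles by priority is an assumption the page does not state.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Role:
    name: str
    priority: int  # 0 is the highest priority, as stated on this page

def effective_role(user, user_groups, direct, group_roles):
    """Return (role, source, warning) for `user` under the documented rules.

    direct:      {user: [Role, ...]}   roles assigned to the user directly
    group_roles: {group: [Role, ...]}  roles assigned to groups
    """
    # Rule 1: a direct assignment always beats any group assignment,
    # even when the group role has a better (lower) priority number.
    # Assumption: several direct roles are compared by priority as well.
    candidates, source = direct.get(user, []), "direct"
    if not candidates:
        # Rule 2: otherwise the best-priority role across all groups wins.
        candidates = [r for g in user_groups for r in group_roles.get(g, [])]
        source = "group"
    if not candidates:
        return None, None, None
    best = min(r.priority for r in candidates)
    tied = sorted({r.name for r in candidates if r.priority == best})
    # Rule 3: equal priorities are applied inconsistently, so report the tie
    # instead of guessing a winner.
    if len(tied) > 1:
        return None, source, f"priority {best} shared by: {', '.join(tied)}"
    winner = next(r for r in candidates if r.priority == best)
    return winner, source, None

# Constructed sample data (not from a real deployment).
AUDITOR, SIGNER = Role("Auditor", 5), Role("Signer", 2)
PKI_ADMIN, RELEASE = Role("PKI Admin", 0), Role("Release", 2)

DIRECT = {"alice": [AUDITOR]}
GROUP_ROLES = {"pki-admins": [PKI_ADMIN], "devs": [SIGNER], "release": [RELEASE]}
MEMBERSHIP = {
    "alice": ["pki-admins"],        # direct Auditor beats group PKI Admin
    "bob": ["devs", "pki-admins"],  # PKI Admin (0) beats Signer (2)
    "carol": ["devs", "release"],   # Signer and Release tie at priority 2
}

def audit():
    return {u: effective_role(u, g, DIRECT, GROUP_ROLES) for u, g in MEMBERSHIP.items()}

if __name__ == "__main__":
    print(audit())
```

A result with no role and a warning marks a user whose groups carry roles of equal priority, which is the configuration the list above says to avoid.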

Assigning Users & Groups to a Role

This field allows for selecting the users this role will apply to. These are the users that will ultimately have the permissions defined in the last step of the role creation wizard. Users do not have to be assigned during Role creation; they can be added later by editing the role.


| Users of the Role | Description |
| --- | --- |
| Domains | The Domain the users you want to assign this role to are in. Start typing the name of your Domain and it will auto-populate. You can select multiple Domains if needed. |
| Users (Or Groups) | The specific users or groups of users that are part of the selected domain you want to assign this role to. Start typing the name of your users or groups and they will auto-populate. You can select multiple users or groups of users. |

Assigning the Scope of the Role

This field allows for defining the Domain scope for this role. It does not have to be set during Role creation; this property can be changed later by editing the Role.


| Domain Scope | Description |
| --- | --- |
| Domains | The Domains assignment for the role defines which domains will be in scope for this role. If a domain is in the scope, the users of this role will be able to search for and see this domain's users when assigning policies. If required, multiple Domains can be selected. |

Assigning Certificate Groups

Certificate Groups assigned to the role give this role's users the ability to use those certificates when creating policies.


To add a certificate group, select the Add Certificates Group icon; any available certificate groups will be shown in the table. Select the check box for each group that you want to add and, once finished, select Add to add the selected certificate groups to the role.


You can also create a new certificate group from the same window by selecting Add Certificate Group. This will bring up a new window allowing you to enter the name for the new certificate group and optionally a limit on the number of certificates it can contain.


With a certificate group selected, you can then set the certificate group permissions for users who are being assigned the role that is being created.


| Certificate Group Permissions | Description |
| --- | --- |
| Add | Will give users with this role the ability to add certificates to this group. |
| Remove | Will give users with this role the ability to remove certificates from this group. |
| Assign to Policies | Will give users with this role the ability to assign certificates in this group to policies. |
| None | Setting none of these properties will just let users of this role see the certificates. |

If you need to delete a certificate group from the role, click on the actions button of the row you want to exclude and you will be presented with the option to remove it.


Assigning Permissions to a Role

The Permissions settings section of the Role creation wizard allows you to define granular permissions for users of the role. These settings apply to the Admin Web Console and any associated APIs.

  • To enable a permission for a user, select the checkbox next to the permission you want to enable.

  • To disable a permission for a user, do not select the checkbox.

Quick Tip: A user assigned a role with no certificate group(s) and no permissions will be able to authenticate to the Admin Web Console but will be unable to view or access anything.

Certificates Permissions

| Certificate | Description |
| --- | --- |
| Edit | Gives users the permissions to: Disable / Enable a certificate; Edit Certificate Settings (Alias of the Certificate, Certificate use reason, Set a Pin on Certificate). |
| Delete | Can delete a certificate, which will delete the associated private key material. This is permanent. |
| Manage Owners | Gives users the permissions to: Edit or assign an Owner to a certificate. |

Quick Tip: The Owner of a certificate can use the certificate, superseding all policies.

| Alerts | Description |
| --- | --- |
| View | Gives a user the ability to view any configured Certificate Alerts. |
| Create | Gives a user the ability to create Certificate Alerts. |
| Edit | Gives a user the ability to edit any Certificate Alerts that have been created. |
| Delete | Gives a user the ability to delete any Certificate Alerts that have been created. |

| Certificate Signing Request | Description |
| --- | --- |
| Generate | Gives a user the ability to generate a CSR. This permission also allows a user to renew an existing certificate, which generates a new key pair/CSR. |
| Import Signed Certificate | Gives a user the ability to import a signed certificate against a pending CSR. |
| Delete | Gives a user the ability to delete a CSR, which will delete the associated private key material. This is permanent. |

Policies Permissions

| User Policies | Description |
| --- | --- |
| View | Gives a user the ability to view policies. |
| Edit | Gives a user the ability to edit policies. |
| Delete | Gives a user the ability to delete policies. |
| Create | Gives a user the ability to create policies. |

Quick Tip: The user's role will also need to be assigned to the policy for these settings to be applicable. For more information see Policy Operations.

| Applications | Description |
| --- | --- |
| View | Gives a user the ability to view applications. |
| Edit | Gives a user the ability to edit applications. |
| Delete | Gives a user the ability to delete applications. |
| Create | Gives a user the ability to create applications. |

Events Permissions

| Certificates | Description |
| --- | --- |
| Users | Gives a user the ability to see events related only to other users that are part of the Domain that is scoped by this role. |
| Certificates | Gives a user the ability to see events related only to the certificates that are in the certificate group assigned to this role. |
| Policies | Gives a user the ability to see events related only to the policies that are assigned to this role. |
| All | Gives a user the ability to view all event logs. |

Access Permissions

| Domain Users | Description |
| --- | --- |
| View | Gives a user the ability to view the Domain settings and users. |
| Edit | Gives a user the ability to edit the Domain settings and users. |
