Signum supports Role-Based Access Control (RBAC) through the concept of "Roles". A role in Signum is a set of permissions that defines what a user is able to view and edit in the Signum Admin Web Console and any associated APIs.
This model allows granular permissions to be defined for specific users and groups. For example, one role may allow a group of users to generate Certificate Signing Requests (CSRs) and import certificates, while another role may only allow users to view certificate usage events.
Getting Started with Roles
Some helpful items to keep in mind when working with roles:
- A user can only have one role at a time. If a user belongs to multiple IdP groups that are each assigned a different role, the role with the highest priority (the lowest priority number) applies. See Roles Example for details.
- Only users who need to access the Admin Web Console need a role. Users who only sign files through a Signum Agent do not need a role; signing access is controlled entirely by Policies.
- A role can be assigned to individual users or to IdP user groups.
- A user assigned a role with no certificate groups and no permissions can authenticate to the Admin Web Console but cannot view or access anything.
How Groups and Roles Fit Together
Before working with roles, it helps to understand the two types of groups in Signum and what each one does:
User Groups: Come from your Identity Provider (Azure AD, Okta) and are passed into Signum when a user authenticates through a SAML2 or OAuth2 domain. Signum does not create or manage user groups; it only receives them at login. Their purpose in Signum is role assignment: you can assign a role to an IdP group so that every member of that group gets the role automatically, without listing each user individually. Local Users and Certificate Users domains do not have groups, so users in those domains must be assigned roles individually.
Certificate Groups: Collections of signing certificates, created and managed in Signum by the Signum Administrator. Their purpose is visibility and delegation: a certificate must be in a group before any non-administrator user can see it or assign it to a policy. When you create a role, you assign it one or more certificate groups. This determines which certificates that role's users can work with.
The relationship between them runs through the Role: user groups (or individual users) are assigned to a role, and certificate groups are assigned to a role. A user who has a role gains visibility of the certificates in that role's certificate groups, and can assign those certificates to policies, subject to the permissions also set on the role.
| | User Groups | Certificate Groups |
|---|---|---|
| What they contain | Users from your IdP | Signing certificates |
| Created in | Your Identity Provider | Signum Admin Web Console |
| Purpose | Assign a role to many users at once | Control which certificates a role can see and use in policies |
For a full explanation of Certificate Groups, see Certificate Groups.
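The following is an added illustrative model of the access rules described above (single effective role chosen by priority, certificate visibility derived from the role's certificate groups, and signing governed by Policies rather than roles). It is not Signum's code or API: the role and directory structures, the integer priority encoding (lower number wins), the permission names, the policy shape and the sample directory data are all assumptions constructed for the example. The page only states the priority rule for a user in several IdP groups; treating a directly assigned role as one more candidate is this model's assumption. The `shadowed_roles` helper is the check an administrator would want: it lists the roles a user is mapped to but never receives, which is how a "read-only" group membership silently overridden by a more powerful group gets noticed.

```python
"""Illustrative model of Signum-style role resolution (added example, not Signum code).

Assumptions not taken from the page: lower priority number wins; permissions are
free-form strings; a policy is a (user, certificate) pair permitted to sign.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Role:
    name: str
    priority: int               # assumed encoding: lower number = higher priority
    permissions: frozenset      # assumed free-form permission names
    certificate_groups: frozenset  # certificate groups assigned to the role


@dataclass
class Directory:
    certificate_groups: dict    # cert group name -> certificates (managed in Signum)
    group_roles: dict           # IdP group name -> Role
    user_roles: dict            # user id -> Role (direct assignment)
    policies: frozenset         # assumed shape: (user, certificate) pairs allowed to sign


def candidate_roles(d, user, idp_groups):
    """Roles reachable by the user: a direct assignment plus one per IdP group.
    Local Users and Certificate Users domains carry no groups, so for them
    idp_groups is empty and only a direct assignment can apply."""
    roles = []
    if user in d.user_roles:
        roles.append(d.user_roles[user])
    roles.extend(d.group_roles[g] for g in idp_groups if g in d.group_roles)
    return roles


def effective_role(d, user, idp_groups):
    """The single role that applies: best (lowest) priority among the candidates."""
    roles = candidate_roles(d, user, idp_groups)
    return min(roles, key=lambda r: r.priority) if roles else None


def shadowed_roles(d, user, idp_groups):
    """Roles the user is mapped to but never receives because another role wins."""
    winner = effective_role(d, user, idp_groups)
    return sorted({r.name for r in candidate_roles(d, user, idp_groups) if r is not winner})


def visible_certificates(d, role):
    """Certificates the role's users can see and assign to policies: the union of
    the role's certificate groups. No role, or no certificate groups, yields nothing."""
    if role is None:
        return frozenset()
    certs = set()
    for g in role.certificate_groups:
        certs |= d.certificate_groups.get(g, frozenset())
    return frozenset(certs)


def console_access(d, user, idp_groups):
    """What the user can do in the Admin Web Console."""
    role = effective_role(d, user, idp_groups)
    return {
        "role": role.name if role else None,
        "permissions": sorted(role.permissions) if role else [],
        "certificates": sorted(visible_certificates(d, role)),
        "shadowed_roles": shadowed_roles(d, user, idp_groups),
    }


def can_sign(d, user, cert):
    """Signing through an agent is decided by Policies alone; the role is not consulted."""
    return (user, cert) in d.policies


# Constructed sample data (not from any real deployment).
OPERATOR = Role("pki-operator", 1, frozenset({"generate_csr", "import_certificate"}),
                frozenset({"release-signing"}))
AUDITOR = Role("auditor", 5, frozenset({"view_usage_events"}), frozenset({"release-signing"}))
EMPTY = Role("placeholder", 9, frozenset(), frozenset())

SAMPLE = Directory(
    certificate_groups={"release-signing": frozenset({"windows-ev", "macos-dev-id"})},
    group_roles={"grp-pki-operators": OPERATOR, "grp-auditors": AUDITOR},
    user_roles={"local-helper": EMPTY},
    policies=frozenset({("build-bot", "windows-ev")}),
)

if __name__ == "__main__":
    # alice is in both IdP groups: operator (priority 1) wins, auditor is shadowed
    print(console_access(SAMPLE, "alice", ["grp-auditors", "grp-pki-operators"]))
    # local-helper has a role with no permissions and no cert groups: logs in, sees nothing
    print(console_access(SAMPLE, "local-helper", []))
    # build-bot has no role at all; a policy still lets it sign, the console shows it nothing
    print(console_access(SAMPLE, "build-bot", []), can_sign(SAMPLE, "build-bot", "windows-ev"))
```

Running the block prints the three cases from the list above: a user in two groups receives only the higher-priority role, a role with nothing assigned grants authentication but no visibility, and an agent-only identity signs under a Policy without holding any role.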
In this section
- Creating a Role: Step-by-step guide to configuring role permissions, certificate group assignments, and user assignments
- Roles Example: Example showing how priority and group membership interact when a user belongs to multiple groups