Roles
Overview
Redtrust implements Role Based Access Control (RBAC) using roles to manage permissions. In Redtrust, a role defines a set of actions a user can perform, determining their access to the admin console and any associated APIs. This RBAC model enables fine-grained control over permissions, allowing administrators to tailor access for specific users and groups. For example, one role could allow a group of users to generate Certificate Signing Requests (CSRs) and import certificates, while another may restrict users to only view certificate usage events.
Role settings
Setting | Description |
---|---|
Name | Name for the role. |
Description | Optional field to enter additional descriptive information about this role. |
Priority | Priority assigned to the role. Priority levels are numbered starting from 0, with 0 being the highest. |
Understanding role priority
Redtrust gives direct role assignments the highest priority. If a user is directly assigned a role and is also a member of a group with a different role, the direct assignment takes precedence, even if the group's role has a higher priority. When a user is a member of multiple groups with different role assignments, the role with the highest priority (the lowest priority number) is applied. To avoid inconsistencies, do not assign roles with the same priority level to multiple groups. For further details on how role priority affects assignments, refer to the roles example.
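The precedence rules above, as an added worked example that is not part of the Redtrust product or its documentation: the function resolves a user's effective role (direct assignment first, then the highest-priority group role) and raises an error for the same-priority inconsistency the text warns against. The role, group and user names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Role:
    name: str
    priority: int  # 0 is the highest priority, as in the role settings table


class AmbiguousPriority(Exception):
    """Two different group roles share one priority level (the documented inconsistency)."""


def effective_role(
    user: str,
    direct_roles: dict[str, Role],      # user -> directly assigned role
    group_roles: dict[str, Role],       # group -> role assigned to that group
    memberships: dict[str, set[str]],   # user -> groups the user belongs to
) -> Optional[Role]:
    """Resolve the single role that applies to a user."""
    # Rule 1: a direct assignment always wins, whatever the group roles' priorities.
    if user in direct_roles:
        return direct_roles[user]
    # Rule 2: otherwise, gather the roles of every group the user belongs to.
    candidates = [group_roles[g] for g in memberships.get(user, set()) if g in group_roles]
    if not candidates:
        return None  # no role at all: can authenticate but sees nothing
    # Rule 3: the lowest priority number (0 = highest priority) is applied.
    best = min(candidates, key=lambda r: r.priority)
    # Flag the case the documentation says to avoid: different roles at the same level.
    tied = {r.name for r in candidates if r.priority == best.priority}
    if len(tied) > 1:
        raise AmbiguousPriority(f"{user}: roles {sorted(tied)} all have priority {best.priority}")
    return best


# Constructed sample data (hypothetical roles, groups and users).
ROLES = {
    "cert-admin": Role("cert-admin", 0),
    "csr-operator": Role("csr-operator", 1),
    "auditor": Role("auditor", 2),
}
DIRECT = {"alice": ROLES["auditor"]}  # direct assignment beats her group's priority-0 role
GROUP_ROLES = {"pki-team": ROLES["cert-admin"], "ops": ROLES["csr-operator"], "audit": ROLES["auditor"]}
MEMBERS = {"alice": {"pki-team"}, "bob": {"ops", "audit"}, "carol": {"audit"}}

if __name__ == "__main__":
    for name in ("alice", "bob", "carol", "dave"):
        role = effective_role(name, DIRECT, GROUP_ROLES, MEMBERS)
        print(name, "->", role.name if role else "no role")
```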
Users & groups
This field selects the users this role will apply to: the users who will ultimately receive the permissions defined in the last step of the role creation wizard. Users don't have to be assigned during role creation; they can be added later by editing the role.
Users of the role | Description |
---|---|
Domains | The domain that contains the users you want to assign this role to. Start typing the name of your domain and it will auto-populate. You can select multiple domains if needed. |
Users (Or Groups) | The specific users or groups of users that are part of the selected domain you want to assign this role to. Start typing the name of your users or groups and they will auto-populate. You can select multiple users or groups of users. |
Scope of the role
The domain assignment for the role defines which domains are in scope for this role. If a domain is in scope, users of this role can search for and see that domain's users when assigning policies. Multiple domains can be selected if required. The scope doesn't have to be set during role creation; it can be changed later by editing the role.
Certificate groups
Certificate groups assigned to the role give this role's users the ability to use those certificates when creating policies.
To add a certificate group, select the Add certificates group button and any available certificate groups will be shown. Select the check box for each group you want to add. Once finished, click Add to assign the selected certificate groups to the role.
You can also create a new certificate group from the same window by clicking Create certificate group. This will bring up a dialog box to enter the name for the new certificate group and optionally a limit on the number of certificates it can contain.
With a certificate group selected, you can then set the certificate group permissions for the users who will be assigned this role.
Certificate Group Permissions | Description |
---|---|
Add | Gives users permission to add certificates to the group. |
Remove | Gives users permission to remove certificates from the group. |
Assign to Policies | Gives users permission to assign certificates in this group to policies. |
None | Users with none of the above permissions can still see the certificates in the group, but cannot add, remove, or assign them. |
If you need to delete a certificate group from the role, click the actions button on the row you want to exclude and you will be presented with the option to remove it.
Assigning permissions to a role
The Permissions settings section of the role creation wizard allows you to define granular permissions for users of the role. These settings apply to the admin console and any associated APIs.
- To enable a permission for a user, select the checkbox next to the permission you want to enable.
- To disable a permission for a user, leave the checkbox unselected.
A user assigned to a role with no certificate group and no permissions will be able to authenticate to the admin console but won't be able to view or access anything.
For more information on permission settings, check the role permission settings.