Azure Permissions
This section provides the complete list of permissions required by a CipherTrust Manager user to perform operations on Azure resources using CCKM.
Create Operations (post)
| Operation | Required Permissions | ACLs |
|---|---|---|
| Create Key | CreatKeyCCKM, ReadKeyCCKM, ReadAzureVault | view, keycreate |
| Delete Backup | ReadKeyCCKM, DeleteKeyCCKM, ReadAzureVault | view, deletebackup |
| Recover Azure Key | ReadKeyCCKM, UpdateRecoverKeyCCKM, ReadAzureVault | view, keyrecover |
| Restore a key backup | ReadKeyCCKM, UpdateRestoreKeyCCKM, ReadAzureVault | view, keyrestore |
| Soft delete a key | ReadKeyCCKM, UpdateSoftDeleteKeyCCKM, ReadAzureVault | view, keydelete |
| Hard delete a key | ReadKeyCCKM, UpdateHardDeleteKeyCCKM, ReadAzureVault | view, keypurge |
| Upload a key (source_key_tier is local) | ReadKeyCCKM, UploadKeyCCKM, ReadAzureVault, ReadKey, UploadKey | view, keyupload |
| Upload a key (source_key_tier is dsm) | ReadKeyCCKM, UploadKeyCCKM, ReadAzureVault, GetDSMDomainCCKM | view, keyupload, view ACL in the DSM domain |
| Upload a key (source_key_tier is luna) | ReadKeyCCKM, UploadKeyCCKM, ReadAzureVault | view, keyupload, view ACL in the Luna partition |
| Enable Autorotation Job | ReadKeyCCKM, UpdateKeyCCKM, ReadAzureVault, ReadJob | view, keyupdate |
| Disable Autorotation Job | ReadKeyCCKM, UpdateKeyCCKM, ReadAzureVault | view, keyupdate |
| Create Sync Job | ReadAzureVault, SyncKeysCCKM, SyncStatusKeysCCKM | view, keysynchronize |
| Cancel Sync Job | SyncStatusKeysCCKM | keysynchronize |
| Create a Secret | CreatSecretCCKM, ReadAzureVault | secretcreate, secretview |
| Soft Delete Secret | UpdateSoftDeleteSecretCCKM, ReadAzureVault | secretview, secretdelete |
| Hard Delete Secret | UpdateHardDeleteSecretCCKM, ReadAzureVault, ReadSecretCCKM | secretview, secretdeletebackup |
| Recover Secret | UpdateRecoverSecretCCKM, ReadAzureVault | secretview, secretrecover |
| Restore Secret | RestoreSecretCCKM, ReadAzureVault | secretview, secretrestore |
| Create Sync Job | ReadAzureVault, SyncKeysCCKM, SyncStatusKeysCCKM | secretview, secretsynchronize |
| Cancel Sync Job | SyncStatusKeysCCKM | keysynchronize |
| Create Certificate | CreatAzureCertificateCCKM, ReadAzureVault, ReadAzureCertificateCCKM | certificatecreate, certificateview |
| Soft delete Azure Certificate | UpdateSoftDeleteAzureCertificateCCKM, ReadAzureVault | certificatedelete, certificateview |
| Hard delete Azure Certificate | ReadAzureCertificateCCKM, ReadAzureVault, UpdateHardDeleteAzureCertificateCCKM | certificateview, certificatepurge |
| Restore Azure Certificate | RestoreAzureCertificateCCKM, ReadAzureVault | certificaterestore, certificateview |
| Recover Azure Certificate | UpdateRecoverAzureCertificateCCKM, ReadAzureVault, ReadAzureCertificateCCKM | certificaterecover, certificateview |
| Import Azure Certificate | UploadAzureCertificateCCKM, ReadAzureVault | certificateupload, certificateview |
| Create Sync Job | ReadAzureVault, SyncStatusKeysCCKM, SyncKeysCCKM | certificatesynchronize, certificateview |
| Cancel Sync Job | SyncStatusKeysCCKM | keysynchronize |
| Remove Vault | ReadAzureVault, DeleteVaultCCKM | |
| Add Vault | AddVaultCCKM, ReadAzureVault | |
| Get Vaults | GetAzurevaultCCKM | |
| Enable autorotation | UpdateVaultCCKM, ReadAzureVault | |
| Disable autorotation | UpdateVaultCCKM, ReadAzureVault | |
| Update ACLs | ApplyAclsCCKM, ReadAzureVault | |
| Add Reports | CreateReportCCKM, ReadAzureVault, ReportStatusCCKM | |
| Get Subscription | GetAzureSubscriptionCCKM | |

Read Operations (get and list)
| Operation | Required Permissions | ACLs |
|---|---|---|
| Get Secret by id | ReadSecretCCKM, ReadAzureVault | secretview |
| List Secrets | ReadSecretCCKM, ReadAzureVault | secretview |
| List Sync Jobs | SyncStatusKeysCCKM | |
| Get sync job by id | SyncStatusKeysCCKM | |
| List Certificates | ReadAzureCertificateCCKM | certificateview |
| Get Certificate by id | ReadAzureCertificateCCKM, ReadAzureVault | certificateview |
| List Sync Jobs | SyncStatusKeysCCKM | |
| Get sync job by id | SyncStatusKeysCCKM | |
| List Vaults | ReadAzureVault | |
| Get vault by id | ReadAzureVault | |
| Get vault by id | UpdateVaultCCKM, ReadAzureVault | |
| Get HSMs | GetAzurevaultCCKM | |
| List Reports | ReportStatusCCKM | |
| Get report by id | ReportStatusCCKM | |
| Get report contents by id | ReportStatusCCKM | |
| Download report | ReportStatusCCKM | |
| List Subscriptions | ReadSubscriptionCCKM | |
| Get Subscription by id | ReadSubscriptionCCKM | |

Update Operations (patch)
| Operation | Required Permissions | ACLs |
|---|---|---|
| Update Secret | UpdateSecretCCKM, ReadAzureVault | secretview, secretupdate |
| Update Certificate | UpdateAzureCertificateCCKM, ReadAzureVault | certificateupdate, certificateview |

Delete Operations (delete)
| Operation | Required Permissions | ACLs |
|---|---|---|
| Delete Secret by id | DeleteSecretCCKM, ReadAzureVault | secretview, secretdelete |
| Delete Azure Certificate | DeleteAzureCertificateCCKM, ReadAzureVault | certificatedeletebackup, certificateview |
| Delete report by id | ReportStatusCCKM, DeleteReportsCCKM | |