Azure Permissions
This section provides the complete list of permissions required by a CipherTrust Manager user to perform operations on Azure resources using CCKM.
Create Operations (post)
| Operation | Required Permissions | ACLs |
|---|---|---|
| Create Key | CreatKeyCCKM ReadKeyCCKM, ReadAzureVault | view keycreate |
| Delete Backup | ReadKeyCCKM DeleteKeyCCKM, ReadAzureVault | view deletebackup |
| Recover Azure Key | ReadKeyCCKM UpdateRecoverKeyCCKM ReadAzureVault | view keyrecover |
| Restore a key backup | ReadKeyCCKM UpdateRestoreKeyCCKM ReadAzureVault | view keyrestore |
| Soft delete a key | ReadKeyCCKM UpdateSoftDeleteKeyCCKM ReadAzureVault | view keydelete |
| Hard delete a key | ReadKeyCCKM UpdateHardDeleteKeyCCKM ReadAzureVault | view keypurge |
| Upload a key | • If source_key_tier is local: ReadKeyCCKM UploadKeyCCKM ReadAzureVault ReadKey UploadKey • If source_key_tier is dsm: ReadKeyCCKM UploadKeyCCKM ReadAzureVault GetDSMDomainCCKM • If source_key_tier is luna: ReadKeyCCKM UploadKeyCCKM ReadAzureVault | view keyupload; view ACL in the DSM domain (when source_key_tier is dsm); view ACL in the Luna partition (when source_key_tier is luna) |
| Enable Autorotation Job | ReadKeyCCKM UpdateKeyCCKM ReadAzureVault ReadJob | view keyupdate |
| Disable Autorotation job | ReadKeyCCKM UpdateKeyCCKM ReadAzureVault | view keyupdate |
| Create Sync Job | ReadAzureVault SyncKeysCCKM SyncStatusKeysCCKM | view keysynchronize |
| Cancel sync job | SyncStatusKeysCCKM | keysynchronize |
| Create a Secret | CreatSecretCCKM ReadAzureVault | secretcreate secretview |
| Soft Delete Secret | UpdateSoftDeleteSecretCCKM ReadAzureVault | secretview secretdelete |
| Hard Delete Secret | UpdateHardDeleteSecretCCKM ReadAzureVault ReadSecretCCKM | secretview secretdeletebackup |
| Recover Secret | UpdateRecoverSecretCCKM ReadAzureVault | secretview secretrecover |
| Restore Secret | RestoreSecretCCKM ReadAzureVault | secretview secretrestore |
| Create Sync Job | ReadAzureVault SyncKeysCCKM SyncStatusKeysCCKM | secretview secretsynchronize |
| Cancel sync job | SyncStatusKeysCCKM | keysynchronize |
| Create Certificate | CreatAzureCertificateCCKM ReadAzureVault ReadAzureCertificateCCKM | certificatecreate certificateview |
| Soft delete azure Certificate | UpdateSoftDeleteAzureCertificateCCKM ReadAzureVault | certificatedelete certificateview |
| Hard delete azure Certificate | ReadAzureCertificateCCKM ReadAzureVault UpdateHardDeleteAzureCertificateCCKM | certificateview certificatePURGE |
| Restore Azure Certificate | RestoreAzureCertificateCCKM ReadAzureVault | certificaterestore certificateview |
| Recover Azure Certificate | UpdateRecoverAzureCertificateCCKM ReadAzureVault ReadAzureCertificateCCKM | certificaterecover certificateview |
| Import Azure Certificate | UploadAzureCertificateCCKM ReadAzureVault | certificateupload certificateview |
| Create sync job | ReadAzureVault SyncStatusKeysCCKM SyncKeysCCKM | certificatesynchronize certificateview |
| Cancel sync job | SyncStatusKeysCCKM | keysynchronize |
| Remove vault | ReadAzureVault DeleteVaultCCKM | |
| Add Vault | AddVaultCCKM ReadAzureVault | |
| Get Vaults | GetAzurevaultCCKM | |
| Enable autorotation | UpdateVaultCCKM ReadAzureVault | |
| Disable autorotation | UpdateVaultCCKM ReadAzureVault | |
| Update ACLs | ApplyAclsCCKM ReadAzureVault | |
| Add Reports | CreateReportCCKM ReadAzureVault ReportStatusCCKM | |
| Get Subscription | GetAzureSubscriptionCCKM | |
Read Operations (get and list)
| Operation | Required Permissions | ACLs |
|---|---|---|
| Get Secret by id | ReadSecretCCKM ReadAzureVault | secretview |
| List Secret | ReadSecretCCKM ReadAzureVault | secretview |
| List Sync Job | SyncStatusKeysCCKM | |
| Get sync job by id | SyncStatusKeysCCKM | |
| List Certificate | ReadAzureCertificateCCKM | certificateview |
| Get Certificate by id | ReadAzureCertificateCCKM ReadAzureVault | certificateview |
| List Sync Job | SyncStatusKeysCCKM | |
| Get sync job by id | SyncStatusKeysCCKM | |
| List Vault | ReadAzureVault | |
| Get vault by id | ReadAzureVault | |
| Get vault by id | UpdateVaultCCKM ReadAzureVault | |
| HsmGet Hsms | GetAzurevaultCCKM | |
| List Report | ReportStatusCCKM | |
| Get report by id | ReportStatusCCKM | |
| Get report contents by id | ReportStatusCCKM | |
| Download report | ReportStatusCCKM | |
| List Subscription | ReadSubscriptionCCKM | |
| Get Subscription by id | ReadSubscriptionCCKM | |
Update Operations (patch)
| Operation | Required Permissions | ACLs |
|---|---|---|
| Update Secret | UpdateSecretCCKM ReadAzureVault | secretview secretupdate |
| Update Certificate | UpdateAzureCertificateCCKM ReadAzureVault | certificateupdate certificateview |
Delete Operations (delete)
| Operation | Required Permissions | ACLs |
|---|---|---|
| Delete Secret by id | DeleteSecretCCKM ReadAzureVault | secretview secretdelete |
| Delete Azure Certificate | DeleteAzureCertificateCCKM ReadAzureVault | certificatedeletebackup certificateview |
| Delete report by id | ReportStatusCCKM DeleteReportsCCKM | |