Required User Permissions
This section provides the complete list of permissions required by a CipherTrust Manager user to perform operations on Azure resources using CCKM.
Create Operations (post)
| Operation | Required Permissions | ACLs |
|---|---|---|
| Create key | CreatKeyCCKM ReadKeyCCKM ReadAzureVault | view keycreate |
| Delete backup | ReadKeyCCKM DeleteKeyCCKM ReadAzureVault | view deletebackup |
| Recover Azure key | ReadKeyCCKM UpdateRecoverKeyCCKM ReadAzureVault | view keyrecover |
| Restore a key backup | ReadKeyCCKM UpdateRestoreKeyCCKM ReadAzureVault | view keyrestore |
| Soft delete a key | ReadKeyCCKM UpdateSoftDeleteKeyCCKM ReadAzureVault | view keydelete |
| Hard delete a key | ReadKeyCCKM UpdateHardDeleteKeyCCKM ReadAzureVault | view keypurge |
| Upload a key | • If source_key_tier is local: ReadKeyCCKM UploadKeyCCKM ReadAzureVault ReadKey UploadKey • If source_key_tier is dsm: ReadKeyCCKM UploadKeyCCKM ReadAzureVault GetDSMDomainCCKM • If source_key_tier is luna: ReadKeyCCKM UploadKeyCCKM ReadAzureVault | view keyupload view ACL in dsm domain (in case of source_key_tier is dsm domain) view ACL in luna partition (in case of source_key_tier is luna) |
| Enable Autorotation job | ReadKeyCCKM UpdateKeyCCKM ReadAzureVault ReadJob | view keyupdate |
| Disable Autorotation job | ReadKeyCCKM UpdateKeyCCKM ReadAzureVault | view keyupdate |
| Create sync job | ReadAzureVault SyncKeysCCKM SyncStatusKeysCCKM | view keysynchronize |
| Cancel sync job | SyncStatusKeysCCKM | keysynchronize |
| Create a secret | CreatSecretCCKM ReadAzureVault | secretcreate secretview |
| Soft delete secret | UpdateSoftDeleteSecretCCKM ReadAzureVault | secretview secretdelete |
| Hard delete secret | UpdateHardDeleteSecretCCKM ReadAzureVault ReadSecretCCKM | secretview secretdeletebackup |
| Recover secret | UpdateRecoverSecretCCKM ReadAzureVault | secretview secretrecover |
| Restore secret | RestoreSecretCCKM ReadAzureVault | secretview secretrestore |
| Create sync job | ReadAzureVault SyncKeysCCKM SyncStatusKeysCCKM | secretview secretsynchronize |
| Cancel sync job | SyncStatusKeysCCKM | keysynchronize |
| Create certificate | CreatAzureCertificateCCKM ReadAzureVault ReadAzureCertificateCCKM | certificatecreate certificateview |
| Soft delete azure certificate | UpdateSoftDeleteAzureCertificateCCKM ReadAzureVault | certificatedelete certificateview |
| Hard delete azure certificate | ReadAzureCertificateCCKM ReadAzureVault UpdateHardDeleteAzureCertificateCCKM | certificateview certificatePURGE |
| Restore Azure certificate | RestoreAzureCertificateCCKM ReadAzureVault | certificaterestore certificateview |
| Recover Azure certificate | UpdateRecoverAzureCertificateCCKM ReadAzureVault ReadAzureCertificateCCKM | certificaterecover certificateview |
| Import Azure certificate | UploadAzureCertificateCCKM ReadAzureVault | certificateupload certificateview |
| Create sync job | ReadAzureVault SyncStatusKeysCCKM SyncKeysCCKM | certificatesynchronize certificateview |
| Cancel sync job | SyncStatusKeysCCKM | keysynchronize |
| Remove vault | ReadAzureVault DeleteVaultCCKM | |
| Add vault | AddVaultCCKM ReadAzureVault | |
| Get vaults | GetAzurevaultCCKM | |
| Enable autorotation | UpdateVaultCCKM ReadAzureVault | |
| Disable autorotation | UpdateVaultCCKM ReadAzureVault | |
| Update ACLs | ApplyAclsCCKM ReadAzureVault | |
| Add reports | CreateReportCCKM ReadAzureVault ReportStatusCCKM | |
| Get subscription | GetAzureSubscriptionCCKM | |

Read Operations (get and list)
| Operation | Required Permissions | ACLs |
|---|---|---|
| Get secret by id | ReadSecretCCKM ReadAzureVault | secretview |
| List secrets | ReadSecretCCKM ReadAzureVault | secretview |
| List sync job | SyncStatusKeysCCKM | |
| Get sync job by id | SyncStatusKeysCCKM | |
| List certificate | ReadAzureCertificateCCKM | certificateview |
| Get certificate by id | ReadAzureCertificateCCKM ReadAzureVault | certificateview |
| List sync job | SyncStatusKeysCCKM | |
| Get sync job by id | SyncStatusKeysCCKM | |
| List vault | ReadAzureVault | |
| Get vault by id | ReadAzureVault | |
| Get vault by id | UpdateVaultCCKM ReadAzureVault | |
| Get HSMs | GetAzurevaultCCKM | |
| List reports | ReportStatusCCKM | |
| Get report by id | ReportStatusCCKM | |
| Get report contents by id | ReportStatusCCKM | |
| Download report | ReportStatusCCKM | |
| List subscriptions | ReadSubscriptionCCKM | |
| Get subscription by id | ReadSubscriptionCCKM | |

Update Operations (patch)
| Operation | Required Permissions | ACLs |
|---|---|---|
| Update secret | UpdateSecretCCKM ReadAzureVault | secretview secretupdate |
| Update certificate | UpdateAzureCertificateCCKM ReadAzureVault | certificateupdate certificateview |

Delete Operations (delete)
| Operation | Required Permissions | ACLs |
|---|---|---|
| Delete secret by id | DeleteSecretCCKM ReadAzureVault | secretview secretdelete |
| Delete Azure certificate | DeleteAzureCertificateCCKM ReadAzureVault | certificatedeletebackup certificateview |
| Delete report by id | ReportStatusCCKM DeleteReportsCCKM | |