docs/documentation/platform/pki/concepts/access-control.mdx
Certificate Manager uses a layered access model that separates infrastructure management from day-to-day operations.

| Role | What they can do |
|---|---|
| Product Admin | Full control: create and manage CAs, Policies, Profiles, Applications, and Signers. Assign members to Applications and Signers. |
| Product Member | Operate within the Applications and Signers they're assigned to. |

Product Admins manage the shared infrastructure that all teams use:
Product Members are assigned to specific Applications and Signers by Product Admins. They operate within those assigned resources.
This separation means teams can issue certificates and sign code without needing access to the underlying CAs or policies.
Applications are where teams issue and manage certificates. Members are assigned with one of three roles:

| Role | What they can do |
|---|---|
| Admin | Configure enrollment methods, alerting, syncs, and approval policies. Manage Application members. |
| Operator | Issue, renew, and revoke certificates within the Application. |
| Auditor | View certificates and Application configuration (read-only). |

Only members assigned to an Application can see or interact with its certificates.
Signers are where teams sign code artifacts. Similar to Applications, members are assigned directly to Signers with specific permissions.
Product Admins create Signers and assign members. Assigned members can then use the Signer to sign artifacts through the PKCS#11 module or request signing through approval workflows.
Signing Policies can add further controls, requiring approval before signing operations are allowed.
This model follows the principle of least privilege: