Administrators, Auditors, and Members
Fortanix Data Security Manager (DSM) defines four roles that may be assigned to users: administrator, auditor, and member, custom role. These roles may be assigned at either the account or group level.
When the administrator (or auditor) role is assigned to a user at the account level, that user automatically becomes an administrator (or auditor) of every group in the account, including groups added subsequently.
When the administrator (or auditor) role is assigned to a user at the group level, the user has administrator (or auditor) permissions on that group, but not on any other group unless also assigned the role on the other group.
An auditor of a group can perform the following operations:
- View applications in the group
- View users in the group
- View security objects in the group
- View and search logs of Fortanix DSM activity for the group itself, and for users, applications, and security objects assigned to the group.
An administrator of a group can perform all of the auditor operations and the following additional operations:
- Create, modify, or delete applications in the group
- Retrieve the authentication credential for applications in the group
- Change the authentication method (API key or certificate) for applications in the group, regenerate the API key, or configure a new certificate
- Create, modify, or delete security objects in the group (but not perform cryptographic operations; only applications may perform cryptographic operations)
- Add or remove users from the group
- Modify group properties or delete the group
A regular member has no permission to view or modify any object until granted either auditor or administrator permission in some group.
A custom user role can have an arbitrary set of permissions at the account or group level. For more details on how to create and manage Custom user roles, refer to User’s Guide: Custom Roles.
For more information on authorization, refer to User's Guide: Authorization.
Administrative operations on the account can only be performed by an account administrator. These operations include:
- Changing billing information or subscription level
- Inviting new users to the account
- Enabling or disabling users
- Creating new groups
- Deleting the account
For a tabular view of the actions allowed for every role please refer to the User's Guide: Authorization.
An Account Administrator can also create external roles for the account using LDAP integrations in account authentication settings. Account administrators can import group objects from an LDAP directory add them as external roles into Fortanix DSM. For more details refer to LDAP Authorizations for Users and LDAP Authorization for Applications.