Administrators, auditors, and members
SDKMS defines three roles that may be assigned to users: administrator, auditor, and member. These roles may be assigned at either the account or group level.
When the administrator (or auditor) role is assigned to a user at the account level, that user automatically becomes an administrator (or auditor) of every group in the account, including newly added groups.
When the administrator (or auditor) role is assigned to a user at the group level, the user has administrator (or auditor) permissions on that group only; the user gains no permissions on any other group unless the role is also assigned on that other group.
An auditor of a group can perform the following operations:
- View applications in the group
- View users in the group
- View security objects in the group
- View and search logs of SDKMS activity for the group itself, and for users, applications, and security objects assigned to the group.
An administrator of a group can perform all of the auditor operations, and the following additional operations:
- Create, modify, or delete applications in the group
- Retrieve the authentication credential for applications in the group
- Change the authentication method (API key or certificate) for applications in the group, regenerate the API key, or configure a new certificate
- Create, modify, or delete security objects in the group (but not perform cryptographic operations; only applications may perform cryptographic operations)
- Add or remove users from the group
- Modify group properties or delete the group
A regular member has no permission to view or modify any object until granted either auditor or administrator permission in some group.
Administrative operations on the account can only be performed by an account administrator. These operations include:
- Changing billing information or subscription level
- Inviting new users to the account
- Enabling or disabling users
- Creating new groups
- Deleting the account
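The role rules above can be expressed as an effective-permission check, which is useful when reviewing who can do what in an account. The following is an added illustration, not SDKMS code or its API: the operation names, the User structure and the sample users are constructed for the example. It encodes the two scoping rules (an account-level administrator or auditor holds that role in every group, including groups created later; a group-level role is confined to its group) and the fact that no user role ever grants cryptographic operations.

```python
"""Effective-permission model for the three SDKMS roles (added illustration, not SDKMS code)."""
from dataclasses import dataclass, field
from enum import IntEnum


class Role(IntEnum):
    """Ordered so that a higher role strictly includes the lower role's operations."""
    MEMBER = 0
    AUDITOR = 1
    ADMINISTRATOR = 2


# Group-scoped operations from the page (names are constructed for this example).
AUDITOR_OPS = {"view_apps", "view_users", "view_security_objects", "view_logs"}
ADMIN_OPS = AUDITOR_OPS | {
    "manage_apps", "get_app_credential", "change_app_auth",
    "manage_security_objects", "manage_group_users", "modify_group",
}
# Account-scoped operations reserved for an account administrator.
ACCOUNT_ADMIN_OPS = {
    "change_billing", "invite_user", "enable_disable_user", "create_group", "delete_account",
}


@dataclass
class User:
    name: str
    account_role: Role = Role.MEMBER                  # role assigned at the account level
    group_roles: dict = field(default_factory=dict)   # group name -> role assigned in that group


def effective_group_role(user: User, group: str) -> Role:
    """The account-level role applies to every group, including ones created after the
    assignment, so it is always considered alongside any explicit group-level role."""
    return max(user.account_role, user.group_roles.get(group, Role.MEMBER))


def allowed_in_group(user: User, group: str, op: str) -> bool:
    """Cryptographic operations are never part of a user role (only applications perform
    them), so an op outside the two sets is denied whatever the role."""
    role = effective_group_role(user, group)
    if role == Role.ADMINISTRATOR:
        return op in ADMIN_OPS
    if role == Role.AUDITOR:
        return op in AUDITOR_OPS
    return False   # a plain member can view or modify nothing


def allowed_on_account(user: User, op: str) -> bool:
    """Account operations require the administrator role at the account level."""
    return user.account_role == Role.ADMINISTRATOR and op in ACCOUNT_ADMIN_OPS
```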