1.0 Introduction
This article describes the steps to create named Custom user roles that allow fine-grained control over what users can do in Fortanix DSM accounts and groups.
1.1 Enabling Custom Roles
NOTE
In Fortanix DSM version 4.9:
The Custom user roles feature must be explicitly enabled by a System Administrator using the Sys Admin Settings after the software upgrade has finished successfully.
On-prem cluster – To enable this feature on your on-prem cluster, a System Administrator must do the following:
Go to the System Administration Settings page and click the NEW FEATURES tab from the left panel.
On the New Features page, enable the toggle for Custom Roles.
Figure 1: Enable custom roles
WARNING
Enable this feature only after verifying the software upgrade has finished successfully. If you later decide to downgrade to any version <= 4.8 after enabling this feature, then remove all custom roles in the cluster and disable this feature before proceeding with the downgrade.
2.0 Custom Roles
Custom user roles allow fine-grained control over what users can do in the Fortanix DSM accounts and groups. There are two types of Custom user roles: Custom account role and Custom group role.
Before the introduction of Custom user roles, Fortanix DSM only had five built-in roles for users. They are Account Administrator, Account Member, Account Auditor, Group Administrator, and Group Auditor. These are now referred to as “system roles”.
An Account Administrator can create an arbitrary number of Custom account roles, with custom account permissions.
A user with a Custom group role can have a user-defined set of permissions that will apply for operations requested by that user on objects within the group.
2.1 Custom Account Role
A Custom account role has the following properties:
permissions: the set of account-level permissions assigned to the user.
exclusive: this can be set to “true” or “false”. If a Custom account role is marked as “exclusive”, that is, its value is set to “true”, then it cannot be co-assigned with any other role.
all-groups role (optional): this is the unique ID of a Custom group role. If this is specified in the Custom account role, it means that the user will also have the selected group role for all the groups in Fortanix DSM.
NOTE
Each user can have multiple Custom account roles assigned to them as long as none of the assigned roles is marked “exclusive”, otherwise, only one exclusive role can be assigned to the user. The same restriction applies to “all-groups roles”.
All system account roles (Account Administrator, Account Member, and Account Auditor) are “exclusive”. See Section 2.4 below for the definition of system account roles in terms of the above properties.
2.2 Custom Group Role
A Custom group role has the following properties:
permissions: the set of group-level permissions assigned to the user.
exclusive: this can be set to “true” or “false”. If a Custom group role is marked as “exclusive”, that is, its value is set to “true”, then it cannot be co-assigned with any other role.
NOTE
Each user can have multiple Custom group roles in any given group (in addition to the “all-groups role” inherited from Custom account role(s)) as long as none of the assigned roles is marked “exclusive”, otherwise, only one exclusive role can be assigned to the user.
All system group roles (Group Administrator and Group Auditor) are “exclusive”. See Section 2.4 below for the definition of system account roles in terms of the above properties.
2.3 Managing Custom User Roles
Following are some restrictions on the role objects in order to maintain referential integrity and exclusivity rules explained earlier:
A Custom user role cannot be deleted if it is referenced anywhere, that is, assigned to a user, or in the case of Custom group roles, if it is referenced in a Custom account role as an “all-groups role”.
When updating Custom accounts or group roles, the “exclusive” flag cannot be changed once it is set.
When updating Custom account roles, the “all-groups role” ID cannot be changed.
Additionally, to prevent privilege escalation, a user is not allowed to add permissions that they do not currently have to a role. This includes both creating and updating account and group roles. Moreover, users are not allowed to assign a role that is more powerful that their role(s) to other users, for the same reason.
2.4 System Roles in Terms of Custom User Roles
The Fortanix DSM “system roles” can be expressed in terms of Custom user roles as follows:
Account Administrator:
permissions: all account permissions.
exclusive: true
all-groups role: Group Administrator
Account Member:
permissions: read as well as modify most objects in the account but does not have administrative privileges in the account.
exclusive: true
all-groups role: none
Account Auditor:
permissions: read permissions (such as getting audit logs, and so on.) at the account level but cannot modify anything.
exclusive: true
all-groups role: Group Auditor
Group Administrator:
permissions: all group permissions.
exclusive: true
Group Auditor:
permissions: read permissions in a group.
exclusive: true
To learn more about the system roles, refer to Role-Based Access Control Authorization (RBAC).
2.5 Creating a Custom Account Role
To create a Custom account role:
Click the Users
tab in the Fortanix DSM main menu.Select the CUSTOM ACCOUNT ROLES tab and click the Add
button to add a new custom role.In the “Add New Custom Account Role” form:
Enter a name for the Custom account role in the Custom Role Name field.
Select the toggle for Exclusive Role to keep this Custom account role exclusive, that is, it cannot be co-assigned with any other Custom account role. Disable it to allow adding more Custom account role to a user in addition to the current role.
You can configure the following permissions for the custom account role:
Account
Manage Logging: A user with this permission is allowed to update the Log management settings in the account configuration where the user can:
Add custom log management integrations.
Delete custom log management integrations.
Modify custom log management integrations.
Enable/Disable audit logging to debug an application against invalid API requests (4XX errors).
For more information, refer to the User’s Guide: Logging.
Manage Authentication: A user with this permission is allowed to update the Authentication settings in the account configuration where the user can:
Configure password authentication or
Configure Single Sign-On (SSO) authentication
For more information, refer to the User’s Guide: Authentication.
Manage Workspace CSE: A user with this permission is allowed to:
Create, update, and delete the Google Workspace CSE Client-Side Encryption API settings in the account configuration.
For more information, refer to the User’s Guide: Workspace CSE Client-Side Encryption.
Unwrap Workspace CSE Privileged: A user with this permission is allowed to:
Unwrap the Data Encryption Key (DEK) and decrypt the Google Workspace application’s data.
Call the privileged unwrap API. This permission is needed for exporting all of your organization's Workspace data.
Manage Account Client Configs: A user with this permission is allowed to:
Create, update, and delete the Client Configuration options for the PKCS#11, KMIP, and Common client in the account configuration
For more information, refer to the User’s Guide: Client Configurations.
Create Account Approval Policy: A user with this permission is allowed to
Create a Quorum approval policy for an account.
NOTE
Updating/Deleting account Quorum policy is managed by the policy itself.
For more information, refer to the User’s Guide: Quorum Policy.
Set Approval Request Expiry: A user with this permission is allowed to update Quorum approval request expiration time.
Update Account Custom Metadata Attributes: A user with this permission is allowed to update an account's custom metadata attributes.
Manage Account Subscription: A user with this permission is allowed to manage an account’s subscription (only relevant for SaaS accounts).
Manage Account Profile: A user with this permission is allowed to manage an account’s profile settings and allowed to:
Update the account name
Upload a custom logo for the account
Update the country, description, organization, phone, and notification preferences
For more information, refer to the User’s Guide: Account Customization.
Delete Account: A user with this permission is allowed to delete an account.
Administrative Apps
Create Admin Apps: A user with this permission is allowed to create an account administrative app.
Update Admin Apps: A user with this permission is allowed to update an account administrative app.
Delete Admin Apps: A user with this permission is allowed to delete an account administrative app.
Retrieve Admin App Secrets: A user with this permission is allowed to retrieve an account administrative app credentials.
Manage Admin Apps: A user with this permission is allowed to create, update, and delete account administrative apps, retrieve an account administrative app, and get all the account administrative apps.
For more information, refer to the User’s Guide: Authentication.
Custom Roles
Create Custom Roles: A user with this permission is allowed to create a custom account role for a user.
Update Custom Roles: A user with this permission is allowed to update a custom account role for a user.
Delete Custom Roles: A user with this permission is allowed to delete a custom account role for a user.
Manage Custom Roles: A user with this permission is allowed to create, update, and delete a custom account role for a user.
Users
Invite Users to Account: A user with this permission is allowed to invite users to an account.
Delete Users From Account: A user with this permission is allowed to delete users from an account.
Update Users Account Role: A user with this permission is allowed to update another user’s account role. When the user is assigning a new role to another user the principal user must themselves have that role in order to assign the new role.
Update Users Account Enabled State: A user with this permission is allowed to enable or disable a user in an account or tenant account.
Manage Account Users: A user with this permission is allowed to:
Invite users to an account.
Delete users from an account.
Update another user’s account role.
Enable/Disable a user in an account/tenant account.
Get all the users in an account.
External Roles
Create External Roles: A user with this permission is allowed to create an account external role.
Sync External Roles: A user with this permission is allowed to sync account external roles.
Delete External Roles: A user with this permission is allowed to delete an account external role.
Manage External Roles: A user with this permission is allowed to:
Create an account external role.
Sync account external roles.
Delete an account external role.
Get all the external roles.
Security Object Policies
Create Account Security Object Policies A user with this permission is allowed to create various account-level Security-object policies including Cryptographic-policy, key metadata policy, and key history policy.
Update Account Security Object Policies: A user with this permission is allowed to update various account-level security object policies including cryptographic policy, key metadata policy, and key history policy.
Delete Account Security Object Policies: A user with this permission is allowed to delete various account-level security object policies including cryptographic policy, key metadata policy, and key history policy.
Manage Account Security Object Policies: A user with this permission is allowed to create, update, and delete various account-level security object policies including cryptographic policy, key metadata policy, and key history policy.
For more information, refer to the User’s Guide: Cryptographic Policy, User’s Guide: Key Metadata Policy, and User’s Guide: Key Undo Policy.
Child Accounts
Create Child Accounts: A user with this permission is allowed to create a tenant account.
Update Child Accounts: A user with this permission is allowed to update a tenant account.
Delete Child Accounts: A user with this permission is allowed to delete a tenant account.
Create Child Accounts: A user with this permission is allowed to add users to a tenant account.
Get Child Accounts: A user with this permission is allowed to get all the tenant accounts.
Get Child Account Users: A user with this permission is allowed to get all the users from a tenant account.
Manage Child Accounts: A user with this permission is allowed to do all the operations in a tenant account.
NOTE
The above permissions are only applicable to Fortanix DSM SaaS accounts with reseller subscription.
Miscellaneous
Create Local Groups: A user with this permission is allowed to create a local group in the account.
Create External Groups: A user with this permission is allowed to create a new group backed by external HSM/KMS.
Allow Quorum Reviewer: A user with this permission is allowed to participate as a quorum approver in a Quorum approval policy for the account.
Allow Key Custodian: A user with this permission is allowed to participate in the key custodian policy to add and view a key component.
Read
Get Admin Apps: A user with this permission is allowed to get all the account administrative apps.
Get All Approved Requests: A user with this permission grants read access to all Quorum approval requests in the account.
Get Custom Roles: A user with this permission is allowed to get all the custom roles from the account.
Get External Roles: A user with this permission is allowed to get all the external roles from the account.
Get All Users: A user with this permission is allowed to get all the users from an account.
Get Account Usage: A user with this permission is allowed to get the usage metrics of a particular account.
All Groups Role (optional): Optionally, you can also select a Custom group role for the Custom account role. If selected, the user will have the specified group role in all the Fortanix DSM groups.
Click SAVE to save the new custom role.
The Custom account role is created successfully.
To view the Custom account role, click the Users tab from the left panel and click the CUSTOM ACCOUNT ROLES tab. You will see the new role added to the Custom roles table.
2.6 Editing a Custom Account Role
To edit a custom account role:
Click the Users
tab in the Fortanix DSM main menu.Click the CUSTOM ACCOUNT ROLES tab.
In the Custom account roles table, hover on the custom role that you want to edit and click the edit
button at the end of the row.Make the necessary permission updates and click SAVE to save the updates.
2.7 Deleting a Custom Account Role
A custom account role can only be deleted if no users are mapped to the role. To delete a custom account role:
Click the Users
tab in the Fortanix DSM main menu.Click the CUSTOM ACCOUNT ROLES tab.
In the Custom account roles table, hover on the custom role that you want to delete and click the delete
button at the end of the row.If no users are mapped to the custom account role, click DELETE to confirm the deletion.
If users are mapped to an account custom role, then first remove the users, and then delete the custom account role using the steps described above.
2.8 Assigning a User to a Custom Account Role
After a custom account role has been created, you can invite a user to the account with that custom account role. To invite a user with a custom account role:
Click the Users
tab in the Fortanix DSM main menu.On the Users page, click the Add User button
to add a new user.In the “Add new users to the account” section:
Select the INVITE BY EMAIL option.
Enter the user’s email.
Select the Custom Account role option.
From the Select a custom account role drop down, select an existing custom account role, and click INVITE to invite the user to this role.
2.9 Changing a User's Role to a Custom Account Role
2.9.1 Edit a User's Role
Click the Users
tab in the Fortanix DSM main menu.In the Users table, click the user whose role you want to edit.
In the detailed view of the user, hover on the existing user role next to the user’s name and click the edit
.png?sv=2022-11-02&spr=https&st=2025-04-25T14%3A48%3A05Z&se=2025-04-25T15%3A24%3A05Z&sr=c&sp=r&sig=GNk1nbO6PR56U3pV8xFIf6ym9eiasdJW%2FhDWlZjx4Ao%3D)
icon. 
Figure 2: Edit user role
In the EDIT ROLE dialog box, select the Custom account role option.
In the Select a custom role drop down, select the custom account role that you want to assign to the user. The permissions associated with the selected role are displayed.
Click SAVE to save the new role for the user.
2.9.2 Edit an External User Role
Click the Users
tab in the Fortanix DSM main menu.On the Users page, click the Add User button
to add a new LDAP user from the directory.Select the SEARCH LDAP DIRECTORY option.
NOTE
If the LDAP integration is configured in the Account Settings page, then the provider name will be listed for selection in the SOURCE drop down.
Select the source and click SEARCH DIRECTORY.
The users are listed in the table.
To edit an LDAP user’s permission, select the check box for the user and click the edit icon
.In the “Edit role” dialog box, select the Custom account role option.
Select the custom account role from the drop down and click SAVE to save the role changes.
The external user now has the new custom account role assigned for the account.
2.10 Creating a Custom Group Role
A custom group role can be created:
From the CUSTOM GROUP ROLES tab on the Groups page.
From the External Roles page while mapping a user to a group.
While inviting a user to an account as an Account Member.
2.10.1 Create a Custom Group Role from the Group Detailed View
To create a Custom group role from the Groups page:
Go to the Groups page, and click the CUSTOM GROUP ROLES tab.
Click the add
button to create a new custom group role.Enter the name of the group custom role in the Role Name field.
Select the toggle for Exclusive Role to keep this Custom group role exclusive, that is, it cannot be co-assigned with any other Custom group role. Disable it to allow adding more Custom group roles to a user in addition to the current role.
You can configure the following permissions for the group custom role:
Group
Create Group Approval Policy: A user with this permission is allowed to:
Create a Quorum approval policy for a group.
NOTE
Updating/Deleting group Quorum policy is managed by the policy itself.
For more information, refer to the User’s Guide: Quorum Policy.
Update Group External Links: A user with this permission is allowed to update an existing HSM/External KMS group configuration. Note that this is only useful for groups backed by external HSM/KMS.
Add a new HSM/External KMS group.
Update an existing HSM/External KMS group configuration.
Delete an existing HSM/External KMS group.
Sync keys in an existing HSM/External KMS group.
For more information, refer to the User’s Guide: Quorum Policy.
Manage Group Client Configs: A user with this permission is allowed to:
Create, update, and delete the Client Configuration options for the PKCS#11, KMIP, and Common client in the group configuration.
For more information, refer to the User’s Guide: Client Configurations.
Update Group Profile: A user with this permission is allowed to:
Update the name of the group.
Update the description of the group.
Update the custom metadata of the group created using Fortanix DSM SaaS easy wizard integrations.
Delete Group: A user with this permission is allowed to delete the group.
Map External Roles For Apps: A user with this permission is allowed to:
Create external roles for mapping and set the permissions for applications authorized through LDAP.
Update the group's external role for applications authorized through LDAP.
Delete the group's external role for applications authorized through LDAP.
Map External Roles For Users: A user with this permission is allowed to:
Create external roles for mapping and define the group roles for users authorized through LDAP.
Update the external role for users authorized through LDAP in a group.
Delete the external role for users authorized through LDAP in a group.
Map External Roles: A user with this permission is allowed to:
Map external roles for apps in a group.
Map external roles for users in a group.
Add Users to Group: A user with this permission is allowed to add users to a group.
Delete Users From Group: A user with this permission is allowed to delete users from a group.
Update Users Group Role: A user with this permission is allowed to update the user’s role in a group.
Manage Group Users: A user with this permission is allowed to update the user’s role in a group.
Add users to a group.
Delete users from a group.
Update the user’s role in a group.
Manage Group Wrapping Key: A user with this permission is allowed to update the key encryption key (KEK) in a group.
Add KEK to a group.
Delete KEK from a group.
Update the KEK in a group.
Security Object Policies
Create Group Security Object Policies: A user with this permission is allowed to create various group-level security object policies including cryptographic policy, key metadata policy, and key history policy for a particular group.
Update Group Security Object Policies: A user with this permission is allowed to update various group-level security object policies including cryptographic policy, key metadata policy, and key history policy for a particular group.
Delete Group Security Object Policies: A user with this permission is allowed to delete various group-level security object policies including cryptographic policy, key metadata policy, and key history policy for a particular group.
Manage Group Security Object Policies: A user with this permission is allowed to create, update, delete, and various group-level security object policies including cryptographic policy, key metadata policy, and key history policy for a particular group.
For more information, refer to the User’s Guide: Cryptographic Policy, User’s Guide: Key Metadata Policy, and User’s Guide: Key Undo Policy.
Custodian policy
Create Group Custodian Policy: A user with this permission is allowed to create a Key custodian policy for a particular group.
Update Group Custodian Policy: A user with this permission is allowed to update the Key custodian policy for a particular group.
Delete Group Custodian Policy: A user with this permission is allowed to delete the Key custodian policy for a particular group.
Manage Group Custodian Policy: A user with this permission is allowed to create, update, and delete the Key custodian policy for a particular group.
For more information, refer to the User’s Guide: Key Components.
App
Create Apps: A user with this permission is allowed to create cryptographic apps in the Fortanix DSM groups.
NOTE
This permission is not applicable for Fortanix DSM Admin apps.
This permission is not applicable for Fortanix DSM LDAP apps since the mapping for these apps are determined dynamically.
A user creating this app must have all the necessary group permissions for performing crypto operations.
The app permissions will be restricted based on the user’s permission in that group.
Update Apps: A user with this permission is allowed to update cryptographic apps in the Fortanix DSM groups.
Retrieve App Secrets: A user with this permission is allowed to retrieve cryptographic app secrets.
Delete Apps: A user with this permission is allowed to delete cryptographic apps in the group.
Manage Apps: A user with this permission is allowed to:
Create cryptographic apps in a group.
Update cryptographic apps in a group.
Retrieve cryptographic app secrets from a group.
Delete cryptographic apps from a group.
Get cryptographic apps from a group.
Plugin
Create Plugins: A user with this permission is allowed to create a plugin in the group.
Update Plugins: A user with this permission is allowed to update a plugin in the group.
Invoke Plugins: A user with this permission is allowed to invoke a plugin added to the group.
Delete Plugins: A user with this permission is allowed to delete a plugin from the group.
Manage Plugins: A user with this permission is allowed to:
Create plugins in a group.
Update plugins in a group.
Invoke the plugins added to a group.
Delete plugins from a group.
Security Object
Create Security objects: A user with this permission is allowed to:
Generate keys in a group.
Import keys into a group.
Import an unwrapped key into a group.
Import keys from components into a group.
Copy keys into a group. This permission is required in the destination group.
Export Security Objects: A user with this permission is allowed to:
Export keys from a group.
Export a key by wrapping it with another key from a group.
Export key as components from a group.
Copy Security Objects: A user with this permission is allowed to copy a key from the source group to another group. This permission is required in the source group.
Wrap Security Objects: A user with this permission is allowed to use a key for wrapping another key. This permission is required in the group where the wrapping key belongs.
Unwrap Security Objects: A user with this permission is allowed to use a key for unwrapping another key. This permission is required in the group where the unwrapping key belongs.
Update Security Objects Enabled State: A user with this permission is allowed to enable or disable a security object in a group.
Rotate Security Objects: A user with this permission is allowed to update the key rotation policy to rotate a key automatically.
Delete Security Objects: A user with this permission is allowed to delete keys from a group.
Destroy Security Objects: A user with this permission is allowed to destroy keys from a group.
Revoke Security Objects: A user with this permission is allowed to mark a security object as deactivated or compromised in a group. The user can also set the deactivate date for the keys.
Activate Security Objects: A user with this permission is allowed to activate keys in a group. The user can also set the activation date for the keys.
Revert Security Objects: A user with this permission is allowed to restore the state of the security objects if a Key Undo Policy is configured for the group. If the revert operation moves the key back to some other group, then this permission is required in that group as well.
Delete Key Material: A user with this permission is allowed to delete the key material from a key.
Move Security Objects: A user with this permission is allowed to update the group that the key belongs to, to a different group.
Update Key Operations: A user with this permission is allowed to edit the key permissions in a group.
Update Security Objects Policies: A user with this permission is allowed to update individual security objects' policies such as RSA Options, and the Key access justification policy for GCP External Key Manager.
Update Security Objects Profile: A user with this permission is allowed to update the key name, description, and custom metadata, and download the public key of the keys in a group.
Scan External Security Objects: A user with this permission is allowed to scan keys in HSM/External KMS groups.
Restore External Security Objects: A user with this permission is allowed to restore an external key from its backup in Fortanix DSM when the external key is purged from an external KMS.
Derive Security Objects: A user with this permission is allowed to use a key to derive another key.
Transform Security Objects: A user with this permission is allowed to use a BIP32 key that accepts an index input and creates a non-hardened child in the same network as the parent key.
Miscellaneous
Wrap Workspace CSE: A user with this permission is allowed to wrap the Data Encryption Key (DEK) used to encrypt the Google Workspace application’s data.
Unwrap Workspace CSE: A user with this permission is allowed to unwrap the Data Encryption Key (DEK) and decrypt the Google Workspace application’s data.
Workspace CSE: A user with this permission is allowed to:
Wrap the Data Encryption Key (DEK) used to encrypt the Google Workspace application’s data.
Unwrap the Data Encryption Key (DEK) and decrypt the Google Workspace application’s data
Read
Get Group: A user with this permission is allowed to:
Get all the group details.
Get all groups that have external roles configured.
Get Security Objects: A user with this permission is allowed to get all the keys in a group.
Get Apps: A user with this permission is allowed to:
Get all the apps in a group.
Get all the LDAP groups if the app is authorized through LDAP.
Get the app credentials
Get Plugins: A user with this permission is allowed to get all the plugins in a group.
Get Group Approval Requests: A user with this permission is allowed to get all approval requests for a group.
Get Audit Logs: A user with this permission is allowed to get the audit logs of a particular session.
Click SAVE to save the custom group role.
The custom group role is now created.
3.10.2 Create a Custom Group Role from the External Roles Page
To create a custom group role from the External Roles page:
Go to the Groups page, and click the EXTERNAL ROLES tab.
Create a new external role if you have the LDAP integration on the Account Settings page.
After the external roles are mapped and displayed in the table, in the Groups for users column, click MAP TO GROUPS for the external role for which you want to assign a group.
Figure 3: Map external role to a group
In the MAPPING TO GROUPS dialog, click the MAP GROUPS FOR USERS tile.
From the Search for groups to add to column, select the group which you want to map for the external role.
In the Current groups column, Click EDIT to change the default Group Auditor role to a Custom Group Role.
Select the CUSTOM GROUP ROLE option and click ADD NEW CUSTOM GROUP ROLE to create a new custom group role for the external role.
Figure 4: Create a group custom role
Follow steps 3-4 in the previous section (Section 2.8.1) to create a new custom group role.
Click SAVE CUSTOM ROLE to save the new Custom group role.
Click SAVE to assign this new Custom group role to the External role user.
2.10.3 Create a Custom Group Role from the Invite Users Page
To create a custom group role:
Go to the Users page and click the USERS tab.
Click the Add
button to invite a user to a custom group role.Click the INVITE BY EMAIL option and enter the email of the user to invite for the custom group role.
Select Account member and click NEXT.
In the Assigning the new user to groups section, select the group from the first column to which you want to assign the user.
In the second column, click EDIT to change the default Group Auditor role to a Custom Group Role.
Select the CUSTOM GROUP ROLE option and click ADD NEW CUSTOM GROUP ROLE to create a new custom group role for the user.
Follow steps 3-4 in Section 2.8.1 to create a new custom group role.
Click SAVE CUSTOM ROLE to save the new Custom group role.
Click SAVE at the bottom of the form to assign this new Custom group role to the user.
2.11 Editing a Custom Group Role
To edit the Custom group role:
Click the Groups tab in the Fortanix DSM main menu.
Click the CUSTOM GROUP ROLES tab.
In the Custom group roles table, click
button corresponding to the custom role that you want to edit and click the Edit Role option from the drop down menu.Make the necessary permission updates and click SAVE to save the updates.
2.12 Deleting a Custom Group Role
To delete the Custom group role:
Click the Groups tab in the Fortanix DSM main menu.
Click the CUSTOM GROUP ROLES tab.
In the Custom group roles table, click
button corresponding to the custom role that you want to remove and click the Delete Role option from the drop down menu.Click the DELETE option to remove the role.
2.13 Assigning a Custom Group Role to User/External Role
A custom group role can be assigned to a user during the following scenarios:
Inviting a user to an account as an Account member on the Users page.
Inviting a user to an account as a Custom account role on the Users page.
Mapping a user to a group as External Roles on the External Roles page
2.13.1 Assign a Custom Group Role to a User
To assign a user to a custom group role:
Go to the Users page and click the USERS tab.
Click the Add
button to invite a user to a custom group role.Click the INVITE BY EMAIL option and enter the email of the user to invite for the custom group role.
Select Account member or Custom account role and click NEXT.
In the Assigning the new user to group column, select the group to which you want to assign the user with a custom group role.
Click EDIT to change the default Group Auditor role to a Custom Group Role.
Repeat Steps 7-10 from the previous section (Section 2.8.2) to assign a user to a Custom group role.
2.13.2 Assign a Custom Group Role to an External Role
Go to the Groups page and click the EXTERNAL ROLES tab.
In the External Roles table, for a particular external role, under the Groups for users column, click MAP TO GROUPS.
In the MAPPING TO GROUPS window, select the MAP GROUPS FOR USERS tile.
In the MAPPING TO GROUPS FOR USERS window, select the group to which you want to assign the user with a custom group role from the first column.
In the “Current groups” column, select the Custom group role option and assign the external role to a custom group role.