Product Level
Product Admins manage the shared infrastructure that all teams use:
- Certificate Authorities (internal and external)
- Certificate Policies
- Certificate Profiles
- Creating Applications and assigning members
- Creating Signers and assigning members
Application Access
Applications are where teams issue and manage certificates. Members are assigned with one of three roles:
Only members assigned to an Application can see or interact with its certificates.
Signer Access
Signers are where teams sign code artifacts. Similar to Applications, members are assigned directly to Signers with specific permissions. Product Admins create Signers and assign members. Assigned members can then use the Signer to sign artifacts through the PKCS#11 module or request signing through approval workflows. Signing Policies can add additional controls, requiring approval before signing operations are allowed.Principle of Least Privilege
This model follows the principle of least privilege:- Product admins set up infrastructure once
- Teams operate within their assigned Applications and Signers
- No one has more access than they need