Roles and Permissions
Access within the Zaita platform is governed by a role-based access control (RBAC) model. Each user is assigned exactly one role that defines the scope of actions they may perform, ensuring the principle of least privilege is applied across the platform.
Default Role
Every user added to the platform is assigned the User role by default. The User role provides the minimum level of access required to interact with the platform:
| Permission | Description |
|---|---|
| Request a certificate | Submit certificate requests through the web portal or API (subject to domain restrictions) |
| View own requests | View the status and history of their own certificate requests |
| Use Policy Validator | Test certificate requests against configured policies |
| Use Policy Test | Run policy simulations |
| View dashboard | Access the main dashboard |
Users can only request certificates for domains that have been explicitly assigned to their account. See Domain Assignments for more information.
Built-In Roles
The platform provides the following built-in roles, each scoped to a specific area of the platform:
Super Administrator
The Super Administrator role has unrestricted access to the entire platform, including all administrative functions and the ability to manage other users' roles.
| Permission | Description |
|---|---|
| Full platform access | Access all areas of the platform without restriction |
| Manage users | Create, modify, and deactivate user accounts |
| Assign roles | Grant and revoke roles for any user |
| Manage domain assignments | Control which domains users can request certificates for |
| Account settings | Configure account-level settings under Admin → Settings, including SSO and security policies |
| View audit log | Access the complete audit log for compliance and security review |
| Request certificates for any domain | Bypass domain assignment restrictions |
PKI Administrator
The PKI Administrator role manages the Local PKI infrastructure, certificate authority integrations, and domain configuration.
| Permission | Description |
|---|---|
| Manage Local PKI Root Certificates | Generate, upload, revoke, and delete root certificates |
| Manage Local PKI Intermediate Certificates | Generate, upload, revoke, and delete intermediate certificates |
| Manage Integrations | Create, modify, and delete certificate authority integrations |
| Manage Domains | Add, modify, and remove domains under Admin → Domains |
| View audit log | Access the audit log for compliance and security review |
| Run reports | Generate and view reports |
| View domains | View all configured domains |
Deployment Administrator
The Deployment Administrator role manages the infrastructure components used for certificate discovery and deployment.
| Permission | Description |
|---|---|
| Manage Target Systems | Create, modify, and delete target system registrations |
| Manage Bridges | Create, modify, and delete Bridge deployments and configuration |
| Manage Couriers | Create, modify, and delete Courier integrations |
| View audit log | Access the audit log for compliance and security review |
| Run reports | Generate and view reports |
| View domains | View all configured domains |
Policy Administrator
The Policy Administrator role manages the certificate policy engine, controlling the rules and constraints applied to certificate issuance and lifecycle operations.
| Permission | Description |
|---|---|
| Create policies | Define new certificate policies with constraints on algorithm, key size, validity period, and allowed domains |
| Modify policies | Update existing policy rules and enforcement modes |
| Delete policies | Remove policies from the platform |
| Configure enforcement | Set enforcement mode per policy — hard failure (block issuance) or soft failure (warn and proceed) |
| Manage approval workflows | Configure whether certificate requests require approval and define approval criteria |
| View audit log | Access the audit log for compliance and security review |
| Run reports | Generate and view reports |
| View domains | View all configured domains |
Report Operator
The Report Operator role provides read-only access focused on reporting and compliance visibility.
| Permission | Description |
|---|---|
| Run reports | Generate and view all available reports |
| View dashboard | Access the main dashboard and metrics |
User
The User role is the default role assigned to all new users. It provides basic access for requesting certificates.
| Permission | Description |
|---|---|
| Request certificates | Submit certificate requests for assigned domains only |
| View own requests | View the status and history of their own certificate requests |
| Use Policy Validator | Test certificate requests against configured policies |
| Use Policy Test | Run policy simulations |
| View dashboard | Access the main dashboard |
Role Summary
| Role | Scope | Default |
|---|---|---|
| User | Request certificates for assigned domains | Yes |
| Super Administrator | Full platform access and user management | No |
| PKI Administrator | Local PKI, integrations, and domain management | No |
| Deployment Administrator | Target systems, Bridges, and Couriers | No |
| Policy Administrator | Certificate policy configuration and enforcement | No |
| Report Operator | Reporting and dashboard access | No |
Domain Assignments
In addition to roles, users have domain assignments that control which domains they can request certificates for. This provides fine-grained control over certificate issuance without requiring elevated roles.
How Domain Assignments Work
- Each user can have zero or more domain patterns assigned to their account.
- Domain patterns can be exact matches (e.g., `www.example.com`) or wildcards (e.g., `*.example.com`).
- A wildcard pattern like `*.example.com` allows the user to request certificates for any subdomain of `example.com`.
- Users can only request certificates for domains matching one of their assigned patterns.
- Super Administrators bypass domain restrictions and can request certificates for any domain.
Managing Domain Assignments
Domain assignments are managed by a Super Administrator:
- Navigate to Admin → Users.
- Select the user account to modify.
- In the Allowed Certificate Domains section, add or remove domain patterns.
- Save changes.
Example Domain Patterns
| Pattern | Matches |
|---|---|
| `www.example.com` | Only www.example.com |
| `*.example.com` | api.example.com, www.example.com, mail.example.com, etc. |
| `*.dev.example.com` | app.dev.example.com, test.dev.example.com, etc. |
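The pattern rules above can be sanity-checked with a small matcher before assignments are handed out. This is an added example, not Zaita's code: `pattern_matches` and `may_request` are hypothetical names, and the page does not document the platform's exact matching, so the semantics here are assumptions (case-insensitive comparison on whole DNS labels, a wildcard covering one or more labels below the suffix, the apex not matched, wildcard names in a request rejected).

```python
# Added illustration; not the platform's implementation. Semantics are assumptions.

def _labels(name: str) -> list[str]:
    """Normalise a DNS name: lowercase, drop one trailing dot, split on dots."""
    name = name.strip().lower()
    if name.endswith("."):
        name = name[:-1]
    return name.split(".")


def pattern_matches(pattern: str, domain: str) -> bool:
    """Return True if `domain` is covered by an exact or '*.suffix' pattern."""
    p, d = _labels(pattern), _labels(domain)
    # Assumption: empty labels and wildcard names in the request are rejected.
    if "" in p or "" in d or "*" in d:
        return False
    if p[0] != "*":
        return p == d  # exact pattern: every label must be equal
    suffix = p[1:]
    if not suffix or "*" in suffix:
        return False  # bare "*" or a wildcard outside the leftmost label
    # Assumption: "any subdomain" means one or more extra labels, never the apex.
    # Comparing whole labels keeps "evilexample.com" out of "*.example.com".
    return len(d) > len(suffix) and d[-len(suffix):] == suffix


def may_request(role: str, patterns: list[str], domain: str) -> bool:
    """Apply the page's rule: Super Administrators bypass domain assignments."""
    if role == "Super Administrator":
        return True
    return any(pattern_matches(p, domain) for p in patterns)


if __name__ == "__main__":
    assigned = ["www.example.com", "*.dev.example.com"]  # constructed sample
    for name in ["www.example.com", "app.dev.example.com", "dev.example.com",
                 "api.example.com", "app.dev.example.com.attacker.test"]:
        print(f"{name:40} {may_request('User', assigned, name)}")
```

Confirm the apex and multi-level cases against the Policy Validator before relying on them, since those two behaviours are the assumptions most likely to differ from the platform.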
Assigning Roles
Roles are assigned by a Super Administrator through the web portal:
- Navigate to Admin → Users.
- Click the eye icon to view/edit the user account.
- Select the appropriate role from the dropdown.
- Click Update Role to save changes.
Note: Each user can have only one role assigned at a time. Choose the role that best matches the user's responsibilities.
Administrator Capabilities
All administrator roles (Super Administrator, PKI Administrator, Deployment Administrator, and Policy Administrator) share certain capabilities:
- View audit log — Access the audit log under Admin → Audit Log for security and compliance review.
- Run reports — Generate reports for their area of responsibility.
- View domains — View the list of configured domains (though only PKI Administrator and Super Administrator can modify them).
Audit Logging
All actions performed by administrator roles are logged to the audit log. This includes:
- Viewing sensitive resources (certificates, user accounts, policies)
- Creating, modifying, or deleting any resource
- Changing user roles or domain assignments
- Modifying system settings
The audit log is accessible to all administrator roles under Admin → Audit Log.
Best Practices
- Apply the principle of least privilege — assign the minimum role necessary for each user's job function.
- Use domain assignments to scope certificate access — rather than elevating roles, use domain assignments to control which certificates users can request.
- Limit Super Administrator accounts — reserve the Super Administrator role for users who genuinely need full platform access.
- Review roles and domain assignments regularly — as team members change responsibilities, update their roles and domain assignments accordingly.
- Monitor the audit log — regularly review the audit log to ensure administrative actions are appropriate and authorised.