Azure Permissions

This section provides the complete list of permissions required by a CipherTrust Manager user to perform operations on Azure resources using CCKM.

Create Operations (post)

| Operation | Required Permissions | ACLs |
|---|---|---|
| Create Key | PermissionCCKMCreateKey PermissionCCKMReadKey PermissionCCKMReadAzureVault | VIEW KEYCREATE |
| Delete Backup | PermissionCCKMReadKey PermissionCCKMDeleteKey PermissionCCKMReadAzureVault | VIEW DELETEBACKUP |
| Recover Azure Key | PermissionCCKMReadKey PermissionCCKMRecoverKey PermissionCCKMReadAzureVault | VIEW KEYRECOVER |
| Restore a key backup | PermissionCCKMReadKey PermissionCCKMRestoreKey PermissionCCKMReadAzureVault | VIEW KEYRESTORE |
| Soft delete a key | PermissionCCKMReadKey PermissionCCKMSoftDeletekey PermissionCCKMReadAzureVault | VIEW KEYDELETE |
| Hard delete a key | PermissionCCKMReadKey PermissionCCKMHardDeletekey PermissionCCKMReadAzureVault | VIEW KEYPURGE |
| Upload a key | PermissionCCKMReadKey PermissionCCKMUploadKey PermissionCCKMReadAzureVault | VIEW KEYUPLOAD |
| Enable Autorotation Job | PermissionCCKMReadKey PermissionCCKMUpdateKey PermissionCCKMReadAzureVault | VIEW KEYUPDATE |
| Disable Autorotation job | PermissionCCKMReadKey PermissionCCKMUpdateKey PermissionCCKMReadAzureVault | VIEW KEYUPDATE |
| Create Sync Job | PermissionCCKMReadAzureVault PermissionCCKMSync PermissionCCKMSyncStatus | VIEW KEYSYNC |
| Cancel sync job | PermissionCCKMSyncStatus | VIEW KEYSYNC |
| Create a secret | PermissionCCKMCreateSecret PermissionCCKMReadAzureVault | SECRETCREATE SECRETVIEW |
| Soft Delete secret | PermissionCCKMSoftDeleteSecret PermissionCCKMReadAzureVault | SECRETVIEW SECRETDELETE |
| Hard Delete Secret | PermissionCCKMHardDeleteSecret PermissionCCKMReadAzureVault PermissionCCKMReadSecret | SECRETVIEW SECRETDELETEBACKUP |
| Recover Secret | PermissionCCKMRecoverSecret PermissionCCKMReadAzureVault | SECRETVIEW SECRETRECOVER |
| Restore Secret | PermissionCCKMRestoreSecret PermissionCCKMReadAzureVault | SECRETVIEW SECRETRESTORE |
| Create Sync Job | PermissionCCKMReadAzureVault PermissionCCKMSync PermissionCCKMSyncStatus | SECRETVIEW SECRETSYNCHRONIZE |
| Cancel sync job | PermissionCCKMSyncStatus | SECRETVIEW SECRETSYNCHRONIZE |
| Create certificate | PermissionCCKMCreateAzureCertificate PermissionCCKMReadAzureVault PermissionCCKMReadAzureCertificate | CERTIFICATECREATE CERTIFICATEVIEW |
| Soft delete Azure certificate | PermissionCCKMSoftDeleteAzureCertificate PermissionCCKMReadAzureVault | CERTIFICATEDELETE CERTIFICATEVIEW |
| Hard delete Azure certificate | PermissionCCKMReadAzureCertificate PermissionCCKMReadAzureVault | CERTIFICATEVIEW CERTIFICATEPURGE |
| Restore Azure Certificate | PermissionCCKMRestoreAzureCertificate PermissionCCKMReadAzureVault | CERTIFICATERESTORE CERTIFICATEVIEW |
| Recover Azure Certificate | PermissionCCKMRecoverAzureCertificate PermissionCCKMReadAzureVault PermissionCCKMReadAzureCertificate | CERTIFICATERECOVER CERTIFICATEVIEW |
| Import Azure Certificate | PermissionImportAzureCertificate PermissionCCKMReadAzureVault | CERTIFICATEUPLOAD CERTIFICATEVIEW |
| Create sync job | PermissionCCKMReadAzureVault PermissionCCKMSyncStatus PermissionCCKMSync | CERTIFICATESYNCHRONIZE CERTIFICATEVIEW |
| Cancel sync job | PermissionCCKMSyncStatus | |
| Remove vault | PermissionCCKMReadAzureVault PermissionCCKMDeleteAzureVault | |
| Add Vault | PermissionCCKMAddVault PermissionCCKMReadAzureVault | |
| Get Vaults | PermissionCCKMGetAzureVault | |
| Enable autorotation | PermissionCCKMUpdateVault PermissionCCKMReadAzureVault | |
| Disable autorotation | PermissionCCKMUpdateVault PermissionCCKMReadAzureVault | |
| Update ACLs | PermissionCCKMApplyACLs PermissionCCKMReadAzureVault | |
| Add Reports | PermissionCCKMReport PermissionCCKMReadAzureVault PermissionCCKMReportStatus | CreateReport ViewReport |

Read Operations (get and list)

| Operation | Required Permissions | ACLs |
|---|---|---|
| Read Key | PermissionCCKMReadKey | VIEW |
| List Key | PermissionCCKMReadKey | VIEW |
| Download Public Key | PermissionCCKMReadKey PermissionCCKMReadAzureVault | VIEW |
| List Sync Job | PermissionCCKMSyncStatus | |
| Get sync job by id | PermissionCCKMSyncStatus | |
| Get secret by id | PermissionCCKMReadSecret PermissionCCKMReadAzureVault | SECRETVIEW |
| List secret | PermissionCCKMReadSecret PermissionCCKMReadAzureVault | SECRETVIEW |
| List Sync Job | PermissionCCKMSyncStatus | |
| Get sync job by id | PermissionCCKMSyncStatus | |
| List Certificate | PermissionCCKMReadAzureCertificate | CERTIFICATEVIEW |
| Get certificate by id | PermissionCCKMReadAzureCertificate PermissionCCKMReadAzureVault | CERTIFICATEVIEW |
| List Sync Job | PermissionCCKMSyncStatus | |
| Get sync job by id | PermissionCCKMSyncStatus | |
| List Vault | PermissionCCKMReadAzureVault | |
| Get vault by id | PermissionCCKMReadAzureVault | |
| Get vault by id | PermissionCCKMUpdateVault PermissionCCKMReadAzureVault | |
| Get Hsms | PermissionCCKMGetAzureVault | |
| List Report | PermissionCCKMReportStatus | ViewReport ViewReport |
| Get report by id | PermissionCCKMReportStatus | ViewReport ViewReport |
| Get report contents by id | PermissionCCKMReportStatus | ViewReport |
| Download report | PermissionCCKMReportStatus | DownloadReport ViewReport |

Update Operations (patch)

| Operation | Required Permissions | ACLs |
|---|---|---|
| Update Key | PermissionCCKMReadKey PermissionCCKMUpdateKey PermissionCCKMReadAzureVault | VIEW KEYUPDATE |
| Update secret | PermissionCCKMUpdateSecret PermissionCCKMReadAzureVault | SECRETVIEW |
| Update certificate | PermissionCCKMUpdateAzureCertificate PermissionCCKMReadAzureVault | CERTIFICATEUPDATE CERTIFICATEVIEW |

Delete Operations (delete)

| Operation | Required Permissions | ACLs |
|---|---|---|
| Delete secret by id | PermissionCCKMDeleteSecret PermissionCCKMReadAzureVault | SECRETVIEW SECRETDELETE |
| Delete Azure Certificate | PermissionCCKMDeleteAzureCertificate PermissionCCKMReadAzureVault | |
| Delete report by id | PermissionCCKMReportStatus PermissionCCKMDeleteReports | |