Roles
Roles are business units that contain one or more permissions and can be assigned to CLM users or API clients. For example, a role can be configured to contain the permissions required for a specific operation, such as certificate creation or revocation for a policy. The role CLM_ADMIN, which contains the ADMIN global permission, is always present in MTG Certificate Lifecycle Manager Server.
Standard Roles Interactions
- Available roles can be viewed and searched in the Administration/Roles/Show page.
- New roles can be created in the Administration/Roles/Create page. After its creation, a role can be edited and deleted from its details page. For a valid role, a name and one or more permissions are required.
- A role can be assigned to multiple operators, and an operator can have multiple roles assigned to it.
- Upon realm creation, a new role is created and used as that realm's default role. That role contains some basic Global and Realm Permissions. When an API client is created, this realm's default role is assigned to the new API client (for each realm that is chosen).
Notes and limitations
- The name of each role must be unique and start with the prefix CLM_. Roles that do not have that prefix are not considered MTG-CLM roles and cannot be viewed or managed using MTG Certificate Lifecycle Manager Server.
- Roles are stored and managed in the Keycloak application.
- The default CLM_ADMIN role cannot be edited or deleted using MTG Certificate Lifecycle Manager Server.
- The CLM_ADMIN role can still be deleted using the Keycloak UI. This is advised against. However, if the CLM_ADMIN role gets deleted in Keycloak, you may create a role with the name CLM_ADMIN using the Keycloak UI.
- Renaming a role in Keycloak will result in MTG Certificate Lifecycle Manager Server perceiving it as deleted. The renamed role can be viewed in MTG Certificate Lifecycle Manager Server, but no permission will be associated with it.
- On startup, along with CLM_ADMIN, a role KC_ADMIN is created, which can be assigned to a Keycloak user that needs ADMIN access to it. The aforementioned roles are associated with each other but still work independently.
- Any default realm role can be edited and deleted like any other role.
- Realms that were created before default realm roles were introduced get assigned roles on startup via migration scripts, except for the realm SYSTEM. Since the SYSTEM realm is not meant to be used with API clients, which is the sole use case for default realm roles, this is the only realm that does not get assigned a default role.
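The following is an added Python model of the rules above (validity of a new role and how a rename or deletion in Keycloak is perceived on the CLM side); it is illustrative code written for this page, not MTG Certificate Lifecycle Manager Server's own implementation. The Role class, validate_new_role, managed_roles, reconcile and demo are assumed names, and the permission strings other than ADMIN and the rename scenario in demo are constructed for the example.

```python
from dataclasses import dataclass

# Constructed model of the role rules on this page; not MTG CLM's implementation.
CLM_PREFIX = "CLM_"
ADMIN_ROLE = "CLM_ADMIN"


@dataclass(frozen=True)
class Role:
    name: str
    permissions: frozenset = frozenset()


def validate_new_role(role: Role, existing_names: set) -> list:
    """Check a candidate role against the page's rules: unique name,
    CLM_ prefix, and at least one permission. Returns the problems found."""
    problems = []
    if not role.name.startswith(CLM_PREFIX):
        problems.append(f"{role.name!r} does not start with {CLM_PREFIX}; CLM would not manage it")
    if role.name in existing_names:
        problems.append(f"{role.name!r} is already in use; role names must be unique")
    if not role.permissions:
        problems.append(f"{role.name!r} has no permissions; at least one is required")
    return problems


def managed_roles(keycloak_role_names) -> set:
    """Of everything Keycloak reports, only CLM_-prefixed roles count as CLM roles."""
    return {n for n in keycloak_role_names if n.startswith(CLM_PREFIX)}


def reconcile(clm_view: dict, keycloak_role_names) -> tuple:
    """Rebuild CLM's picture of its roles from the role names Keycloak reports.

    clm_view maps role name -> permissions CLM last stored for it. A role that
    was renamed in Keycloak disappears under its old name (reported as deleted)
    and reappears under the new name with no permissions attached, which is
    the behaviour the notes above describe.
    """
    visible = managed_roles(keycloak_role_names)
    new_view = {name: clm_view.get(name, frozenset()) for name in visible}
    deleted = set(clm_view) - visible
    return new_view, deleted


def demo() -> dict:
    # Constructed scenario: an administrator renames CLM_AUDITOR to CLM_AUDIT
    # and deletes CLM_ADMIN directly in the Keycloak UI. The permission names
    # other than ADMIN are made up for the example.
    before = {
        ADMIN_ROLE: frozenset({"ADMIN"}),
        "CLM_AUDITOR": frozenset({"POLICY_VIEW", "CERT_VIEW"}),
        "CLM_ISSUER": frozenset({"CERT_CREATE"}),
    }
    keycloak_now = ["CLM_AUDIT", "CLM_ISSUER", "offline_access", "KC_ADMIN"]
    after, deleted = reconcile(before, keycloak_now)
    return {
        "deleted": deleted,              # CLM_ADMIN and the old name CLM_AUDITOR
        "after": after,                  # CLM_AUDIT is visible but has no permissions
        "admin_missing": ADMIN_ROLE in deleted,  # worth alerting on: page says recreate it in Keycloak
        "bad_role": validate_new_role(Role("OPS_ADMIN"), set(after)),  # wrong prefix, no permissions
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The admin_missing flag is the check a defender would wire into monitoring: because CLM_ADMIN can be removed through the Keycloak UI, a periodic reconcile that notices its absence gives early warning before the role has to be recreated by hand.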