Certificate Master RBAC

Last updated 1 month ago

SCEPman Enterprise Edition only

Applicable to SCEPman Certificate Master version 2.5 and above

When users access SCEPman Certificate Master, their role determines the actions they can perform and the certificates they can see. The roles are defined on the Enterprise Application SCEPman-CertMaster in Microsoft Entra ID (Azure AD). If you installed SCEPman before version 2.5, you need to run the Complete-SCEPmanInstallation cmdlet from the SCEPman PS Module again for the roles to appear in the Microsoft Entra Portal. The following roles are available:

Available Roles

  • Admin.Full: Members of this role can do anything in SCEPman Certificate Master. If future versions of SCEPman Certificate Master add new features, members of this role will have access to those features.

  • Manage.All: Members of this role can see and revoke all certificates. This includes certificates in the Certificate Master database as well as certificates enrolled via Intune.

  • Manage.All.Read: While members can see all certificates, they cannot revoke them.

  • Manage.Intune: Members can see and revoke certificates enrolled via Intune.

  • Manage.Intune.Read: Members can see certificates enrolled via Intune, but cannot revoke them.

  • Manage.Storage: Members can see and revoke certificates in the Certificate Master database.

  • Manage.Storage.Read: Members can see certificates in the Certificate Master database, but cannot revoke them.

  • Request.All: Members can request all types of certificates. This includes submitting CSR requests, which can be of any type. If users need to submit CSR requests, this role is required.

  • Request.Client: Requests are limited to client certificates, i.e. manually created device certificates. They have the Client Authentication Extended Key Usage (EKU) and a customizable subject.

  • Request.CodeSigning: Requests can only be for Code Signing certificates.

  • Request.Server: Members can request only server certificates. They have the Server Authentication EKU.

  • Request.SubCa: Members can request certificates for Subordinate CAs. However, the Extended Key Usage limits these CAs to issue Server Authentication certificates only. This allows them to be used for TLS interception as used in Firewalls, but not for other purposes. This is a security feature. If you require a Subordinate CA for other purposes, you must create a CSR and submit that to the Certificate Master, which requires the Request.All role.

  • Request.User: Members can request only user certificates. They have the Client Authentication EKU and a UPN chosen by the requester. Starting with SCEPman 2.6, the Smart Card Logon EKU is also possible. Keep in mind that somebody with this role can request certificates for other users. If you have Certificate Based Authentication enabled in AD or AAD and have added the SCEPman CA as a trusted CA for this purpose in AD or AAD, this role can be used to impersonate other users.

Role Assignment

1. Navigate to SCEPman-CertMaster

   Azure > Enterprise Applications > Clear Filters > SCEPman-CertMaster

2. Assign a User/Group

   Navigate to Manage > Users and Groups and select your desired administrators and their role. Press assign once administrators and roles have been selected.

3. Clear your web browser cache (Optional)

   In some cases, an administrator's permissions may look the same even after their permissions have changed. Any Certificate Master cookies should be cleared to circumvent this issue.
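To verify the assignments afterwards, the following added example (not part of the SCEPman documentation or PS Module) lists every user or group holding a Certificate Master role on the SCEPman-CertMaster enterprise application and flags the roles described above as unrestricted or able to impersonate other users. It assumes the Microsoft.Graph PowerShell module, an account with Application.Read.All, and that the app-role Value strings match the role names listed above.

```powershell
# Added example: audit who holds which Certificate Master role.
# Assumptions: Microsoft.Graph module installed; the app roles' Value strings
# equal the documented names (check $sp.AppRoles in your tenant if unsure).
Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome

# Locate the enterprise application that carries the roles
$sp = Get-MgServicePrincipal -Filter "displayName eq 'SCEPman-CertMaster'"
if (-not $sp) { throw 'SCEPman-CertMaster enterprise application not found' }

# Map app-role object ids to their human-readable values (e.g. Request.User)
$roleNames = @{}
foreach ($role in $sp.AppRoles) { $roleNames[$role.Id] = $role.Value }

# Roles the documentation describes as unrestricted (Admin.Full, Request.All)
# or as able to request certificates for other users (Request.User)
$highRisk = @('Admin.Full', 'Request.All', 'Request.User')

# Every user/group assigned to the application, with the role they received
$assignments = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All

$report = foreach ($a in $assignments) {
    $roleValue = $roleNames[$a.AppRoleId]   # $null if assigned without a role
    [pscustomobject]@{
        Principal     = $a.PrincipalDisplayName
        PrincipalType = $a.PrincipalType     # User or Group
        Role          = $roleValue
        HighRisk      = $highRisk -contains $roleValue
    }
}

# High-risk assignments first, so they stand out in a periodic review
$report |
    Sort-Object @{ Expression = 'HighRisk'; Descending = $true }, Role |
    Format-Table -AutoSize
```

Group assignments are reported as the group, not its members; expand groups separately (for example with Get-MgGroupMember) when the review needs individual names.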