9. Access Control & User Roles

Understand administrator roles, collection-scoped users, and access delegation.

CertKit is designed for teams of all sizes, from small engineering groups to large multi-tenant enterprises and Managed Service Providers (MSPs). To ensure security and adhere to the principle of least privilege, CertKit supports granular, role-based access control (RBAC).

This page details user scopes, administrative roles, and how to manage team permissions.

User Roles and Scopes

CertKit distinguishes between account-level administrators and collection-scoped team members.

1. Account Administrators

Account Administrators have unrestricted access across the entire CertKit organization:

  • Global Configuration: Can manage billing, configure SAML 2.0 Single Sign-On (SSO), and register global external ACME Issuers (CAs).
  • Team Management: Can invite new users, modify roles, and revoke team access.
  • Full Visibility: Automatically have read/write access to every Certificate Collection, monitored domain, and agent in the organization.
  • MSP Management: If MSP mode is enabled, administrators can create, edit, and delete client sub-accounts.

2. Collection-Scoped Users

Access for non-admin team members is restricted to specific Certificate Collections:

  • Isolation: Collection-Scoped Users can only see and interact with Collections they have been explicitly granted access to. Other Collections remain invisible to them.
  • Internal Control: Within their authorized Collections, they can add/edit certificates, add domains, deploy agents, write custom templates, and execute manual issuances.
  • Restricted Access: They cannot view billing information, alter account-level SSO/MFA policies, register account-level ACME Issuers, or manage other users.

Managing Team Access

Account Administrators can manage team roles and permissions from the Account Settings panel.

Inviting Users

To add a team member, navigate to Settings › Users and select Invite User:

  1. Email & Name: Provide the user’s name and login email address.
  2. Role Level: Designate them as either an Account Administrator or a User.
  3. Collection Permissions: If inviting as a standard User, check the boxes for the specific Certificate Collections they are authorized to manage.

When the user is created, CertKit generates a temporary password and dispatches an invitation email with login instructions.

Revoking and Editing Access

Administrators can update user details or collection assignments at any time:

  • Modifying Collections: Access to Collections can be added or revoked dynamically. Changes take effect on the user’s next request or dashboard refresh.
  • Disabling Accounts: Deleting a user immediately revokes their active sessions and blocks further logins.

MSP Access Delegation (Managed Accounts)

For organizations operating as Managed Service Providers (MSPs), team access is further refined to handle client tenants safely:

  • MSP Administrators: Automatically inherit administrative access across the main MSP account and all child Client Accounts.
  • MSP Staff (Non-Admins): Can be selectively assigned access to specific Client Accounts. Staff members can only switch context into client tenants to which they have been explicitly granted roles. This prevents technicians from viewing client data outside their scope of responsibility.
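
The role model described on this page (Account Administrators, Collection-Scoped Users, MSP delegation), written out as a deny-by-default authorization check. This is an added illustration, not CertKit code or its API: the action names, account names, and data structures are hypothetical, and it assumes a role assigned to MSP staff in a client account is either "admin" or "user".

```python
from dataclasses import dataclass, field

# Hypothetical action names, grouped the way the page groups capabilities.
ACCOUNT_ACTIONS = {"view_billing", "configure_sso", "register_acme_issuer",
                   "manage_users", "manage_client_accounts"}
COLLECTION_ACTIONS = {"edit_certificate", "add_domain", "deploy_agent",
                      "write_template", "issue_manually"}

# Constructed sample tenancy: one MSP account with two client accounts.
MSP_ACCOUNT = "msp-main"
CLIENT_ACCOUNTS = {"client-a", "client-b"}

@dataclass
class User:
    home: str                       # account the user was invited into
    admin: bool = False             # Account Administrator in the home account
    collections: set = field(default_factory=set)      # (account, collection) grants
    client_roles: dict = field(default_factory=dict)   # client account -> "admin"/"user"

def role_in(user, account):
    """Effective role of `user` in `account`; None means no access at all."""
    if account == user.home:
        return "admin" if user.admin else "user"
    if user.home == MSP_ACCOUNT and account in CLIENT_ACCOUNTS:
        # MSP administrators inherit admin on every client account;
        # MSP staff get only the roles explicitly assigned to them.
        return "admin" if user.admin else user.client_roles.get(account)
    return None

def is_allowed(user, action, account, collection=None):
    """Deny by default; allow only what the role model explicitly grants."""
    role = role_in(user, account)
    if role is None:
        return False
    if role == "admin":
        return action in ACCOUNT_ACTIONS | COLLECTION_ACTIONS
    # Collection-scoped user: collection-level actions in granted Collections only.
    return action in COLLECTION_ACTIONS and (account, collection) in user.collections

if __name__ == "__main__":
    tech = User(MSP_ACCOUNT, client_roles={"client-a": "user"},
                collections={("client-a", "web")})
    for args in [("deploy_agent", "client-a", "web"), ("deploy_agent", "client-b", "web"),
                 ("view_billing", "client-a")]:
        print(args, is_allowed(tech, *args))
```

A table of expected allow/deny results like the one in the demo loop doubles as an access-review checklist when roles or Collection assignments change.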