Certificate Management: pki_admin does not have access to modify fields on unique certificate records

janelleeckert
Tera Contributor

We are working to implement Certificate Inventory and Management in the near future. In testing, we've run into a challenge.

 

Users with role sn_disco_certmgmt.pki_admin are unable to modify allowed fields on the unique certificate records (cmdb_ci_certificate). Specifically - assignment group (change group) and renewal tracking.  These fields are greyed out for PKI admin users.  With the admin role, these fields are available to be modified.

 

I have reviewed ACLs (write ACL has this role defined), UI policy (none defined) and client scripts (found nothing relevant).

 

Has anyone else run into a similar problem?  

 

  • sn_disco_certmgmt.pki_admin: This role can change non-standard attributes that are not present in the original certificate record such as state, status, assigned to, assignment group, renewal tracking, and service type. Attributes present in certificate are not editable. The default state is installed for discovered certificates, but this role can manually change the state to other options for example, issued, installed, revoked, and retired. This role can also view various dashboards, and has read/write access to certificates and certificate tasks related to certificate Discovery. The sn_disco_certmgmt.pki_admin role contains the sn_disco_certmgmt.pki_user role.