Encryption administrators can only see the workspaces and keys for the tenant to which they belong.
Encryption administrators can:
- Create, read, and update encryption keys
- Assign the Encryption Admin role
- Remove the Encryption Admin role
Note: To unassign yourself from the encryption administrator role, have another encryption administrator unassign you. Encryption administrators cannot unassign themselves from the Encryption Admin role.
Encryption admin policy
| Resource Type | CREATE | READ | UPDATE | DELETE |
| Workspace | false | true | false | false |
| Key | true | true | true | true |
| Role Membership | true | true | false | false |
| Role | false | true | false | false |
| Policy | false | true | false | false |
| User | false | true | false | false |
| Tenant | false | true | false | false |
| DSM | false | true | false | false |
| Encryption Metadata | false | true | false | true |