Manage certificate-group access with Infinity AI
Use natural-language prompts in Infinity AI to view who has access to certificate groups and to grant a user group access to one or more certificate groups. Each operation is single-target — one user, one user group, or one certificate group per request.
To query certificate-group associations or assign certificate groups to a user group, type a prompt in Infinity AI. Infinity AI validates the request and returns a grid (for listing) or applies the change after pre-validation (for assignment).
Note: For information about querying RBAC entities,
see RBAC listing with Infinity AI. For information
about assigning roles and permissions, see Assign
permissions and roles with Infinity AI. For
information about removing roles and permissions, see
Unassign roles and permissions with Infinity
AI.
Important: Infinity AI cannot remove certificate-group
access from a user or a user group. Unassigning certificate
groups must be done in the AppViewX UI.
Overview
Infinity AI supports five certificate-group operations. Four are read-only listing prompts; the fifth grants a user group access to one or more certificate groups.
| Operation | What it does | Type |
|---|---|---|
| Get certificate groups for a user | Lists certificate groups assigned to a single user. | Read |
| Get certificate groups for a user group | Lists certificate groups assigned to a single user group. | Read |
| Get users for a certificate group | Lists users with access to a single certificate group. | Read |
| Get user groups for a certificate group | Lists user groups with access to a single certificate group. | Read |
| Assign certificate groups to a user group | Grants R or RW access on up to five certificate groups to one user group, using one consolidated access mode. | Write |
Capabilities
- Single-target prompts. Each listing prompt accepts one entity at a time (one user, one user group, or one certificate group). Each assignment prompt targets one user group.
- Pre-validation for assignment. Confirms counts, validates that all named user groups and certificate groups exist, and validates the consolidated access mode before any change is made.
- Resource handling. Assignment writes to an auto-created user-group resource. You do not create or manage the resource yourself.
- Default access mode. If you do not specify an
access mode in an assignment prompt, Infinity AI
applies
RW.
Note: If you ask for "resources" in a listing
prompt, Infinity AI interprets that as "certificate
groups". Other resource types are not returned.
Query Types
Listing prompts return a grid. Assignment prompts run pre-validation and apply the change in a single step.
Before you begin
- Know the exact name of the user, user group, or certificate group(s) you want to reference.
- For an assignment prompt, decide which access
mode (
RorRW) applies to all selected certificate groups in the request.
Run a certificate-group listing
- Open the Infinity AI pane from the platform header.
- Type a prompt that names exactly one user, user group, or certificate group, and what you want to see.
- Browse the result grid.
Assign certificate groups to a user group
- Open the Infinity AI pane from the platform header.
- Type a prompt that names the certificate group(s), the user group, and (optionally) the access mode for example, "Assign Prod_Certs and Dev_Certs to PKI_Admins with R access".
- Wait for Infinity AI to complete pre-validation. If validation fails, adjust your prompt and try again.
- Confirm the summary to apply the change.
Tip: Use exact certificate group and user
group names. Infinity AI matches names
case-insensitively, but exact names skip
disambiguation.
Sample use cases
Use these prompts as quick starting points. Each prompt maps to one of the five operations.
| Sample prompt | Operation | Supported? |
|---|---|---|
| "Show me certificate groups for user John Doe" | Get certificate groups for a user | Yes |
| "Show certificate groups for PKI_Admin user group" | Get certificate groups for a user group | Yes |
| "Show users with access to Production_Certs certificate group" | Get users for a certificate group | Yes |
| "Show user groups with access to Production_Certs" | Get user groups for a certificate group | Yes |
| "Assign Prod_Certs to PKI_Admins with RW access" | Assign certificate groups to a user group | Yes |
| "Assign Prod_Certs, Dev_Certs, Test_Certs to PKI_Admins with R access" | Assign certificate groups to a user group | Yes |
| "Assign Prod_Certs, Dev_Certs to PKI_Admins" | Assign certificate groups to a user group | Yes defaults to RW |
| "Show me certificate groups for John and Jane" | Get certificate groups for a user | No multiple users |
| "Show certificate groups with RW access for John" | Get certificate groups for a user | No access-mode filter |
| "Show certificate groups for user John or user group PKI_Admin" | Get certificate groups for a user group | No combined user and user group |
| "Show users from Production_Certs and Dev_Certs" | Get users for a certificate group | No multiple certificate groups |
| "Assign Prod_Certs with R access and Dev_Certs with RW access to PKI_Admins" | Assign certificate groups to a user group | No per-certificate-group access modes |
| "Assign 6 certificate groups to PKI_Admins" | Assign certificate groups to a user group | No exceeds limit of 5 |
| "Unassign Prod_Certs from PKI_Admins" | Unassign a certificate group | No not supported by Infinity AI |
Scenarios
The following sections describe each operation in detail, with supported and unsupported example prompts.
Scenario 1 Get certificate groups for a user
Use this when you want to see which certificate groups a single user can access.
Supported
- One user per request.
- Access-mode information is returned in the response.
Not supported
- Multiple users in one prompt.
- Filtering by access mode (R or RW).
- Direct retrieval of resources that contain the certificate group.
- Returning resource types other than certificate groups.
Example prompts
"Show me certificate groups for user John Doe"(supported)
"Show me certificate groups for John and Jane" (multiple users)
"Show me certificate groups with RW access for John" (access filtering)Scenario 2 Get certificate groups for a user group
Use this when you want to see which certificate groups a single user group can access.
Supported
- One user group per request.
- Access-mode information is returned in the response.
Not supported
- Multiple user groups in one prompt.
- Filtering by access mode (R or RW).
- Combined queries that mix a user and a user group with OR or AND.
- Direct retrieval of resources that contain the certificate group.
- Returning resource types other than certificate groups.
Example prompts
"Show certificate groups for PKI_Admin user group" (supported)
"Show certificate groups for PKI_Admin and Cert_Managers" (multiple groups)
"Show certificate groups with R access for PKI_Admin" (access filtering)
"Show certificate groups for user John or user group PKI_Admin" (OR not supported)
"Show certificate groups for user John and user group PKI_Admin"(AND not supported)Scenario 3 Get users for a certificate group
Use this when you want to see which users have access to a single certificate group.
Supported
- One certificate group per request.
- Access-mode information is returned in the response.
Not supported
- Multiple certificate groups in one prompt.
- Filtering by access mode (R or RW).
Example prompts
"Show users with access to Production_Certs certificate group"(supported)
"Show users with RW access to Production_Certs"(access filtering)
"Show users from Production_Certs and Dev_Certs" (multiple cert groups)Scenario 4 Get user groups for a certificate group
Use this when you want to see which user groups have access to a single certificate group.
Supported
- One certificate group per request.
- Access-mode information is returned in the response.
Not supported
- Multiple certificate groups in one prompt.
- Filtering by access mode (R or RW).
Example prompts
"Show user groups with access to Production_Certs" (supported)
"Show user groups with R access to Production_Certs"(access filtering)
"Show user groups from Production_Certs and Test_Certs" (multiple cert groups)Scenario 5 Assign certificate groups to a user group
Use this to grant one or more certificate groups to a single user group, with one consolidated access mode applied to every certificate group in the request.
Supported
- Up to five certificate groups in a single request.
- One user group per request.
- One consolidated access mode
(
RorRW) for every certificate group in the request.
Pre-validation
Before applying the assignment to the auto-created user-group resource, Infinity AI validates that:
- The request names one user group only.
- The request names five or fewer certificate groups.
- All certificate group names exist in the system.
- The user group name exists in the system.
- The access mode is a single, supported
consolidated value (
RorRW).
Steps
- Type a prompt that names the certificate group(s), the user group, and (optionally) the access mode.
- Wait for Infinity AI to complete pre-validation.
- Review the summary and confirm.
Example prompts
"Assign Prod_Certs to PKI_Admins with RW access"(supported)
"Assign Prod_Certs, Dev_Certs, Test_Certs to PKI_Admins with R access" (supported)
"Assign Prod_Certs, Dev_Certs to PKI_Admins" (supported, defaults to RW)
"Assign Prod_Certs with R access and Dev_Certs with RW access to PKI_Admins"(per-group modes not supported)
"Assign 6 certificate groups to PKI_Admins"(exceeds limit of 5)
"Assign CG1 with R and CG2 with RW to PKI_Admins"(per-group modes not supported)Note: When you mix per-certificate-group
access modes in one request (for example, "CG1 with
R and CG2 with RW"), Infinity AI rejects the
request. Split it into one request per access mode
instead.
Product behavior
Listing grid behavior
- Each listing prompt returns one entity type per grid (certificate groups, users, or user groups).
- Access-mode information is returned in the response.
- If your prompt uses the word "resources", Infinity AI interprets it as "certificate groups". Other resource types are not returned.
Assignment pre-validation
Pre-validation runs before any change is made. If any check fails, the operation stops with a clear explanation and no data is modified.
- Infinity AI validates only the request structure, counts, names, and the supported consolidated access mode.
- Infinity AI does not split a single request into multiple per-certificate-group access modes. If the prompt mixes access modes, the entire request is rejected.
Access-mode behavior
| Behavior | Detail |
|---|---|
| Supported access modes | R (read) or
RW
(read-write). |
| Default access mode | RW, applied when
no access mode is specified in the
prompt. |
| Scope of the access mode | The same access mode applies to every certificate group in the request. |
| Per-certificate-group access modes | Not supported. Run separate requests for different access modes. |
Auto-created user-group resource
The assignment is written to the user group's
auto-created resource (for example,
AVX_INFINITY_RESOURCE_<UserGroupName>).
Resources are managed internally only you cannot
create, modify, or delete them through Infinity
AI.
Product limitations
Per-operation limits
| Operation | Maximum per request | Notes |
|---|---|---|
| Get certificate groups for a user | 1 user | No access-mode filter. |
| Get certificate groups for a user group | 1 user group | No access-mode filter; cannot combine user and user group. |
| Get users for a certificate group | 1 certificate group | No access-mode filter. |
| Get user groups for a certificate group | 1 certificate group | No access-mode filter. |
| Assign certificate groups to a user group | 5 certificate groups, 1 user group | One consolidated access mode for the whole request. |
Unsupported operations
- Assigning a cert group to a user group Infinity AI does not validate whether the cert group is already associated with the target user group. The assignment is performed directly without duplicate checks.
- Unassigning a certificate group from a user or user group Infinity AI cannot remove certificate-group access. Use the AppViewX UI.
- Multiple users, user groups, or certificate groups in a single listing prompt.
- Filtering listing results by access mode (R or RW).
- Combined user-and-user-group queries with OR or AND when listing certificate groups.
- Direct retrieval of resources that contain a certificate group, or returning resource types other than certificate groups.
- Per-certificate-group access modes in a single assignment request.
- Assigning certificate groups to multiple user groups in a single request.
- Assigning more than five certificate groups in a single request.
Recommended workarounds
- To target multiple users, user groups, or certificate groups, run separate prompts.
- To grant different access modes for different certificate groups, run one assignment prompt per access mode (for example, one R request and one RW request).
- To remove certificate-group access, use the AppViewX UI.
