Client-Rule Associations
After a rule is created, it can be applied (linked) to one or more clients. This link is referred to as a client-rule association. The status of a client-rule association depends on the operation performed on the path.
When linking the rule with a client, specify:
• The identifier of the client.
• The identifier of the rule to link to the client.
• The key to encrypt data. For no-encryption rules, an encryption key is not needed.
• The identifier of the access policy group.

Note
• ProtectFile Admins must have ReadKey permission on encryption keys when creating a client-rule association.
• ProtectFile Users must be granted ReadKey and ExportKey permissions on encryption keys.
• DO NOT create versions of keys used by CTE UserSpace for encryption.
Creating a Client-Rule Association
To create a client-rule association:
1. Open the ProtectFile/CTE UserSpace application. The Clients page is displayed.
2. Under Client Name, click the desired client.
3. Under Rules for Client "<client-name>", click the Add a Rule to this Client link. The list of available Rules is displayed.
4. Optionally, create a new rule by clicking New Rule. You might need to scroll down the page.
5. Select the desired rule.
6. Click Forward. You might need to scroll down the page. The list of available Access Policy Groups is displayed.
7. Optionally, create a new access policy group by clicking New Access Policy Group. You might need to scroll down the page.
8. Select the desired access policy group.
9. Click Forward. The details of the client-rule association are displayed.
10. Review the association details. If anything requires a change, click Back to modify the association.
11. Click Add Rule to Client.
The client-rule association is created.
When a client-rule association is created, the operation is None and the state is Created. The operations that can be performed on a client-rule association are Encrypt, KeyRotate, and Decrypt. In case of failures, the state can be Validation Failed or Failed. The client-rule association information pulled by the client does not contain associations in the Created and Validation Failed states. For a successful cryptographic operation, the state could be Encrypted or Decrypted.

When the state is Encrypted, the AccessPolicyGroup can be modified to change the access on the path. With CTE UserSpace, you can remove the link between a client and a rule if the rule is in the Created state, or if the rule is in the Validation Failed state and the operation is Encrypt.
Cryptographic Operations and State Flow
The following table describes the flow of cryptographic operations and possible states a client-rule association goes through.
# | Operation | State | Remarks |
---|---|---|---|
1 | None | Created | A client-rule association is created. |
2 | Encrypt | In Progress | Encryption is in progress. |
2 | Encrypt | Validation Failed | Encryption failed due to validation failures. |
2 | Encrypt | Failed | Encryption failed. |
3 | None | Encrypted | Path encrypted successfully. The operation is reset. |
4 | Rotate Key | In Progress | Key rotation is in progress. |
4 | Rotate Key | Validation Failed | Key rotation failed due to validation failures. |
4 | Rotate Key | Failed | Key rotation failed. |
5 | None | Encrypted | Key rotated successfully. The operation is reset. |
6 | Decrypt | In Progress | Decryption is in progress. |
6 | Decrypt | Validation Failed | Decryption failed due to validation failures. |
6 | Decrypt | Failed | Decryption failed. |
7 | None | Decrypted | Used internally; not visible to the administrator. Decryption is successful and the client-rule association is removed. The operation is reset. |
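The following Python model is an added illustration of the operation/state flow in the table above, together with the visibility rule (the client pull omits Created and Validation Failed associations), the unlink rule for CTE UserSpace, and the key requirement for encrypting rules. It is not CipherTrust Manager or CTE UserSpace code; every class, function and field name is an assumption made for the example. The order in which operations may start (Encrypt from Created, KeyRotate and Decrypt from Encrypted) and the retry of a failed operation are inferred from the table's row order and are also assumptions.

```python
# Added illustration of the client-rule association state flow (not product code).
# Names, the allowed start states and the retry rule are assumptions for this example.
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class Operation(str, Enum):
    NONE = "None"
    ENCRYPT = "Encrypt"
    KEY_ROTATE = "KeyRotate"
    DECRYPT = "Decrypt"


class State(str, Enum):
    CREATED = "Created"
    IN_PROGRESS = "In Progress"
    VALIDATION_FAILED = "Validation Failed"
    FAILED = "Failed"
    ENCRYPTED = "Encrypted"
    DECRYPTED = "Decrypted"


# States from which each operation may be started (assumption: table row order).
STARTS_FROM = {
    Operation.ENCRYPT: {State.CREATED},
    Operation.KEY_ROTATE: {State.ENCRYPTED},
    Operation.DECRYPT: {State.ENCRYPTED},
}
# State reached when an operation completes successfully (rows 3, 5 and 7).
SUCCESS_STATE = {
    Operation.ENCRYPT: State.ENCRYPTED,
    Operation.KEY_ROTATE: State.ENCRYPTED,
    Operation.DECRYPT: State.DECRYPTED,
}
FAILURE_STATES = {State.VALIDATION_FAILED, State.FAILED}


@dataclass
class Association:
    client_id: str
    rule_id: str
    access_policy_group_id: str
    key_id: Optional[str] = None           # None is valid only for a no-encryption rule
    operation: Operation = Operation.NONE  # a new association is None / Created (row 1)
    state: State = State.CREATED
    removed: bool = False                  # set once Decrypt succeeds (row 7)

    def start(self, op: Operation) -> None:
        """Begin Encrypt, KeyRotate or Decrypt; the state becomes In Progress."""
        if self.removed:
            raise ValueError("association has been removed")
        # Assumption: the recorded operation may be retried after a failure.
        retry = self.state in FAILURE_STATES and op is self.operation
        if self.state not in STARTS_FROM[op] and not retry:
            raise ValueError(f"{op.value} cannot start from state {self.state.value}")
        self.operation, self.state = op, State.IN_PROGRESS

    def complete(self, outcome: str) -> None:
        """Record the client's result: 'ok', 'validation_failed' or 'failed'."""
        if self.state is not State.IN_PROGRESS:
            raise ValueError("no operation in progress")
        if outcome == "validation_failed":
            self.state = State.VALIDATION_FAILED   # operation stays recorded on failure
        elif outcome == "failed":
            self.state = State.FAILED
        elif outcome == "ok":
            self.state = SUCCESS_STATE[self.operation]
            if self.state is State.DECRYPTED:
                self.removed = True                # row 7: the association is removed
            self.operation = Operation.NONE        # "The operation is reset."
        else:
            raise ValueError(f"unknown outcome {outcome!r}")


def create_association(client_id: str, rule_id: str, apg_id: str,
                       key_id: Optional[str] = None, rule_encrypts: bool = True) -> Association:
    """Check the four inputs listed above and return a None / Created association."""
    if rule_encrypts and not key_id:
        raise ValueError("an encryption key is required unless the rule is a no-encryption rule")
    return Association(client_id, rule_id, apg_id, key_id)


def visible_to_client(a: Association) -> bool:
    """The information pulled by the client omits Created and Validation Failed."""
    return not a.removed and a.state not in (State.CREATED, State.VALIDATION_FAILED)


def can_unlink(a: Association) -> bool:
    """CTE UserSpace allows removing the link only in these two situations."""
    return a.state is State.CREATED or (
        a.state is State.VALIDATION_FAILED and a.operation is Operation.ENCRYPT)


def walk_table() -> List[Tuple[str, str]]:
    """Drive one association through rows 1-7 and return the (operation, state) trace."""
    a = create_association("client-01", "rule-01", "apg-01", key_id="key-01")  # constructed ids
    trace = [(a.operation.value, a.state.value)]                  # row 1
    a.start(Operation.ENCRYPT); a.complete("validation_failed")   # row 2, failure branch
    trace.append((a.operation.value, a.state.value))
    a.start(Operation.ENCRYPT); a.complete("ok")                  # row 3 (retry succeeds)
    trace.append((a.operation.value, a.state.value))
    a.start(Operation.KEY_ROTATE); a.complete("ok")               # rows 4-5
    trace.append((a.operation.value, a.state.value))
    a.start(Operation.DECRYPT); a.complete("ok")                  # rows 6-7
    trace.append((a.operation.value, a.state.value))
    return trace


if __name__ == "__main__":
    for op, st in walk_table():
        print(f"operation={op:<8} state={st}")
```

Running `walk_table()` prints the sequence None/Created, Encrypt/Validation Failed, None/Encrypted, None/Encrypted, None/Decrypted, which matches the table rows 1, 2, 3, 5 and 7. The model keeps the operation recorded on failure, which is what makes the unlink rule ("Validation Failed and the operation is Encrypt") expressible.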