Groups
A group carries with it permissions for performing specific tasks. A group also consists of a set of users and/or clients that have been authorized to perform these tasks.
The CipherTrust Manager defines Special System Users, System Defined Groups, and User Defined Groups. In addition, the CipherTrust Manager provides an option to create customized groups for CTE to control permissions on CTE resources.
Caution
It is critical that credentials of these users are kept in a secure location. If a credential is compromised, an attacker could gain access to sensitive data.
Special System Users
There are a few special system users. These are described here:
'ksadmin' user
The "ksadmin" user is a special System Administrator that can access the CipherTrust Manager via SSH or via password authentication on a physical server console port.
$ ssh ksadmin@<ip or hostname>
For public cloud providers, the SSH key used for authentication is the key used to launch the instance. For Private Cloud Images (e.g. VMware, Hyper-V), the SSH key must be replaced before the system will fully boot, which can be done via the CLI, API, or through a web browser.
The ksadmin user has permission to run a specific set of commands using sudo. These commands allow the user to troubleshoot problems on the CipherTrust Manager server, and perform upgrades. To see the list of commands that can be run with sudo, type the command sudo -l.
The duties of the System Administrator ("ksadmin" user) are:
Deploying and configuring the CipherTrust Manager:
Run cloud-init commands, refer to Plan Configuration Settings for Cloud-Init.
Run kscfg commands, refer to System Configuration Utility.
Retrieving the initial application admin user password, if configured to generate a unique password on first boot.
Troubleshooting CipherTrust Manager issues in conjunction with Thales Technical Support.
When making a support call, the System Administrator may be asked to log in to the CipherTrust Manager using ssh to retrieve CipherTrust Manager Logs.
Applying system upgrades (see System Upgrade/Downgrade).
Upgrading PCIe HSM firmware for Thales CipherTrust Manager k570 appliances.
'admin' user
Initially, there is only one Application Administrator and the name of this user is 'admin'.
Note
You can only delete the 'admin' user if another Application Administrator is present. The policy engine enforces that at least one Application Administrator exists at all times to prevent lockouts.
An 'admin' user, and all other Application Administrators if created, are responsible for:
Creating and managing Users and Groups
Configuring the CipherTrust Manager ports and licenses
Viewing audit logs
Managing backups
Administrating clusters
Adding other users to the 'admin' group
Note
A user that is not in the "admin" group is known as an Application User. An Application User must also be part of the System Defined 'Key Users Group' to create and manage their keys. Refer to the 'Key Users' group.
The Application Administrator can also perform all duties of the Application User.
'Global' user
The 'Global' user exists to support specific NAE-XML functionality for compatibility with SafeNet KeySecure Classic and should not be deleted or modified.
System Defined Groups
System Defined Groups exist on CipherTrust Manager at launch time. Each System Defined Group carries with it permissions to perform specific tasks.
Note
For NAE requests, the System Defined Groups can be masked by modifying the NAE interface using the ksctl utility. For details, refer to To create/modify the NAE interface to mask system groups from NAE requests.
System Defined Groups are:
'admin' group
There is a System Defined Group named "admin". Users within the "admin" group are referred to as Application Administrators. Application Administrators have full privileges and are able to perform any operation via the REST API, CLI, NAE-XML or GUI interface.
Note
Initially, there is only one Application Administrator and the name of this user is “admin”. If there is only one Application Administrator, this user cannot be deleted. The policy engine enforces that at least one Application Administrator exists at all times to prevent lockouts.
An Application Administrator is responsible for:
Creating and managing Users and Groups
Configuring the CipherTrust Manager ports and licenses
Viewing audit logs
Managing backups
Administrating clusters
Adding other users to the 'admin' group
The Application Administrator can also perform all duties of the Application User.
'All Clients' group
A client, upon successful registration with CipherTrust Manager, is made a member of All Clients group. These clients have permissions to:
enroll with their respective CipherTrust Manager services, namely CTE, ProtectFile, and ProtectV.
'Application Data Protection Admins' group
There is a group named "Application Data Protection Admins". Users within this group are Application Data Protection Administrators.
The Application Data Protection Administrator is responsible for creating and managing resources in the Application Data Protection tile:
Defining application, including
configuring connector settings
configuring protection policy
creating user sets
configuring access policies
creating character set
'Application Data Protection Clients' group
There is a group named "Application Data Protection Clients". The users who are part of this group only have read access to the Application Data Protection tile resources.
'Audit Admins' group
Users who belong to "Audit Admins" group are audit records administrators. These users have permissions to:
View audit records
'Backup Admins' group
Backup Administrators have permissions to:
create backups
create backup keys
'CA Admins' group
CA Administrators have permissions to:
create Certificate Authorities on the CipherTrust Manager
manage Certificate Authorities on the CipherTrust Manager
'Domain Admins' group
Domain Administrators have permissions to:
list the domains for a specific account
create a domain
access information about a domain
delete a domain
'CCKM Admins' group
There is a System Defined Group named "CCKM Admins". Users within the "CCKM Admins" group are CCKM Administrators. Additionally, the "CCKM Admins" need the Key Users, Connection Admins, and User Admins permissions to perform key operations on the supported clouds.
A CCKM Administrator is responsible for creating and managing the following resources:
AWS KMS Accounts, AWS Keys, AWS Custom Key Stores
Azure Key Vaults, Azure Subscriptions, and Azure Keys
Luna HSM Partitions, Luna Keys
DSM Domains, DSM Keys
Google Cloud Projects, Key Rings, and Keys
Google EKM endpoints
Salesforce Organizations, Tenant Secrets
SAP Groups, SAP Keys
CCKM Schedules
CCKM Reports
'CCKM Users' group
There is a System Defined Group named "CCKM Users". CCKM users registered with the CipherTrust Manager are part of this group. Additionally, the "CCKM Users" need the Key Users permissions to perform key operations on the supported clouds. They also need custom key store permissions to manage AWS custom key stores.
Client Admins
There is a System Defined Group named "Client Admins". Users within the "Client Admins" group can perform some administrative tasks on the CipherTrust Manager Clients.
Client Administrators have permissions to:
Read a client
Delete a client
Renew a client
Manage KMIP client administration
Connection Admins
There is a System Defined Group named "Connection Admins". Users within the "Connection Admins" group are Connection Manager Administrators.
Connection Manager Administrators have permissions to:
Create connections with third party servers and services such as AWS, Azure, DSM, Google Cloud Platform (GCP), Hadoop, Luna SA HSM, SCP, Server Message Block (SMB), or Salesforce.
Read, delete, or update the connections.
Test an already created connection.
Test a new connection with the connection parameters.
'CTE Admins' group
There is a System Defined Group named "CTE Admins". Users within the "CTE Admins" group are CTE Administrators.
A CTE Administrator is responsible for creating and managing the following resources:
Clients and client groups
Profiles, policy elements, and policies
GuardPoints
Client registration tokens (with additional rights of System Defined Group named "CA Admins")
Note
Only users of the "CTE Admins" group can delete CTE keys.
'CTE Clients' group
There is a System Defined Group named "CTE Clients". CTE clients registered with the CipherTrust Manager are part of this group.
'DDC Admins' group
DDC Administrators can create and manage all DDC resources. For example, they can:
Create and manage branch locations, classification profiles, data stores, and scans
Configure, run, and view reports
View sensitivity levels
Manage Hadoop configuration
Decrypt scan packages coming from databases
'DDC Infotype Admins' group
DDC Infotype Admins can view and edit custom infotypes.
'DDC Infotype Viewers' group
DDC Infotype viewers can view custom infotypes.
'DDC Full Reports Admins' group
DDC Full Report Administrators can:
Create, view, and run reports
View available data stores
View available scans
View available classification profiles
View available sensitivity levels
View branch locations
'DDC Reports Admins' group
DDC Reports Administrators can:
Create, view, and run reports
View available data stores
View available scans
View available sensitivity levels
'DDC L3 Support' group
DDC L3 Support Administrators can help identify and troubleshoot issues you may encounter when using DDC. They can decrypt scan packages coming from databases.
'DDC Profiles Admins' group
DDC Profile Administrators can:
Create and manage classification profiles
View available scans
'DDC Profiles Viewer' group
DDC Profile Viewers can only view available classification profiles.
'DDC Scans Admins' group
DDC Scan Administrators can:
Create and manage scans
View available classification profiles
View available data stores
'DDC Scans Viewer' group
DDC Scan Viewers can only view available scans.
'DDC Stores Admins' group
DDC Store Administrators can create and manage:
Data stores
Branch locations
'DDC Stores Viewers' group
DDC Store Viewers can only view available:
Data stores
Sensitivity levels
Branch locations
'Domain Backup Admins' group
Domain Backup Admins have permissions to:
create domain-scoped backups
create domain backup keys
'Domain Restore Admins' group
Domain Restore Admins have permissions to:
restore domain-scoped backups
read and restore domain backup keys
'HSM Admins' group
HSM Administrators have permissions to:
configure an HSM for the CipherTrust Manager
manage an HSM for the CipherTrust Manager
'Key Admins' group
Key Administrators have permissions to manage keys on the system. They can:
create or modify their own keys
perform key management operations on keys created by all users on the system
'Key Users' group
Users that are not in the "admin" group are Application Users. An Application User must also be part of the System Defined 'Key Users' group for permission to do the following:
create keys
perform operations with any key they own or to which they have been granted access
manage KMIP client administration
'License Admins' group
'License Admins' can manage product licensing. They have permissions to:
View licenses
Add new licenses
Delete licenses
Enable/disable the trial evaluation
'Migration Split Key Admins' group
Users who belong to this group manage the migration split keys required for Data Security Manager migration. These users can:
create or delete migration split keys
create, delete, or modify migration split key shares
'Read-Only Admins' group
This group's purpose is to allow members to access and monitor all CipherTrust Manager systems without the ability to change them. A Read-Only Admin can list all objects of a given resource type, retrieve details about a particular resource, view statuses, and download logs.
'Restore Admins' group
Restore Administrators have permissions to:
restore backups
read and restore backup keys
'System Admins' group
Members of the 'System Admins' group have permissions to configure the following:
Interfaces
LDAP connections
Logging
NTP
Instance
Cluster
Licenses
Do not confuse members of this group with the 'ksadmin', the System Administrator who is responsible for deploying the CipherTrust Manager server using an SSH connection or the console port on a physical appliance. For more information on the 'ksadmin' refer to 'ksadmin' user.
'User Admins' group
User Administrators have permissions to create users and groups. They can:
Create other sub-administrator users, for example, policy administrator, key administrator, etc., and regular users
Assign users to most groups.
Note
Only an existing member of the 'admin' group can assign another user to this group.
'ProtectAPP Users' Group
The 'ProtectAPP Users' group allows CipherTrust Manager users to list the registration token needed to register ProtectApp clients. These tokens enable users to register ProtectApp clients successfully.
'ProtectDB Users' group
There is a System Defined Group named "ProtectDB Users". Users within this group can perform the following ProtectDB operations:
Configuring databases
Managing database connections
Managing database tables
Managing user mappings
'ProtectFile Administrator' group
There is a System Defined Group named "ProtectFile Admins". Users within the "ProtectFile Admins" group are ProtectFile Administrators.
Note
CTE UserSpace also uses the 'ProtectFile Administrator' group.
A ProtectFile Administrator is responsible for creating and managing the following ProtectFile resources:
Client profiles and clients
Network shares, and share-clients and share-rules associations
Clusters, and cluster-clients and cluster-rules associations
Access policies, access policy groups, and their associations
Rules and client-rule associations
Client Registration Tokens (with additional rights of System Defined Group named "CA Admins")
'ProtectFile User' group
There is a System Defined Group named "ProtectFile Users". CipherTrust Manager clients enrolled for ProtectFile are part of this group.
Note
CTE UserSpace also uses the 'ProtectFile User' group.
'ProtectV Administrator' group
There is a System Defined Group named "ProtectV Admins". Users within this group are ProtectV Administrators.
A ProtectV Administrator is responsible for:
Managing ProtectV server settings
Managing ProtectV clients and their instances
Managing Client Registration Tokens (with additional rights of System Defined Group named "CA Admins")
'ProtectV Client' group
There is a System Defined Group named "ProtectV Clients". CipherTrust Manager clients enrolled for ProtectV are part of this group.
'ProtectV User' group
There is a System Defined Group named "ProtectV Users". Users within this group can manage ProtectV clients and their instances. This user can be common for all clients or different for each client.
User Defined Groups
User Defined Groups are created by Application Administrators. Application Administrators can:
create and delete User Defined Groups
add users to a User Defined Group
remove users from a User Defined Group
Administrators may use groups solely for organizing users, or may create Policies that use group membership to assign other permissions.
Adding group permissions to keys grants users in a User Defined Group the privileges to perform operations with those keys. The semantics of the NAE-XML requests and the permissions they grant to keys are identical to SafeNet KeySecure Classic.
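The rules stated on this page (an Application Administrator has full privileges, the last Application Administrator can never be deleted, an Application User needs 'Key Users' membership to create keys or use keys, and a permission granted to a User Defined Group on a key applies to that group's members) can be captured in a small authorization model. The following Python is an added illustration written for this page, not CipherTrust Manager code: the class, method, user and key names are constructed, and the owner and ACL bookkeeping is a simplified stand-in for the product's policy engine.

```python
from dataclasses import dataclass, field

# Names of the two System Defined Groups the model relies on (from the page).
ADMIN_GROUP = "admin"
KEY_USERS_GROUP = "Key Users"


class PolicyError(Exception):
    """Raised when an operation would break a rule the policy engine enforces."""


@dataclass
class Directory:
    """Constructed stand-in for the CipherTrust Manager user/group database."""
    users: dict = field(default_factory=dict)      # user name -> set of group names
    key_owner: dict = field(default_factory=dict)  # key name -> owning user
    key_acls: dict = field(default_factory=dict)   # key name -> {group -> set of perms}

    def add_user(self, name, groups=()):
        self.users[name] = set(groups)

    def add_to_group(self, name, group):
        self.users[name].add(group)

    def application_administrators(self):
        return {u for u, groups in self.users.items() if ADMIN_GROUP in groups}

    def delete_user(self, name):
        # Rule from the page: at least one Application Administrator exists at all times.
        if self.application_administrators() == {name}:
            raise PolicyError(f"cannot delete {name!r}: last Application Administrator")
        del self.users[name]

    def create_key(self, user, key):
        # Rule from the page: an Application User must be in 'Key Users' to create keys.
        if not self.can(user, "create_key"):
            raise PolicyError(f"{user!r} is not in {KEY_USERS_GROUP!r}; cannot create keys")
        self.key_owner[key] = user

    def grant_key_permission(self, key, group, perm):
        # "Adding group permissions to keys" grants the group's members that operation.
        self.key_acls.setdefault(key, {}).setdefault(group, set()).add(perm)

    def can(self, user, action, key=None):
        groups = self.users[user]
        if ADMIN_GROUP in groups:
            return True                        # Application Administrator: full privileges
        if action == "create_key":
            return KEY_USERS_GROUP in groups   # Application User needs 'Key Users'
        if key is None or KEY_USERS_GROUP not in groups:
            return False                       # key operations also require 'Key Users'
        if self.key_owner.get(key) == user:
            return True                        # a key the user owns
        acl = self.key_acls.get(key, {})       # or a key a group of theirs was granted
        return any(action in acl.get(g, set()) for g in groups)


def demo():
    """Exercise each rule on constructed users; returns the outcomes as a dict."""
    d = Directory()
    d.add_user("admin", [ADMIN_GROUP])
    d.add_user("alice", [KEY_USERS_GROUP])
    d.add_user("bob", [KEY_USERS_GROUP, "eng"])   # 'eng' is a User Defined Group
    d.add_user("carol")                           # Application User outside 'Key Users'
    d.create_key("alice", "k1")
    d.grant_key_permission("k1", "eng", "encrypt")
    results = {
        "alice_encrypt_own_key": d.can("alice", "encrypt", key="k1"),
        "bob_encrypt_via_eng": d.can("bob", "encrypt", key="k1"),
        "bob_decrypt_via_eng": d.can("bob", "decrypt", key="k1"),
        "carol_create_key": d.can("carol", "create_key"),
        "admin_decrypt": d.can("admin", "decrypt", key="k1"),
    }
    try:
        d.delete_user("admin")
        results["last_admin_deleted"] = True
    except PolicyError:
        results["last_admin_deleted"] = False
    d.add_user("admin2", [ADMIN_GROUP])
    d.delete_user("admin")                        # allowed once another admin exists
    results["admin_deleted_after_second_admin"] = "admin" not in d.users
    return results


if __name__ == "__main__":
    for rule, outcome in demo().items():
        print(f"{rule}: {outcome}")
```

Running the module prints one line per rule; `carol_create_key` is False until she is added to 'Key Users', and `last_admin_deleted` is False because the model refuses to remove the only Application Administrator.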
Groups are stored in CipherTrust Manager's internal database.
Managing User Defined Groups
Using the GUI, REST API or the CLI, an Application Administrator can create a User Defined Group and add users/clients to this group. The following are examples using the CLI:
To create a new User Defined Group called "eng":
$ ksctl groups create -n eng
The response looks like:
{
"name": "eng",
"created_at": "2018-04-27T21:15:36.644959Z",
"updated_at": "2018-04-27T21:15:36.644959Z"
}
To add a user to the new User Defined Group "eng":
You specify the group name and the ID of a user that you previously created.
$ ksctl groups adduser -n eng -u "<id of user>"
The response looks like:
{
"name": "eng",
"created_at": "2018-05-02T16:47:51.248735Z",
"updated_at": "2018-05-02T17:24:20.015915Z"
}
Customized Groups for CTE
Create CTE groups to provide granular permissions to users on specific CTE resources or all permissions on all resources. A CipherTrust Manager administrator can create, modify, and delete custom CTE groups on the CipherTrust Manager GUI.
For example, the CipherTrust Manager administrator can create a group of users who have only read permissions on the CTE resources. Similarly, the administrator can create another group of users who can perform all operations except the delete operations on the CTE resources.
Refer to Permissions for the complete list of permissions required to perform operations on CTE resources.
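A custom CTE group is, in effect, a table of CTE resource types and the permissions granted on each. As an added example (written for this page, not CipherTrust Manager code), the following Python models such a group, builds the two groups described above (read-only on all CTE resources, and everything except delete) plus the "Select All Resources & Permissions" case, and reports which permissions a group still lacks for a given operation. The resource type and permission names in `CTE_PERMISSIONS` are placeholders: the real set is in the Permissions reference this page refers to.

```python
# Placeholder catalogue of CTE resource types and the permissions defined on each.
# Constructed for this example; the product's Permissions reference has the real list.
CTE_PERMISSIONS = {
    "clients":     {"read", "create", "update", "delete"},
    "policies":    {"read", "create", "update", "delete"},
    "guardpoints": {"read", "create", "update", "delete"},
}


class CustomCTEGroup:
    """Resource type -> set of permissions, as chosen on the CTE Permissions screen."""

    def __init__(self, name):
        self.name = name
        self.grants = {}

    def grant(self, resource, perms):
        """Grant permissions on one resource type, validating both names first."""
        if resource not in CTE_PERMISSIONS:
            raise ValueError(f"unknown CTE resource type {resource!r}")
        unknown = set(perms) - CTE_PERMISSIONS[resource]
        if unknown:
            raise ValueError(f"no such permission(s) on {resource}: {sorted(unknown)}")
        self.grants.setdefault(resource, set()).update(perms)
        return self

    def select_all(self):
        """Equivalent of enabling 'Select All Resources & Permissions'."""
        for resource, perms in CTE_PERMISSIONS.items():
            self.grant(resource, perms)
        return self

    def allows(self, resource, perm):
        return perm in self.grants.get(resource, set())

    def lacks(self, resource, required):
        """Permissions still missing for an operation that needs all of `required`."""
        return set(required) - self.grants.get(resource, set())


def read_only_group(name="cte-readers"):
    """Group with only read permission on every CTE resource type."""
    group = CustomCTEGroup(name)
    for resource in CTE_PERMISSIONS:
        group.grant(resource, {"read"})
    return group


def all_but_delete_group(name="cte-operators"):
    """Group that may perform every operation except delete on every resource type."""
    group = CustomCTEGroup(name)
    for resource, perms in CTE_PERMISSIONS.items():
        group.grant(resource, perms - {"delete"})
    return group


if __name__ == "__main__":
    for group in (read_only_group(), all_but_delete_group(),
                  CustomCTEGroup("cte-admins").select_all()):
        for resource, perms in sorted(group.grants.items()):
            print(f"{group.name}: {resource} -> {sorted(perms)}")
```

The `lacks` check is the useful part when designing a group: given the permission set an operation requires, it tells you exactly which grants to add, and `grant` rejects typos in resource or permission names before they reach the group definition.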
Creating Customized Groups for CTE
Create custom CTE groups to provide granular permissions to users on specific CTE resources or all permissions on all resources. The CipherTrust Manager administrator can create custom CTE groups on the CipherTrust Manager GUI.
To add a custom CTE group:
Log on to the CipherTrust Manager GUI.
In the left pane, click Access Management > Groups.
Click Create New Group. The General Info screen of the Create New Group wizard is displayed.
General Info
Enter a Name for the group.
Enable CTE Resource Permissions.
Click Next. The CTE Permissions screen is displayed.
CTE Permissions
Add granular permissions to users on specific CTE resources or all permissions on all resources. Refer to Permissions for the complete list of permissions required to perform operations on CTE resources.
Add the permissions:
To grant all permissions on all resources:
Enable Select All Resources & Permissions.
Click Next.
To grant granular permissions on specific resources:
From the Resource Type drop-down list, select the resource you want to grant permission on. The field displays the available CTE resources.
From the Permissions drop-down list, select single, multiple, or all permissions. The field displays the available permissions for the selected resource. To grant all the available permissions, select Select All.
To add permissions on more resources, click Add More Permissions. Add permissions for as many resources as required.
To remove a permission, click the remove icon next to it.
Click Next. The Assign Members screen is displayed.
Assign Members
This screen displays the available members with their user IDs. Select the members you want to add to the custom CTE group.
Select the members. To select all displayed members, select the check box under the Search by Name search field.
Click Next. The Review screen is displayed.
Review
This screen shows the group details that you have provided. These details are divided into GENERAL INFO, CTE PERMISSIONS, and ASSIGN MEMBERS sections.
Before adding the group, review all the provided details. After the group is added, certain features will no longer be editable.
Review the group details displayed on the screen.
If details are incorrect or you want to make any changes, click Back and make changes, as appropriate.
Alternatively, you can click the Edit links next to the GENERAL INFO, CTE PERMISSIONS, and ASSIGN MEMBERS sections to make changes.
Click Add Group. The group is successfully created.
Click Close.
The Groups list shows the newly created custom CTE group.
Modifying Custom CTE Groups
After a custom CTE group is created, the CipherTrust Manager administrator can modify it to add new members or remove existing members.
To modify a custom CTE group:
Log on to the CipherTrust Manager GUI.
In the left pane, click Access Management > Groups. The list of available groups is displayed.
Under Name, click the group you want to modify. The edit view of the group is displayed.
Under Members of the <group-name> group:
Click Remove next to the members you want to remove from the group.
Click Add next to the members you want to add to the group. The Member check box is selected for the member.
Deleting Custom CTE Groups
The CipherTrust Manager administrator can delete custom CTE groups.
To delete a custom CTE group:
Log on to the CipherTrust Manager GUI.
In the left pane, click Access Management > Groups. The list of available groups is displayed.
Click the ellipsis icon corresponding to the group you want to delete.
Click Delete. A message appears stating that deleting a group may affect the permissions of users within the group.
Click Delete to confirm the action.
The group is deleted and removed from the Groups list.