Managing SAP Groups
This section describes how to manage SAP groups on CCKM. Before proceeding, a connection to your SAP account must exist on the CipherTrust Manager. Refer to Connection Manager for details.
After the connection is configured, you can add groups to the CipherTrust Manager. SAP groups can be added, viewed, modified, or deleted on the SAP Data Custodian Groups page.
Adding Existing SAP Groups
You can add existing groups linked to a SAP connection to the CipherTrust Manager. An existing group can be added only once.
To add an existing SAP group:
Open the Cloud Key Manager application.
In the left pane, click KMS Containers > SAP Groups. The Groups tab of the SAP Data Custodian Groups page is displayed.
Click Add Existing Groups. The Add SAP Data Custodian Group screen is displayed.
Select the desired Connection from the drop-down list. The list of existing groups linked with the selected connection is displayed, showing the Group Name, Application, and Created By of each group.
Under Group Name, select the desired groups.
Click Save.
The selected group is displayed on the SAP Data Custodian Groups page. Now, you can manage the group from CCKM on the CipherTrust Manager.
The group is available to upload SAP keys and view SAP reports.
Viewing SAP Data Custodian Groups
The Groups tab of the SAP Data Custodian Groups page shows the list of groups added to the CipherTrust Manager. Search for the groups by Group Name, Created By, or Region.
To view the list of groups added to the CipherTrust Manager:
Open the Cloud Key Manager application.
In the left pane, click KMS Containers > SAP Groups. The Groups tab of the SAP Data Custodian Groups page shows the list of groups added to the CipherTrust Manager.
The page displays the following details:
Column: Description
Group Name: Name of the group.
Region: Region of the group.
Application: Name of the SAP application.
Connection: Name of the SAP connection added to the CipherTrust Manager.
Created By: Name of the SAP user who created the group.
Tenant: Name of the SAP tenant. For SAP Technical Users (TUs), the field remains blank.
Last Refreshed: Date and time when the group was last refreshed.
To view/hide columns, click the Customize View icon, select/clear the desired option, and click OK to display the column.
Refreshing SAP Groups
Refreshing downloads the keys created in SAP groups to CCKM. You can refresh keys from individual SAP groups or from all SAP groups.
Refreshing Specific SAP Groups
To refresh a group:
Open the Cloud Key Manager application.
In the left pane, click KMS Containers > SAP Groups.
On the Groups tab, click the overflow icon corresponding to the desired group and click Refresh Now.
A message Refresh started... is displayed on the screen. To cancel the refresh, click Cancel Refresh.
The refreshed keys are listed on the Cloud Keys > SAP > SAP Keys page. Refer to Viewing SAP Keys for details.
Refreshing All SAP Groups
To refresh all SAP groups:
Open the Cloud Key Manager application.
In the left pane, click KMS Containers > SAP Groups.
On the Groups tab, click Refresh All. A message This may take a while... is displayed.
Note
Refreshing all groups is a time-intensive operation that could take several hours or days to complete. It will continue running in the background.
Click Refresh All to continue.
A message Refresh started... is displayed on the screen. To cancel the refresh, click Cancel Refresh.
The refreshed keys are listed on the Cloud Keys > SAP > SAP Keys page. Refer to Viewing SAP Keys for details.
Viewing Details of a Group
To view the details of a group on CCKM:
Open the Cloud Key Manager application.
In the left pane, click KMS Containers > SAP Groups.
On the Groups tab, click the Group Name link of the desired group.
Alternatively, click the overflow icon corresponding to the desired group, and click View/Edit Details.
The edit view of the SAP Data Custodian Groups page shows additional details of the selected group under the ACCESS CONTROL and GENERAL INFO sections. Expand each section to view more details.
Changing the SAP Connection
To change the SAP connection of a group:
Expand GENERAL INFO.
From the Connection ID drop-down list, select the SAP connection.
Click Update.
The connection of the SAP group is changed.
Managing User Permissions on SAP Groups
To work with the SAP cloud, users/groups must have the minimum set of permissions that allow them to use the SAP resources such as keys and groups. Initially, the CCKM user only has permission to view the keys. However, if required, the CCKM administrator can grant and revoke permissions.
Note
Only users who are members of the CCKM Users group will be granted permissions to perform operations on SAP groups.
Users with the following characteristics can perform operations for SAP keys and SAP groups:
Users in the CCKM Admins group
Users in the Admin group
Users who are administrators for a domain
Users who are in the CCKM Users group and who have had a CCKM Admin assign permissions through the UI or the /v1/cckm/sap/groups/{id}/update-acls endpoint in the REST API.
Adding Permissions for a User/Group
To add permissions for a user/group:
Open the Cloud Key Manager application.
In the left pane, click KMS Containers > SAP Groups.
On the Groups tab, click the Group Name link of the desired group.
Alternatively, click the overflow icon corresponding to the desired group, and click View/Edit.
Expand the ACCESS CONTROL section.
Click Assign User/Group. The Assign User/Group dialog box is displayed.
Select the desired user or group from the User/Group drop-down list.
Click Save.
The newly added user/group is displayed under Name in the ACCESS CONTROL section. You can now grant additional permissions to the user/group, as appropriate. Refer to Granting Permission to Perform an Operation for details.
Allowed Operations
CCKM allows the following operations on SAP groups:
View Keys, Add Native Key, Add BYOK Key, Edit Key
Rotate Key, Delete Key, Delete Key Backup, Remove Key, Restore Key
Rotate to Native Key, Rotate to BYOK Key, Synchronize Key
Granting Permission to Perform an Operation
To grant permissions to the user or group to perform any of the above-mentioned operations:
In the ACCESS CONTROL section, select the check box under the desired operation corresponding to the desired users or groups.
Click Update.
A success message is displayed on the screen.
To revoke permissions from a user/group, refer to Removing a Permission for details.
Removing a Permission
To remove a permission assigned to a user or group:
In the ACCESS CONTROL section, clear the check box under the desired operation corresponding to the desired users or groups.
Click Update.
A success message is displayed on the screen.
Removing Permission from a User/Group
To remove current permissions assigned to the user/group:
In the ACCESS CONTROL section, under Unassign, click the X button corresponding to the desired user/group.
On the Remove User / Remove Group screen, click Remove.
Note
Removing this user/group will remove all permissions currently assigned to the user/group.
Click Remove to confirm the action. To cancel the action, click Keep It.
A success message is displayed on the screen.
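The following added example is not part of the product documentation or of CCKM. It shows a periodic least-privilege review of the permissions granted under ACCESS CONTROL, using the operation names from Allowed Operations and the CCKM Users membership rule stated above. The record layout, field names, sample users, and the choice of which operations count as destructive are assumptions made for illustration.

```python
# Operation names are taken from the "Allowed Operations" list on this page.
ALLOWED_OPERATIONS = {
    "View Keys", "Add Native Key", "Add BYOK Key", "Edit Key",
    "Rotate Key", "Delete Key", "Delete Key Backup", "Remove Key",
    "Restore Key", "Rotate to Native Key", "Rotate to BYOK Key",
    "Synchronize Key",
}
# Assumption: the reviewer treats these as destructive and wants few holders.
DESTRUCTIVE = {"Delete Key", "Delete Key Backup", "Remove Key"}

# Constructed sample records; the field names are hypothetical, not a CCKM
# export format. "Purge Key" is deliberately not a documented operation.
SAMPLE_ACLS = [
    {"sap_group": "finance-keys", "user": "alice", "operations": ["View Keys"]},
    {"sap_group": "finance-keys", "user": "bob",
     "operations": ["View Keys", "Rotate Key", "Delete Key"]},
    {"sap_group": "hr-keys", "user": "carol",
     "operations": ["View Keys", "Purge Key"]},
    {"sap_group": "hr-keys", "user": "dave",
     "operations": ["View Keys", "Remove Key", "Delete Key Backup"]},
]
SAMPLE_CCKM_USERS = {"alice", "bob", "carol"}  # constructed group membership


def review_acls(acls, cckm_users, max_destructive_holders=1):
    """Return a sorted list of (sap_group, user, finding) tuples."""
    findings = []
    holders_by_group = {}
    for entry in acls:
        group, user = entry["sap_group"], entry["user"]
        ops = set(entry["operations"])
        unknown = ops - ALLOWED_OPERATIONS
        if unknown:  # typo or stale name in the review input
            findings.append((group, user,
                             "unknown operation: " + ", ".join(sorted(unknown))))
        if user not in cckm_users:  # page: only CCKM Users members get grants
            findings.append((group, user, "not a member of CCKM Users"))
        held = ops & DESTRUCTIVE
        if held:
            findings.append((group, user,
                             "destructive: " + ", ".join(sorted(held))))
            holders_by_group.setdefault(group, set()).add(user)
    for group, holders in holders_by_group.items():
        if len(holders) > max_destructive_holders:
            findings.append((group, "*", "%d users hold destructive operations"
                             % len(holders)))
    return sorted(findings)
```

Findings from a run such as `review_acls(SAMPLE_ACLS, SAMPLE_CCKM_USERS)` map directly onto the Removing a Permission and Removing Permission from a User/Group procedures above.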
Removing SAP Groups
SAP groups can be removed on the SAP Data Custodian Groups page. Search for existing groups using Group Name or Created By.
To remove a group from CCKM:
Open the Cloud Key Manager application.
In the left pane, click KMS Containers > SAP Groups.
On the Groups tab, click the overflow icon corresponding to the group you want to remove.
Click Delete.
Select I wish to delete the SAP Group.
Click Delete.
The SAP group is deleted successfully. The group is removed from the list of SAP Data Custodian groups.