Concepts
Keys
A key is used to perform cryptographic operations on data . The key is created, stored, and managed on the CipherTrust Manager.
Data Migration
Data migration is the process of encrypting data, altering existing tables so that they can store the resulting ciphertext, and creating views and triggers so that the existing applications can seamlessly and automatically encrypt new data and request decrypted data when needed.
Multi Domain
When a domain is created and a user becomes part of domain, a user can access resources (such as keys and alias name) of domain. One user can be part of multiple domains and a user can switch between the domains. By default, root domain is created. A user who is part of a domain can view/access only the database connections created under that particular domain.
Creating a CipherTrust Manager User
To create a CipherTrust Manager user:
Log on to the CipherTrust Manager GUI.
Click to expand Access Management.
Click the Users tab on the left. The Users page is displayed.
On the Users page, click Add User.
On the Add User in Domain <dom1> screen, enter the details and click Add User.
Creating User Defined Group
To create a user defined group in CipherTrust Manager:
Log on to the CipherTrust Manager GUI.
Click to expand Access Management.
Click the Groups tab in the left pane. A page with existing groups is displayed.
Click Create New Group. The Create New Group wizard is displayed. Follow the steps to complete the setup.
c. Review
Add general info
In the Name filed, enter a group name.
Click Next to go to the Assign Members screen.
Assign members
From the list of available options, select the members who will be the part of the group.
Click Next to go to the Review screen.
Review
On the Review screen, verify the group details.
To modify any field, click Edit and update details.
Click Add Group.
Click Close to exit the wizard.
Mapping CipherTrust Manager Users to Group
To map a CipherTrust Manager user to a group:
Log on to the CipherTrust Manager GUI.
Click to expand Access Management.
Click the Groups tab in the left pane.
Click the group with which the CipherTrust Manager user is to be mapped.
From the list of available users, select the name of the user to be mapped to the group and click Add.
Mapping Key to Group
A key can be created and mapped to a group. A group can have various permissions such as encrypt and decrypt on a key. For more information, refer to the NAE-XML Interface Development Guide.
Mapping CipherTrust Manager User to Database User
The user mapping can be done using any of the following interfaces:
API Playground
pdbctl Utility
CipherTrust Manager's GUI
Setting Up Role Based Permission
The CipherTrust Manager allows its users to set the group policies (permissions) with keys (using the CDP client in remote mode only). The users associated with the group can perform encryption/decryption as per the permission set for the group. During encryption and decryption, CDP will behave as per the permissions set for the group.
This section explains how to map a database user to the CipherTrust Manager user which is also mapped to access policy set for a group. The group with encryption/decryption permission is mapped to a key.
For example, create two database users dbusr1
and dbsur2
and map them to the CipherTrust Manager user so that dbusr1
has only insert permission and dbusr2
has only select/delete data on the database tables.
Perform the following steps in the given order:
Create two users
encUser
anddecUser
. Refer to Creating a CipherTrust Manager User.Create two groups
encryptGroup
anddecryptGroup
. Refer to Creating User Defined Group in CipherTrust Manager.Map
encUser
toencryptGroup
anddecUser
todecryptGroup
. Refer to Mapping CipherTrust Manager Users to Group.Create key and assign encrypt permissions to
encryptGroup
and decrypt permission todecryptGroup
. Refer to Mapping Key to Group.Create the database connection.
Map
encUser
todbusr1
anddecUser
todbusr2
. After the mapping is done,dbusr1
will have only insert permission anddbusr2
will have only select/delete permissions on the database table.