Group Mapping
Group maps extend the group-based configuration of CipherTrust Manager users to Lightweight Directory Access Protocol (LDAP) or OpenID Connect (OIDC) groups on an Access Management LDAP or OIDC connection. A group map associates an LDAP or OIDC group belonging to a specific connection with a CipherTrust Manager group; a member of the external group inherits the permissions of the mapped CipherTrust Manager group.
For example, an LDAP group can be mapped to the system-defined `Key Users` group so that the LDAP group's members can create keys and encrypt data. Alternatively, an LDAP or OIDC group can be mapped to a newly created CipherTrust Manager group on which group-based key permissions are then configured.
Connection Requirements
To set up group maps, the LDAP or OIDC connection must be configured with information to find a given user's group membership on the authentication server. LDAP connections require six fields to allow group maps. OIDC connections require a group claim to allow group maps.
Note
Group maps apply only to the Access Management LDAP and OIDC connections. They do not apply to LDAP or OIDC connections created through the Connection Manager.
Create a Group Map
1. Log in to CipherTrust Manager as admin or as another user in the User Admins group.
2. Navigate to Access Management > Groups.
3. Click the desired group name.
4. Click + Add Group Map.
5. Provide the following configuration details:
   Strategy - select ldap or oidc from the drop-down menu.
   Connection Name - select the desired LDAP or OIDC connection from the drop-down menu.
   Connection Group Name - type the name of the LDAP or OIDC group exactly as the authentication server reports it.
6. Click Add Group Map to confirm.
View and Delete Group Maps for a Group
1. Log in to CipherTrust Manager as admin or as another user in the User Admins group.
2. Navigate to Access Management > Groups.
3. Click the desired group name.
4. View the currently mapped groups under Connection groups mapped to the <CipherTrust Manager group name> group.
5. If desired, delete a group map by clicking the trash can icon to the right of the group map row. Members of that connection group lose the permissions of the CipherTrust Manager group once the map is removed.
Example Use Cases
The following examples illustrate how group maps are used. The examples use LDAP groups, but OIDC groups work the same way in these scenarios.
Making All Users in a Specific LDAP Group Members of Key Users Group
Assume that there is an LDAP connection named bababini containing a group named IT, and that all users in the IT group should be able to create keys. This is achieved by creating a group map from the LDAP IT group to the built-in CipherTrust Manager 'Key Users' group:
1. Log in to CipherTrust Manager as admin or as another user in the User Admins group.
2. Navigate to Access Management > Groups.
3. Click the 'Key Users' group name.
4. Click + Add Group Map.
5. Provide the following configuration details:
   Strategy - select ldap from the drop-down menu.
   Connection Name - select the bababini connection from the drop-down menu.
   Connection Group Name - type in IT.
6. Click Add Group Map to confirm.
Users in the LDAP group IT on the bababini connection can now create keys. A group named IT on any other connection is not affected, because a group map is bound to one connection.
Two LDAP Groups Share Keys
Assume that there is an LDAP connection named bababini containing two groups, IT and Engineering, and that cryptographic keys should be shared between the two LDAP groups. This is achieved with the following steps:
1. Create a user-defined group on CipherTrust Manager called it-engg-shared-keys.
2. Create cryptographic keys and grant all users in the it-engg-shared-keys group access to those keys.
3. Create a group map between IT and it-engg-shared-keys:
   a. Click the it-engg-shared-keys group name.
   b. Click + Add Group Map.
   c. Provide the following configuration details:
      Strategy - select ldap from the drop-down menu.
      Connection Name - select the bababini connection from the drop-down menu.
      Connection Group Name - type in IT.
   d. Click Add Group Map to confirm.
4. Create a group map between Engineering and it-engg-shared-keys:
   a. Click the it-engg-shared-keys group name.
   b. Click + Add Group Map.
   c. Provide the following configuration details:
      Strategy - select ldap from the drop-down menu.
      Connection Name - select the bababini connection from the drop-down menu.
      Connection Group Name - type in Engineering.
   d. Click Add Group Map to confirm.
Users in both LDAP groups can now use every key whose permissions grant access to the it-engg-shared-keys group. Neither group map grants membership of Key Users, so members who are not otherwise in that group can use the shared keys but cannot create new ones.
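To make the two scenarios above concrete, the following Python model shows how a group map is resolved against the group membership an authentication server reports for a user, and what that resolution means for key creation and key access. It is an added example for this page, not CipherTrust Manager code: the GroupMap and ExternalUser types, the function names, the hr-ldap and corp-oidc connection names and the user names are assumptions constructed for the illustration. The bababini connection, the IT and Engineering groups, and the Key Users and it-engg-shared-keys groups are taken from the examples above.

```python
"""Model of group-map resolution for the two use cases on this page.

Added illustration, not CipherTrust Manager code. Types, function names,
and the sample users/connections other than bababini are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class GroupMap:
    """One group map as configured under Access Management > Groups."""
    strategy: str          # "ldap" or "oidc"
    connection: str        # Access Management connection the map is bound to
    connection_group: str  # group name as reported by the authentication server
    cm_group: str          # CipherTrust Manager group the map points to


@dataclass(frozen=True)
class ExternalUser:
    """A user authenticated through an LDAP or OIDC connection, together with
    the group names the connection returned for that user (LDAP group lookup
    or the OIDC group claim)."""
    strategy: str
    connection: str
    username: str
    groups: frozenset


def effective_groups(user: ExternalUser, group_maps: list) -> set:
    """CipherTrust Manager groups the user is a member of through group maps.

    A map matches only when strategy, connection name and connection group
    name all agree (exact string match is an assumption of this model), so
    'IT' on bababini and 'IT' on any other connection are distinct groups.
    """
    return {
        m.cm_group
        for m in group_maps
        if m.strategy == user.strategy
        and m.connection == user.connection
        and m.connection_group in user.groups
    }


def can_create_keys(user: ExternalUser, group_maps: list) -> bool:
    """Use case 1: key creation requires membership of Key Users."""
    return "Key Users" in effective_groups(user, group_maps)


def can_access_key(user: ExternalUser, group_maps: list, key_groups: set) -> bool:
    """Use case 2: a key is usable when one of the groups its permissions
    grant access to is among the user's effective groups."""
    return bool(effective_groups(user, group_maps) & set(key_groups))


def maps_for_group(cm_group: str, group_maps: list) -> set:
    """What the 'Connection groups mapped to ...' view lists for a group."""
    return {
        (m.strategy, m.connection, m.connection_group)
        for m in group_maps
        if m.cm_group == cm_group
    }


# Group maps from the two use cases above (constructed to match the text).
GROUP_MAPS = [
    GroupMap("ldap", "bababini", "IT", "Key Users"),
    GroupMap("ldap", "bababini", "IT", "it-engg-shared-keys"),
    GroupMap("ldap", "bababini", "Engineering", "it-engg-shared-keys"),
]

# Permissions of the shared keys created in use case 2 (constructed).
SHARED_KEY_GROUPS = {"it-engg-shared-keys"}

# Constructed sample users. carol and dave show the per-connection binding:
# the same group name on another LDAP connection, or an OIDC group claim on a
# connection that has no oidc map, resolves to nothing.
ALICE = ExternalUser("ldap", "bababini", "alice", frozenset({"IT"}))
BOB = ExternalUser("ldap", "bababini", "bob", frozenset({"Engineering"}))
CAROL = ExternalUser("ldap", "hr-ldap", "carol", frozenset({"IT"}))
DAVE = ExternalUser("oidc", "corp-oidc", "dave", frozenset({"IT", "Engineering"}))

if __name__ == "__main__":
    for user in (ALICE, BOB, CAROL, DAVE):
        print(user.username, sorted(effective_groups(user, GROUP_MAPS)),
              "create keys:", can_create_keys(user, GROUP_MAPS),
              "shared keys:", can_access_key(user, GROUP_MAPS, SHARED_KEY_GROUPS))
    print(sorted(maps_for_group("it-engg-shared-keys", GROUP_MAPS)))
```

The point to check when auditing a deployment is the one the model makes explicit: a group map is keyed on strategy, connection and group name together, so a group called IT on a second LDAP connection, or an OIDC token whose group claim carries IT, grants nothing unless a map exists for that exact connection. Mapping only to it-engg-shared-keys grants key use without key creation, which is the least-privilege split the second use case relies on.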