Groups

A group carries with it permissions for performing specific tasks. A group also consists of a set of users and/or clients that have been authorized to perform these tasks.

The CipherTrust Manager defines Special System Users, System Defined Groups, and User Defined Groups. In addition, the CipherTrust Manager provides an option to create customized groups for CTE to control permissions on CTE resources.

Assign a User to a Group

1. Log in to CipherTrust Manager as a user in the admin or User Admins group.

2. Navigate to Access Management > Users.

3. Click the desired Username in the table to view the user details.

4. Expand the Group Memberships section.

5. Click Add Group.

6. Enable the checkbox for any desired group(s). You can search for a group by name.

7. Click Add Group to confirm.

Special System Users

There are a few special system users. These are described here:

'ksadmin' user

The "ksadmin" user, is a specialized operating system administrator that can access the CipherTrust Manager via SSH or via password authentication on a physical server console port.

$ ssh ksadmin@<ip or hostname>

For public cloud providers, the SSH key used for authentication is the key used to launch the instance. For Private Cloud Images (e.g. VMware, Hyper-V), the SSH key must be replaced before the system will fully boot, which can be done via the CLI, API, or through a web browser.

The ksadmin user has permission to run a specific set of commands using sudo. These commands allow the user to troubleshoot problems on the CipherTrust Manager server, and perform upgrades. To see the list of commands that can be run with sudo, type the command sudo -l.

The duties of the System Administrator ("ksadmin" user) are:

• Deploying and configuring the CipherTrust Manager:

  • Run cloud-init commands, refer to Plan Configuration Settings for Cloud-Init.

  • Run kscfg commands, refer to System Configuration Utility.

• Retrieving the initial application admin user password, if configured to generate a unique password on first boot.

• Troubleshooting CipherTrust Manager issues in conjunction with Thales Technical Support.

  When making a support call, the System Administrator may be asked to log in to the CipherTrust Manager using ssh to retrieve CipherTrust Manager Logs.

• Applying system upgrades (see System Upgrade/Downgrade).

• Upgrading PCIe HSM firmware for Thales CipherTrust Manager k570 appliances.

'admin' user

Initially, there is only one Application Administrator and the name of this user is 'admin'.

An 'admin' user, and all other Application Administrators if created, are responsible for:

• Creating and managing Users and Groups

• Configuring the CipherTrust Manager ports and licenses

• Viewing audit logs

• Managing backups

• Administrating clusters

• Adding other users to the 'admin' group

The Application Administrator can also perform all duties of the Application User.

'Global' user

The 'Global' user exists to support specific NAE-XML functionality for compatibility with SafeNet KeySecure Classic and should not be deleted or modified.

System Defined Groups

System Defined Groups exist on CipherTrust Manager at launch time. Each System Defined Group carries with it permissions to perform specific tasks.

System Defined Groups are:

'admin' group

There is a System Defined Group named "admin". Users within the "admin" group are referred to as Application Administrators. Application Administrators have full privileges and are able to perform any operation via the REST API, CLI, NAE-XML or GUI interface.

An Application Administrator is responsible for:

• Creating and managing Users and Groups

• Configuring the CipherTrust Manager ports and licenses

• Viewing audit logs

• Managing backups

• Administrating clusters

• Adding other users to the 'admin' group

The Application Administrator can also perform all duties of the Application User.

'All Clients' group

A client, upon successful registration with CipherTrust Manager, is made a member of All Clients group. These clients have permissions to:

• enroll with their respective CipherTrust Manager services.

'Audit Admins' group

Users who belong to "Audit Admins" group are audit records administrators. These users have permissions to:

• View audit records

'Backup Admins' group

Backup Administrators have permissions to:

• create backups

• create backup keys

'CA Admins' group

CA Administrators have permissions to:

• create Certificate Authorities on the CipherTrust Manager

• manage Certificate Authorities on the CipherTrust Manager

• generate Certificate Signing Requests (CSRs)

'Domain Admins' group

Domain Administrators have permissions to:

• list the domains for a specific account

• create a domain

• access information about a domain

• delete a domain

'CCKM Admins' group

There is a System Defined Group named "CCKM Admins". Users within the "CCKM Admins" group are CCKM Administrators. Additionally, the "CCKM Admins" need the Key Users, Connection Admins, and User Admins permissions to perform key operations on the supported clouds.

A CCKM Administrator is responsible for creating and managing the following resources:

• AWS KMS Accounts, AWS Keys, AWS Custom Key Stores

• Azure Key Vaults, Azure Subscriptions, and Azure Keys

• Luna HSM Partitions, Luna Keys

• DSM Domains, DSM Keys

• Google Cloud Projects, Key Rings, and Keys

• Google EKM endpoints

• Salesforce Organizations, Tenant Secrets

• SAP Groups, SAP Keys

• CCKM Schedules

• CCKM Reports

'CCKM Users' group

There is a System Defined Group named "CCKM Users". CCKM users registered with the CipherTrust Manager are part of this group. Additionally, the "CCKM Users" need the Key Users permissions to perform key operations on the supported clouds. As well, they need custom key store permissions to manage AWS custom key stores.

Client Admins

There is a System Defined Group named "Client Admins". Users within the "Client Admins" group can perform some administrative tasks on the CipherTrust Manager Clients.

Client Administrators have permissions to:

• Read a client

• Delete a client

• Renew a client

• Manage KMIP client administration

• Manage client profiles

• Manage registration tokens

Connection Admins

There is a System Defined Group named "Connection Admins". Users within the "Connection Admins" group are Connection Manager Administrators.

Connection Manager Administrators have permissions to:

• Create connections with third party servers and services such as AWS, Azure, DSM, Google CLoud Platform (GCP) Cloud, Hadoop, Luna SA HSM, SCP, Server Message Block (SMB), or Salesforce.

• Read, delete, or update the connections.

• Test an already created connection.

• Test a new connection with the connection parameters.

'CTE Admins' group

There is a System Defined Group named "CTE Admins". Users within the "CTE Admins" group are CTE Administrators.

A CTE Administrator is responsible for creating and managing the following resources:

• Clients and client groups

• Profiles, policy elements, and policies

• GuardPoints

• Client registration tokens (with additional rights of System Defined Group named "CA Admins" and "Client Admins")

'CTE Clients' group

There is a System Defined Group named "CTE Clients". CTE clients registered with the CipherTrust Manager are part of this group.

'DDC Admins' group

DDC Administrators can create and manage all DDC resources. For example, they can:

• Create and manage branch locations, classification profiles, data stores, and scans

• Configure, run, and view reports

• View sensitivity levels

• Manage Hadoop configuration

• Decrypt scan packages coming from databases

'DDC Infotype Admins' group

DDC Infotype Admins can view and edit custom infotypes.

'DDC Infotype Viewers' group

DDC Infotype viewers can view custom infotypes.

'DDC Full Reports Admins' group

DDC Full Report Administrators can:

• Create, view, and run reports

• View available data stores

• View available scans

• View available classification profiles

• View available sensitivity levels

• View branch locations

'DDC Reports Admins' group

DDC Reports Administrators can:

• Create, view, and run reports

• View available data stores

• View available scans

• View available sensitivity levels

'DDC L3 Support' group

DDC L3 Support Administrators can help identify and troubleshoot issues you may encounter when using DDC. They can decrypt scan packages coming from databases.

'DDC Profiles Admins' group

DDC Profile Administrators can:

• Create and manage classification profiles

• View available scans

'DDC Profiles Viewer' group

DDC Profile Viewers can only view available classification profiles.

'DDC Scans Admins' group

DDC Scan Administrators can:

• Create and manage scans

• View available classification profiles

• View available data stores

'DDC Scans Viewer' group

DDC Scan Viewers can only view available scans.

'DDC Stores Admins' group

DDC Store Administrators can create and manage:

• Data stores

• Branch locations

'DDC Stores Viewers' group

DDC Store Viewers can only view available:

• Data stores

• Sensitivity levels

• Branch locations

'Domain Backup Admins' group

Domain Backup Admins have permissions to:

• create domain-scoped backups

• create domain backup keys

'Domain Restore Admins' group

Domain Restore Admins have permissions to:

• restore domain-scoped backups

• read and restore domain backup keys

'HSM Admins' group

HSM Administrators have permissions to:

• configure an HSM for the CipherTrust Manager

• manage an HSM for the CipherTrust Manager

'Key Admins' group

Key Administrators have permissions to managing keys on the system. They can:

• create or modify their own keys

• perform key management operations on keys created by all users on the system

'Key Users' group

Users that are not in the "admin" group are Application Users. An Application User must also be part of the System Defined 'Key Users' group for permission to do the following:

• create keys

• perform operations with any key they own or to which they have been granted access

• manage KMIP client administration

'License Admins' group

'License Admins' can manage product licensing. They have permissions to:

• View licenses

• Add new licenses

• Delete licenses

• Enable/disable the trial evaluation

'Migration Split Key Admins' group

Users who belong to this group manage the migration split keys required for Data Security Manager migration. These users can:

• create or delete migration split keys

• create, delete, or modify migration split key shares

'Read-Only Admins' group

This group's purpose is to allow members to access and monitor all CipherTrust Manager systems without the ability to change them. A Read-Only Admin can list all objects of a given resource type, retrieve details about a particular resource, view statuses, and download logs.

'Restore Admins' group

Restore Administrators have permissions to:

• restore backups

• read and restore backup keys

'System Admins' group

Members of the 'System Admins' group have permissions to configure the following:

• Interfaces

• LDAP and OIDC connections

• Logging

• NTP

• Instance

• Cluster

• Licenses

Do not confuse members of this group with the 'ksadmin', the System Administrator who is responsible for deploying the CipherTrust Manager server using an SSH connection or the console port on a physical appliance. For more information on the 'ksadmin' refer to 'ksadmin' user.

'User Admins' group

User Administrators have permissions to create users and groups. They can:

• Create other sub-administrator users, for example, policy administrator, key administrator, etc., and regular users

• Assign users to most groups.

'ProtectAPP Users' Group

The 'ProtectAPP Users' group allow CipherTrust Manager users to list the registration token needed to register ProtectApp clients. These tokens enable users to successfully register ProtectAPP clients.

'ProtectDB Users' group

There is a System Defined Group named "ProtectDB Users". Users within this group can perform the following ProtectDB operations:

• Configuring databases

• Managing database connections

• Managing database tables

• Managing user mappings

'ProtectFile Administrator' group

There is a System Defined Group named "ProtectFile Admins". Users within the "ProtectFile Admins" group are ProtectFile Administrators.

A ProtectFile Administrator is responsible for creating and managing the following ProtectFile resources:

• Client profiles and clients

• Network shares, and share-clients and share-rules associations

• Clusters, and cluster-clients and cluster-rules associations

• Access policies, access policy groups, and their associations

• Rules and client-rule associations

• Client Registration Tokens (with additional rights of System Defined Group named "CA Admins" and "Client Admins")

'ProtectFile User' group

There is a System Defined Group named "ProtectFile Users". CipherTrust Manager clients enrolled for ProtectFile are part of this group.

User Defined Groups

User Defined Groups are created by Application Administrators. Application Administrators can:

• create and delete User Defined Groups

• add users to a User Defined Group

• remove users from a User Defined Group

Administrators may use groups solely for organizing users, or may create policies that use group membership to assign other permissions.

Adding group permissions to keys grants users in a User Defined Group the privileges to perform operations with those keys. The semantics of the NAE-XML requests and the permissions they grant to keys are identical to SafeNet KeySecure Classic.

Groups are stored in CipherTrust Manager's internal database.

Managing User Defined Groups

Using the GUI, REST API or the CLI, an Application Administrator can create a User Defined Group and add users/clients to this group. The following are examples using the CLI:

To create a new User Defined Group called "eng" :

$ ksctl groups create -n eng

The response looks like:

{
        "name": "eng",
        "created_at": "2018-04-27T21:15:36.644959Z",
        "updated_at": "2018-04-27T21:15:36.644959Z"
}

To add a user to the new User Defined Group "eng":

You specify the group name and the ID of a user that you previously created.

$ ksctl groups adduser –n eng –u “<id of user>”

The response looks like:

    {
        "name": "eng",
        "created_at": "2018-05-02T16:47:51.248735Z",
        "updated_at": "2018-05-02T17:24:20.015915Z"
    }

Customized Groups for CTE

Create CTE groups to provide granular permissions to users on specific CTE resources or all permissions on all resources. A CipherTrust Manager administrator can create, modify, and delete custom CTE groups on the CipherTrust Manager GUI.

For example, the CipherTrust Manager administrator can create a group of users who have only read permissions on the CTE resources. Similarly, the administrator can create another group of users who can perform all operations except the delete operations on the CTE resources.

Refer to Permissions for the complete list of permissions required to perform operations on CTE resources.

Creating Customized Groups for CTE

Create custom CTE groups to provide granular permissions to users on specific CTE resources or all permissions on all resources. The CipherTrust Manager administrator can create custom CTE groups on the CipherTrust Manager GUI.

To add a custom CTE group:

1. Log on to the CipherTrust Manager GUI.

2. In the left pane, click Access Management > Groups.

3. Click Create New Group. The General Info screen of the Create New Group wizard is displayed.

General Info

1. Enter a Name for the group.

2. Enable CTE Resource Permissions.

3. Click Next. The CTE Permissions screen is displayed.

CTE Permissions

Add granular permissions to users on specific CTE resources or all permissions on all resources. Refer to Permissions for the complete list of permissions required to perform operations on CTE resources.

1. Add the permissions:

   To grant all permissions on all resources:

   1. Enable Select All Resources & Permissions.

   2. Click Next.

   To grant granular permissions on specific resources:

   1. From the Resource Type drop-down list, select the resource you want to grant permission on. The field displays the available CTE resources.

   2. From the Permissions drop-down list, select single, multiple, or all permissions. The field displays the available permissions for the selected resource. To grant all the available permissions, select Select All.

      To add permissions on more resources, click Add More Permissions. Add permissions for as many resources as required.

      To remove a permission, click .

2. Click Next. The Assign Members screen is displayed.

Assign Members

This screen displays the available members with their user IDs. Select the members you want to add to the custom CTE group.

1. Select the members. To select all displayed members, select the check box under the Search by Name search field.

2. Click Next. The Review screen is displayed.

Review

This screen shows the group details that you have provided. These details are divided into GENERAL INFO, CTE PERMISSIONS, and ASSIGN MEMBERS sections.

Before adding the group, review all the provided details. After the group is added, certain features will no longer be editable.

1. Review the group details displayed on the screen.

   If details are incorrect or you want to make any changes, click Back and make changes, as appropriate.

   Alternatively, you can click the Edit links next to the GENERAL INFO, CTE PERMISSIONS, and ASSIGN MEMBERS sections to make changes.

2. Click Add Group. The group is successfully created.

3. Click Close.

The Groups list shows the newly created custom CTE group.

Modifying Custom CTE Groups

After a custom CTE group is created, the CipherTrust Manager administrator can modify it to add new members or remove existing members.

To modify a custom CTE group:

1. Log on to the CipherTrust Manager GUI.

2. In the left pane, click Access Management > Groups. The list of available groups is displayed.

3. Under Name, click the group you want to modify. The edit view of the group is displayed.

4. Under Members of the <group-name> group:

   • Click Remove next to the members you want to remove from the group.

   • Click Add next to the members you want to add to the group. The Member check box is selected for the member.

Deleting Custom CTE Groups

The CipherTrust Manager administrator can delete custom CTE groups.

To delete a custom CTE group:

1. Log on to the CipherTrust Manager GUI.

2. In the left pane, click Access Management > Groups. The list of available groups is displayed.

3. Click the ellipsis icon () corresponding to the group you want to delete.

4. Click Delete. A message appear stating that deleting a group may effect the permissions of users within the group.

5. Click Delete to confirm the action.

The group is deleted and removed from the Groups list.