Groups

A group carries with it permissions for performing specific tasks. A group also consists of a set of users and/or clients that have been authorized to perform these tasks.

The CipherTrust Manager defines Special System Users, System Defined Groups, and User Defined Groups.

Special System Users

There are a few special system users. These are described here:

'ksadmin' user

The "ksadmin" user, is a special System Administrator that can access the CipherTrust Manager via SSH or via password authentication on a physical server console port.

$ ssh ksadmin@<ip or hostname>

For public cloud providers, the SSH key used for authentication is the key used to launch the instance. For Private Cloud Images (e.g. VMware, Hyper-V), the SSH key must be replaced before the system will fully boot, which can be done via the CLI, API, or through a web browser.

The ksadmin user has permission to run a specific set of commands using sudo. These commands allow the user to troubleshoot problems on the CipherTrust Manager server, and perform upgrades. To see the list of commands that can be run with sudo, type the command sudo -l.

The duties of the System Administrator ("ksadmin" user) are:

• Deploying and configuring the CipherTrust Manager:

  • Run cloud-init commands, refer to [Plan Configuration Settings for Cloud-Init]({filename}/pages/get_started/deployment/virtual-deployment/cloud-init-config/.md.

  • Run kscfg commands, refer to System Configuration Utility.

• Retrieving the initial application admin user password, if configured to generate a unique password on first boot.

• Troubleshooting CipherTrust Manager issues in conjunction with Thales Technical Support.

When making a support call, the System Administrator may be asked to log in to the CipherTrust Manager using ssh to retrieve CipherTrust Manager Logs.

• Applying system upgrades (see System Upgrade/Downgrade.

'admin' user

Initially, there is only one Application Administrator and the name of this user is 'admin'. The 'admin' user is a special user who cannot be deleted and who will always have access to all resources. This is enforced by the policy engine to prevent accidental lockouts.

An 'admin' user, and all other Application Administrators if created, are responsible for:

• Creating and managing Users and Groups

• Configuring the CipherTrust Manager ports and licenses

• Viewing audit logs

• Managing backups

• Administrating clusters

The Application Administrator can also perform all duties of the Application User.

'Global' user

The 'Global' user exists to support specific NAE-XML functionality for compatibility with SafeNet KeySecure Classic and should not be deleted or modified.

System Defined Groups

System Defined Groups exist on CipherTrust Manager at launch time. Each System Defined Group carries with it permissions to perform specific tasks.

System Defined Groups are:

'admin' group

There is a System Defined Group named "admin". Users within the "admin" group are referred to a Application Administrators. Application Administrators have full privileges and are able to perform any operation via the REST API, CLI, NAE-XML or GUI interface.

An Application Administrator is responsible for:

• Creating and managing Users and Groups

• Configuring the CipherTrust Manager ports and licenses

• Viewing audit logs

• Managing backups

• Administrating clusters

The Application Administrator can also perform all duties of the Application User.

'All Clients' group

A client, upon successful registration with CipherTrust Manager, is made a member of All Clients group. These clients have permissions to:

• enroll with their respective CipherTrust Manager services, namely CTE, ProtectFile, and ProtectV.

'Audit Admins' group

Users who belong to "Audit Admins" group are audit records administrators. These users have permissions to:

• View audit records

'Backup Admins' group

Backup Administrators have permissions to:

• create backups

• create backup keys

'CA Admins' group

CA Administrators have permissions to:

• create Certificate Authorities on the CipherTrust Manager

• manage Certificate Authorities on the CipherTrust Manager

'Domain Admins' group

Domain Administrators have permissions to:

• list the domains for a specific account

• create a domain

• access information about a domain

• delete a domain

'CCKM Admins' group

There is a System Defined Group named "CCKM Admins". Users within the "CCKM Admins" group are CCKM Administrators. Additionally, the "CCKM Admins" need the Key Users, Connection Admins, and User Admins permissions to perform key operations on the supported clouds.

A CCKM Administrator is responsible for creating and managing the following resources:

• AWS KMS Accounts, AWS Keys

• Azure Key Vaults, Azure Subscriptions, and Azure Keys

• Luna HSM Partitions, Luna Keys

• DSM Domains, DSM Keys

• Google Cloud Projects, Key Rings, and Keys

• CCKM Schedules

• CCKM Reports

'CCKM Users' group

There is a System Defined Group named "CCKM Users". CCKM users registered with the CipherTrust Manager are part of this group. Additionally, the "CCKM Users" need the Key Users permissions to perform key operations on the supported clouds.

Client Admins

There is a System Defined Group named "Client Admins". Users within the "Client Admins" group can perform some administrative tasks on the CipherTrust Manager Clients.

Client Administrators have permissions to:

• Read a client

• Delete a client

• Renew a client

• Manage KMIP client administration

Connection Admins

There is a System Defined Group named "Connection Admins". Users within the "Connection Admins" group are Connection Manager Administrators.

Connection Manager Administrators have permissions to:

• Create connections with third party servers and services such as AWS, Azure, DSM, Google CLoud Platform (GCP) Cloud, Hadoop, Luna SA HSM, SCP, Server Message Block (SMB), or Salesforce.

• Read, delete, or update the connections.

• Test an already created connection.

• Test a new connection with the connection parameters.

'CTE Admins' group

There is a System Defined Group named "CTE Admins". Users within the "CTE Admins" group are CTE Administrators.

A CTE Administrator is responsible for creating and managing the following resources:

• Clients and client groups

• Profiles, policy elements, and policies

• GuardPoints

• Client registration tokens (with additional rights of System Defined Group named "CA Admins")

'CTE Clients' group

There is a System Defined Group named "CTE Clients". CTE clients registered with the CipherTrust Manager are part of this group.

'DDC Admins' group

DDC Administrators can create and manage all DDC resources. For example, they can:

• Create and manage branch locations, classification profiles, data stores, and scans

• Configure, run, and view reports

• View sensitivity levels

• Manage Hadoop configuration

• Decrypt scan packages coming from databases

'DDC Infotype Admins' group

DDC Infotype Admins can view and edit custom infotypes.

'DDC Infotype Viewers' group

DDC Infotype viewers can view custom infotypes.

'DDC Full Reports Admins' group

DDC Full Report Administrators can:

• Create, view, and run reports

• View available data stores

• View available scans

• View available classification profiles

• View available sensitivity levels

• View branch locations

'DDC Reports Admins' group

DDC Reports Administrators can:

• Create, view, and run reports

• View available data stores

• View available scans

• View available sensitivity levels

'DDC L3 Support' group

DDC L3 Support Administrators can help identify and troubleshoot issues you may encounter when using DDC. They can decrypt scan packages coming from databases.

'DDC Profiles Admins' group

DDC Profile Administrators can:

• Create and manage classification profiles

• View available scans

'DDC Profiles Viewer' group

DDC Profile Viewers can only view available classification profiles.

'DDC Scans Admins' group

DDC Scan Administrators can:

• Create and manage scans

• View available classification profiles

• View available data stores

'DDC Scans Viewer' group

DDC Scan Viewers can only view available scans.

'DDC Stores Admins' group

DDC Store Administrators can create and manage:

• Data stores

• Branch locations

'DDC Stores Viewers' group

DDC Store Viewers can only view available:

• Data stores

• Sensitivity levels

• Branch locations

'Domain Backup Admins' group

Domain Backup Admins have permissions to:

• create domain-scoped backups

• create domain backup keys

'Domain Restore Admins' group

Domain Restore Admins have permissions to:

• restore domain-scoped backups

• read and restore domain backup keys

'HSM Admins' group

HSM Administrators have permissions to:

• configure an HSM for the CipherTrust Manager

• manage an HSM for the CipherTrust Manager

'Key Admins' group

Key Administrators have permissions to managing keys on the system. They can:

• create or modify their own keys

• perform key management operations on keys created by all users on the system

'Key Users' group

Users that is not in the "admin" group are Application Users. An Application User must also be part of the System Defined 'Key Users' group for permission to do the following:

• create keys

• perform operations with any key they own or to which they have been granted access

• manage KMIP client administration

'Migration Split Key Admins' group

Users who belong to this group manage the migration split keys required for Data Security Manager migration. These users can:

• create or delete migration split keys

• create, delete, or modify migration split key shares

'Read-Only Admins' group

This group's purpose is to allow members to access and monitor all CipherTrust Manager systems without the ability to change them. A Read-Only Admin can list all objects of a given resource type, retrieve details about a particular resource, view statuses, and download logs.

'Restore Admins' group

Restore Administrators have permissions to:

• restore backups

• read and restore backup keys

'System Admins' group

Members of the 'System Admin' group have permissions to configure the following:

• Interfaces

• LDAP connections

• Logging

• NTP

• Instance

• Cluster

Do not confuse members of this group with the 'ksadmin', the System Administrator who is responsible for deploying the CipherTrust Manager server using an SSH connection or the console port on a physical appliance. For more information on the 'ksadmin' refer to 'ksadmin' user.

'User Admins' group

User Administrators have permissions to create users and groups. They can:

• Create other sub-administrator users, for example, policy administrator, key administrator, etc., and regular users

• Assign users to the 'admin' group

'ProtectAPP Users' Group

The 'ProtectAPP Users' group allow CipherTrust Manager users to list the registration token needed to register ProtectApp clients. These tokens enable users to successfully register ProtectAPP clients.

'ProtectDB Users' group

There is a System Defined Group named "ProtectDB Users". Users within this group can perform the following ProtectDB operations:

• Configuring databases

• Managing database connections

• Managing database tables

• Managing user mappings

'ProtectFile Administrator' group

There is a System Defined Group named "ProtectFile Admins". Users within the "ProtectFile Admins" group are ProtectFile Administrators.

A ProtectFile Administrator is responsible for creating and managing the following ProtectFile resources:

• Client profiles and clients

• Network shares, and share-clients and share-rules associations

• Clusters, and cluster-clients and cluster-rules associations

• Access policies, access policy groups, and their associations

• Rules and client-rule associations

• Client Registration Tokens (with additional rights of System Defined Group named "CA Admins")

'ProtectFile User' group

There is a System Defined Group named "ProtectFile Users". CipherTrust Manager clients enrolled for ProtectFile are part of this group.

'ProtectV Administrator' group

There is a System Defined Group named "ProtectV Admins". Users within this group are ProtectV Administrators.

A ProtectV Administrator is responsible for:

• Managing ProtectV server settings

• Managing ProtectV clients and their instances

• Managing Client Registration Tokens (with additional rights of System Defined Group named "CA Admins")

'ProtectV Client' group

There is a System Defined Group named "ProtectV Clients". CipherTrust Manager clients enrolled for ProtectV are part of this group.

'ProtectV User' group

There is a System Defined Group named "ProtectV Users". Users within this group can manage ProtectV clients and their instances. This user can be common for all clients or different for each client.

User Defined Groups

User Defined Groups are created by Application Administrators. Application Administrators can:

• create and delete User Defined Groups

• add users to a User Defined Group

• remove users from a User Defined Group

Administrators may use groups solely for organizing users, or may create Policies that use group membership to assign other permissions.

Adding group permissions to keys grants users in a User Defined Group the privileges to perform operations with those keys. The semantics of the NAE-XML requests and the permissions they grant to keys are identical to SafeNet KeySecure Classic.

Groups are stored in CipherTrust Manager's internal database.

Managing User Defined Groups

Using the GUI, REST API or the CLI, an Application Administrator can create a User Defined Group and add users/clients to this group. The following are examples using the CLI:

To create a new User Defined Group called "eng" :

$ ksctl groups create -n eng

The response looks like:

{
        "name": "eng",
        "created_at": "2018-04-27T21:15:36.644959Z",
        "updated_at": "2018-04-27T21:15:36.644959Z"
}

To add a user to the new User Defined Group "eng":

You specify the group name and the ID of a user that you previously created.

$ ksctl groups adduser –n eng –u “<id of user>”

The response looks like:

    {
        "name": "eng",
        "created_at": "2018-05-02T16:47:51.248735Z",
        "updated_at": "2018-05-02T17:24:20.015915Z"
    }