Groups
A group carries with it permissions for performing specific tasks. A group also consists of a set of users and/or clients that have been authorized to perform these tasks.
The CipherTrust Manager defines Special System Users, System Defined Groups, and User Defined Groups.
Caution
It is critical that credentials of these users are kept in a secure location. If a credential is compromised, an attacker could gain access to sensitive data.
Special System Users
There are a few special system users. These are described here:
'ksadmin' user
The "ksadmin" user, is a special System Administrator that can access the CipherTrust Manager via SSH or via password authentication on a physical server console port.
$ ssh ksadmin@<ip or hostname>
For public cloud providers, the SSH key used for authentication is the key used to launch the instance. For Private Cloud Images (e.g. VMware, Hyper-V), the SSH key must be replaced before the system will fully boot, which can be done via the CLI, API, or through a web browser.
The ksadmin user has permission to run a specific set of commands using sudo. These commands allow the user to troubleshoot problems on the CipherTrust Manager server, and perform upgrades. To see the list of commands that can be run with sudo, type the command sudo -l.
The duties of the System Administrator ("ksadmin" user) are:
Deploying and configuring the CipherTrust Manager:
Run cloud-init commands, refer to [Plan Configuration Settings for Cloud-Init]({filename}/pages/get_started/deployment/virtual-deployment/cloud-init-config/.md.
Run kscfg commands, refer to System Configuration Utility.
Retrieving the initial application admin user password, if configured to generate a unique password on first boot.
Troubleshooting CipherTrust Manager issues in conjunction with Thales Technical Support.
When making a support call, the System Administrator may be asked to log in to the CipherTrust Manager using ssh to retrieve CipherTrust Manager Logs.
- Applying system upgrades (see System Upgrade/Downgrade.
'admin' user
Initially, there is only one Application Administrator and the name of this user is 'admin'. The 'admin' user is a special user who cannot be deleted and who will always have access to all resources. This is enforced by the policy engine to prevent accidental lockouts.
An 'admin' user, and all other Application Administrators if created, are responsible for:
Creating and managing Users and Groups
Configuring the CipherTrust Manager ports and licenses
Viewing audit logs
Managing backups
Administrating clusters
Note
A user that is not in the "admin" group is known as an Application User. An Application User must also be part of the System Defined 'Key Users Group' to create and manage their keys. Refer to the 'Key Users' group.
The Application Administrator can also perform all duties of the Application User.
'Global' user
The 'Global' user exists to support specific NAE-XML functionality for compatibility with SafeNet KeySecure Classic and should not be deleted or modified.
System Defined Groups
System Defined Groups exist on CipherTrust Manager at launch time. Each System Defined Group carries with it permissions to perform specific tasks.
Note
For NAE requests, the System Defined Groups can be masked by modifying the NAE interface using the ksctl utility. For details, refer to To create/modify the NAE interface to mask system groups from NAE requests.
System Defined Groups are:
'admin' group
There is a System Defined Group named "admin". Users within the "admin" group are referred to a Application Administrators. Application Administrators have full privileges and are able to perform any operation via the REST API, CLI, NAE-XML or GUI interface.
Note
Initially, there is only one Application Administrator and the name of this user is “admin”. The "admin" user is a special user who cannot be deleted and who will always have access to all resources. This is enforced by the policy engine to prevent accidental lockouts.
An Application Administrator is responsible for:
Creating and managing Users and Groups
Configuring the CipherTrust Manager ports and licenses
Viewing audit logs
Managing backups
Administrating clusters
The Application Administrator can also perform all duties of the Application User.
'All Clients' group
A client, upon successful registration with CipherTrust Manager, is made a member of All Clients group. These clients have permissions to:
- enroll with their respective CipherTrust Manager services, namely CTE, ProtectFile, and ProtectV.
'Audit Admins' group
Users who belong to "Audit Admins" group are audit records administrators. These users have permissions to:
- View audit records
'Backup Admins' group
Backup Administrators have permissions to:
create backups
create backup keys
'CA Admins' group
CA Administrators have permissions to:
create Certificate Authorities on the CipherTrust Manager
manage Certificate Authorities on the CipherTrust Manager
'Domain Admins' group
Domain Administrators have permissions to:
list the domains for a specific account
create a domain
access information about a domain
delete a domain
'CCKM Admins' group
There is a System Defined Group named "CCKM Admins". Users within the "CCKM Admins" group are CCKM Administrators. Additionally, the "CCKM Admins" need the Key Users, Connection Admins, and User Admins permissions to perform key operations on the supported clouds.
A CCKM Administrator is responsible for creating and managing the following resources:
AWS KMS Accounts, AWS Keys
Azure Key Vaults, Azure Subscriptions, and Azure Keys
Luna HSM Partitions, Luna Keys
DSM Domains, DSM Keys
Google Cloud Projects, Key Rings, and Keys
Google EKM endpoints
Salesforce Organizations, Tenant Secrets
CCKM Schedules
CCKM Reports
'CCKM Users' group
There is a System Defined Group named "CCKM Users". CCKM users registered with the CipherTrust Manager are part of this group. Additionally, the "CCKM Users" need the Key Users permissions to perform key operations on the supported clouds.
Client Admins
There is a System Defined Group named "Client Admins". Users within the "Client Admins" group can perform some administrative tasks on the CipherTrust Manager Clients.
Client Administrators have permissions to:
Read a client
Delete a client
Renew a client
Manage KMIP client administration
Connection Admins
There is a System Defined Group named "Connection Admins". Users within the "Connection Admins" group are Connection Manager Administrators.
Connection Manager Administrators have permissions to:
Create connections with third party servers and services such as AWS, Azure, DSM, Google CLoud Platform (GCP) Cloud, Hadoop, Luna SA HSM, SCP, Server Message Block (SMB), or Salesforce.
Read, delete, or update the connections.
Test an already created connection.
Test a new connection with the connection parameters.
'CTE Admins' group
There is a System Defined Group named "CTE Admins". Users within the "CTE Admins" group are CTE Administrators.
A CTE Administrator is responsible for creating and managing the following resources:
Clients and client groups
Profiles, policy elements, and policies
GuardPoints
Client registration tokens (with additional rights of System Defined Group named "CA Admins")
Note
Only users of the "CTE Admins" group can delete CTE keys.
'CTE Clients' group
There is a System Defined Group named "CTE Clients". CTE clients registered with the CipherTrust Manager are part of this group.
'DDC Admins' group
DDC Administrators can create and manage all DDC resources. For example, they can:
Create and manage branch locations, classification profiles, data stores, and scans
Configure, run, and view reports
View sensitivity levels
Manage Hadoop configuration
Decrypt scan packages coming from databases
'DDC Infotype Admins' group
DDC Infotype Admins can view and edit custom infotypes.
'DDC Infotype Viewers' group
DDC Infotype viewers can view custom infotypes.
'DDC Full Reports Admins' group
DDC Full Report Administrators can:
Create, view, and run reports
View available data stores
View available scans
View available classification profiles
View available sensitivity levels
View branch locations
'DDC Reports Admins' group
DDC Reports Administrators can:
Create, view, and run reports
View available data stores
View available scans
View available sensitivity levels
'DDC L3 Support' group
DDC L3 Support Administrators can help identify and troubleshoot issues you may encounter when using DDC. They can decrypt scan packages coming from databases.
'DDC Profiles Admins' group
DDC Profile Administrators can:
Create and manage classification profiles
View available scans
'DDC Profiles Viewer' group
DDC Profile Viewers can only view available classification profiles.
'DDC Scans Admins' group
DDC Scan Administrators can:
Create and manage scans
View available classification profiles
View available data stores
'DDC Scans Viewer' group
DDC Scan Viewers can only view available scans.
'DDC Stores Admins' group
DDC Store Administrators can create and manage:
Data stores
Branch locations
'DDC Stores Viewers' group
DDC Store Viewers can only view available:
Data stores
Sensitivity levels
Branch locations
'Domain Backup Admins' group
Domain Backup Admins have permissions to:
create domain-scoped backups
create domain backup keys
'Domain Restore Admins' group
Domain Restore Admins have permissions to:
restore domain-scoped backups
read and restore domain backup keys
'HSM Admins' group
HSM Administrators have permissions to:
configure an HSM for the CipherTrust Manager
manage an HSM for the CipherTrust Manager
'Key Admins' group
Key Administrators have permissions to managing keys on the system. They can:
create or modify their own keys
perform key management operations on keys created by all users on the system
'Key Users' group
Users that is not in the "admin" group are Application Users. An Application User must also be part of the System Defined 'Key Users' group for permission to do the following:
create keys
perform operations with any key they own or to which they have been granted access
manage KMIP client administration
'Migration Split Key Admins' group
Users who belong to this group manage the migration split keys required for Data Security Manager migration. These users can:
create or delete migration split keys
create, delete, or modify migration split key shares
'Read-Only Admins' group
This group's purpose is to allow members to access and monitor all CipherTrust Manager systems without the ability to change them. A Read-Only Admin can list all objects of a given resource type, retrieve details about a particular resource, view statuses, and download logs.
'Restore Admins' group
Restore Administrators have permissions to:
restore backups
read and restore backup keys
'System Admins' group
Members of the 'System Admin' group have permissions to configure the following:
Interfaces
LDAP connections
Logging
NTP
Instance
Cluster
Do not confuse members of this group with the 'ksadmin', the System Administrator who is responsible for deploying the CipherTrust Manager server using an SSH connection or the console port on a physical appliance. For more information on the 'ksadmin' refer to 'ksadmin' user.
'User Admins' group
User Administrators have permissions to create users and groups. They can:
Create other sub-administrator users, for example, policy administrator, key administrator, etc., and regular users
Assign users to the 'admin' group
'ProtectAPP Users' Group
The 'ProtectAPP Users' group allow CipherTrust Manager users to list the registration token needed to register ProtectApp clients. These tokens enable users to successfully register ProtectAPP clients.
'ProtectDB Users' group
There is a System Defined Group named "ProtectDB Users". Users within this group can perform the following ProtectDB operations:
Configuring databases
Managing database connections
Managing database tables
Managing user mappings
'ProtectFile Administrator' group
There is a System Defined Group named "ProtectFile Admins". Users within the "ProtectFile Admins" group are ProtectFile Administrators.
Note
CTE UserSpace also uses the 'ProtectFile Administrator' group.
A ProtectFile Administrator is responsible for creating and managing the following ProtectFile resources:
Client profiles and clients
Network shares, and share-clients and share-rules associations
Clusters, and cluster-clients and cluster-rules associations
Access policies, access policy groups, and their associations
Rules and client-rule associations
Client Registration Tokens (with additional rights of System Defined Group named "CA Admins")
'ProtectFile User' group
There is a System Defined Group named "ProtectFile Users". CipherTrust Manager clients enrolled for ProtectFile are part of this group.
Note
CTE UserSpace also uses the 'ProtectFile User' group.
'ProtectV Administrator' group
There is a System Defined Group named "ProtectV Admins". Users within this group are ProtectV Administrators.
A ProtectV Administrator is responsible for:
Managing ProtectV server settings
Managing ProtectV clients and their instances
Managing Client Registration Tokens (with additional rights of System Defined Group named "CA Admins")
'ProtectV Client' group
There is a System Defined Group named "ProtectV Clients". CipherTrust Manager clients enrolled for ProtectV are part of this group.
'ProtectV User' group
There is a System Defined Group named "ProtectV Users". Users within this group can manage ProtectV clients and their instances. This user can be common for all clients or different for each client.
User Defined Groups
User Defined Groups are created by Application Administrators. Application Administrators can:
create and delete User Defined Groups
add users to a User Defined Group
remove users from a User Defined Group
Administrators may use groups solely for organizing users, or may create Policies that use group membership to assign other permissions.
Adding group permissions to keys grants users in a User Defined Group the privileges to perform operations with those keys. The semantics of the NAE-XML requests and the permissions they grant to keys are identical to SafeNet KeySecure Classic.
Groups are stored in CipherTrust Manager's internal database.
Managing User Defined Groups
Using the GUI, REST API or the CLI, an Application Administrator can create a User Defined Group and add users/clients to this group. The following are examples using the CLI:
To create a new User Defined Group called "eng" :
$ ksctl groups create -n eng
The response looks like:
{
"name": "eng",
"created_at": "2018-04-27T21:15:36.644959Z",
"updated_at": "2018-04-27T21:15:36.644959Z"
}
To add a user to the new User Defined Group "eng":
You specify the group name and the ID of a user that you previously created.
$ ksctl groups adduser –n eng –u “<id of user>”
The response looks like:
{
"name": "eng",
"created_at": "2018-05-02T16:47:51.248735Z",
"updated_at": "2018-05-02T17:24:20.015915Z"
}