Quorums
This feature allows an administrator to configure a system (or quorum) that can have multiple approvers for an operation. These approvers need to approve the operations before they can be successfully executed.
Note
Quorum policies are domain-scoped and can control only the operations taking place in the domain in which they are enabled.
The table below lists the operations supported by quorums and the respective authorized groups for approval. An approver must be a member of one of the authorized groups for an operation in order to approve that operation.
Note
If you are using connectors and direct NAE scripts, do not enable the DeleteKey and AddUserToGroup quorums.
Operations Supported by Quorums
Operation | Authorized Group(s) for Approval | Auto-Executable |
---|---|---|
Deletekey | Key Admins | No |
AddUserToGroup | User Admins | Yes |
DownloadBackupKey [Root Domain Only] | Restore Admins and Backup Admins | No |
RestoreBackup [Root Domain Only] | Restore Admins | No |
DeleteDomain | Domain Admins | No |
ManagePolicyAttachment | admin | No |
DeletePolicy | admin | No |
DownloadBackupKeyDomain | Domain Backup Admins and Domain Restore Admins | No |
RestoreBackupDomain | Domain Restore Admins | No |
DeleteClientCTE | CTE Admins | Yes |
DeleteClientGroupCTE | CTE Admins | Yes |
DeleteCSIStorageGroupCTE | CTE Admins | Yes |
DeleteGuardPointCTE | CTE Admins | Yes |
DeletePolicyCTE | CTE Admins | Yes |
DeletePolicyElementsCTE | CTE Admins | Yes |
DeleteProfileCTE | CTE Admins | Yes |
UpdateClientGroupCTE | CTE Admins | Yes |
UpdateCSIStorageGroupCTE | CTE Admins | Yes |
UpdateGuardPointCTE | CTE Admins | Yes |
UpdatePolicyCTE | CTE Admins | Yes |
UpdatePolicyElementsCTE | CTE Admins | Yes |
UpdateProfileCTE | CTE Admins | Yes |
UpdateClientPasswordCTE | CTE Admins | Yes |
UpdateClientGroupPasswordCTE | CTE Admins | Yes |
CreateAttachedPolicy | admin | No |
DeleteAttachedPolicy | admin | No |
DeleteGoogleWorkspaceCSEEndpoint | CCKM Admins | No |
DeleteEKMEndpoint | CCKM Admins | No |
UpdateQuorumProfile | admin | Yes |
ArchiveKey | Key Admins | No |
RecoverKey | Key Admins | No |
RevokeKey | Key Admins | No |
ReActivateKey | Key Admins | No |
CreateLink | Key Admins | No |
UpdateLink | Key Admins | No |
DeleteLink | Key Admins | No |
UpdateAuthConnection (LDAP connection) | User Admins | No |
DownloadBackup | Backup Admins and Restore Admins | No |
DownloadBackupDomain | Domain Backup Admins and Domain Restore Admins | No |
The above table also defines whether each operation supported by quorums is auto-executable after approval. If auto-execution is enabled for an operation in the quorum profile, that operation executes automatically once approved, which eliminates the need to re-trigger it manually. The auto_executable flag is not configurable.
Currently, the issue with quorum policies is that an admin may, for some reason or maliciously, change the number of voters, the excluded groups, or the voter groups on a quorum policy. This may lead to bypassing the quorum requirements. To handle this issue, the UpdateQuorumProfile operation has been introduced. Once a quorum is enabled for UpdateQuorumProfile, the admin has to go through the quorum's approval process to modify the quorum policies. To enable UpdateQuorumProfile, refer to Activating the Quorum Policy.
The authorized group(s) for quorum approval associated with each operation are configurable. To configure them, refer to Updating Quorum Profile.
CTE and CTE UserSpace support CipherTrust Manager's quorum feature. Refer to the Quorum Control section for details on supported CTE and CTE UserSpace operations and resources.
Managing Quorum on Policies
The CipherTrust Manager allows you to enable quorum for:
These policies can be system policies, user policies, or quorum policies.
Once a quorum is enabled for ManagePolicyAttachment and DeletePolicy, the activation and deactivation of a quorum for any supported operation has to go through the quorum's approval process, similar to any other operation on the CipherTrust Manager.
Caution
Do not enable quorum on the ManagePolicyAttachment and DeletePolicy operations until all the CipherTrust Manager nodes in a cluster are upgraded to 2.10 or a higher version.
Note
It is recommended to enable quorum on both the DeletePolicy and ManagePolicyAttachment operations together, in the same order, to bring the entire policy creation and deletion under quorum.
ManagePolicyAttachment
The ManagePolicyAttachment operation gives you a provision to enable a quorum for:
Creating policy attachments
Deleting policy attachments
When you activate a quorum, a policy and a policy attachment are created internally. If you want to bring activation of a quorum policy under a quorum, activate the quorum on ManagePolicyAttachment.
DeletePolicy
The DeletePolicy operation is used to enable quorum on policy deletion. When you deactivate a quorum, a policy is deleted internally. If you want to bring deactivation of a quorum policy under a quorum, activate the quorum on the DeletePolicy action.
Refer to Enabling Quorum on ManagePolicyAttachment and DeletePolicy for more details.
Quorum Policies
To enable the quorum for any operation, you first need to activate the quorum policy. After the quorum policy is active for an operation, a quorum gets created in a pre-active state whenever the corresponding operation is performed. To activate a quorum policy, refer to Activating the Quorum Policy.
For more details on quorum policies, refer to Managing Quorums Policies using ksctl.
Quorum Profile
A quorum profile is a configuration that defines the expiration time, the number of approvals, and the voter groups for a quorum. For more details on quorum profiles, refer to Managing Quorums Profiles using ksctl.
States & Life-cycle of a Quorum Request
If an administrator has configured a quorum for an operation and a user initiates that operation, the operation is denied and a quorum request is created instead.
The quorum request life-cycle is as follows:
The quorum is created in a pre-active state. A quorum or a quorum request can have one of six states at a time, as depicted in the diagram below.
Note
The user/requester of this quorum must activate the quorum before any of the approvers can review the quorum request.
Once the quorum is in the active state, it is available to the approvers for review. The user/requester can optionally add a reason for initiating the request while activating it.
When the required approvals are granted, the quorum is set to an approved state.
A quorum request is set to an executed state if the operation has been completed with an approved quorum.
A deny vote forces a quorum into a denied state, implying that the operation cannot be performed and the quorum is terminated.
If a quorum already exists for the same operation, the status of the existing quorum is used to determine the outcome of the operation. Any approver can vote either to approve or deny a quorum request. A note can be added with the vote for additional information.
Note
A quorum in a pre-active state is prone to expedited expiry: it expires 15 minutes after creation if it has not been activated.
Note
Every quorum expires after seven (7) days of the creation and this leads to the termination of that quorum.
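The life-cycle above, the voter-group and excluded-group rules from the quorum profile, and the revoke behaviour described later on this page, modelled as a small state machine. This is an added example, not code from CipherTrust Manager or its documentation: the class and method names, the in-memory representation, and the decision to accept votes only in the active state are assumptions; the states, the 15-minute pre-active expiry, the 7-day expiry, the requester-cannot-vote rule and the requester-only activation follow the page.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Time limits stated on the page: a pre-active quorum expires 15 minutes after
# creation if never activated; every quorum expires 7 days after creation.
PRE_ACTIVE_TTL = timedelta(minutes=15)
QUORUM_TTL = timedelta(days=7)
TERMINAL = {"executed", "denied", "expired"}

@dataclass
class QuorumProfile:
    name: str
    required_approvals: int
    voter_groups: frozenset
    excluded_groups: frozenset = frozenset()

    def can_vote(self, groups):
        # An approver must be in a voter group and in none of the excluded groups.
        return bool(groups & self.voter_groups) and not (groups & self.excluded_groups)

@dataclass
class QuorumRequest:
    operation: str
    requester: str            # the requester is also the owner of the quorum
    profile: QuorumProfile
    created_at: datetime
    state: str = "pre-active"
    approvals: set = field(default_factory=set)

    def expire_if_due(self, now):
        age = now - self.created_at
        if self.state not in TERMINAL and (age >= QUORUM_TTL or (
                self.state == "pre-active" and age >= PRE_ACTIVE_TTL)):
            self.state = "expired"
        return self.state

    def activate(self, user, now):
        # Only the requester/owner may activate; activation exposes the request to approvers.
        if self.expire_if_due(now) != "pre-active":
            raise ValueError(f"cannot activate from state {self.state!r}")
        if user != self.requester:
            raise PermissionError("only the requester/owner may activate the quorum")
        self.state = "active"
        return self.state

    def vote(self, user, groups, approve, now):
        # Record an approve (True) or deny (False) vote from an eligible approver.
        if self.expire_if_due(now) != "active":
            raise ValueError(f"votes are only accepted in the active state, not {self.state!r}")
        if user == self.requester:
            raise PermissionError("the requester may not vote on their own quorum")
        if not self.profile.can_vote(groups):
            raise PermissionError("voter is not in an authorized group")
        if not approve:
            self.state = "denied"          # terminal: the operation will not be performed
            return self.state
        self.approvals.add(user)
        if len(self.approvals) >= self.profile.required_approvals:
            self.state = "approved"
        return self.state

    def revoke(self, user, now):
        # Withdraw an approval; an approved quorum drops back to active if now short.
        self.expire_if_due(now)
        if user not in self.approvals:
            raise ValueError("user has no approval vote to revoke")
        self.approvals.discard(user)
        if self.state == "approved" and len(self.approvals) < self.profile.required_approvals:
            self.state = "active"
        return self.state

    def execute(self, now):
        if self.expire_if_due(now) != "approved":
            raise ValueError(f"the operation needs an approved quorum, state is {self.state!r}")
        self.state = "executed"
        return self.state

def run_scenario():
    t0 = datetime(2023, 6, 1, 10, 25, tzinfo=timezone.utc)   # constructed timestamp
    profile = QuorumProfile("DeleteKey requires quorum", 2, frozenset({"Key Admins"}), frozenset({"Key Users"}))
    q = QuorumRequest("DeleteKey", "admin", profile, t0)
    trace = {"created": q.state}
    trace["activated"] = q.activate("admin", t0 + timedelta(minutes=1))
    trace["first_approval"] = q.vote("alice", {"Key Admins"}, True, t0 + timedelta(minutes=2))
    try:                                   # the requester tries to vote on their own request
        q.vote("admin", {"Key Admins"}, True, t0 + timedelta(minutes=3))
        trace["requester_vote"] = "allowed"
    except PermissionError:
        trace["requester_vote"] = "rejected"
    trace["second_approval"] = q.vote("bob", {"Key Admins"}, True, t0 + timedelta(minutes=4))
    trace["after_revoke"] = q.revoke("bob", t0 + timedelta(minutes=5))
    trace["re_approved"] = q.vote("bob", {"Key Admins"}, True, t0 + timedelta(minutes=6))
    trace["executed"] = q.execute(t0 + timedelta(minutes=7))
    denied = QuorumRequest("DeleteKey", "admin", profile, t0)
    denied.activate("admin", t0 + timedelta(minutes=1))
    trace["denied"] = denied.vote("carol", {"Key Admins"}, False, t0 + timedelta(minutes=2))
    stale = QuorumRequest("DeleteKey", "admin", profile, t0)   # never activated
    trace["stale"] = stale.expire_if_due(t0 + timedelta(minutes=16))
    return trace
```

run_scenario() walks one DeleteKey request from creation to execution, including a revoked vote, and shows a denied request and a request that was never activated within 15 minutes.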
Managing Quorums Policies
The following operations can be performed:
Activate the quorum policy
Get status of the quorum policy
Deactivate the quorum policy
You can perform these operations using ksctl or the CipherTrust Manager GUI.
Activating Quorum Policy
To activate a quorum policy using ksctl, use the following command.
Syntax
ksctl quorum-policy activate --actions <Actions>
See Operations Supported by Quorums to see supported actions.
Request
ksctl quorum-policy activate --actions "DeleteKey"
Response
{
"Policy": {
"id": "fd6f911b-f280-492c-9eac-aed35590d530",
"uri": "kylo:kylo:admin:policies:enablequorum-fd6f911b-f280-492c-9eac-aed35590d530",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2021-06-01T04:45:48.917228Z",
"name": "EnableQuorum",
"actions": [
"DeleteKey"
],
"resources": null,
"allow": false,
"effect": "obligate_on_allow",
"conditions": [
{
"path": "context.principal.cust.groups",
"op": "contains",
"negate": true
}
],
"updatedAt": "2023-06-01T10:11:11.000186Z"
},
"required_approvals": 2
}
Request
ksctl quorum-policy activate --actions "UpdateQuorumProfile"
Response
{
"Policy": {
"id": "d75872e9-4ff5-4ae7-92ec-483d334bc5f7",
"uri": "kylo:kylo:admin:policies:updatequorumprofile-requires-quorum-d75872e9-4ff5-4ae7-92ec-483d334bc5f7",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2023-07-17T04:15:14.556005Z",
"name": "UpdateQuorumProfile requires quorum",
"deletedAt": null,
"updatedAt": "2023-07-17T04:15:14.556005Z",
"actions": [
"UpdateQuorumProfile"
],
"resources": null,
"allow": false,
"effect": "obligate_on_allow",
"conditions": [
{
"path": "context.principal.cust.groups",
"op": "contains",
"values": null,
"negate": true
}
],
"obligations": [
{
"type": "quorum",
"attributes": {
"fingerprint": [
"{{action}}",
"{{resource}}",
"{{context.environment.updates}}"
],
"quorum_profile": "UpdateQuorumProfile requires quorum"
}
}
]
},
"required_approvals": 3
}
To activate a quorum policy using the CipherTrust Manager GUI:
Open the CipherTrust Manager GUI.
Under Admin Settings, select Quorum Policy.
Search for the quorum policy you want to activate.
Turn on the toggle switch under Enable Quorum Policy for the desired quorum policy.
Getting Status of Quorum Policy
To check whether a quorum policy is in the active or inactive state, use the following command.
Example Request
ksctl quorum-policy status
Example Response
{
"skip": 0,
"limit": 35,
"total": 35,
"resources": [
{
"operation": [
"AddUserToGroup"
],
"active": false,
"profile": "AddUserToGroup requires quorum",
"description": "Adding users to groups will require approvals from User Admins"
},
{
"operation": [
"DeleteCSIStorageGroupCTE"
],
"active": false,
"profile": "DeleteCSIStorageGroupCTE requires quorum",
"description": "Delete CTE CSI Storage Group will require approvals from CTE Admins"
},
{
"operation": [
"DeleteClientCTE"
],
"active": false,
"profile": "DeleteClientCTE requires quorum",
"description": "Deleting CTE Client will require approvals from CTE Admins"
},
{
"operation": [
"DeleteClientGroupCTE"
],
"active": false,
"profile": "DeleteClientGroupCTE requires quorum",
"description": "Deleting CTE Client Group will require approvals from CTE Admins"
},
{
"operation": [
"DeleteDomain"
],
"active": false,
"profile": "DeleteDomain requires quorum",
"description": "Deleting domains requires approvals from Domain Admins"
},
{
"operation": [
"DeleteEKMEndpoint"
],
"active": false,
"profile": "DeleteEKMEndpoint requires quorum",
"description": "Deleting EKM endpoints requires approvals from CCKM Admins"
},
{
"operation": [
"DeleteGoogleWorkspaceCSEEndpoint"
],
"active": false,
"profile": "DeleteGoogleWorkspaceCSEEndpoint requires quorum",
"description": "Deleting GoogleWorkspace CSE Endpoints requires approvals from CCKM Admins"
},
{
"operation": [
"DeleteGuardPointCTE"
],
"active": false,
"profile": "DeleteGuardPointCTE requires quorum",
"description": "Deleting CTE Guard-Point will require approvals from CTE Admins"
},
{
"operation": [
"DeleteKey"
],
"active": true,
"profile": "DeleteKey requires quorum",
"description": "Deleting Keys will require approvals from Key Admins"
},
{
"operation": [
"DeletePolicy"
],
"active": false,
"profile": "DeletePolicy requires quorum",
"description": "Deleting Policies will require approvals from admins"
},
{
"operation": [
"DeletePolicyCTE"
],
"active": false,
"profile": "DeletePolicyCTE requires quorum",
"description": "Delete CTE Policy will require approvals from CTE Admins"
},
{
"operation": [
"DeletePolicyElementsCTE"
],
"active": false,
"profile": "DeletePolicyElementsCTE requires quorum",
"description": "Delete CTE Policy elements will require approvals from CTE Admins"
},
{
"operation": [
"DeleteProfileCTE"
],
"active": false,
"profile": "DeleteProfileCTE requires quorum",
"description": "Delete CTE Profile will require approvals from CTE Admins"
},
{
"operation": [
"DownloadBackupkey"
],
"active": false,
"profile": "DownloadBackupkey requires quorum",
"description": "Downloading System Backup Keys will require approvals from either Backup Admins or Restore Admins"
},
{
"operation": [
"DownloadBackupkeyDomain"
],
"active": false,
"profile": "DownloadBackupkeyDomain requires quorum",
"description": "Downloading Domain Backup Keys will require approvals from either Domain Backup Admins or Domain Restore Admins"
},
{
"operation": [
"ManagePolicyAttachment"
],
"active": false,
"profile": "ManagePolicyAttachment requires quorum",
"description": "ManagePolicyAttachment includes creating and deleting a policy attachment. This will require approvals from admins."
},
{
"operation": [
"RestoreBackup"
],
"active": false,
"profile": "RestoreBackup requires quorum",
"description": "Restoring System Backups will require approvals from Restore Admins"
},
{
"operation": [
"RestoreBackupDomain"
],
"active": false,
"profile": "RestoreBackupDomain requires quorum",
"description": "Restoring Domain Backups will require approvals from Domain Restore Admins"
},
{
"operation": [
"UpdateCSIStorageGroupCTE"
],
"active": false,
"profile": "UpdateCSIStorageGroupCTE requires quorum",
"description": "Update CTE CSI Storage Group will require approvals from CTE Admins"
},
{
"operation": [
"UpdateClientGroupCTE"
],
"active": false,
"profile": "UpdateClientGroupCTE requires quorum",
"description": "Update CTE Client Group will require approvals from CTE Admins"
},
{
"operation": [
"UpdateGuardPointCTE"
],
"active": false,
"profile": "UpdateGuardPointCTE requires quorum",
"description": "Update CTE GuardPoint will require approvals from CTE Admins"
},
{
"operation": [
"UpdatePolicyCTE"
],
"active": false,
"profile": "UpdatePolicyCTE requires quorum",
"description": "Update CTE Policy will require approvals from CTE Admins"
},
{
"operation": [
"UpdatePolicyElementsCTE"
],
"active": false,
"profile": "UpdatePolicyElementsCTE requires quorum",
"description": "Update CTE Policy elements will require approvals from CTE Admins"
},
{
"operation": [
"UpdateProfileCTE"
],
"active": false,
"profile": "UpdateProfileCTE requires quorum",
"description": "Update CTE Profile will require approvals from CTE Admins"
},
{
"operation": [
"UpdateQuorumProfile"
],
"active": false,
"profile": "UpdateQuorumProfile requires quorum",
"description": "Update quorum profile requires approvals from Admins"
},
{
"operation": [
"ArchiveKey"
],
"active": false,
"profile": "ArchiveKey requires quorum",
"description": "Archive Keys will require approvals from Key Admins"
},
{
"operation": [
"RecoverKey"
],
"active": false,
"profile": "RecoverKey requires quorum",
"description": "Recover Keys will require approvals from Key Admins"
},
{
"operation": [
"RevokeKey"
],
"active": false,
"profile": "RevokeKey requires quorum",
"description": "Revoke Keys will require approvals from Key Admins"
},
{
"operation": [
"ReActivateKey"
],
"active": false,
"profile": "ReActivateKey requires quorum",
"description": "Reactivate Keys will require approvals from Key Admins"
},
{
"operation": [
"CreateLink"
],
"active": false,
"profile": "CreateLink requires quorum",
"description": "CreateLink will require approvals from Key Admins"
},
{
"operation": [
"UpdateLink"
],
"active": false,
"profile": "UpdateLink requires quorum",
"description": "UpdateLink will require approvals from Key Admins"
},
{
"operation": [
"DeleteLink"
],
"active": false,
"profile": "DeleteLink requires quorum",
"description": "DeleteLink will require approvals from Key Admins"
},
{
"operation": [
"UpdateAuthConnection"
],
"active": false,
"profile": "UpdateAuthConnection requires quorum",
"description": "Updating connections will require approvals from User Admins"
},
{
"operation": [
"DownloadBackup"
],
"active": false,
"profile": "DownloadBackup requires quorum",
"description": "Downloading System Backup will require approvals from either Backup Admins or Restore Admins"
},
{
"operation": [
"DownloadBackupDomain"
],
"active": false,
"profile": "DownloadBackupDomain requires quorum",
"description": "Downloading Domain Backup will require approvals from either Domain Backup Admins or Domain Restore Admins"
}
]
}
The 'active' field represents whether the policy is active or inactive. It returns true if the policy is active and false otherwise.
In the CipherTrust Manager GUI, the toggle switch under the Enable Quorum Policy column on the Quorum Policy page indicates the active/inactive status of a quorum policy. When switched on, it indicates that the policy is active, while when switched off, it indicates that the policy is inactive.
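A defender's check built on the status output above: parse the JSON that ksctl quorum-policy status returns and report which operations that should be under quorum are inactive, with a warning when DeletePolicy and ManagePolicyAttachment are out of step (the page recommends enabling them together). This is an added example, not a CipherTrust Manager tool; the function name, the SELF_PROTECTING set and the trimmed sample JSON are constructed here, and the sample merely mirrors the shape of the output shown on this page.

```python
import json

# Constructed sample in the shape of `ksctl quorum-policy status` output (trimmed).
SAMPLE_STATUS = json.dumps({
    "skip": 0, "limit": 4, "total": 4,
    "resources": [
        {"operation": ["DeleteKey"], "active": True,
         "profile": "DeleteKey requires quorum",
         "description": "Deleting Keys will require approvals from Key Admins"},
        {"operation": ["UpdateQuorumProfile"], "active": False,
         "profile": "UpdateQuorumProfile requires quorum",
         "description": "Update quorum profile requires approvals from Admins"},
        {"operation": ["ManagePolicyAttachment"], "active": False,
         "profile": "ManagePolicyAttachment requires quorum",
         "description": "ManagePolicyAttachment includes creating and deleting a policy attachment."},
        {"operation": ["DeletePolicy"], "active": True,
         "profile": "DeletePolicy requires quorum",
         "description": "Deleting Policies will require approvals from admins"},
    ],
})

# Operations the page singles out as protecting the quorum mechanism itself:
# UpdateQuorumProfile guards the profiles (voter groups, required approvals), and
# ManagePolicyAttachment/DeletePolicy guard activation/deactivation of quorum policies.
SELF_PROTECTING = frozenset({"UpdateQuorumProfile", "ManagePolicyAttachment", "DeletePolicy"})


def audit_quorum_status(status_json, expected_active=frozenset()):
    """Compare the status output against the operations that should be under quorum.

    Returns which of the expected operations are active, inactive, or absent from the
    output, plus whether DeletePolicy and ManagePolicyAttachment disagree. Operation
    names are matched exactly as the status output spells them.
    """
    data = json.loads(status_json)
    wanted = SELF_PROTECTING | frozenset(expected_active)
    known_ops = {op for r in data["resources"] for op in r["operation"]}
    active_ops = {op for r in data["resources"] if r.get("active") for op in r["operation"]}
    return {
        "active": sorted(wanted & active_ops),
        "inactive": sorted((wanted & known_ops) - active_ops),
        "unknown": sorted(wanted - known_ops),
        "unpaired": ("DeletePolicy" in active_ops) != ("ManagePolicyAttachment" in active_ops),
    }


if __name__ == "__main__":
    # With real output: ksctl quorum-policy status > status.json, then pass its contents.
    print(json.dumps(audit_quorum_status(SAMPLE_STATUS, {"DeleteKey", "RestoreBackup"}), indent=2))
```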
Deactivating Quorum Policy
To deactivate an already active quorum policy for any specific operation, use the following command syntax.
Syntax
ksctl quorum-policy deactivate --actions <Actions>
Example Request
ksctl quorum-policy deactivate --actions "DeleteKey"
Example Response
There will be no response if quorum policy is deactivated successfully.
To deactivate an active quorum policy:
Open the CipherTrust Manager GUI.
Under Admin Settings, select Quorum Policy.
Search for the desired quorum policy.
Turn off the toggle switch under Enable Quorum Policy for the desired quorum policy.
Enabling Quorum on ManagePolicyAttachment and DeletePolicy
Enabling a quorum on ManagePolicyAttachment and DeletePolicy brings the activation/deactivation of a quorum policy under a quorum. This implies that you cannot activate/deactivate any quorum policy on your own without creating a quorum for that request.
Let's consider a scenario where you have activated a quorum for the "DeleteKey" operation. Currently, you are allowed to deactivate the created quorum.
However, if a quorum is enabled on ManagePolicyAttachment and DeletePolicy, you cannot activate/deactivate any quorum.
You can use ksctl or the CipherTrust Manager GUI to enable or disable a quorum on ManagePolicyAttachment and DeletePolicy.
ManagePolicyAttachment
Enable ManagePolicyAttachment quorum
ksctl quorum-policy activate --actions "ManagePolicyAttachment"
Disable ManagePolicyAttachment quorum
ksctl quorum-policy deactivate --actions "ManagePolicyAttachment"
Enable Response
{
"Policy": {
"id": "865baeb0-cace-4e76-943c-3fea78c0252d",
"uri": "kylo:kylo:admin:policies:managepolicyattachment-requires-quorum-865baeb0-cace-4e76-943c-3fea78c0252d",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2022-09-08T11:05:48.488623Z",
"name": "ManagePolicyAttachment requires quorum",
"actions": [
"CreateAttachedPolicy",
"DeleteAttachedPolicy"
],
"resources": null,
"allow": false,
"effect": "obligate_on_allow",
"conditions": [
{
"path": "context.principal.cust.groups",
"op": "contains",
"negate": true
}
],
"updatedAt": "2023-06-01T10:18:59.469775Z"
},
"required_approvals": 3
}
DeletePolicy
Enable DeletePolicy quorum
ksctl quorum-policy activate --actions "DeletePolicy"
Disable DeletePolicy quorum
ksctl quorum-policy deactivate --actions "DeletePolicy"
Enable Response
{
"Policy": {
"id": "e735b3e8-4698-45ad-814a-4ddfad75c572",
"uri": "kylo:kylo:admin:policies:deletepolicy-requires-quorum-e735b3e8-4698-45ad-814a-4ddfad75c572",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2022-09-08T11:05:45.325665Z",
"name": "DeletePolicy requires quorum",
"actions": [
"DeletePolicy"
],
"resources": null,
"allow": false,
"effect": "obligate_on_allow",
"conditions": [
{
"path": "context.principal.cust.groups",
"op": "contains",
"negate": true
}
],
"updatedAt": "2023-06-01T10:19:39.524036Z"
},
"required_approvals": 3
}
After activating the "DeletePolicy" quorum, if you try to deactivate a quorum policy for "DeleteKey" (created above), an error is thrown as shown below and the deactivation of quorum is not allowed:
{
"code": 4,
"codeDesc": "NCERRInsufficientPermissions",
"message": "A Quorum has been created with ID (fd6f911b-f280-492c-9eac-aed35590d530) in pre-active state. Please activate it."
}
To enable (or disable) ManagePolicyAttachment or DeletePolicy:
Open the CipherTrust Manager GUI.
Under Admin Settings, select Quorum Policy.
Search for 'Manage Policy Attachment' or 'Delete Policy' in the search bar.
Turn on (off) the toggle switch under Enable Quorum Policy for the desired policy.
Managing Quorums
The following operations can be performed:
Activate quorum
Approve quorum
Deny quorum
List/Search quorums
Get quorum
Delete quorum
Revoke vote
You can perform these operations using ksctl or the CipherTrust Manager GUI.
Activating Quorums
To activate a quorum, run:
Syntax
ksctl quorum activate --id <QuorumId> --quorum-reason <Reason-to-activate>
It changes the state of the quorum from pre-active to active. A quorum can be approved only when it is in the active state.
After quorum is active, it is available for the approval process.
Example Request
ksctl quorum activate --id 558622f8-bf20-4ded-9f43-e72bfaaf73a5
Example Response
{
"id": "558622f8-bf20-4ded-9f43-e72bfaaf73a5",
"uri": "kylo:kylo:sallyport:quorum:558622f8-bf20-4ded-9f43-e72bfaaf73a5",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2023-06-01T10:25:21.691222Z",
"updatedAt": "2023-06-01T10:26:02.944903Z",
"requester_id": "local|2e8bcf46-dcba-4f5f-89d2-8ea16c7c305f",
"requester_username": "admin",
"operation_fingerprint": "872a47b84aae3c37e2c966e135b931fcf6642fc23bc7df6cbc3c27eeae759546",
"operation": "DeleteKey",
"resource_uri": "kylo:kylo:vault:keys:test123-v0",
"state": "active",
"required_approvals": 3,
"meta": {
"details": {
"policy": {
"type": "policy_link",
"value": {
"id": "558622f8-bf20-4ded-9f43-e72bfaaf73a5",
"name": "Deletekey requires quorum"
}
}
}
},
"votes": [],
"auto_executable": false
}
Note
The requester of the operation is also the owner of the associated quorum. Only the requester/owner has permission to activate the associated quorum.
Approving Quorums
To approve a quorum, run:
Syntax
ksctl quorum approve --id <QuorumId> --note <Additional-note-for-approval>
When all the required approvals are available, the quorum moves to the approved state and you can re-initiate the associated operation.
Example Request
ksctl quorum approve --id 558622f8-bf20-4ded-9f43-e72bfaaf73a5
Example Response
There will be no response if quorum is approved successfully.
Denying Quorums
To deny approval to a quorum, run:
Syntax
ksctl quorum deny --id <QuorumId> --note <Additional-note-for-denial>
This command moves a quorum to the denied state. This is a terminal state, and the quorum is unusable after denial.
Example Request
ksctl quorum deny --id 558622f8-bf20-4ded-9f43-e72bfaaf73a5
Example Response
There will be no response if quorum is denied successfully.
Getting List of Quorums
To get the list of quorums, run:
Syntax
ksctl quorum list
Example Request
ksctl quorum list
Example Response
{
"skip": 0,
"limit": 10,
"total": 2,
"resources": [
{
"id": "335f45bb-9609-4e19-9996-a2977d7927bd",
"uri": "kylo:kylo:sallyport:quorum:335f45bb-9609-4e19-9996-a2977d7927bd",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2023-09-11T06:38:18.712862Z",
"updatedAt": "2023-09-11T06:38:19.055473Z",
"requester_id": "local|a6ae00b0-2499-4f61-b5e0-b3da274d4060",
"operation_fingerprint": "72fedf72283da5ad91f596c2ba8b9efeada151cf8adec3eaf4c94efaec2494e9",
"operation": "DeleteKey",
"requester_username": "admin",
"resource_uri": "kylo:kylo:vault:keys:test-v0",
"state": "active",
"required_approvals": 1,
"meta": {
"details": {
"key": {
"type": "key_link",
"value": {
"id": "dc845651e39e48efbae7470a5de13f8c501c6c547de34c88a3e85f4f193c0625",
"name": "test"
}
}
}
},
"expires_at": "2023-09-18T06:38:19.05516Z",
"expired_at": "0001-01-01T00:00:00Z",
"votes": [],
"auto_executable": false,
"category": "Keys",
"operation_label": "Delete Keys"
},
{
"id": "fd719292-ce5e-4314-8adc-171bf0d2a613",
"uri": "kylo:kylo:sallyport:quorum:fd719292-ce5e-4314-8adc-171bf0d2a613",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2023-09-11T11:08:18.968876Z",
"updatedAt": "2023-09-11T11:08:19.365663Z",
"requester_id": "local|a6ae00b0-2499-4f61-b5e0-b3da274d4060",
"operation_fingerprint": "8126d3efd6db7005c36dfb6888ced8c8845d647c5bd246ab428405120486de9e",
"operation": "AddUserToGroup",
"requester_username": "admin",
"resource_uri": "admin",
"state": "active",
"required_approvals": 1,
"meta": {
"details": {
"user": {
"type": "user_link",
"value": {
"id": "local|f1bd14e1-ec8e-4955-8b16-03f47e73d56e",
"name": "test1"
}
},
"group": {
"type": "group_link",
"value": {
"name": "admin"
}
}
}
},
"expires_at": "2023-09-18T11:08:19.365407Z",
"expired_at": "0001-01-01T00:00:00Z",
"votes": [],
"auto_executable": true,
"category": "Access Management",
"operation_label": "Add Users To Groups"
}
]
}
Getting Details of Quorums
To get details of a quorum, run:
Syntax
ksctl quorum get --id <QuorumId>
Example Request
ksctl quorum get --id fd719292-ce5e-4314-8adc-171bf0d2a613
Example Response
{
"id": "fd719292-ce5e-4314-8adc-171bf0d2a613",
"uri": "kylo:kylo:sallyport:quorum:fd719292-ce5e-4314-8adc-171bf0d2a613",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2023-09-11T11:08:18.968876Z",
"updatedAt": "2023-09-11T11:08:19.365663Z",
"requester_id": "local|a6ae00b0-2499-4f61-b5e0-b3da274d4060",
"operation_fingerprint": "8126d3efd6db7005c36dfb6888ced8c8845d647c5bd246ab428405120486de9e",
"operation": "AddUserToGroup",
"requester_username": "admin",
"resource_uri": "admin",
"state": "active",
"required_approvals": 1,
"meta": {
"details": {
"user": {
"type": "user_link",
"value": {
"id": "local|f1bd14e1-ec8e-4955-8b16-03f47e73d56e",
"name": "jigs"
}
},
"group": {
"type": "group_link",
"value": {
"name": "admin"
}
}
}
},
"expires_at": "2023-09-18T11:08:19.365407Z",
"expired_at": "0001-01-01T00:00:00Z",
"votes": [],
"auto_executable": true,
"category": "Access Management",
"operation_label": "Add Users To Groups"
}
Deleting Quorums
To delete a quorum, run:
Syntax
ksctl quorum delete --id <QuorumId>
Example Request
ksctl quorum delete --id 558622f8-bf20-4ded-9f43-e72bfaaf73a5
There will be no response if quorum is deleted successfully.
Note
The requester of the operation is the owner of the associated quorum. Only the requester/owner has permission to delete the quorum.
Revoking Vote for Quorums
To revoke your vote from an already approved quorum, run:
Syntax
ksctl quorum revoke --id <QuorumId>
If the number of approvals falls below the required approvals, the quorum moves back to the active state.
Example Request
ksctl quorum revoke --id 558622f8-bf20-4ded-9f43-e72bfaaf73a5
Example Response
There will be no response if vote is revoked successfully.
Activating Quorums
A quorum is automatically activated when approval is requested from the GUI while performing the operation on which the quorum is created.
It changes the state of the quorum from pre-active to active. A quorum can be approved only when it is in the active state.
After quorum is active, it is available for the approval process.
Note
The requester of the operation is also the owner of the associated quorum. Only the requester/owner has permission to activate the associated quorum.
Approving Quorums
To approve a quorum:
Open the CipherTrust Manager GUI.
Go to Quorums.
Click the Inbox tab. It will list all the operations where your approval is requested.
Go to the operation you want to approve and click the Approve Quorum button.
When all the required approvals are available, the quorum moves to the approved state. If a quorum is auto-executable, the operation is executed automatically; otherwise you need to re-initiate the operation. The Auto Executable field displays whether a quorum is auto-executable.
Note
The user who created the quorum request is not allowed to vote for that quorum.
Denying Quorums
To deny a quorum:
Open the CipherTrust Manager GUI.
Go to Quorums.
Click the Inbox tab. It lists all the operations where you are requested as an approver.
Go to the operation you want to deny and click the Reject Quorum button.
Note
The user who created the quorum request is not allowed to vote for that quorum.
Getting List of Quorums
To get the list of quorums:
Open the CipherTrust Manager GUI.
Go to Quorums. It displays three tabs:
My Requests - lists all the quorum requests you have created.
Inbox - lists all the quorums where you are requested as an approver.
Resolved - lists all the quorum requests that have been executed, rejected, or expired.
Getting Details of Quorums
To get details of a quorum:
Open the CipherTrust Manager GUI.
Go to Quorums. It displays three tabs:
My Requests - lists the quorum requests you have created.
Inbox - lists all the quorums where you are requested as an approver.
Resolved - lists the quorum requests that have been executed, rejected, or expired.
Expand the drop-down arrow adjacent to the operation to get the details of the respective quorum.
Deleting Quorums
To delete a quorum:
Open the CipherTrust Manager GUI.
Go to Quorums.
Click the My Requests tab. It will list all the quorums you have created.
Go to the desired quorum and click the Delete button.
Note
The requester of the operation is the owner of the associated quorum. Only the requester/owner has permission to delete the quorum.
Revoking Vote for Quorums
To revoke your vote from an already approved quorum:
Open the CipherTrust Manager GUI.
Go to Quorums.
Click the Inbox tab. It lists all the operations where you are requested as an approver.
Go to the operation and click the Revoke Quorum Vote button to revoke your vote.
If the number of approvals falls below the required approvals, the quorum moves back to the active state.
Managing Quorum Profiles using ksctl
The following operations can be performed:
Get quorum profile
List/Search quorum profiles
Update quorum profile
Getting Details of the Quorum Profile
To get the details of a quorum profile, run:
Syntax
ksctl quorum-profiles get --profile-id <ProfileID>
Example Request
ksctl quorum-profiles get --profile-id "0e75ff2e-0d76-4681-98d3-cb3e42d5a4de"
Example Response
{
"id": "0e75ff2e-0d76-4681-98d3-cb3e42d5a4de",
"uri": "kylo:kylo:sallyport:quorum-profile:updatekey-requires-quorum-0e75ff2e-0d76-4681-98d3-cb3e42d5a4de",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2023-05-31T10:11:38.038906Z",
"updatedAt": "2023-06-05T04:19:00.095912Z",
"name": "UpdateKey requires quorum",
"required_approvals": 3,
"voter_groups": [
"Key Admins"
],
"excluded_groups": [
"Key Users"
]
}
Getting List of Quorum Profiles
To get the list of all quorum profiles, run:
Syntax
ksctl quorum-profiles list
Example Request
ksctl quorum-profiles list
Example Response
{
"skip": 0,
"limit": 10,
"total": 28,
"resources": [
{
"id": "bf16fb8e-1e19-4875-9c78-7f2dd50a0a2d",
"uri": "kylo:kylo:sallyport:quorum-profile:updateprofilecte-requires-quorum-bf16fb8e-1e19-4875-9c78-7f2dd50a0a2d",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2023-05-31T10:11:38.000799Z",
"updatedAt": "2023-05-31T10:11:38.000197Z",
"name": "UpdateProfileCTE requires quorum",
"required_approvals": 3,
"voter_groups": [
"CTE Admins"
],
"excluded_groups": null
},
{
"id": "f929da9f-dc19-4c1f-871c-0f69fe5a3371",
"uri": "kylo:kylo:sallyport:quorum-profile:updatepolicyelementscte-requires-quorum-f929da9f-dc19-4c1f-871c-0f69fe5a3371",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2023-05-31T10:11:38.014439Z",
"updatedAt": "2023-05-31T10:11:38.013891Z",
"name": "UpdatePolicyElementsCTE requires quorum",
"required_approvals": 3,
"voter_groups": [
"CTE Admins"
],
"excluded_groups": null
},
{
"id": "cc8def90-b3fe-42e0-bc2c-bc1ea7be6eee",
"uri": "kylo:kylo:sallyport:quorum-profile:updatepolicycte-requires-quorum-cc8def90-b3fe-42e0-bc2c-bc1ea7be6eee",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2023-05-31T10:11:37.950185Z",
"updatedAt": "2023-05-31T10:11:37.949144Z",
"name": "UpdatePolicyCTE requires quorum",
"required_approvals": 3,
"voter_groups": [
"CTE Admins"
],
"excluded_groups": null
},
{
"id": "0e75ff2e-0d76-4681-98d3-cb3e42d5a4de",
"uri": "kylo:kylo:sallyport:quorum-profile:updatekey-requires-quorum-0e75ff2e-0d76-4681-98d3-cb3e42d5a4de",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2023-05-31T10:11:38.038906Z",
"updatedAt": "2023-05-31T10:11:38.038199Z",
"name": "UpdateKey requires quorum",
"required_approvals": 3,
"voter_groups": [
"Key Admins"
],
"excluded_groups": null
},
{
"id": "308ff9fd-ce83-4bef-94e6-2e6f2e9cb88e",
"uri": "kylo:kylo:sallyport:quorum-profile:updateguardpointcte-requires-quorum-308ff9fd-ce83-4bef-94e6-2e6f2e9cb88e",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2023-05-31T10:11:37.976519Z",
"updatedAt": "2023-05-31T10:11:37.970618Z",
"name": "UpdateGuardPointCTE requires quorum",
"required_approvals": 3,
"voter_groups": [
"CTE Admins"
],
"excluded_groups": null
},
{
"id": "b0e0c715-f931-46fd-81dd-254a024ad88e",
"uri": "kylo:kylo:sallyport:quorum-profile:updatecsistoragegroupcte-requires-quorum-b0e0c715-f931-46fd-81dd-254a024ad88e",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2023-05-31T10:11:37.953287Z",
"updatedAt": "2023-05-31T10:11:37.952172Z",
"name": "UpdateCSIStorageGroupCTE requires quorum",
"required_approvals": 3,
"voter_groups": [
"CTE Admins"
],
"excluded_groups": null
},
{
"id": "6a83aadf-b9a6-4cf4-b351-68719257d6ff",
"uri": "kylo:kylo:sallyport:quorum-profile:updateclientgroupcte-requires-quorum-6a83aadf-b9a6-4cf4-b351-68719257d6ff",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2023-05-31T10:11:37.968485Z",
"updatedAt": "2023-05-31T10:11:37.967915Z",
"name": "UpdateClientGroupCTE requires quorum",
"required_approvals": 3,
"voter_groups": [
"CTE Admins"
],
"excluded_groups": null
},
{
"id": "fdcce1c4-2c89-479a-ad75-51e5e95a70fc",
"uri": "kylo:kylo:sallyport:quorum-profile:restorebackup-requires-quorum-fdcce1c4-2c89-479a-ad75-51e5e95a70fc",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2023-05-31T10:11:38.026042Z",
"updatedAt": "2023-05-31T10:11:38.018999Z",
"name": "RestoreBackup requires quorum",
"required_approvals": 3,
"voter_groups": [
"Restore Admins"
],
"excluded_groups": null
},
{
"id": "02e0f0c6-5071-4b08-8296-de89c5e8aa08",
"uri": "kylo:kylo:sallyport:quorum-profile:restorebackupdomain-requires-quorum-02e0f0c6-5071-4b08-8296-de89c5e8aa08",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2023-05-31T10:11:38.005456Z",
"updatedAt": "2023-05-31T10:11:38.004807Z",
"name": "RestoreBackupDomain requires quorum",
"required_approvals": 3,
"voter_groups": [
"Domain Restore Admins"
],
"excluded_groups": null
},
{
"id": "bd52de83-6611-4aaa-a9f3-bd344c66923d",
"uri": "kylo:kylo:sallyport:quorum-profile:managepolicyattachment-requires-quorum-bd52de83-6611-4aaa-a9f3-bd344c66923d",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2023-05-31T10:11:38.007084Z",
"updatedAt": "2023-05-31T10:11:38.006579Z",
"name": "ManagePolicyAttachment requires quorum",
"required_approvals": 3,
"voter_groups": [
"admin"
],
"excluded_groups": null
}
]
}
Updating Quorum Profile
You can update the following fields of a quorum profile:
approvals - the number of approvals (votes) required to move the quorum to the Approved state.
voter-groups - the groups allowed to vote on this profile. Users who are members of these groups can either approve or deny a quorum request.
excluded-groups - the groups whose members are excluded from the quorum for the operation specified in the quorum profile. Quorum policies do not apply to any user who belongs to a group listed in excluded_groups. For example, if "group1" is added to excluded-groups and "user1" is a member of "group1", quorum policies do not apply to "user1".
To update the quorum profile, run:
Syntax
ksctl quorum-profiles update --profile-id <ProfileID> --approvals <NumberOfApprovals> --voter-groups <VoterGroups> --excluded-groups <List-of-Excluded-Groups>
Example Request 1
ksctl quorum-profiles update --profile-id 61af169c-36b7-42b8-b396-284b92a52613 --approvals 2
Example Response 1 (Update for approvals)
{
"id": "61af169c-36b7-42b8-b396-284b92a52613",
"uri": "kylo:kylo:sallyport:quorum-profile:managepolicy-requires-quorum-61af169c-36b7-42b8-b396-284b92a52613",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2021-08-20T05:15:50.329875Z",
"updatedAt": "2021-08-20T05:19:32.613434Z",
"name": "ManagePolicy requires quorum",
"required_approvals": 2,
"voter_groups": [
"admin"
]
}
In the above example, two (2) approvals are required to move the quorum to the Approved state.
Example Request 2 (Update for Voter groups)
ksctl quorum-profiles update --profile-id 61af169c-36b7-42b8-b396-284b92a52613 --approvals 2 --voter-groups 'Domain Admins,Key Admins'
Example Response 2
{
"id": "61af169c-36b7-42b8-b396-284b92a52613",
"uri": "kylo:kylo:sallyport:quorum-profile:managepolicy-requires-quorum-61af169c-36b7-42b8-b396-284b92a52613",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2021-08-20T05:15:50.329875Z",
"updatedAt": "2021-08-20T05:19:32.613434Z",
"name": "ManagePolicy requires quorum",
"required_approvals": 2,
"voter_groups": [
"Domain Admins",
"Key Admins"
]
}
In the above example, only the "Domain Admins" and "Key Admins" groups are allowed to vote for this profile.
Example Request 3 (Update for excluded groups)
ksctl quorum-profiles update --profile-id "0e75ff2e-0d76-4681-98d3-cb3e42d5a4de" --excluded-groups "Key Users"
Example Response 3
{
"id": "0e75ff2e-0d76-4681-98d3-cb3e42d5a4de",
"uri": "kylo:kylo:sallyport:quorum-profile:updatekey-requires-quorum-0e75ff2e-0d76-4681-98d3-cb3e42d5a4de",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2023-05-31T10:11:38.038906Z",
"updatedAt": "2023-06-05T04:19:00.095912Z",
"name": "UpdateKey requires quorum",
"required_approvals": 3,
"voter_groups": [
"Key Admins"
],
"excluded_groups": [
"Key Users"
]
}
In the above example, users who belong to the "Key Users" group are excluded from the quorum for the "UpdateKey requires quorum" profile, so they can update keys without any quorum approval.
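The list response above returns only one page ("limit": 10 of "total": 28), and the update fields above interact: a profile whose excluded_groups overlaps its voter_groups lets those approvers bypass the quorum altogether, and a profile with fewer than two required approvals gives no real separation of duties. The following is an added example, not part of the product or of this documentation: it audits `ksctl quorum-profiles list` output for those conditions, works out whether another page must be fetched, and builds a correctly quoted `ksctl quorum-profiles update` command. The sample data is constructed from the page's examples (the profile id, the required_approvals value of 1 and the third profile are made up); the `--skip`/`--limit` paging flags and the finding thresholds are assumptions, not something this page states.

```python
"""Audit quorum profiles from `ksctl quorum-profiles list` JSON.

Added example; not the product's own code. Obtain real input with
    ksctl quorum-profiles list > profiles.json
and pass the parsed JSON to audit_response(). The `--skip`/`--limit`
flags used for paging are an assumption about ksctl, not taken from the page.
"""
import json
import shlex
from typing import Dict, List, Optional

# Constructed sample modelled on the page's list response; ids are placeholders
# and the values of profiles 2 and 3 were chosen to trigger findings.
SAMPLE_LIST = json.loads("""{
  "skip": 0, "limit": 3, "total": 28,
  "resources": [
    {"id": "0e75ff2e-0d76-4681-98d3-cb3e42d5a4de",
     "name": "UpdateKey requires quorum",
     "required_approvals": 3,
     "voter_groups": ["Key Admins"],
     "excluded_groups": ["Key Users"]},
    {"id": "constructed-profile-2",
     "name": "ManagePolicy requires quorum",
     "required_approvals": 1,
     "voter_groups": ["admin"],
     "excluded_groups": null},
    {"id": "constructed-profile-3",
     "name": "DeleteKey requires quorum",
     "required_approvals": 2,
     "voter_groups": ["Key Admins"],
     "excluded_groups": ["Key Admins"]}
  ]
}""")


def audit_profile(profile: Dict) -> List[str]:
    """Return human-readable findings for one quorum profile (empty if clean)."""
    findings: List[str] = []
    voters = set(profile.get("voter_groups") or [])
    excluded = set(profile.get("excluded_groups") or [])  # null in the API -> empty
    approvals = int(profile.get("required_approvals", 0))

    # Policy choice (assumption): one approver is not a meaningful quorum.
    if approvals < 2:
        findings.append(f"required_approvals={approvals}: fewer than two approvers, "
                        "no separation of duties")
    # With no voter group, nobody is allowed to vote and requests can never be approved.
    if not voters:
        findings.append("voter_groups is empty: no group can vote on this profile")
    # Per the docs, quorum policies do not apply to members of excluded groups,
    # so any approver group that is also excluded bypasses the quorum entirely.
    overlap = sorted(voters & excluded)
    if overlap:
        findings.append("excluded_groups overlaps voter_groups (" + ", ".join(overlap)
                        + "): members of these groups bypass the quorum")
    return findings


def audit_response(resp: Dict) -> Dict[str, List[str]]:
    """Map profile name -> findings, for profiles that have at least one finding."""
    result = {}
    for profile in resp.get("resources", []):
        findings = audit_profile(profile)
        if findings:
            result[profile["name"]] = findings
    return result


def remaining(resp: Dict) -> int:
    """Number of profiles not included in this page of the list response."""
    return resp["total"] - (resp["skip"] + len(resp["resources"]))


def next_page_command(resp: Dict) -> List[str]:
    """argv for fetching the next page (assumes ksctl's --skip/--limit flags)."""
    next_skip = resp["skip"] + resp["limit"]
    return ["ksctl", "quorum-profiles", "list",
            "--skip", str(next_skip), "--limit", str(resp["limit"])]


def update_command(profile_id: str, approvals: Optional[int] = None,
                   voter_groups: Optional[List[str]] = None,
                   excluded_groups: Optional[List[str]] = None) -> str:
    """Build a shell-safe `ksctl quorum-profiles update` line.

    Group lists are passed as one comma-separated argument, quoted so that
    group names containing spaces (e.g. 'Domain Admins') survive the shell.
    """
    argv = ["ksctl", "quorum-profiles", "update", "--profile-id", profile_id]
    if approvals is not None:
        argv += ["--approvals", str(approvals)]
    if voter_groups:
        argv += ["--voter-groups", ",".join(voter_groups)]
    if excluded_groups:
        argv += ["--excluded-groups", ",".join(excluded_groups)]
    return shlex.join(argv)


if __name__ == "__main__":
    for name, findings in audit_response(SAMPLE_LIST).items():
        print(name)
        for f in findings:
            print("  -", f)
    if remaining(SAMPLE_LIST) > 0:
        print("next page:", shlex.join(next_page_command(SAMPLE_LIST)))
```

Run the audit over every page until `remaining()` reaches zero; the page's own example shows that a single list call can silently omit most of the profiles, and the profiles you have not looked at are exactly the ones where a weakened quorum goes unnoticed.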