Client-Rule Associations

After a rule is created, it can be applied (linked) to a single or multiple clients. This linking is referred to as client-rule association. The status of a client-rule association depends on the operation performed on the path.

When linking the rule with a client, specify:

  • The identifier of the client.

  • The identifier of the rule to link to the client.

  • The key to encrypt data. For no encryption rules, an encryption key is not needed.

    ProtectFile Admins must have ReadKey permission on encryption keys when creating a client-rule association.
    ProtectFile Users must be granted ReadKey and ExportKey permissions on encryption keys.
    DO NOT create versions of keys used by ProtectFile for encryption.

  • The identifier of the access policy group.

Creating a Client-Rule Association

To create a client-rule association:

  1. Open the ProtectFile & Transparent Encryption UserSpace application. The Clients page is displayed.

  2. Under Client Name, click the desired client.

  3. Under Rules for Client "<client-name>", click the Add a Rule to this Client link. The list of available Rules is displayed.

    Optionally, create a new rule by clicking New Rule. You might need to scroll down the page.

  4. Select the desired rule.

  5. Click Forward. You might need to scroll down the page. The list of available Access Policy Groups is displayed.

    Optionally, create a new access policy group by clicking New Access Policy Group. You might need to scroll down the page.

  6. Select the desired access policy group.

  7. Click Forward. The details of the client-rule association are displayed.

  8. Review the association details.

    If it requires any change, click Back to modify the association.

  9. Click Add Rule to Client.

The client-rule association is created.

When a client-rule association is created, the operation is None and the state is Created. The operations that can be performed on a client-rule association are Encrypt, KeyRotate, and Decrypt. If an operation fails, the state can be Validation Failed or Failed. The client-rule association information pulled by the client does not contain associations in the Created and Validation Failed states. For a successful cryptographic operation, the state can be Encrypted or Decrypted. For a successful non-cryptographic (access control only) operation, the state can be Applied or Removed.

When the state is Encrypted, the AccessPolicyGroup can be modified to change the access on the path. With ProtectFile, you can remove the link between a client and a rule if the rule is in the Created state or the rule is in the Validation Failed state and the operation is Encrypt.

Cryptographic Operations and State Flow

The following table describes the flow of cryptographic operations and possible states a client-rule association goes through.

| # | Operation | State | Remarks |
|---|-----------|-------|---------|
| 1 | None | Created | A client-rule association is created. |
| 2 | Encrypt | In Progress | Encryption is in progress. |
|   |  | Validation Failed | Encryption failed due to validation failures. |
|   |  | Failed | Encryption failed. |
| 3 | None | Encrypted | Path encrypted successfully. The operation is reset. |
| 4 | Rotate Key | In Progress | Key rotation is in progress. |
|   |  | Validation Failed | Key rotation failed due to validation failures. |
|   |  | Failed | Key rotation failed. |
| 5 | None | Encrypted | Key rotated successfully. The operation is reset. |
| 6 | Decrypt | In Progress | Decryption is in progress. |
|   |  | Validation Failed | Decryption failed due to validation failures. |
|   |  | Failed | Decryption failed. |
| 7 | None | Decrypted | Used internally; not visible to the administrator. Decryption is successful and the client-rule association is removed. The operation is reset. |

Non-Cryptographic Operations and State Flow

The following table describes the flow of non-cryptographic operations and possible states a client-rule association goes through.

| # | Operation | State | Remarks |
|---|-----------|-------|---------|
| 1 | None | Created | A client-rule association is created. |
| 2 | Apply | In Progress | Applying access control is in progress. |
|   |  | Validation Failed | Applying access control failed due to validation failures. |
|   |  | Failed | Applying access control failed. |
| 3 | None | Applied | Access control applied successfully. The operation is reset. |
| 4 | Remove | In Progress | Removing access control is in progress. |
|   |  | Validation Failed | Removing access control failed due to validation failures. |
|   |  | Failed | Access control removal failed. |
| 5 | None | Removed | Used internally; not visible to the administrator. Access control removal is successful and the client-rule association is removed. The operation is reset. |
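
The two state-flow tables above can be encoded as a transition map and used to audit a recorded history of an association for steps the tables do not allow. This is an added example, not Thales code: the trace format (a list of (operation, state) tuples) and the sample traces are constructed, and any step that follows a failed state is flagged because the page does not document what comes after a failure.

```python
# Added example: check observed (operation, state) pairs against the documented flows.
IN_PROGRESS, VFAILED, FAILED = "In Progress", "Validation Failed", "Failed"

# operation -> (state it starts from, state on success), read off the two tables.
FLOWS = {
    "Encrypt": ("Created", "Encrypted"),
    "Rotate Key": ("Encrypted", "Encrypted"),
    "Decrypt": ("Encrypted", "Decrypted"),
    "Apply": ("Created", "Applied"),
    "Remove": ("Applied", "Removed"),
}

def build_transitions():
    """Map each (operation, state) pair to the pairs documented to follow it."""
    allowed = {}
    for op, (start, done) in FLOWS.items():
        allowed.setdefault(("None", start), set()).add((op, IN_PROGRESS))
        allowed[(op, IN_PROGRESS)] = {(op, VFAILED), (op, FAILED), ("None", done)}
    return allowed

ALLOWED = build_transitions()

def check_trace(trace):
    """Return [(index, previous, current)] for every step the tables do not document."""
    problems = []
    for i in range(1, len(trace)):
        prev, cur = trace[i - 1], trace[i]
        if cur not in ALLOWED.get(prev, set()):
            problems.append((i, prev, cur))
    return problems

def visible_to_client(trace):
    """Drop entries the client never pulls: Created and Validation Failed states."""
    return [(op, st) for op, st in trace if st not in ("Created", VFAILED)]

# Constructed sample histories (hypothetical format, not product output).
GOOD = [("None", "Created"), ("Encrypt", IN_PROGRESS), ("None", "Encrypted"),
        ("Rotate Key", IN_PROGRESS), ("None", "Encrypted"),
        ("Decrypt", IN_PROGRESS), ("None", "Decrypted")]
BAD = [("None", "Created"), ("Encrypt", IN_PROGRESS),
       ("Encrypt", VFAILED), ("None", "Decrypted")]
MIXED = [("None", "Created"), ("Apply", IN_PROGRESS), ("None", "Encrypted")]

if __name__ == "__main__":
    for name, trace in (("GOOD", GOOD), ("BAD", BAD), ("MIXED", MIXED)):
        print(name, check_trace(trace))
```
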