User Mapping
A user mapping is an association between a database user or a database role and a local user on the CipherTrust Manager. CDP uses this user mapping to authenticate with the CipherTrust Manager before submitting cryptographic requests.
When a database user sends a request to the CipherTrust Manager, CDP searches its list of user mappings (contained in the ING_AUTHORIZED_USER table in the metadata database). If the database user appears on the list, is a member of a mapped group, or has a mapped server role, CDP includes the associated CipherTrust Manager user and password in the request. If those credentials are valid and the CipherTrust Manager user has access to the required key, then the CipherTrust Manager performs the operation. If the credentials are not valid or the CipherTrust Manager user does not have access to the key, the operation fails.
If a user is both individually mapped and a member of a mapped database role, the individual user mapping takes precedence. If a user belongs to more than one mapped database role, the user inherits the access privileges of the mapping that is first when sorted alphabetically.
Windows domain logins are normally not case-sensitive. In a standard Windows environment, User1, user1, and USER1 represent the same login name. CDP’s user mapping feature is case–sensitive. The CipherTrust Manager interprets User1, user1, and USER1 as three different values. To access the CipherTrust Manager using SQL Server, you must first access the Windows environment as the user that exactly matches the value on the User Mappings section, even though you can access the environment without doing so.
You may want to enable some features for all database users and database roles not otherwise listed on the User Mappings section. To do this, you would associate the Default Mapping value with a specific CipherTrust Manager user. For example, you could create a CipherTrust Manager user with access to global keys, or you could create a CipherTrust Manager user with access to no specific permissions in order to enable the replacement value feature.
Note
In local mode, when mapping a database user to a group policy user, ensure the group has export permissions on the key; else, the select query will return inappropriate values.
If you change user mappings, the SQL Server database applies the changes to user mapping immediately. There is no need to establish a new connection.
You can create and manage user mapping using any of these options:
CipherTrust Manager UI. Refer to Managing User Mappings for details.
pdbctl utility. Refer to the pdbctl utility documentation for details.
Default Mapping
The default mapping is a catch-all CipherTrust Manager user used to connect to the CipherTrust Manager when no user mapping exists for a database user. When there is no default mapping and an unmapped database user attempts to access sensitive data, CDP returns an error message and does not send the request to the CipherTrust Manager. It may be useful to create a default mapping to prevent CDP from automatically returning this error.
When this feature is enabled, instead of returning an error message, CDP connects to the CipherTrust Manager as the default CipherTrust Manager user. How the CipherTrust Manager then responds to requests depends on your CipherTrust Manager configuration. The CipherTrust Manager might return an “insufficient permissions” error, it might return NULL, or it might return a pre–configured replacement value.
When the default mapping is assigned, the system creates an entry in the ING_AUTHORIZED_USER table with the user name, ING_DEFAULT_USER. For this reason, you should avoid using ING_DEFAULT_USER to represent a specific database user.
Note
Although the default mapping can be used for both encryption and decryption operations, Thales strongly recommends that it has no key or group permissions. The point of creating a default mapping is to gracefully handle requests for encrypted data from database users who are not authorized to view that data. If the default mapping has key or group permissions, you are potentially allowing unauthorized database users to view sensitive data.
If a machine is in a domain and that domain name is mentioned in the CDP_MSSQLServer.properties file, then the default mapping feature does not work for the local Windows OS users. To make the data accessible to them, individual users (or the role containing these users) should be mapped to an NAE user.
Limitations
When using CDP 8.12.2 or higher with CipherTrust Manager 2.15 or lower, if a user mapping is added or updated, you must execute the pdbctl utility command migrateusermap. This makes the added/updated user mapping compatible with the CipherTrust Manager. Refer to Migrate user mappings for details.
