Groups
A group carries with it permissions for performing specific tasks. A group also consists of a set of users and/or clients that have been authorized to perform these tasks.
The CipherTrust Data Security Platform Service defines System Defined Groups and User Defined Groups.
Caution
It is critical that the credentials of users in these groups are kept in a secure location. If a credential is compromised, an attacker gains that user's group permissions and could access sensitive data.
Assign a User to a Group
Log in to CipherTrust Data Security Platform Service as a user in the admin or User Admins group.
Navigate to Access Management > Users.
Click the desired Username in the table to view the user details.
Expand the Group Memberships section.
Click Add Group.
Enable the checkbox for any desired group(s). You can search for a group by name.
Click Add Group to confirm.
System Defined Groups
System Defined Groups exist on CipherTrust Data Security Platform Service at launch time. Each System Defined Group carries with it permissions to perform specific tasks.
System Defined Groups are:
'admin' group
There is a System Defined Group named "admin". Users within the "admin" group are referred to as Application Administrators.
Application administrators are ultimately responsible for creating and assigning resources to application users. They have permissions to:
Create and manage users and groups
Create and manage connections
Create and manage CipherTrust Data Security Platform Service keys, key policies, and key rotation schedules
Create and manage quorums
Create Certificate Signing Requests (CSRs)
Restore CipherTrust Manager Appliance backups for the purposes of migration.
The Application Administrator can also perform all duties of the Application User.
Note
Initially, there is only one Application Administrator, which is the first user created on a CDSPaaS service. If there is only one Application Administrator, this user cannot be deleted. The policy engine enforces that at least one Application Administrator exists at all times to prevent lockouts.
Note
A user that is not in the "admin" group is known as an Application User. An Application User must also be part of the System Defined 'Key Users Group' to create and manage their keys. Refer to the 'Key Users' group.
'All Clients' group
A client, upon successful registration with CipherTrust Data Security Platform Service, is made a member of All Clients group. These clients have permissions to:
- enroll with their respective CipherTrust Data Security Platform Service services.
'CA Admins' group
CA Administrators have permissions to:
- generate Certificate Signing Requests (CSRs)
'CCKM Admins' group
There is a System Defined Group named "CCKM Admins". Users within the "CCKM Admins" group are CCKM Administrators. Additionally, the "CCKM Admins" need the Key Users, Connection Admins, and User Admins permissions to perform key operations on the supported clouds.
A CCKM Administrator is responsible for creating and managing the following resources:
AWS KMS Accounts, AWS Keys, AWS Custom Key Stores
Azure Key Vaults, Azure Subscriptions, and Azure Keys
Google Cloud Projects, Key Rings, and Keys
Google EKM endpoints
Microsoft DKE endpoints
Salesforce Organizations, Tenant Secrets
SAP Groups, SAP Keys
CCKM Schedules
CCKM Reports
'CCKM Users' group
There is a System Defined Group named "CCKM Users". CCKM users registered with the CipherTrust Data Security Platform Service are part of this group. Additionally, the "CCKM Users" need the Key Users permissions to perform key operations on the supported clouds. They also need custom key store permissions to manage AWS custom key stores.
'Client Admins' group
There is a System Defined Group named "Client Admins". Users within the "Client Admins" group can perform some administrative tasks on the CipherTrust Manager Clients.
Client Administrators have permissions to:
Read a client
Delete a client
Renew a client
Manage registration tokens
'Connection Admins' group
There is a System Defined Group named "Connection Admins". Users within the "Connection Admins" group are Connection Manager Administrators.
Connection Manager Administrators have permissions to:
Create connections with third-party servers and services such as AWS, Azure, DSM, Google Cloud Platform (GCP), Hadoop, Luna SA HSM, SCP, CIFS/SMB, or Salesforce.
Read, delete, or update the connections.
Test an already created connection.
Test a new connection with the connection parameters.
'CTE Admins' group
There is a System Defined Group named "CTE Admins". Users within the "CTE Admins" group are CTE Administrators.
A CTE Administrator is responsible for creating and managing the following resources:
Clients and client groups
Profiles, policy elements, and policies
GuardPoints
Client registration tokens (with additional rights of System Defined Group named "CA Admins" and "Client Admins")
Note
Only users of the "CTE Admins" group can delete CTE keys.
'CTE Clients' group
There is a System Defined Group named "CTE Clients". CTE clients registered with the CipherTrust Data Security Platform Service are part of this group.
'Domain Backup Admins' group
Domain Backup Admins have permissions to view, download, and delete CipherTrust Manager Appliance backup and backup key files temporarily stored in CipherTrust Data Security Platform Service for migration purposes.
'Domain Restore Admins' group
Domain Restore Admins have permissions to:
restore domain-scoped backups from CipherTrust Manager Appliance for migration
read and restore domain backup keys from CipherTrust Manager Appliance for migration
'Key Admins' group
Key Administrators have permissions to manage keys on the system. They can:
create or modify their own keys
perform key management operations on keys created by all users on the system
'Key Users' group
Users that are not in the "admin" group are Application Users. An Application User must also be part of the System Defined 'Key Users' group for permission to do the following:
create keys
perform operations with any key they own or to which they have been granted access
'Restricted Key Users' group
Restricted Key Users have permissions to:
create keys using templates. Templates can be created by members of the admin or Key Admins groups.
read the template that matches the ownerId of the user.
read the templates with no ownerId defined.
perform key lifecycle management operations such as Revoke and Reactivate.
Members of the Restricted Key Users group cannot update the keys they create.
'Read-Only Admins' group
This group's purpose is to allow members to access and monitor all CipherTrust Data Security Platform Service systems without the ability to change them. A Read-Only Admin can list all objects of a given resource type, retrieve details about a particular resource, view statuses, and download logs.
'User Admins' group
User Administrators have permissions to create users and groups. They can:
Create other sub-administrator users, for example, policy administrator, key administrator, etc., and regular users
Assign users to most groups.
Note
Only an existing member of the 'admin' group can assign another user to the 'admin' group.
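The rules stated above for the System Defined Groups (at least one Application Administrator must exist at all times, only a member of "admin" can add a user to "admin", User Admins assign users to other groups, and an Application User needs "Key Users" to create keys) are easy to get wrong in an automation script that drives the REST API or ksctl. The following is an added example, not code from CipherTrust Data Security Platform Service: a local model of those rules that a script can check against before it calls the service. User IDs and group contents are constructed sample data, and the actor checks marked as assumptions in the comments go slightly beyond what the page states.

```python
"""Local model of the membership rules for the System Defined Groups.
Added example, not CipherTrust Data Security Platform Service code.
"""
from dataclasses import dataclass, field

ADMIN = "admin"            # members are Application Administrators
USER_ADMINS = "User Admins"
KEY_USERS = "Key Users"


class PolicyError(Exception):
    """An operation would violate one of the modelled rules."""


@dataclass
class Directory:
    """Maps group name -> set of user IDs (constructed sample data)."""
    groups: dict[str, set[str]] = field(default_factory=dict)

    def members(self, group: str) -> set[str]:
        return self.groups.setdefault(group, set())

    def is_member(self, user: str, group: str) -> bool:
        return user in self.members(group)

    def _may_assign(self, actor: str) -> bool:
        # Both Application Administrators and User Admins assign users to groups.
        return self.is_member(actor, ADMIN) or self.is_member(actor, USER_ADMINS)

    def add_to_group(self, actor: str, user: str, group: str) -> None:
        """Assign `user` to `group` on behalf of `actor`."""
        if group == ADMIN and not self.is_member(actor, ADMIN):
            # Only an existing Application Administrator may grow the admin group.
            raise PolicyError(f"{actor!r} is not in {ADMIN!r} and cannot add to it")
        if not self._may_assign(actor):
            raise PolicyError(f"{actor!r} may not assign users to groups")
        self.members(group).add(user)

    def remove_from_group(self, actor: str, user: str, group: str) -> None:
        """Remove `user` from `group`; never empties the admin group."""
        # Assumption: only Application Administrators remove members (the page
        # names them for User Defined Groups and is silent about User Admins).
        if not self.is_member(actor, ADMIN):
            raise PolicyError(f"{actor!r} is not in {ADMIN!r}")
        if group == ADMIN and self.members(ADMIN) == {user}:
            raise PolicyError("refusing to remove the last Application Administrator")
        self.members(group).discard(user)

    def delete_user(self, actor: str, user: str) -> None:
        """Delete a user from every group; the last admin cannot be deleted."""
        if not self.is_member(actor, ADMIN):  # assumption: admin deletes users
            raise PolicyError(f"{actor!r} is not in {ADMIN!r}")
        if self.is_member(user, ADMIN) and len(self.members(ADMIN)) == 1:
            raise PolicyError("refusing to delete the last Application Administrator")
        for grp in self.groups.values():
            grp.discard(user)

    def can_create_keys(self, user: str) -> bool:
        """Application Administrators can; Application Users also need Key Users."""
        return self.is_member(user, ADMIN) or self.is_member(user, KEY_USERS)


def demo() -> dict[str, bool]:
    """Exercise each rule on constructed data; True means the rule held."""
    d = Directory({ADMIN: {"u-alice"}, USER_ADMINS: {"u-bob"}})
    out: dict[str, bool] = {}

    d.add_to_group("u-bob", "u-carol", KEY_USERS)            # User Admin may do this
    out["user_admin_assigns_key_users"] = d.is_member("u-carol", KEY_USERS)
    out["application_user_with_key_users_creates_keys"] = d.can_create_keys("u-carol")
    out["application_user_without_key_users_cannot"] = not d.can_create_keys("u-dave")

    try:
        d.add_to_group("u-bob", "u-carol", ADMIN)             # User Admin may NOT
        out["user_admin_blocked_from_admin_group"] = False
    except PolicyError:
        out["user_admin_blocked_from_admin_group"] = True

    try:
        d.delete_user("u-alice", "u-alice")                   # alice is the only admin
        out["last_admin_protected"] = False
    except PolicyError:
        out["last_admin_protected"] = True

    d.add_to_group("u-alice", "u-erin", ADMIN)                # admin may grow admin
    d.delete_user("u-erin", "u-alice")                        # now allowed: erin remains
    out["admin_deletable_once_another_exists"] = (
        not d.is_member("u-alice", ADMIN) and d.is_member("u-erin", ADMIN)
    )
    return out


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{'PASS' if ok else 'FAIL'} {check}")
```

The lockout guard is the check worth keeping even if the rest is dropped: a script that deprovisions users in bulk should refuse to touch the last member of "admin" rather than rely on the service rejecting the request.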
User Defined Groups
User Defined Groups are created by Application Administrators. Application Administrators can:
create and delete User Defined Groups
add users to a User Defined Group
remove users from a User Defined Group
Groups are stored in CipherTrust Data Security Platform Service's internal database.
Managing User Defined Groups
Using the GUI, REST API or the CLI, an Application Administrator can create a User Defined Group and add users/clients to this group. The following are examples using the CLI:
To create a new User Defined Group called "eng" :
$ ksctl groups create -n eng
Note
Restrictions on group name depend on the user interface you use to create the group.
ksctl CLI/REST API: The percentage (%) character is not allowed. All other characters are allowed.
CipherTrust WebUI: Name may only contain alphanumeric characters, forward slashes (/), underscores (_), and dashes (-), which excludes whitespace and most special characters.
The response looks like:
{
"name": "eng",
"created_at": "2018-04-27T21:15:36.644959Z",
"updated_at": "2018-04-27T21:15:36.644959Z"
}
To add a user to the new User Defined Group "eng":
You specify the group name and the ID of a user that you previously created.
$ ksctl groups adduser -n eng -u "<id of user>"
The response looks like:
{
"name": "eng",
"created_at": "2018-05-02T16:47:51.248735Z",
"updated_at": "2018-05-02T17:24:20.015915Z"
}
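Because the CLI/REST API and the WebUI apply different name rules, a group created by script may carry a name that the WebUI would never have accepted (for example, one containing a space or a dot). The following is an added example, not part of ksctl or the CipherTrust documentation: it checks a proposed group name against both rule sets from the note above before building the ksctl command. It assumes "alphanumeric" means ASCII letters and digits and treats an empty name as invalid; the sample names are constructed.

```python
"""Check a User Defined Group name against the CLI/REST and WebUI rules.
Added example, not ksctl or CipherTrust code.
"""
import re

# WebUI rule: alphanumerics, forward slash, underscore, dash; nothing else.
# Assumption: ASCII alphanumerics only.
WEBUI_NAME = re.compile(r"^[A-Za-z0-9/_-]+$")


def allowed_via_cli(name: str) -> bool:
    """ksctl CLI and REST API reject only the '%' character.
    Assumption: an empty name is treated as invalid."""
    return bool(name) and "%" not in name


def allowed_via_webui(name: str) -> bool:
    """WebUI excludes whitespace and most special characters."""
    return bool(WEBUI_NAME.fullmatch(name))


def classify(name: str) -> str:
    """Return 'both', 'cli-only' (API accepts, WebUI would not), or 'rejected'."""
    cli, web = allowed_via_cli(name), allowed_via_webui(name)
    if cli and web:
        return "both"
    if cli:
        return "cli-only"
    return "rejected"


def plan_create(name: str) -> list[str]:
    """Build the ksctl command for a name the CLI accepts, else raise."""
    if not allowed_via_cli(name):
        raise ValueError(f"group name {name!r} contains '%' or is empty")
    return ["ksctl", "groups", "create", "-n", name]


def check_names(names: list[str]) -> dict[str, str]:
    """Classify several candidate names at once."""
    return {n: classify(n) for n in names}


if __name__ == "__main__":
    # Constructed sample names.
    for name, verdict in check_names(
        ["eng", "eng/prod_v2-a", "eng ops", "eng.ops", "100%", ""]
    ).items():
        print(f"{name!r:16} {verdict}")
```

Sticking to names that pass the stricter WebUI rule keeps groups manageable from either interface and avoids quoting surprises in shell scripts that pass the name to ksctl.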
Customized Groups for CTE
Create CTE groups to provide granular permissions to users on specific CTE resources or all permissions on all resources. A CipherTrust Data Security Platform Service administrator can create, modify, and delete custom CTE groups on the CipherTrust Data Security Platform Service GUI.
For example, the CipherTrust Data Security Platform Service administrator can create a group of users who have only read permissions on the CTE resources. Similarly, the administrator can create another group of users who can perform all operations except the delete operations on the CTE resources.
Refer to Permissions for the complete list of permissions required to perform operations on CTE resources.
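The two groups described above (read-only on all CTE resources, and everything except delete) are the usual starting point for separating auditors from operators. The following is an added example, not CipherTrust Data Security Platform Service code: a model of how a custom CTE group's (resource type, permission) grants combine when a user belongs to several groups. The resource types are the ones this page lists for CTE Administrators; the permission names read, create, update and delete are an assumption (the page defers to its separate Permissions list), grants are assumed to be additive across groups, and the users and groups are constructed sample data.

```python
"""Model of custom CTE group grants and their evaluation.
Added example, not CipherTrust Data Security Platform Service code.
"""
from dataclasses import dataclass, field

# Resource types named on the page for CTE Administrators.
CTE_RESOURCES = frozenset({
    "clients", "client_groups", "profiles", "policy_elements",
    "policies", "guardpoints", "registration_tokens",
})
PERMISSIONS = frozenset({"read", "create", "update", "delete"})  # assumption
ALL = "*"   # stands in for the GUI's "Select All"


@dataclass
class CteGroup:
    name: str
    members: set[str] = field(default_factory=set)
    # resource type -> set of permissions; ALL as key or value means everything
    grants: dict[str, set[str]] = field(default_factory=dict)

    def grant(self, resource: str, *perms: str) -> "CteGroup":
        """Add permissions on one resource type (or ALL); returns self for chaining."""
        if resource != ALL and resource not in CTE_RESOURCES:
            raise ValueError(f"unknown CTE resource type {resource!r}")
        for p in perms:
            if p != ALL and p not in PERMISSIONS:
                raise ValueError(f"unknown permission {p!r}")
        self.grants.setdefault(resource, set()).update(perms)
        return self

    def allows(self, resource: str, perm: str) -> bool:
        """True if this group grants `perm` on `resource`, directly or via ALL."""
        for res_key in (resource, ALL):
            perms = self.grants.get(res_key, set())
            if ALL in perms or perm in perms:
                return True
        return False


def read_only_group(name: str) -> CteGroup:
    """Read on every CTE resource and nothing else (first example in the text)."""
    return CteGroup(name).grant(ALL, "read")


def no_delete_group(name: str) -> CteGroup:
    """Every operation except delete, on every resource (second example)."""
    g = CteGroup(name)
    for res in sorted(CTE_RESOURCES):
        g.grant(res, *(PERMISSIONS - {"delete"}))
    return g


def is_allowed(groups: list[CteGroup], user: str, resource: str, perm: str) -> bool:
    """Assumption: grants are additive across groups, so any allowing group wins."""
    return any(user in g.members and g.allows(resource, perm) for g in groups)


def demo() -> dict[str, bool]:
    """Evaluate the two example groups on constructed users; True = as expected."""
    readers = read_only_group("cte-readers")
    readers.members.add("u-audit")
    operators = no_delete_group("cte-operators")
    operators.members.add("u-ops")
    groups = [readers, operators]
    return {
        "auditor_reads_guardpoints": is_allowed(groups, "u-audit", "guardpoints", "read"),
        "auditor_cannot_update": not is_allowed(groups, "u-audit", "guardpoints", "update"),
        "operator_creates_policies": is_allowed(groups, "u-ops", "policies", "create"),
        "operator_cannot_delete": not is_allowed(groups, "u-ops", "policies", "delete"),
        "stranger_denied": not is_allowed(groups, "u-nobody", "clients", "read"),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{'PASS' if ok else 'FAIL'} {check}")
```

Because grants only add, putting an auditor into an operator group silently lifts the read-only restriction; review a user's full group list, not just the group you are editing, before adding them.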
Creating Customized Groups for CTE
Create custom CTE groups to provide granular permissions to users on specific CTE resources or all permissions on all resources. The CipherTrust Data Security Platform Service administrator can create custom CTE groups on the CipherTrust Data Security Platform Service GUI.
To add a custom CTE group:
Log on to the CipherTrust Data Security Platform Service GUI.
In the left pane, click Access Management > Groups.
Click Create New Group. The General Info screen of the Create New Group wizard is displayed.
General Info
Enter a Name for the group.
Enable CTE Resource Permissions.
Click Next. The CTE Permissions screen is displayed.
CTE Permissions
Add granular permissions to users on specific CTE resources or all permissions on all resources. Refer to Permissions for the complete list of permissions required to perform operations on CTE resources.
Add the permissions:
To grant all permissions on all resources:
Enable Select All Resources & Permissions.
Click Next.
To grant granular permissions on specific resources:
From the Resource Type drop-down list, select the resource you want to grant permission on. The field displays the available CTE resources.
From the Permissions drop-down list, select single, multiple, or all permissions. The field displays the available permissions for the selected resource. To grant all the available permissions, select Select All.
To add permissions on more resources, click Add More Permissions. Add permissions for as many resources as required.
To remove a permission, click the remove icon next to it.
Click Next. The Assign Members screen is displayed.
Assign Members
This screen displays the available members with their user IDs. Select the members you want to add to the custom CTE group.
Select the members. To select all displayed members, select the check box under the Search by Name search field.
Click Next. The Review screen is displayed.
Review
This screen shows the group details that you have provided. These details are divided into GENERAL INFO, CTE PERMISSIONS, and ASSIGN MEMBERS sections.
Before adding the group, review all the provided details. After the group is added, certain features will no longer be editable.
Review the group details displayed on the screen.
If details are incorrect or you want to make any changes, click Back and make changes, as appropriate.
Alternatively, you can click the Edit links next to the GENERAL INFO, CTE PERMISSIONS, and ASSIGN MEMBERS sections to make changes.
Click Add Group. The group is successfully created.
Click Close.
The Groups list shows the newly created custom CTE group.
Modifying Custom CTE Groups
After a custom CTE group is created, the CipherTrust Data Security Platform Service administrator can modify it to add new members or remove existing members.
To modify a custom CTE group:
Log on to the CipherTrust Data Security Platform Service GUI.
In the left pane, click Access Management > Groups. The list of available groups is displayed.
Under Name, click the group you want to modify. The edit view of the group is displayed.
Under Members of the <group-name> group:
Click Remove next to the members you want to remove from the group.
Click Add next to the members you want to add to the group. The Member check box is selected for the member.
Deleting Custom CTE Groups
The CipherTrust Data Security Platform Service administrator can delete custom CTE groups.
To delete a custom CTE group:
Log on to the CipherTrust Data Security Platform Service GUI.
In the left pane, click Access Management > Groups. The list of available groups is displayed.
Click the ellipsis icon corresponding to the group you want to delete.
Click Delete. A message appears stating that deleting a group may affect the permissions of users within the group.
Click Delete to confirm the action.
The group is deleted and removed from the Groups list.