Groups
A group carries with it permissions for performing specific tasks. A group also consists of a set of users and/or clients that have been authorized to perform these tasks.
The CipherTrust Data Security Platform Service defines System Defined Groups and User Defined Groups.
Caution
It is critical that the credentials of users in these groups are kept in a secure location. If a credential is compromised, an attacker could gain access to sensitive data.
Assign a User to a Group
- Log in to CipherTrust Data Security Platform Service as a user in the 'admin' or 'User Admins' group.
- Navigate to Access Management > Users.
- Click the desired Username in the table to view the user details.
- Expand the Group Memberships section.
- Click Add Group.
- Enable the checkbox for any desired group(s). You can search for a group by name.
- Click Add Group to confirm.
System Defined Groups
System Defined Groups exist on CipherTrust Data Security Platform Service at launch time. Each System Defined Group carries with it permissions to perform specific tasks.
System Defined Groups are:
'admin' group
There is a System Defined Group named "admin". Users within the "admin" group are referred to as Application Administrators.
Application administrators are ultimately responsible for creating and assigning resources to application users. They have permissions to:
- Create and manage users and groups
- Create and manage connections
- Create and manage CipherTrust Data Security Platform Service keys, key policies, and key rotation schedules
- Create and manage quorums
- Create Certificate Signing Requests (CSRs)
The Application Administrator can also perform all duties of the Application User.
Note
Initially, there is only one Application Administrator, which is the first user created on a CDSPaaS service. If there is only one Application Administrator, this user cannot be deleted. The policy engine enforces that at least one Application Administrator exists at all times to prevent lockouts.
Note
A user that is not in the "admin" group is known as an Application User. An Application User must also be part of the System Defined 'Key Users Group' to create and manage their keys. Refer to the 'Key Users' group.
'All Clients' group
A client, upon successful registration with CipherTrust Data Security Platform Service, is made a member of All Clients group. These clients have permissions to:
- enroll with their respective CipherTrust Data Security Platform Service services.
'CA Admins' group
CA Administrators have permissions to:
- generate Certificate Signing Requests (CSRs)
'CCKM Admins' group
There is a System Defined Group named "CCKM Admins". Users within the "CCKM Admins" group are CCKM Administrators. Additionally, the "CCKM Admins" need the Key Users, Connection Admins, and User Admins permissions to perform key operations on the supported clouds.
A CCKM Administrator is responsible for creating and managing the following resources:
- AWS KMS Accounts, AWS Keys, AWS Custom Key Stores
- Azure Key Vaults, Azure Subscriptions, and Azure Keys
- Google Cloud Projects, Key Rings, and Keys
- Google EKM endpoints
- Salesforce Organizations, Tenant Secrets
- SAP Groups, SAP Keys
- CCKM Schedules
- CCKM Reports
'CCKM Users' group
There is a System Defined Group named "CCKM Users". CCKM users registered with the CipherTrust Data Security Platform Service are part of this group. "CCKM Users" also need the Key Users permissions to perform key operations on the supported clouds, and custom key store permissions to manage AWS custom key stores.
'Client Admins' group
There is a System Defined Group named "Client Admins". Users within the "Client Admins" group can perform some administrative tasks on the CipherTrust Manager Clients.
Client Administrators have permissions to:
- Read a client
- Delete a client
- Renew a client
- Manage registration tokens
'Connection Admins' group
There is a System Defined Group named "Connection Admins". Users within the "Connection Admins" group are Connection Manager Administrators.
Connection Manager Administrators have permissions to:
- Create connections with third party servers and services such as AWS, Azure, DSM, Google Cloud Platform (GCP), Hadoop, Luna SA HSM, SCP, CIFS/SMB, or Salesforce.
- Read, delete, or update the connections.
- Test an already created connection.
- Test a new connection with the connection parameters.
'CTE Admins' group
There is a System Defined Group named "CTE Admins". Users within the "CTE Admins" group are CTE Administrators.
A CTE Administrator is responsible for creating and managing the following resources:
- Clients and client groups
- Profiles, policy elements, and policies
- GuardPoints
- Client registration tokens (with additional rights of System Defined Group named "CA Admins" and "Client Admins")
Note
Only users of the "CTE Admins" group can delete CTE keys.
'CTE Clients' group
There is a System Defined Group named "CTE Clients". CTE clients registered with the CipherTrust Data Security Platform Service are part of this group.
'Key Admins' group
Key Administrators have permissions to manage keys on the system. They can:
- create or modify their own keys
- perform key management operations on keys created by all users on the system
'Key Users' group
Users that are not in the "admin" group are Application Users. An Application User must also be part of the System Defined 'Key Users' group for permission to do the following:
- create keys
- perform operations with any key they own or to which they have been granted access
'Read-Only Admins' group
This group's purpose is to allow members to access and monitor all CipherTrust Data Security Platform Service systems without the ability to change them. A Read-Only Admin can list all objects of a given resource type, retrieve details about a particular resource, view statuses, and download logs.
'User Admins' group
User Administrators have permissions to create users and groups. They can:
- Create other sub-administrator users, for example, policy administrator, key administrator, etc., and regular users
- Assign users to most groups.
Note
Only an existing member of the 'admin' group can assign another user to this group.
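The membership rules stated for the System Defined Groups (at least one Application Administrator at all times; Application Users need 'Key Users' to create keys; 'CCKM Admins' need 'Key Users', 'Connection Admins' and 'User Admins'; 'CCKM Users' need 'Key Users') are easy to violate when group assignments are made one user at a time. The following audit is an added example, not code from the product or its documentation. It runs those checks over a list of users and their group memberships; the input shape (a `username` and a `groups` list per user) is an assumption for the example, and the membership records below are constructed, not taken from a real system.

```python
"""Audit CipherTrust group memberships against the rules stated for the
System Defined Groups. Added example; the user records below are constructed
for illustration, and the input shape (username + groups) is an assumption,
not the product's export format."""

ADMIN = "admin"
KEY_USERS = "Key Users"
# Groups the documentation says a CCKM Admin needs for cloud key operations.
CCKM_ADMIN_PREREQS = ("Key Users", "Connection Admins", "User Admins")

# Constructed sample data: one Application Administrator, an 'eng' User
# Defined Group, and a few users whose memberships are incomplete on purpose.
USERS = [
    {"username": "root-admin", "groups": ["admin", "Key Users"]},
    {"username": "alice", "groups": ["Key Users", "eng"]},
    {"username": "bob", "groups": ["eng"]},
    {"username": "carol", "groups": ["CCKM Admins", "Key Users"]},
    {"username": "dave", "groups": ["CCKM Users"]},
]


def audit_memberships(users):
    """Return findings keyed by rule name.

    admins: members of 'admin' (Application Administrators).
    app_users_without_key_users: Application Users who cannot create keys
        because they are not in 'Key Users'.
    cckm_admins_missing: CCKM Admins lacking one of the groups they need.
    cckm_users_missing_key_users: CCKM Users without 'Key Users'.
    """
    findings = {
        "admins": [],
        "app_users_without_key_users": [],
        "cckm_admins_missing": {},
        "cckm_users_missing_key_users": [],
    }
    for user in users:
        name = user["username"]
        groups = set(user["groups"])
        if ADMIN in groups:
            findings["admins"].append(name)
        elif KEY_USERS not in groups:
            # Not an admin, so an Application User; without Key Users they
            # cannot create keys.
            findings["app_users_without_key_users"].append(name)
        if "CCKM Admins" in groups:
            missing = [g for g in CCKM_ADMIN_PREREQS if g not in groups]
            if missing:
                findings["cckm_admins_missing"][name] = missing
        if "CCKM Users" in groups and KEY_USERS not in groups:
            findings["cckm_users_missing_key_users"].append(name)
    return findings


def can_remove_from_admin(users, username):
    """Client-side version of the lockout guard: refuse to plan a removal
    from 'admin' that would leave no Application Administrator. The server
    enforces this as well; checking first avoids a failed call mid-script."""
    admins = {u["username"] for u in users if ADMIN in u["groups"]}
    if username not in admins:
        return False  # nothing to remove
    return len(admins) > 1


if __name__ == "__main__":
    import json
    print(json.dumps(audit_memberships(USERS), indent=2))
    print("safe to remove root-admin from admin:",
          can_remove_from_admin(USERS, "root-admin"))
```

Run it against a real export after replacing `USERS` with the users and group memberships pulled from your service; the `cckm_admins_missing` and `app_users_without_key_users` findings are the ones that usually explain "permission denied" on key operations.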
User Defined Groups
User Defined Groups are created by Application Administrators. Application Administrators can:
- create and delete User Defined Groups
- add users to a User Defined Group
- remove users from a User Defined Group
Groups are stored in CipherTrust Data Security Platform Service's internal database.
Managing User Defined Groups
Using the GUI, REST API or the CLI, an Application Administrator can create a User Defined Group and add users/clients to this group. The following are examples using the CLI:
To create a new User Defined Group called "eng" :
$ ksctl groups create -n eng
The response looks like:
{
"name": "eng",
"created_at": "2018-04-27T21:15:36.644959Z",
"updated_at": "2018-04-27T21:15:36.644959Z"
}
To add a user to the new User Defined Group "eng":
You specify the group name and the ID of a user that you previously created.
$ ksctl groups adduser -n eng -u "<id of user>"
The response looks like:
{
"name": "eng",
"created_at": "2018-05-02T16:47:51.248735Z",
"updated_at": "2018-05-02T17:24:20.015915Z"
}
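The GUI procedure under "Assign a User to a Group" and the ksctl commands above both go through the same REST API. The script below is an added example, not code from the product or its documentation. It automates the CLI sequence: obtain a JWT, create the User Defined Group only if it does not already exist, and add users by ID. The endpoint paths (/api/v1/auth/tokens, /api/v1/usermgmt/groups/...) and the "jwt" response field are assumptions modelled on the CipherTrust Manager REST API and should be checked against the API reference for your service; the transport is injectable so the flow can be exercised without a live system.

```python
"""Create a User Defined Group and add users to it over the REST API.

Added example, not product code. Endpoint paths are assumptions modelled on
the CipherTrust Manager REST API; confirm them in your API reference.
"""
import json
import urllib.parse
import urllib.request
from urllib.error import HTTPError


class CdspClient:
    def __init__(self, base_url, send=None):
        self.base_url = base_url.rstrip("/")
        self.jwt = None
        # send(method, url, headers, body) -> (status, bytes). Replaceable so
        # the flow can be tested against a recording fake.
        self._send = send or self._http_send

    @staticmethod
    def _http_send(method, url, headers, body):
        req = urllib.request.Request(url, data=body, method=method, headers=headers)
        try:
            with urllib.request.urlopen(req, timeout=30) as resp:
                return resp.status, resp.read()
        except HTTPError as err:
            # Surface 4xx/5xx as (status, body) so callers can decide.
            return err.code, err.read()

    def request(self, method, path, payload=None, ok=(200, 201, 204)):
        headers = {"Accept": "application/json"}
        body = None
        if payload is not None:
            headers["Content-Type"] = "application/json"
            body = json.dumps(payload).encode("utf-8")
        if self.jwt:
            headers["Authorization"] = "Bearer " + self.jwt
        status, raw = self._send(method, self.base_url + path, headers, body)
        try:
            data = json.loads(raw) if raw else {}
        except ValueError:
            data = {"raw": raw.decode("utf-8", "replace")}
        if status not in ok:
            raise RuntimeError(f"{method} {path} -> {status}: {data}")
        return status, data

    def login(self, username, password):
        # Password grant (assumed endpoint); the bearer token is in "jwt".
        _, data = self.request(
            "POST", "/api/v1/auth/tokens",
            {"grant_type": "password", "username": username, "password": password},
        )
        self.jwt = data["jwt"]

    def ensure_group(self, name):
        """Create the group unless it already exists; True if created."""
        encoded = urllib.parse.quote(name, safe="")
        status, _ = self.request("GET", f"/api/v1/usermgmt/groups/{encoded}",
                                 ok=(200, 404))
        if status == 200:
            return False
        self.request("POST", "/api/v1/usermgmt/groups/", {"name": name})
        return True

    def add_user(self, group, user_id):
        # User IDs look like "local|<uuid>"; the '|' must be percent-encoded
        # in the path or the request hits a different resource.
        path = (f"/api/v1/usermgmt/groups/{urllib.parse.quote(group, safe='')}"
                f"/users/{urllib.parse.quote(user_id, safe='')}")
        self.request("POST", path)
        return path


def onboard(client, group, user_ids, username, password):
    """Log in as an admin/User Admin, make sure the group exists, add users."""
    client.login(username, password)
    created = client.ensure_group(group)
    for uid in user_ids:
        client.add_user(group, uid)
    return created


if __name__ == "__main__":
    import getpass, os, sys
    # Usage: CDSP_URL=https://<service> CDSP_USER=<admin> python onboard.py eng "local|<uuid>" ...
    c = CdspClient(os.environ["CDSP_URL"])
    onboard(c, sys.argv[1], sys.argv[2:], os.environ["CDSP_USER"], getpass.getpass())
```

The caller must be a member of 'admin' or 'User Admins', as for the GUI procedure; the password is read from a prompt rather than the command line so it does not end up in shell history, which matters given the Caution at the top of the page.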