Client Roles
Tip
Luna Cloud HSM Services provisioned through the Thales Data Protection on Demand marketplace user interfaces refer to a service client. Luna Cloud HSM Services provisioned through external marketplaces user interfaces refer to a partition client. The documentation refers to these components as the client.
The security of an HSM and its cryptographic contents depends on well-controlled access to that HSM. The client imposes a software role hierarchy that enforces restricted tiers of administrative and utilization roles when accessing the software. A controlled access policy is defined by:
- the set of users with valid login credentials for the Luna Cloud HSM Service partition
- the actions each user is allowed to perform when logged in (the user's role)
For example, an access policy that adheres to the PKCS#11 standard requires two roles: the security officer (PO), who administers the user account(s), and the standard user, who performs cryptographic operations. When a user logs in to the HSM, they can perform only those functions that are permitted for their role.
When the application owner creates the Luna Cloud HSM Service, they use a client to access and use the Luna Cloud HSM Service for cryptographic operations. The client separates administrative duties from operational duties by role.
Tip
The client roles are a separate function from the DPoD platform user roles, that is, the service provider, tenant administrator, and application owner. The platform user roles allow for administration of and access to Luna Cloud HSM Services. By contrast, the client roles allow for administration of and access to the HSM that is bound to the client.
You provision your Luna Cloud HSM Service by initializing the service and initializing the following user roles:
Security Officer (PO)
The security officer is necessary for initializing the Luna Cloud HSM Service partition and configuring partition policies. Access to this role should be restricted to the service partition administrator.
The security officer has the following roles and responsibilities:
- Initializes the service partition, creates the PO credential and sets the cloning domain.
- Initializes the crypto officer role and can reset the CO credential.
- Configures partition policies.
Crypto Officer (CO)
The crypto officer creates and administers cryptographic objects on the Luna Cloud HSM Service partition. Most supported integration applications require access to the crypto officer account credentials. This allows the integration application to access the Luna Cloud HSM Service to create, use, modify, and delete cryptographic objects on the Luna Cloud HSM Service partition.
The crypto officer has the following roles and responsibilities:
- Creates and modifies cryptographic objects on the service partition.
- Manages backup and restore operations for the service partition.
- Performs cryptographic functions via user applications.
- Initializes the crypto user role and can reset the CU credential.
Crypto User (CU)
The crypto user role can be used to restrict access to the Luna Cloud HSM Service partition. If you are sharing access to the Luna Cloud HSM Service with a team member solely so that they can use objects for cryptographic operations, you should create Crypto User credentials and provide those to them.
The crypto user has the following responsibilities:
- Performs cryptographic functions via user applications (optional read-only role).
- Can create public objects only.
- Can perform backup/restore of public objects on the partition.
See Initialize service partition for procedures to initialize and add the security officer, crypto officer, and crypto user roles.
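As an added illustration (not Thales code and not part of the original page), the following Python models the three client roles described above as a small reference monitor: the role and operation names are simplified labels assumed for the example, and the crypto user's public-objects-only restriction is enforced through a per-object `private` flag.

```python
from dataclasses import dataclass

# Added illustration, not Thales code: a reference-monitor model of the
# client role hierarchy. Role/operation names are simplified labels.
SO, CO, CU = "security_officer", "crypto_officer", "crypto_user"

# Operations each role may perform, per the role descriptions above.
PERMISSIONS = {
    SO: {"init_partition", "set_cloning_domain", "set_policy",
         "init_co", "reset_co"},
    CO: {"create_object", "modify_object", "delete_object",
         "use_key", "backup", "restore", "init_cu", "reset_cu"},
    CU: {"create_object", "use_key", "backup", "restore"},
}
# The crypto user may create and back up/restore public objects only.
PUBLIC_ONLY = {CU: {"create_object", "backup", "restore"}}

@dataclass(frozen=True)
class Request:
    role: str
    op: str
    private: bool = False  # True when the target object is private

def is_permitted(req: Request) -> bool:
    """Return True if req.role may perform req.op on the target object."""
    if req.op not in PERMISSIONS.get(req.role, set()):
        return False          # unknown role or operation outside the tier
    if req.private and req.op in PUBLIC_ONLY.get(req.role, set()):
        return False          # public-only restriction (crypto user)
    return True

def audit(requests):
    """Evaluate a sequence of requests; return a list of (request, allowed)."""
    return [(r, is_permitted(r)) for r in requests]

# Constructed sample session showing the separation of duties.
SESSION = [
    Request(SO, "init_partition"),
    Request(SO, "use_key"),                      # SO never uses keys
    Request(CO, "create_object", private=True),
    Request(CO, "reset_cu"),
    Request(CO, "reset_co"),                     # only the SO resets the CO
    Request(CU, "use_key", private=True),        # CU may use private keys
    Request(CU, "create_object", private=True),  # denied: public only
    Request(CU, "backup"),
]
if __name__ == "__main__":
    for r, ok in audit(SESSION):
        print(f"{r.role:16} {r.op:18} private={r.private!s:5} -> {'allow' if ok else 'deny'}")
```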