About Trust Manifests
Trust manifests are the security component of CloudControl. You can manage your trust manifests on the Manage Trust Manifests page. From the Home tab, select Security > Trust Manifests.
CloudControl supports the following types of trust manifests:
- Access Control—Provides security by limiting access to your vSphere and NSX-T environments.
- Boundary Control—Allows you to use rules and constraints to authenticate and authorize delivery of encryption keys to the data encrypted and managed by Entrust DataControl/KeyControl.
- Deployment Control—Provides security when deploying Kubernetes and OpenShift clusters.
- Exception Control—Allows you to define rules to allow certain vSphere URL patterns and route them to either vCenter or the proxy.
  Important: Do not use exception control policies unless instructed by Entrust.
- Secondary Approval—Provides security by requiring additional approvals before users can perform certain disruptive operations on your vSphere and NSX-T environments.
- Trust Attestation—Allows you to define rules to ensure selected resources match the trust attestation requirements.
When you create a trust manifest, you add a security policy to it. Both the trust manifest and the security policy must be the same type, for example, an access control trust manifest requires an access control policy. After the trust manifest has been reviewed, you can publish it. Once published, you can assign a resource to the trust manifest.
Trust manifests can be assigned to one or more resources:
- For Deployment Control, you can assign resources at the cluster and namespace level.
- For Access Control and Secondary Approval, you can assign resources at the vCenter, Data Center, and VM folder level.
- For Boundary Control, you can only assign resources at the Appliance Root level.
- For Trust Attestation, you can assign resources at the Appliance Root, vCenter, Data Center, Cluster, and ESXi Host level.
Note: Each resource can only be associated with one trust manifest of a given type.
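The lifecycle and assignment rules above (policy type must match manifest type, publish before assign, per-type assignable levels, one manifest of a given type per resource) are expressed here as a small illustrative model; this is added example code, not CloudControl's own API, and the class and function names are assumed.

```python
"""Illustrative model of the trust-manifest rules described on this page.
Not CloudControl's API: class names, fields and function names are assumed."""
from dataclasses import dataclass, field

# Resource levels each manifest type may be assigned to, as listed on the page.
ASSIGNABLE_LEVELS = {
    "Deployment Control": {"Cluster", "Namespace"},
    "Access Control": {"vCenter", "Data Center", "VM Folder"},
    "Secondary Approval": {"vCenter", "Data Center", "VM Folder"},
    "Boundary Control": {"Appliance Root"},
    "Trust Attestation": {"Appliance Root", "vCenter", "Data Center", "Cluster", "ESXi Host"},
}

@dataclass
class TrustManifest:
    name: str
    manifest_type: str
    policy_type: str
    published: bool = False

@dataclass
class Resource:
    name: str
    level: str
    # manifest type -> manifest name; at most one manifest per type per resource
    manifests: dict = field(default_factory=dict)

def publish(manifest: TrustManifest) -> None:
    """Publish a manifest; its security policy must be of the same type."""
    if manifest.manifest_type != manifest.policy_type:
        raise ValueError(f"{manifest.name}: policy type {manifest.policy_type!r} "
                         f"does not match manifest type {manifest.manifest_type!r}")
    manifest.published = True

def assign(manifest: TrustManifest, resource: Resource) -> None:
    """Assign a published manifest to a resource at an allowed level."""
    if not manifest.published:
        raise ValueError(f"{manifest.name} must be published before it is assigned")
    if resource.level not in ASSIGNABLE_LEVELS[manifest.manifest_type]:
        raise ValueError(f"{manifest.manifest_type} cannot be assigned at level {resource.level!r}")
    existing = resource.manifests.get(manifest.manifest_type)
    if existing is not None and existing != manifest.name:
        raise ValueError(f"{resource.name} already has a {manifest.manifest_type} manifest: {existing}")
    resource.manifests[manifest.manifest_type] = manifest.name
```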