Cryptographic Security Platform Vault User Accounts
There are two types of Cryptographic Security Platform Vault user accounts:
- Cryptographic Security Platform Vault-managed user accounts. These are individual accounts created and administered locally in Cryptographic Security Platform Vault. A Cryptographic Security Platform Vault-managed account can be authenticated locally (with a password stored in Cryptographic Security Platform Vault) or externally (with a password stored in an LDAP server), and it can have any combination of the available user roles: Security Admin, Domain Admin, and Cloud Admin. These three user roles and their privileges are described below.
  With Cryptographic Security Platform Vault-managed accounts, a Cryptographic Security Platform Vault Security Admin should create one user account for each person who needs access to Cryptographic Security Platform Vault, being careful to assign each account the appropriate user roles and access rights.
- Active Directory (AD)-managed user accounts. Unlike Cryptographic Security Platform Vault-managed accounts, where you have to create one account for each Cryptographic Security Platform Vault user, AD-managed users are granted access at the AD Security group level. When a Cryptographic Security Platform Vault Security Admin creates a Cloud Admin Group, they can assign one or more AD Security groups to that Cloud Admin Group. When they do so, every individual in every explicitly named AD Security group is automatically granted Cloud Admin access to Cryptographic Security Platform Vault. (For more information, see Considerations When Using AD Security Groups.)
  AD Security groups can only be associated with a Cloud Admin Group, and the only available user role for an AD-managed user account is Cloud Admin. This means you cannot use an AD group to specify users that need Security Admin or Domain Admin access to Cryptographic Security Platform Vault. Those users must have their own Cryptographic Security Platform Vault-managed user account.
By default, the Cryptographic Security Platform Vault installer creates the Cryptographic Security Platform Vault-managed user account secroot, which is automatically assigned all three user roles and placed in the default Cloud Admin Group. You can change the password and group membership for secroot, but you cannot delete the account or change its assigned Security Admin user role. We recommend you only give the secroot password to a very small number of administrators who need root-level access. If you need to change the secroot password, see Resetting the secroot Account Password.

Security Admin
- Can manage the Cryptographic Security Platform Vault license.
- Can create or delete Cryptographic Security Platform Vault-managed user accounts and Cloud Admin Groups.
- Can specify the LDAP server that Cryptographic Security Platform Vault will use to authenticate AD user accounts.
- Can assign Cryptographic Security Platform Vault-managed users or AD groups to Cloud Admin Groups.
- Can manage the master Admin key and set up KMIP or HSM as an external key server.
- Can back up, restore, and upgrade Cryptographic Security Platform Vault.
- Can manage the Cryptographic Security Platform Vault KMIP server settings, accounts, and objects.
- Can enable Cryptographic Security Platform Vault features such as email settings and BoundaryControl.
- Can view all audit records. These records can be exported to an external syslog server.
- Can view and delete alerts.
- Cannot view any policies or virtual machines, and cannot modify any associated settings.

Domain Admin
- Can manage Entrust Cryptographic Security Platform Vault clusters by adding, removing, and authorizing Cryptographic Security Platform Vault nodes.
- Can configure Cryptographic Security Platform Vault node settings such as Cryptographic Security Platform Vault heartbeat.
- Can view audit log records and alerts generated by Domain Admin actions.

Cloud Admin
- Can manage the encryption of virtual machines that have the Entrust Policy Agent installed.
- Can create and manage Cloud VM Sets, which separate the encrypted VMs into logical groups such as "VMs running in AWS" or "UK Data Center VMs". The configuration settings selected for a Cloud VM Set are automatically applied to all VMs in that set.
- Can set options for specific VMs that override the default options specified in the Cloud VM Set.
- Can create certificates for VMs and specify key expiration dates.
- Can revoke access to individual encrypted disks/filesystems, or the whole VM. When access to disks is revoked, filesystems are forcibly unmounted, thus removing access to clear-text data.
- Can create encryption keys to securely move encrypted data between specified VMs in the same Cloud VM Set.
- Can view audit records and alerts generated from all VMs in the Cloud VM Sets to which they have access.
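The account types and the three roles above define a small set of rules that an administrator can check an exported account inventory against: AD-managed access carries only Cloud Admin, secroot keeps Security Admin and cannot be deleted, and the roles are separated on purpose, so a personal account holding all three deserves a least-privilege review. The following is an added example written for this page, not Entrust code; the field names and the sample inventory are constructed.

```python
from dataclasses import dataclass

ROLES = frozenset({"Security Admin", "Domain Admin", "Cloud Admin"})

@dataclass
class Account:
    name: str
    managed_by: str                      # "vault" or "ad" (constructed field names)
    roles: frozenset = frozenset()
    auth: str = "local"                  # Vault-managed: "local" or "ldap"
    ad_groups: frozenset = frozenset()   # AD-managed: AD Security groups granting access

def check_account(acct: Account) -> list:
    """Return the documented rules this account breaks (empty list = consistent)."""
    problems = []
    if not acct.roles <= ROLES:
        problems.append("unknown role(s): " + ", ".join(sorted(acct.roles - ROLES)))
    if acct.managed_by == "ad":
        # AD Security groups map only onto Cloud Admin Groups, so Cloud Admin is the only role
        if acct.roles != {"Cloud Admin"}:
            problems.append("AD-managed accounts can only hold the Cloud Admin role")
        if not acct.ad_groups:
            problems.append("AD-managed access must come via an AD Security group in a Cloud Admin Group")
    elif acct.managed_by == "vault":
        if acct.auth not in ("local", "ldap"):
            problems.append("Vault-managed accounts authenticate locally or via LDAP")
        if not acct.roles:
            problems.append("Vault-managed account has no role assigned")
    else:
        problems.append(f"unknown account type {acct.managed_by!r}")
    if acct.name == "secroot" and "Security Admin" not in acct.roles:
        problems.append("secroot cannot lose its Security Admin role")
    return problems

def can_delete(acct: Account) -> bool:
    """secroot is created by the installer and cannot be deleted; any other account can."""
    return acct.name != "secroot"

def least_privilege_findings(accounts) -> list:
    """Names of accounts other than secroot that hold every role. The roles are deliberately
    separated (a Security Admin cannot even view VMs), so such accounts are worth a review."""
    return [a.name for a in accounts if a.name != "secroot" and a.roles == ROLES]

# Constructed sample inventory for the checks above
SAMPLE = [
    Account("secroot", "vault", ROLES),
    Account("alice", "vault", frozenset({"Domain Admin"}), auth="ldap"),
    Account("bob", "vault", ROLES),
    Account("carol", "ad", frozenset({"Cloud Admin", "Security Admin"}),
            ad_groups=frozenset({"CORP\\VaultCloudAdmins"})),
]
```

Running `check_account` over each entry flags only carol (an AD-granted account cannot carry Security Admin), and `least_privilege_findings(SAMPLE)` returns bob as the one personal account holding all three roles.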