Cloud Admin Groups
Every VM that you register with Cryptographic Security Platform Vault must be assigned to a specific Cloud VM Set. A Cloud VM Set is a logical grouping of related VMs, such as "Amazon EC2 VMs," "Azure VMs," and "Legal Dept VMs". The configuration settings specified for a specific Cloud VM Set apply to all VMs registered with that set.
Every Cloud VM Set must be associated with a Cloud Admin Group that determines the list of Cryptographic Security Platform Vault users and Active Directory (AD) Security groups that can see and manage the VMs in that Cloud VM Set. All Cryptographic Security Platform Vault users that have access to a specific Cloud Admin Group can see all of the VMs registered with all of the Cloud VM Sets in that group. Likewise, Cryptographic Security Platform Vault alerts and audit log entries that pertain to the VMs in a Cloud Admin Group can be seen by all members of that group, but they cannot be seen by the members of other Cloud Admin Groups.
When you install Cryptographic Security Platform Vault, the installer creates a default group called Cloud Admin Group and assigns the default user account, secroot, to that group. You can change the name of the default Cloud Admin Group or remove secroot from that group, but you cannot delete that group.
In order to be associated with one or more Cloud Admin Groups, a Cryptographic Security Platform Vault user account must have Cloud Admin privileges. If you assign an Active Directory (AD) Security group to a Cloud Admin Group, then every individual user who is a member of that Security group in Active Directory will be given Cloud Admin access to all of the VMs registered with all of the Cloud VM Sets that are associated with the Cloud Admin Group. (For more information, see Considerations When Using AD Security Groups.)
If you want to limit the access to the VMs registered with Cryptographic Security Platform Vault, you can create multiple Cloud Admin Groups and Cloud VM Sets. Then you can distribute the Cloud VM Sets among the Cloud Admin Groups and create a different membership list for each Cloud Admin Group.
For example, let's say you have 5 VMs in the Midwestern US and another 10 VMs in India. You want the US VMs to be managed by one group of users and the Indian VMs to be managed by another. In addition, you have a small set of superusers who can manage all aspects of Cryptographic Security Platform Vault as well as any VM anywhere in the world.
To achieve this configuration, you could:
- Create two Cloud Admin Groups, one called US-MidWest and the other called India-Bangalore.
- Create a Cryptographic Security Platform Vault-managed Cloud Admin user account for each Midwestern user, or create an AD Security group on your AD server and then assign the relevant Midwest AD user accounts to that AD Security group. When you are done, add the Cryptographic Security Platform Vault user accounts or the AD Security group as members of the US-MidWest Cloud Admin Group.
- Create a Cryptographic Security Platform Vault-managed Cloud Admin user account for each Indian user, or create an AD Security group on your AD server and then assign the relevant Indian AD user accounts to that AD Security group. When you are done, add the Cryptographic Security Platform Vault user accounts or the AD Security group as members of the India-Bangalore Cloud Admin Group.
- Create two Cloud VM Sets, one called US-MidWest-VMs associated with the US-MidWest Cloud Admin Group and the other called India-Bangalore-VMs associated with the India-Bangalore Cloud Admin Group.
- Add the Midwest VMs to the US-MidWest-VMs Cloud VM Set.
- Add the Indian VMs to the India-Bangalore-VMs Cloud VM Set.
- Create a Cryptographic Security Platform Vault-managed user account for each superuser with all three user roles (Security Admin, Domain Admin, and Cloud Admin), and assign them to the US-MidWest Cloud Admin Group and the India-Bangalore Cloud Admin Group.
Note: These superuser accounts must be created in and managed by Cryptographic Security Platform Vault so that they can be assigned Security Admin and Domain Admin privileges. Users from an AD Security group can only be assigned Cloud Admin privileges.
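As an added example (not the product's own code or API), the following Python model encodes the access rules above and builds the US-MidWest / India-Bangalore scenario; the AD Security group and user names it uses are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    roles: frozenset                     # Cloud Admin, Security Admin, Domain Admin; AD users get Cloud Admin only
    ad_groups: frozenset = frozenset()   # AD Security groups this user belongs to

@dataclass
class CloudAdminGroup:
    name: str
    users: set = field(default_factory=set)      # Vault-managed user accounts
    ad_groups: set = field(default_factory=set)  # AD Security groups

@dataclass
class CloudVMSet:
    name: str
    admin_group: str                     # each set belongs to exactly one group
    vms: set = field(default_factory=set)

def add_user(group, user):
    """Only accounts holding the Cloud Admin role may join a Cloud Admin Group."""
    if "Cloud Admin" not in user.roles:
        raise ValueError(f"{user.name} lacks Cloud Admin privileges")
    group.users.add(user.name)

def is_member(user, group):
    # Direct membership, or membership via any AD Security group assigned to the group.
    return user.name in group.users or bool(user.ad_groups & group.ad_groups)

def visible_vms(user, groups, vm_sets):
    """VMs the user can see and manage: every set of every group the user is in."""
    allowed = {g.name for g in groups if is_member(user, g)}
    return {vm for s in vm_sets if s.admin_group in allowed for vm in s.vms}

def can_see_audit_entry(user, vm, groups, vm_sets):
    """Alerts and audit entries follow the same boundary as VM visibility."""
    return vm in visible_vms(user, groups, vm_sets)

def example_deployment():
    """The text's scenario: 5 Midwest VMs, 10 Indian VMs, regional admins, a superuser."""
    us, india = CloudAdminGroup("US-MidWest"), CloudAdminGroup("India-Bangalore")
    us.ad_groups.add("MidwestVMAdmins")  # constructed AD Security group name
    vm_sets = [CloudVMSet("US-MidWest-VMs", "US-MidWest", {f"us-vm{i}" for i in range(5)}),
               CloudVMSet("India-Bangalore-VMs", "India-Bangalore", {f"in-vm{i}" for i in range(10)})]
    india_admin = User("priya", frozenset({"Cloud Admin"}))
    add_user(india, india_admin)
    superuser = User("ops-root", frozenset({"Cloud Admin", "Security Admin", "Domain Admin"}))
    add_user(us, superuser); add_user(india, superuser)
    ad_user = User("bob@corp.example", frozenset({"Cloud Admin"}), frozenset({"MidwestVMAdmins"}))
    return [us, india], vm_sets, {"ad_user": ad_user, "india": india_admin, "super": superuser}
```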