Creating a Custom Cloud Admin Group
This applies to the following vaults only:
- Cryptographic Security Platform Vault for Cloud Keys
- Cryptographic Security Platform Vault for Databases
- Cryptographic Security Platform Vault for VM Encryption
Cloud Admin Groups can contain Cryptographic Security Platform Vault-managed user accounts with Cloud Admin privileges or Active Directory (AD) Security groups whose members are automatically granted Cloud Admin privileges when they log into Cryptographic Security Platform Vault.
Users with Cloud Admin privileges:
- Can manage the encryption of virtual machines that have the Entrust Policy Agent installed.
- Can create and manage Cloud VM Sets, which separate the encrypted VMs into logical groups such as "VMs running in AWS" or "UK Data Center VMs". The configuration settings selected for a Cloud VM Set are automatically applied to all VMs in that set.
- Can set options for specific VMs that override the default options specified in the Cloud VM Set.
- Can create certificates for VMs and specify key expiration dates.
- Can revoke access to individual encrypted disks/filesystems, or the whole VM. When access to disks is revoked, filesystems are forcibly unmounted, thus removing access to clear-text data.
- Can create encryption keys to securely move encrypted data between specified VMs in the same Cloud VM Set.
- Can view audit records and alerts generated from all the VMs in the Cloud VM Sets to which they have access.
Before You Begin
If you want to associate one or more AD Security groups with this Cloud Admin Group, make sure that:
- You have reviewed the considerations described in Considerations When Using AD Security Groups.
- The Security groups you want to add already exist in the AD server and that they contain only those users who require access to Cryptographic Security Platform Vault.
- Cryptographic Security Platform Vault can communicate with your AD authentication server. For details, see the appropriate link:
Procedure
1. Log into the appropriate Cryptographic Security Platform Vault webGUI using an account with Security Admin privileges. This can be one of the following vaults:
   - Cryptographic Security Platform Vault for Cloud Keys
   - Cryptographic Security Platform Vault for Databases
   - Cryptographic Security Platform Vault for VM Encryption
2. From the Home tab, select Security > Access Policies.
3. On the Manage Access Policies page, you can create a new policy or use an existing policy. The policy must have admin permissions.
   By default, when you configure AD, it will add the AD group and rescue user to the default policy.
4. On the About tab of the Create Access Policy dialog box, complete the following fields:
   - Name: Enter the policy name.
   - Description: Optionally enter a description for the policy.
   - Role: This is set to User for all policies other than the admin policy.
   - Users: Select the required users to be added to the policy. If the vault is configured for Active Directory authentication, select User or Group and search for the required AD user or AD group.
5. Click Continue.
6. On the Permissions tab of the Create Access Policy dialog box, select whether to grant All Permissions or Specific Permissions to the users.
7. If you selected Specific Permissions, check the checkboxes for each permission that you want to assign.
8. Click Apply.
9. Click the Groups tab.
10. Click Actions > Create Group.
11. In the Add New Group dialog box on the Group tab, specify the options you want to use:
   - Group Name: The name of the new Cloud Admin Group.
   - Description: An optional description of the group.
12. Click Next.
13. To add Cryptographic Security Platform Vault users to the group, click the Members tab.
   - To assign an AD Security group, start typing the name of the group in the Active Directory Groups field. Cryptographic Security Platform Vault automatically searches the associated AD server and displays a list of Security groups matching what you have typed. Select the group you want to add from the list. All members of the selected AD Security group will be able to access Cryptographic Security Platform Vault with Cloud Admin privileges and see all of the VMs registered to all of the Cloud VM Sets that are assigned to this Cloud Admin Group.
     Note: If the text you enter matches a large number of AD groups, the AD server may return the message "Size Limit Exceeded". If this happens, enter a longer search string to limit the number of matches returned from the AD server.
   - To assign a Cryptographic Security Platform Vault-managed user to the group, move that user from the Available Users list box to the Assigned Users list box.
14. Click Create.