KeyControl Vault User Accounts

There are two types of KeyControl Vault user accounts:

KeyControl Vault-managed user accounts. These are individual accounts created and administered locally in KeyControl Vault. A KeyControl Vault-managed account can be authenticated locally (with a password stored in KeyControl Vault) or externally (with a password stored in an LDAP server), and it can have any combination of the available user roles: Security Admin, Domain Admin, and Cloud Admin. These three user roles and their privileges are described below.

With KeyControl Vault-managed accounts, a KeyControl Vault Security Admin should create one user account for each person who needs access to KeyControl Vault, being careful to assign each account the appropriate user roles and access rights.
Active Directory (AD)-managed user accounts. Unlike KeyControl Vault-managed accounts where you have to create one account for each KeyControl Vault user, AD-managed users are granted access at the AD Security group level. When a KeyControl Vault Security Admin creates a Cloud Admin Group, they can assign one or more AD Security groups to that Cloud Admin Group. When they do so, every individual in every explicitly-named AD Security group is automatically granted Cloud Admin access to KeyControl Vault. (For more information, see Considerations When Using AD Security Groups.)

AD Security groups can only be associated with a Cloud Admin Group, and the only available user role for an AD-managed user account is Cloud Admin. This means you cannot use an AD group to specify users that need Security Admin or Domain Admin access to KeyControl Vault. Those users must have their own KeyControl Vault-managed user account.

By default, the KeyControl Vault installer creates the KeyControl Vault-managed user account secroot, which is automatically assigned all three user roles and placed in the default Cloud Admin Group. You can change the password and group membership for secroot, but you cannot delete the account or change its assigned Security Admin user role. We recommend you only give the secroot password to a very small number of administrators who need root-level access. If you need to change the secroot password, see Resetting the secroot Account Password.

User Roles and Privileges

Security Admin

Can manage the KeyControl Vault license.
Can create or delete KeyControl Vault-managed user accounts and Cloud Admin Groups.
Can specify the LDAP server that KeyControl Vault will use to authenticate AD user accounts.
Can assign KeyControl Vault-managed users or AD groups to Cloud Admin Groups.
Can manage the master Admin key and set up KMIP or HSM as a external key server.
Can back up, restore, and upgrade KeyControl Vault.
Can manage the KeyControl Vault KMIP server settings, accounts, and objects.
Can enable KeyControl Vault features such as email settings and BoundaryControl.
Can view all audit records. These records can be exported to an external syslog server.
Can view and delete alerts.
Cannot view any policies or virtual machines, and cannot modify any associated settings.

Domain Admin

Can manage Entrust KeyControl Vault clusters by adding, removing, and authorizing KeyControl Vault nodes.
Can configure KeyControl Vault node settings such as KeyControl Vault heartbeat.
Can view audit log records and alerts generated by Domain Admin actions.

Cloud Admin

Can manage the encryption of virtual machines that have the Entrust KeyControl Policy Agent installed.
Can create and manage Cloud VM Sets, which separate the encrypted VMs into logical groups such as "VMs running in AWS" or "UK Data Center VMs". The configuration settings selected for a Cloud VM Set are automatically applied to all VMs in that set.
Can set options for specific VMs that override the default options specified in the Cloud VM Set.
Can create certificates for VMs and specify key expiration dates.
Can revoke access to individual encrypted disks/filesystems, or the whole VM. When access to disks is revoked, filesystems are forcibly unmounted, thus removing access to clear-text data.
Can create encryption keys to securely move encrypted data between specified VMs in the same Cloud VM Set.
Can view audit records and alerts generated from the all VMs in the Cloud VM Sets to which they have access.