KeyControl User Accounts
You can create user accounts for KeyControl that have access to certain areas of the KeyControl webGUI based on their assigned user role. These accounts can also be used in the HyTrust CLI (Command Line Interface) and the HyTrust API calls when KeyControl authorization is required.
Each user account can have one or more roles assigned to it, and it may be assigned to one or more groups. The combination of user role and group membership fully defines the user's access level in KeyControl. The user role dictates what operations the user can perform and their group membership dictates which objects in the system they can affect.
|
Note:
|
The only user role that does not have an associated group is the Security Admin, because Security Admins only work with KeyControl users, groups, and Admin keys. Because these items are universal across all groups and cannot be further divided, there is no reason to have a Security Admin group. |
By default, the KeyControl installer creates the user account secroot, which is automatically assigned all three user roles and placed in the two default groups (the Cloud Admin Group and Domain Admin Group). You can change the password and group membership for secroot, but you cannot delete the account or change its default user roles. We recommend you only give the secroot password to a very small number of administrators who need root-level access. In general, you should create a user account for every user and specifically define the account's privileges and group membership on a user by user basis.
The available user roles and their privileges are described below.
Security Admin
- Can manage the KeyControl license.
- Can create or delete users and groups, and can assign users to groups. Groups allow for multiple-admin knowledge (no single person can cause havoc
by withholding information).
- Can manage the master Admin key and set up KMIP or HSM as a external key server.
- Can back up, restore, and upgrade KeyControl.
- Can manage the KeyControl KMIP server settings, accounts, and objects.
- Can enable KeyControl features such as email settings and BoundaryControl.
- Can view all audit records. These records can be exported to an external syslog server.
- Can view and delete alerts.
- Cannot view any policies or virtual machines, and cannot modify any associated settings.
Domain Admin
- Can manage HyTrust KeyControl clusters by adding, removing, and authorizing KeyControl nodes.
- Can configure KeyControl node settings such as KeyControl heartbeat.
- Can view audit log records and alerts generated from Domain Admin group actions.
Cloud Admin
- Can manage the encryption of virtual machines that have the HyTrust DataControl Policy Agent installed.
- Can create and manage Cloud VM Sets, which separate the encrypted VMs into logical groups.
For example, "VMs running in AWS" or "UK Datacenter VMs". The configuration settings selected for a Cloud VM Set will automatically be applied to all VMs in that set.
- Can set options for specific VMs that override the default options specified in the Cloud VM Set.
- Can create certificates for VMs and specify key expiration dates.
- Can revoke access to individual encrypted disks/filesystems, or the whole VM. When access to disks is
revoked, filesystems are forcibly unmounted, thus removing access to clear-text data.
- Can create encryption keys to securely move encrypted data between specified VMs.
- Can view audit records and alerts generated from Cloud Admin group actions.
