Creating a Cloud Admin User Account

When you register a HyTrust DataControl Policy Agent, you need to specify a KeyControl user account with Cloud Admin privileges. While you can use the default secroot account, we recommend that you make a separate account with just the  Cloud Admin permissions to use for this purpose. To make a Cloud Admin user account:

1. Log into the KeyControl webGUI on any node in the cluster using an account with Security Admin privileges.
2. In the top menu bar, click Security.
3. Click the Users tab.
4. Select Actions > Create User.

5. On the User tab, enter the following information. All fields on this tab are required.

   Field Descriptions

   Field	Description
   Login Name	The login name for the user account. The login name is case-sensitive, so you could have three distinct accounts called CloudAdmin, Cloudadmin, and cloudadmin. The login name can contain standard alphanumeric characters, hyphens (-), underscores (_), and periods (.). It cannot contain spaces or other special characters.
   Full Name	The full name of the user associated with the account. This name is included on any audit log messages generated by that user's activity. Therefore, we recommend that you specify a unique full name for each KeyControl user.
   Email Address	If your system is configured to send email alerts, they will be sent to this email address. The alerts a user sees depends on their user role and group access.
   Account Expiration	The date on which this user account should expire. The default is one year from the creation date. KeyControl automatically disables expired accounts but does not delete them. Disabled accounts can be re-enabled in the KeyControl webGUI.
   Account Enabled	Check this box to have the account be available as soon as you create it. If you clear this check box, KeyControl sets the account status to Disabled and you will need to manually enable it through the webGUI.

6. On the Authentication tab, select the type of authentication you want to use.

   Options

   Authentication Method	Description
   Managed by KeyControl	In the Authentication drop-down, select Local. In the Password and Repeat Password fields, enter the password for this user account. In the Password Expiration field, enter the date on which the password should expire. Once this date is reached, the user will be prompted to enter a new password the next time they log into KeyControl. The expiration date cannot be longer than 60 days.
   Managed by RADIUS	In the Authentication drop-down, select RADIUS. If you want to use the pre-configured RADIUS settings, leave the Use default Radius settings check box checked and continue to the next step. If you want to change the default RADIUS settings, clear the Use default Radius settings check box. Enter the RADIUS server address, port number, and password in the designated fields. To test the connection to the server, click Test RADIUS Server.
   Managed by LDAP	In the Authentication drop-down, select LDAP. KeyControl does not currently support individual LDAP settings. Instead, every LDAP user account must use the global LDAP configuration. For more information, see Configuring Default LDAP Settings.

7. When you have finished specifying the authentication method, click Next.

8. On the Privileges and Groups tab:

   1. Check the Cloud Admin checkbox.

      If you want this account to have additional privileges, you can also check the Security Admin or Domain Admin check boxes. For details, see Creating a New User Account.

   2. In the Available Groups list box, click Cloud Admin Group, then click the right arrow above the list box. This group should move to the Assigned Groups list box.

      If desired, select any other groups to which this account should belong.

   3. Click Create.
9. When you see the User Successfully Created message, click Close.