KeyControl User Accounts

There are two types of KeyControl user accounts:

KeyControl-managed user accounts. These are individual accounts created and administered locally in KeyControl. A KeyControl-managed account can be authenticated locally (with a password stored in KeyControl) or externally (with a password stored in an LDAP or RADIUS server), and it can have any combination of the available user roles: Security Admin, Domain Admin, and Cloud Admin. These three user roles and their privileges are described below.

With KeyControl-managed accounts, a KeyControl Security Admin should create one user account for each person who needs access to KeyControl, being careful to assign each account the appropriate user roles and access rights.
Active Directory (AD)-managed user accounts. Unlike KeyControl-managed accounts where you have to create one account for each KeyControl user, AD-managed users are granted access at the AD Security group level. When a KeyControl Security Admin creates a Cloud Admin Group, they can assign one or more AD Security groups to that Cloud Admin Group. When they do so, every individual in every explicitly-named AD Security group is automatically granted Cloud Admin access to KeyControl. (For more information, see Considerations When Using AD Security Groups.)

AD Security groups can only be associated with a Cloud Admin Group, and the only available user role for an AD-managed user account is Cloud Admin. This means you cannot use an AD group to specify users that need Security Admin or Domain Admin access to KeyControl. Those users must have their own KeyControl-managed user account.

By default, the KeyControl installer creates the KeyControl-managed user account secroot, which is automatically assigned all three user roles and placed in the default Cloud Admin Group. You can change the password and group membership for secroot, but you cannot delete the account or change its assigned Security Admin user role. We recommend you only give the secroot password to a very small number of administrators who need root-level access.

User Roles and Privileges

Security Admin

Can manage the KeyControl license.
Can create or delete KeyControl-managed user accounts and Cloud Admin Groups.
Can specify the LDAP server that KeyControl will use to authenticate AD user accounts.
Can assign KeyControl-managed users or AD groups to Cloud Admin Groups.
Can manage the master Admin key and set up KMIP or HSM as a external key server.
Can back up, restore, and upgrade KeyControl.
Can manage the KeyControl KMIP server settings, accounts, and objects.
Can enable KeyControl features such as email settings and BoundaryControl.
Can view all audit records. These records can be exported to an external syslog server.
Can view and delete alerts.
Cannot view any policies or virtual machines, and cannot modify any associated settings.

Domain Admin

Can manage HyTrust KeyControl clusters by adding, removing, and authorizing KeyControl nodes.
Can configure KeyControl node settings such as KeyControl heartbeat.
Can view audit log records and alerts generated by Domain Admin actions.

Cloud Admin

Can manage the encryption of virtual machines that have the HyTrust DataControl Policy Agent installed.
Can create and manage Cloud VM Sets, which separate the encrypted VMs into logical groups such as "VMs running in AWS" or "UK Data Center VMs". The configuration settings selected for a Cloud VM Set are automatically applied to all VMs in that set.
Can set options for specific VMs that override the default options specified in the Cloud VM Set.
Can create certificates for VMs and specify key expiration dates.
Can revoke access to individual encrypted disks/filesystems, or the whole VM. When access to disks is revoked, filesystems are forcibly unmounted, thus removing access to clear-text data.
Can create encryption keys to securely move encrypted data between specified VMs in the same Cloud VM Set.
Can view audit records and alerts generated from the all VMs in the Cloud VM Sets to which they have access.