Creating a Cloud Admin User Account

When you register a HyTrust DataControl Policy Agent, you need to specify a KeyControl user account with Cloud Admin privileges. While you can use the default secroot account, we recommend that you make a separate account with just the Cloud Admin permissions to use for this purpose. To make a Cloud Admin user account:

Log into the KeyControl webGUI using an account with Security Admin privileges.
In the top menu bar, click Security.
Click the KeyControl Managed Users tab.
Select Actions > Create User.

On the User tab, enter the following information. All fields on this tab are required.

Field Descriptions

Field	Description
Login Name	The login name for the KeyControl-managed user account. The login name is case-sensitive, so you could have three different accounts called CloudAdmin, Cloudadmin, and cloudadmin. The login name can contain standard alphanumeric characters, hyphens (-), underscores (_), and periods (.). It cannot contain spaces or other special characters.
Full Name	The full name of the user associated with the account. This name is included on any audit log messages generated by that user's activity. Therefore, we recommend that you specify a unique full name for each KeyControl user.
Email Address	If your system is configured to send email alerts, they will be sent to this email address. The alerts a user sees depends on their user role and group access.
Account Expiration	The date on which this user account should expire. The default is one year from the creation date. KeyControl automatically disables expired accounts but does not delete them. Disabled accounts can be re-enabled in the KeyControl webGUI.
Account Enabled	Check this box to have the account be available as soon as you create it. If you clear this check box, KeyControl sets the account status to Disabled and you will need to manually enable it through the webGUI.

On the Authentication tab, select the type of authentication you want to use.

Options

Authentication Method	Description
Locally by KeyControl	In the Authentication drop-down, select Local. In the Password and Repeat Password fields, enter the password for this user account. In the Password Expiration field, enter the date on which the password should expire. Once this date is reached, the user will be prompted to enter a new password the next time they log into KeyControl. The expiration date cannot be longer than the number of days defined in the default local authentication settings. For more information, see Configuring Local Authentication Settings.
Externally by a RADIUS authentication server	In the Authentication drop-down, select RADIUS. If you want to use the pre-configured RADIUS settings, leave the Use default Radius settings check box checked and continue to the next step. If you want to change the default RADIUS settings, clear the Use default Radius settings check box and enter the RADIUS server address, port number, shared secret, and authentication method in the designated fields. For more information, see Specifying Default RADIUS Authentication Server Settings. To test the connection to the server, click Test RADIUS Server.
Externally by an LDAP authentication server	In the Authentication drop-down, select LDAP. KeyControl does not currently support individual LDAP settings. Instead, every LDAP user account must use the global LDAP configuration. For more information, see Specifying an LDAP/AD Authentication Server.

Authentication Method

Description

Locally by KeyControl

In the Authentication drop-down, select Local.
In the Password and Repeat Password fields, enter the password for this user account.
In the Password Expiration field, enter the date on which the password should expire. Once this date is reached, the user will be prompted to enter a new password the next time they log into KeyControl.

The expiration date cannot be longer than the number of days defined in the default local authentication settings. For more information, see Configuring Local Authentication Settings.

Externally by a RADIUS authentication server

In the Authentication drop-down, select RADIUS.
If you want to use the pre-configured RADIUS settings, leave the Use default Radius settings check box checked and continue to the next step.
If you want to change the default RADIUS settings, clear the Use default Radius settings check box and enter the RADIUS server address, port number, shared secret, and authentication method in the designated fields. For more information, see Specifying Default RADIUS Authentication Server Settings.
To test the connection to the server, click Test RADIUS Server.

Externally by an LDAP authentication server

In the Authentication drop-down, select LDAP.

KeyControl does not currently support individual LDAP settings. Instead, every LDAP user account must use the global LDAP configuration. For more information, see Specifying an LDAP/AD Authentication Server.

When you have finished specifying the authentication method, click Next.
On the Privileges and Groups tab:
1. Check the Cloud Admin checkbox.
  
  If you want this account to have additional privileges, you can also check the Security Admin or Domain Admin check boxes. For details, see Creating a New KeyControl-Managed User Account.
2. In the Available Groups list box, click Cloud Admin Group, then click the right arrow above the list box. This group should move to the Assigned Groups list box.
  
  If desired, select any other groups to which this account should belong.
3. Click Create.
When you see the User Successfully Created message, click Close.