Considerations When Using AD Security Groups

  • KeyControl only supports Active Directory (AD) Security groups. You cannot assign an AD Distribution group to a Cloud Admin Group.
  • KeyControl only evaluates a user's Secondary AD group memberships when it determines the user's privileges. It does not evaluate the user's Primary AD group membership. Therefore, all privileges must come from Secondary AD Security groups.
  • KeyControl supports one and only one AD domain for account authentication. If your system configuration includes KeyControl-managed user accounts that are authorized using an LDAP server, the AD Security groups must be part of the same AD domain as those KeyControl-managed accounts. (For details, see Specifying an LDAP/AD Authentication Server.)
  • If KeyControl sends an email alert to a Cloud Admin Group that is associated with one or more AD Security groups, every member of the associated AD Security groups receives the email alert at the email address listed for them in Active Directory. Individual AD users cannot turn off alert notifications.
  • The relationship between AD Security groups and Cloud Admin Groups is many to many. You can associate any number of AD Security groups with a Cloud Admin Group, and you can associate any number of Cloud Admin Groups with an AD Security group.
  • If you assign an AD Security group to a Cloud Admin Group, then every individual user who is a member of that AD Security group in Active Directory will be given Cloud Admin access to all of the VMs registered with all of the Cloud VM Sets that are associated with the Cloud Admin Group.

    You cannot exclude specific members of the AD group, nor can you grant automatic access to any AD groups nested inside the parent group. Every AD group you want to include must be directly associated with the Cloud Admin Group, and every individual member of every associated AD group will automatically get access to KeyControl and the VMs associated with that Cloud Admin Group.

    For details about what Cloud Admins can do in KeyControl, see KeyControl User Accounts.

  • We recommend creating separate AD Security groups that contain only those users who require access to KeyControl. Cloud Admins can decrypt any VM registered with any Cloud Admin Group of which they are a member, so it is critical to make sure that access is restricted to a very small set of trusted users.
  • When an AD user logs into the KeyControl webGUI, that user's privileges are evaluated only at the initial login. If an AD user is removed from, or added to, a Security group in Active Directory while logged into the webGUI, the change to their account privileges does not take effect until that AD user logs out of the current session and logs back into the webGUI.

    Tip: Any KeyControl-managed user account with Security Admin privileges can view the Audit log to determine which users are currently logged into the KeyControl webGUI.

  • When an AD user logs into the KeyControl webGUI, KeyControl Security Admins can see the exact AD group memberships that KeyControl used when it assigned privileges to that AD user.
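The following is an added example, not part of the KeyControl documentation: a small access-review model of the rules above (secondary memberships only, direct AD group associations only, many-to-many Cloud Admin Group associations) that computes which VMs an AD user would be able to decrypt and flags users who sit in a nested group and would therefore get no access. All user, group, VM Set and VM names are constructed sample data.

```python
# Added example (not KeyControl's own code): models the documented rules for
# resolving an AD user's effective Cloud Admin access. All names are constructed.
from dataclasses import dataclass, field

@dataclass
class ADUser:
    name: str
    primary_group: str                                   # never evaluated by KeyControl
    secondary_groups: set = field(default_factory=set)   # direct memberships only

# Direct members of each AD Security group; a nested group appears as "GRP:<name>".
AD_GROUP_MEMBERS = {
    "KC-Cloud-Admins": {"alice", "GRP:KC-Ops"},
    "KC-Ops": {"bob"},
}
USERS = {
    "alice": ADUser("alice", "Domain Users", {"KC-Cloud-Admins"}),
    "bob":   ADUser("bob", "Domain Users", {"KC-Ops"}),    # member only via nesting
    "carol": ADUser("carol", "KC-Cloud-Admins", set()),    # primary group only
}
# Many to many: Cloud Admin Group -> AD Security groups directly associated with it.
CAG_TO_AD_GROUPS = {"CAG-Prod": {"KC-Cloud-Admins"}, "CAG-Dev": {"KC-Cloud-Admins"}}
# Cloud Admin Group -> Cloud VM Sets -> VMs registered with each set.
CAG_TO_VM_SETS = {
    "CAG-Prod": {"prod-set": {"db01", "web01"}},
    "CAG-Dev":  {"dev-set": {"dev01"}},
}

def cloud_admin_groups_for(user: ADUser) -> set:
    """Cloud Admin Groups the user resolves to: secondary, direct memberships only."""
    return {cag for cag, ad in CAG_TO_AD_GROUPS.items() if ad & user.secondary_groups}

def accessible_vms(user: ADUser) -> set:
    """Every VM in every VM Set of every Cloud Admin Group the user resolves to."""
    return {vm for cag in cloud_admin_groups_for(user)
               for vms in CAG_TO_VM_SETS[cag].values() for vm in vms}

def nested_members_without_access(ad_group: str) -> set:
    """Users reachable from ad_group only through one level of nesting; KeyControl
    does not grant them access, which is easy to assume otherwise in a review."""
    members = AD_GROUP_MEMBERS.get(ad_group, set())
    nested = {m[len("GRP:"):] for m in members if m.startswith("GRP:")}
    via_nesting = {u for g in nested for u in AD_GROUP_MEMBERS.get(g, set())
                   if not u.startswith("GRP:")}
    return via_nesting - members

def access_report() -> dict:
    """User -> sorted list of VMs that user could decrypt as a Cloud Admin."""
    return {name: sorted(accessible_vms(u)) for name, u in USERS.items()}
```

Running `access_report()` shows alice with access to all three VMs through both Cloud Admin Groups, while bob (nested membership) and carol (primary group only) receive none.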