Creating a Custom Cloud Admin Group
Cloud Admin Groups can contain KeyControl-managed user accounts with Cloud Admin privileges or Active Directory (AD) Security groups whose members are automatically granted Cloud Admin privileges when they log into KeyControl.
Users with Cloud Admin privileges:
- Can manage the encryption of virtual machines that have the HyTrust DataControl Policy Agent installed.
- Can create and manage Cloud VM Sets, which separate the encrypted VMs into logical groups such as "VMs running in AWS" or "UK Data Center VMs". The configuration settings selected for a Cloud VM Set are automatically applied to all VMs in that set.
- Can set options for specific VMs that override the default options specified in the Cloud VM Set.
- Can create certificates for VMs and specify key expiration dates.
- Can revoke access to individual encrypted disks/filesystems, or the whole VM. When access to disks is revoked, filesystems are forcibly unmounted, thus removing access to clear-text data.
- Can create encryption keys to securely move encrypted data between specified VMs in the same Cloud VM Set.
- Can view audit records and alerts generated from all the VMs in the Cloud VM Sets to which they have access.
Before You Begin
If you want to associate one or more AD Security groups with this Cloud Admin Group, make sure that:
- You have reviewed the considerations described in Considerations When Using AD Security Groups.
- The Security groups you want to add already exist in the AD server and that they contain only those users who require access to KeyControl.
- KeyControl can communicate with your AD authentication server. For details, see Specifying an LDAP/AD Authentication Server.
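Because every member of an assigned AD Security group receives Cloud Admin privileges, it is worth reviewing the group's flattened membership before you assign it. The following PowerShell is an added example, not part of the KeyControl documentation; it assumes the RSAT ActiveDirectory module is installed on a domain-joined workstation, and the group name is a constructed placeholder.

```powershell
# Added example (not from the KeyControl documentation): review an AD Security
# group before assigning it to a KeyControl Cloud Admin Group.
# Assumes the RSAT ActiveDirectory module is installed and the session can
# reach a domain controller. The group name below is a constructed placeholder.
Import-Module ActiveDirectory

$GroupName = 'KeyControl-CloudAdmins'   # placeholder; substitute your own group

# 1. Confirm the group exists (the page requires it to exist before assignment).
$group = Get-ADGroup -Identity $GroupName -Properties Description -ErrorAction Stop
Write-Host "Group: $($group.Name) ($($group.GroupScope) $($group.GroupCategory))"

# 2. Flatten membership, including users inherited through nested groups, so the
#    full list of accounts that would receive Cloud Admin privileges is visible.
$members = Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties Enabled, LastLogonDate |
    Select-Object SamAccountName, Name, Enabled, LastLogonDate |
    Sort-Object SamAccountName

$members | Format-Table -AutoSize

# 3. Flag disabled accounts and accounts with no logon in the last 90 days; these
#    are candidates to remove so the group contains only users who need KeyControl.
$stale = $members | Where-Object {
    (-not $_.Enabled) -or
    ($_.LastLogonDate -and $_.LastLogonDate -lt (Get-Date).AddDays(-90))
}
if ($stale) {
    Write-Warning "Review these members before assigning the group to KeyControl:"
    $stale | Format-Table -AutoSize
}
```

The 90-day threshold is an arbitrary review cut-off, not a KeyControl requirement; adjust it to your own account-hygiene policy. Whether KeyControl itself resolves nested group membership is not stated on this page, so the flattened list is intended for review rather than as a statement of what KeyControl will grant.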
Procedure
- Log into the KeyControl webGUI using an account with Security Admin privileges.
- In the top menu bar, click Security.
- Click the Groups tab.
- Click Actions > Create Group.
- In the Add New Group dialog box on the Group tab, specify the options you want to use.

  Option        Description
  Group Name    The name of the new Cloud Admin Group.
  Description   An optional description of the group.

- Click Next.
- To add KeyControl users to the group, click the Members tab.
- To assign an AD Security group, start typing the name of the group in the Active Directory Groups field. KeyControl automatically searches the associated AD server and displays a list of Security groups matching what you have typed. Select the group you want to add from the list. All members of the selected AD Security group will be able to access KeyControl with Cloud Admin privileges and see all of the VMs registered to all of the Cloud VM Sets that are assigned to this Cloud Admin Group.

  Note: If the text you enter matches a large number of AD groups, the AD server may return the message "Size Limit Exceeded". If this happens, enter a longer search string to limit the number of matches returned from the AD server.

- To assign a KeyControl-managed user to the group, move that user from the Available Users list box to the Assigned Users list box.
- Click Create.
