Secrets Vault Access Policies
The Secrets Vault supports role-based access control (RBAC) policies. Access to secrets is denied by default and must be explicitly granted through access control policies.
Roles
Roles define actions or operations that can be performed on the Secrets Vault and secrets. The following pre-defined roles are supported:
Vault Admin Role
Vault administrators have full access to all aspects of the secrets vault. This access includes:
- Box management—Can create and manage boxes.
- Secret management—Can create and manage secrets within boxes, and check out secrets.
- Policy management—Can create role-based access control policies to allow users or applications the ability to access secrets.
- View audit logs—Can view audit logs.
Vault User Role
The vault user role is assigned to users and applications that need access to secrets. They have the following permissions:
- List box IDs—Can retrieve the list of boxes (the box name and ID only) that the user or application has been granted access to.
- List secrets—Can retrieve the list of secrets that the user or application has been granted access to.
- Checkout secrets—Can retrieve the secret value.
- Checkin secrets—Can check in the secret after use.
- List my checkouts—Can retrieve the outstanding secret leases for the user or application.
Policies
Vault administrators can create and manage access control policies that manage access to the secrets. Policies consist of the following:
- Security principal—The list of users governed by this policy. This can be an individual AD user or a group.
- Role—The set of actions/operations granted to the principal. Only the vault user role is supported in policies you create. For information on granting the vault admin role, see Default Admin Policy.
- Resources—The list of boxes and secrets in the vault that the user or group can access.
The maximum number of policy change versions that can be kept is 25.
When a new vault is created in KeyControl, the secrets vault creates a default admin policy that grants the vault administrator role to the AD user or group set as the first vault administrator. The default admin policy is the only policy that can grant the vault admin role to other users. To grant it, the vault administrator edits the 'security principal' part of the default admin policy and adds the additional users or groups.
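The access model described on this page (deny by default; the two pre-defined roles and their actions; policies made of principal, role and resources; only the default admin policy able to grant the admin role; at most 25 retained policy versions) can be captured in a small evaluator. The following is an added illustrative model, not KeyControl's own code or API: the class names (`Vault`, `Policy`), the action names, the `"*"` wildcard for "whole vault", and the convention that granting a box also covers the secrets inside it (`box/secret` naming) are assumptions made for the example.

```python
"""Toy deny-by-default RBAC evaluator modelled on the Secrets Vault policy rules.

Illustrative only: names, action strings and resource naming are assumptions,
not KeyControl identifiers.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List

# Actions granted by each pre-defined role, taken from the page's role descriptions
# (action string names are constructed for this example).
USER_ACTIONS = frozenset({
    "list_boxes", "list_secrets", "checkout", "checkin", "list_my_checkouts",
})
ADMIN_ACTIONS = USER_ACTIONS | frozenset({
    "manage_boxes", "manage_secrets", "manage_policies", "view_audit_logs",
})
ROLE_ACTIONS: Dict[str, FrozenSet[str]] = {
    "vault_user": USER_ACTIONS,
    "vault_admin": ADMIN_ACTIONS,
}

MAX_POLICY_VERSIONS = 25          # page: at most 25 change versions are kept
DEFAULT_ADMIN_POLICY = "default-admin"
ALL_RESOURCES = "*"               # assumption: wildcard meaning "the whole vault"


class PolicyError(ValueError):
    """Raised when a policy change violates a vault rule."""


@dataclass(frozen=True)
class Policy:
    name: str
    principals: FrozenSet[str]    # AD users or groups
    role: str                     # "vault_user" or "vault_admin"
    resources: FrozenSet[str]     # box names or "box/secret" paths (assumed naming)


class Vault:
    def __init__(self, first_admin: str) -> None:
        self.policies: Dict[str, Policy] = {}
        self.history: Dict[str, List[Policy]] = {}
        # Vault creation installs the default admin policy for the first administrator.
        self._store(Policy(DEFAULT_ADMIN_POLICY, frozenset({first_admin}),
                           "vault_admin", frozenset({ALL_RESOURCES})))

    def _store(self, policy: Policy) -> None:
        """Save a policy and record a version, trimming to the newest 25."""
        self.policies[policy.name] = policy
        versions = self.history.setdefault(policy.name, [])
        versions.append(policy)
        del versions[:-MAX_POLICY_VERSIONS]

    def add_policy(self, policy: Policy) -> None:
        """Admin-created policies may only grant the vault user role."""
        if policy.name == DEFAULT_ADMIN_POLICY:
            raise PolicyError("the default admin policy cannot be replaced")
        if policy.role != "vault_user":
            raise PolicyError("only the vault user role can be granted by a new policy")
        if policy.role not in ROLE_ACTIONS:
            raise PolicyError(f"unknown role {policy.role!r}")
        self._store(policy)

    def grant_admin(self, principal: str) -> None:
        """The only way to make another admin: edit the default policy's principals."""
        current = self.policies[DEFAULT_ADMIN_POLICY]
        self._store(Policy(current.name, current.principals | {principal},
                           current.role, current.resources))

    @staticmethod
    def _resource_matches(granted: FrozenSet[str], resource: str) -> bool:
        box = resource.split("/", 1)[0]   # "finance/db-password" lives in box "finance"
        return ALL_RESOURCES in granted or resource in granted or box in granted

    def can_access(self, user: str, groups: Iterable[str], action: str, resource: str) -> bool:
        """Deny by default: allow only if some policy names the user (or a group),
        its role includes the action, and its resources cover the target."""
        identities = {user, *groups}
        for policy in self.policies.values():
            if identities.isdisjoint(policy.principals):
                continue
            if action not in ROLE_ACTIONS[policy.role]:
                continue
            if self._resource_matches(policy.resources, resource):
                return True
        return False


if __name__ == "__main__":
    # Constructed sample data: one admin, one group-scoped user policy.
    vault = Vault("alice@corp.example")
    vault.add_policy(Policy("finance-readers", frozenset({"finance-devs"}),
                            "vault_user", frozenset({"finance/db-password"})))
    print(vault.can_access("bob@corp.example", {"finance-devs"}, "checkout", "finance/db-password"))
    print(vault.can_access("bob@corp.example", {"finance-devs"}, "manage_policies", "finance"))
```

Each `can_access` call walks the policies and returns `True` on the first matching grant, so an unlisted principal, a wrong role or a resource outside the grant all fall through to the default denial. Attempting `add_policy` with the `vault_admin` role raises `PolicyError`, mirroring the page's rule that only the default admin policy carries that role.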
