Security Administration

Introduction

Security Administrators provide oversight of the HyTrust KeyControl cluster by creating users with specific privileges and managing those users and their membership in administrative groups. Security Administrators can add or remove privileges and assign users to admin groups, which are collections of same-privilege admins that own system objects (storage, sets of virtual machines, and so on). A Security Administrator can see overall system activity but cannot see, touch or modify any system object.

During installation of the first KeyControl node, a default Security Administrator (secroot) is created that holds all privileges. A single administrator may be fine in some environments, for example a small IT shop. For larger environments, you may want multiple administrators with different roles, with the Security Administrators limited to providing oversight, managing the Admin Key and similar tasks.

Managing User Accounts

User management tasks can only be performed by Security Administrators. To view the list of current users, click the Security Icon. This displays overall information about each user in the system, as shown below.

Secadmin User Summary

The list of users shows the following fields by default; you can change the order of the fields or display other fields by clicking the icon at the top right of the grid. The default fields are:

  • Name - the full name of the user
  • User ID - the login ID for that user
  • Status - the status of the account: Active if the account is active and the user is able to log on, Disabled if the user cannot log on and the account needs attention. An account becomes Disabled when the user exceeds the allowed number of failed password attempts (see Default Password Settings for further information).
  • Last Login - the date that the user last logged on.
  • Security / Domain / Cloud - checked to show Security Admin, Domain Admin, and Cloud Admin privileges.

To modify user accounts, see Editing User Settings for details.

Finding and Displaying User Information

Selecting a user displays detailed information about the user account. Remember that the grid is your tool for finding things: in this case, finding users. See Using the Grid to Find and Edit Material. A sample record is shown below:


Secadmin User Info

If a user fails to log on by typing an incorrect password more times than the maximum failed login attempts allowed, the account is disabled. In the example shown above, jsmith is shown as "Disabled." That is because we intentionally entered the wrong password six times, which is one more than the threshold of five. That threshold is set in Authentication Settings, accessed through the Settings Icon. A disabled account cannot log on even with the correct password; to activate the account again, a Security Administrator must log on and explicitly activate it.
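The lockout rule above, written out as a small simulation so the boundary is explicit: at a threshold of five, the fifth wrong password leaves the account Active and the sixth disables it. This is an added example, not KeyControl code or its API. The page states the threshold behaviour, that a disabled account stays disabled until a Security Administrator activates it, and that the threshold is configurable; the example additionally assumes (labelled in the code) that failures are counted consecutively and that a successful login resets the count.

```python
"""Simulation of the failed-login lockout rule described on this page.
Added example: not KeyControl code, only a model of the described behaviour.

Stated on the page: the account is disabled once failures exceed the threshold
(the sixth failure at a threshold of 5), a disabled account cannot log in even
with the right password, and only a Security Administrator can activate it again.
Assumptions beyond the page: failures are counted consecutively, and a successful
login resets the counter.
"""
from dataclasses import dataclass

ACTIVE, DISABLED = "Active", "Disabled"


@dataclass
class Account:
    user_id: str
    status: str = ACTIVE
    failed_attempts: int = 0


class AuthPolicy:
    def __init__(self, max_failed_attempts=5):
        # The "maximum failed login attempts" value from Authentication Settings.
        self.max_failed_attempts = max_failed_attempts

    def record_login(self, acct, password_ok):
        """Apply one login attempt; return True only if the login succeeds."""
        if acct.status == DISABLED:
            return False                      # disabled: refused regardless of password
        if password_ok:
            acct.failed_attempts = 0          # assumption: success resets the counter
            return True
        acct.failed_attempts += 1
        if acct.failed_attempts > self.max_failed_attempts:
            acct.status = DISABLED            # threshold exceeded, not merely reached
        return False

    def activate(self, acct, actor_privileges):
        """Explicit reactivation, permitted only for a Security Administrator."""
        if "Security" not in actor_privileges:
            raise PermissionError("only a Security Administrator can activate an account")
        acct.status = ACTIVE
        acct.failed_attempts = 0


def status_after_failures(n_failures, threshold=5):
    """Account status after n_failures consecutive wrong passwords."""
    policy, acct = AuthPolicy(threshold), Account("jsmith")
    for _ in range(n_failures):
        policy.record_login(acct, password_ok=False)
    return acct.status


if __name__ == "__main__":
    for n in (4, 5, 6):
        print(f"{n} failures at threshold 5 -> {status_after_failures(n)}")
```

Running the block prints Active for four and five failures and Disabled for six. The `activate` method is where the page's "explicitly activate" step lives: a correct password after lockout does not clear the Disabled state.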

Editing User Settings

To edit user information, simply type into the editable areas of the user record. Note that there are two other tabs of information, Authentication and Privileges & Groups. All three areas can be edited on this grid screen. Samples are below.

Authentication:

Secadmin User Edit

Privileges & Groups:

Secadmin User Edit

All fields shown can be modified. An account can be explicitly disabled by clicking the Account status column for that user and unchecking the Active? field. Privileges can be added or removed. When a privilege is removed, any group membership specific to that privilege is automatically removed as well.

When adding either Domain or Cloud privileges a list of available groups will appear in the lower left pane for you to choose from. See the section Group Management, below, for further information.

Be careful when experimenting with privileges. Adding a privilege back does not restore the group memberships that were dropped when it was revoked, so if you accidentally revoke a privilege and then re-add it, be sure to reinstate the groups to which the user previously belonged.

Group Management

Each object in HyTrust KeyControl is owned by a group. Examples of where and how groups are used are:

  • Alerts are posted to groups.
  • Logging / auditing information is visible on a group-by-group basis.
  • Each KeyControl node is a member of the default KeyControl Admin Group.
  • If VM Sets for different customers require separate administrators, create multiple groups and separate the admins into these groups. Each administrator gets access only to VM information that belongs to their group. Most of these administrators will be Cloud Administrators.

In a multi-tenant environment, you may have groups for each customer. If you don't want to have your administrators seeing different customers' policies, place them in separate groups.

Group management is most noticeable in what a user can see, and in particular which audit records the user can see. Security Admins see all audit records. Other admins see only the audit records generated within their respective groups.
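The rules from the two passages above, the privilege-to-group coupling under Editing User Settings (revoking a privilege drops the matching group memberships, re-adding it does not restore them) and the group-based audit visibility described here, modelled in one runnable example. This is an added example, not KeyControl code or its API; the user IDs other than secroot, the "Tenant-A Cloud Admins" group, the audit records, and the assumption that the default KeyControl Admin Group is a Domain-type group are all constructed for the illustration.

```python
"""Model of the privilege / group coupling and the audit-visibility rule described
on this page. Added example only: not KeyControl code or its API. User IDs (other
than secroot), the tenant group and the audit records are constructed.

Rules modelled, as stated on the page:
  * a user holds privileges (Security, Domain, Cloud) and belongs to admin groups;
  * a group has one administrative type, and only users holding the matching
    privilege are eligible members;
  * removing a privilege automatically removes memberships in groups of that type;
  * adding the privilege back does NOT restore those memberships;
  * Security Admins see all audit records, other admins only their groups' records.
Assumption: the default KeyControl Admin Group is treated as a Domain-type group.
"""
from dataclasses import dataclass, field


@dataclass
class Group:
    name: str
    admin_type: str          # privilege a member must hold: "Domain" or "Cloud"


@dataclass
class User:
    user_id: str
    privileges: set = field(default_factory=set)
    groups: set = field(default_factory=set)   # names of groups the user belongs to


class Directory:
    def __init__(self):
        self.groups = {}
        self.users = {}

    def add_group(self, name, admin_type):
        if admin_type not in ("Domain", "Cloud"):
            raise ValueError("groups are Domain or Cloud admin groups")
        self.groups[name] = Group(name, admin_type)

    def add_user(self, user_id, privileges=()):
        self.users[user_id] = User(user_id, set(privileges))

    def eligible_members(self, group_name):
        """Users the Users tab would list as potential members of this group."""
        needed = self.groups[group_name].admin_type
        return sorted(u.user_id for u in self.users.values() if needed in u.privileges)

    def add_to_group(self, user_id, group_name):
        user, group = self.users[user_id], self.groups[group_name]
        if group.admin_type not in user.privileges:
            raise PermissionError(f"{user_id} lacks the {group.admin_type} privilege")
        user.groups.add(group_name)

    def grant(self, user_id, privilege):
        # Granting only restores eligibility; dropped memberships are not restored.
        self.users[user_id].privileges.add(privilege)

    def revoke(self, user_id, privilege):
        """Remove a privilege and, with it, every membership specific to it."""
        user = self.users[user_id]
        user.privileges.discard(privilege)
        dropped = {g for g in user.groups if self.groups[g].admin_type == privilege}
        user.groups -= dropped
        return dropped

    def visible_audit(self, user_id, records):
        """Security Admins see everything; other admins see their groups' records."""
        user = self.users[user_id]
        if "Security" in user.privileges:
            return list(records)
        return [r for r in records if r["group"] in user.groups]


def sample_directory():
    """Constructed scenario: the two default groups plus one tenant group, four admins."""
    d = Directory()
    d.add_group("KeyControl Admin Group", "Domain")     # assumption: Domain-type
    d.add_group("Cloud Admin Group", "Cloud")
    d.add_group("Tenant-A Cloud Admins", "Cloud")
    d.add_user("secroot", {"Security", "Domain", "Cloud"})
    d.add_user("jsmith", {"Domain", "Cloud"})
    d.add_user("cjones", {"Cloud"})
    d.add_user("rlee", {"Domain"})
    for uid, g in [("secroot", "KeyControl Admin Group"), ("secroot", "Cloud Admin Group"),
                   ("jsmith", "KeyControl Admin Group"), ("jsmith", "Tenant-A Cloud Admins"),
                   ("cjones", "Tenant-A Cloud Admins"), ("rlee", "KeyControl Admin Group")]:
        d.add_to_group(uid, g)
    records = [  # constructed audit records, each posted to the owning group
        {"id": 1, "group": "KeyControl Admin Group", "event": "node joined cluster"},
        {"id": 2, "group": "Tenant-A Cloud Admins", "event": "VM set created"},
        {"id": 3, "group": "Cloud Admin Group", "event": "policy changed"},
    ]
    return d, records


if __name__ == "__main__":
    d, records = sample_directory()
    print("eligible for Tenant-A:", d.eligible_members("Tenant-A Cloud Admins"))
    print("cjones sees:", [r["id"] for r in d.visible_audit("cjones", records)])
    print("dropped on revoke:", d.revoke("jsmith", "Cloud"))
    d.grant("jsmith", "Cloud")
    print("jsmith groups after re-grant:", d.users["jsmith"].groups)
```

The last two lines of the `__main__` section show the caveat from Editing User Settings in action: after `revoke` and `grant`, jsmith holds the Cloud privilege again but is no longer in Tenant-A Cloud Admins, and `visible_audit` for jsmith accordingly no longer returns that tenant's records until the membership is reinstated with `add_to_group`.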

When the system is installed there are two default groups created, as shown below:

Admin Default Groups

The groups can be changed and additional groups can be created.

  • The Cloud Admin Group is a little different, because Cloud Admins tend to be managed individually. You may in fact have many Cloud Admin groups, each with a single member.
  • The KeyControl Admin Group is used for all KeyControl cluster operations.

The names and descriptions of these default groups can be changed easily. Just select the group and edit the information in the detail screen, which appears below the primary grid for the selected record, as shown here.


Admin Default Groups

The system is fully functional with just these groups.

Creating New Groups

To create new Groups:

  1. Click the Security Icon at the top of the screen.
  2. Click the Groups tab, and then click Actions.
  3. Click Create Group. The Add New Group dialog box appears:



  4. Enter the Group Name, choose an administrative type for the group and an optional Description, and then click Create. The group is created immediately and a confirmation appears, with the option to create more groups, as shown below:

If you are done, click Close, or click Create More Groups to go through the process again.

Based on the group type selected, all administrators holding the corresponding privilege are displayed in the detail pane. In this case we chose the Cloud Admin Group type, and only two of our four administrators held that privilege.

Modifying Groups

To modify a group, select it by checking the box to its left. The edit screen appears, open to the Group tab, where you can change the name or description.

Click the Users tab to add users with the appropriate privileges to a group, or remove them from it. Potential members are listed on the left, and the current membership of the group on the right. Click the name of a user on the left to move that person into the group. Click the name of an administrator on the right to move that person out of the group. Click the double-arrow on either side to move everyone in or out of the group.

Admin Group Edit

Remember that you can search for the group or for users, using the grid, as described in Using the Grid to Find and Edit Material.

Note that only users holding the privilege matching the group type are shown as potential members of a given group. To add privileges to a user, click the Users tab, select the user, and then click Privileges & Groups. Choose the privileges you want to add to or remove from the user; your changes take effect immediately.