Security Administrators provide oversight of the HyTrust KeyControl cluster by creating users with specific privileges and managing these users and their membership in administrative groups. Security Administrators can add or remove privileges and assign users to admin groups, which are a collection of same-privilege admins who own system objects (sets of virtual machines, etc.). The Security Administrator can see overall system activity but can't see, touch or modify any system objects.
During installation of the first KeyControl node, a default Security Administrator (secroot) is created that has all privileges. Having this single administrator may be fine in some environments. For larger environments, you may want to have multiple administrators with different roles.
User management tasks can only be performed by Security Administrators. To view the list of current users, click the Security icon. This displays overall information about each user in the system, as shown below.
The user list shows the following fields by default; you can change the order of the fields or display other fields by clicking the icon at the top right of the grid. The fields shown are as follows:
To modify user accounts, see Editing User Settings.
Selecting a user displays detailed information about the user account.
If the user has failed to log on to the system by typing an incorrect password up to the maximum failed login attempts allowed, the account will be disabled. In the example shown above, johnsmith is shown as "Disabled." For information about setting this threshold, see Editing User Settings.
To activate the account, a Security Administrator must log on and explicitly activate the account.
To edit user information, type into the fields for user information that are shown in the screenshot above. Note that you can also edit the fields showing in the two other tabs of information, for Authentication and for Privileges & Groups. The fields showing in all three tabs can be edited from this screen.
All fields shown can be modified. Click a field that you want to change, and a detail view of the record appears in the lower half of the screen, where you can make changes. For example, an account can be explicitly disabled by clicking the Account status column for that user. This action opens the detail portion of the user record, where you can also add or remove privileges. Make the change that you want and click Save.
You can change the form of authentication, user password, and password expiration date by clicking the Authentication tab and making the changes in the detail screen.
Likewise, you can change user privileges and assigned groups by clicking the Privileges & Groups tab, and making changes in the detail screen. When removing a privilege, any group memberships specific to that privilege will automatically be removed.
When adding either Domain or Cloud privileges, a list of available groups appears in the lower left pane for you to choose from. See the section Creating and Managing Groups, below, for further information.
Each object in HyTrust KeyControl, including VM sets, encryption keys, and so on, is owned by a group. Examples of where and how groups are used are:
The main places where group management is noticeable are the options a user can see and the audit records the user is able to see. Security Admins see all audit records. Other admins see only the audit records generated within their respective groups.
When the system is installed there are two default groups created: the Cloud Admin Group and the KeyControl Admin Group.
The groups can be changed and additional groups can be created.
The names and descriptions of these default groups can be changed easily. Just select the group and edit the information in the detail screen, which appears below the primary screen, as shown below:
The system is fully functional with just the two default groups, but we recommend that you plan how to split your users into additional groups and how to assign your admins to those groups before you start adding groups and users.
To create new Groups:
If you are done, click Close, or click Create More Groups to go through the process again.
Based on the type of group selected, all administrators with the appropriate privilege will be displayed in the detail pane. In this case, we chose the Cloud Admin Group, and only two administrators had that privilege.
To change the description of a group, select a group by checking the name of the group. The edit screen appears, open to the Group tab, where you can change the name or description:
Click the Users tab to add and remove users with the appropriate privileges from a group. Note that the users who are potential members are on the left, and the actual membership of the group is shown on the right. Click the name of a user on the left to move that person into a group. Click the name of an administrator on the right to move that person out of a group. Click the double-arrow on either side to move everyone in or out of a group.
Note that only users with the appropriate privileges will be shown for a given group. To add privileges to a user, click the Users tab, select the user, and then click Privileges & Groups. Choose the privileges you want to add or remove from a user, and your changes take effect immediately.
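The rules described above (a group only lists users who hold its privilege, removing a privilege drops the memberships that depend on it, and Security Admins see every audit record while other admins see only their own groups') can be captured in a small model. The following is an illustrative example added for this page, not KeyControl's own code or API: the `Privilege`, `Group`, `User` and `Directory` names are assumptions, as is the mapping of the KeyControl Admin Group to the Domain privilege, and the audit records are constructed sample data.

```python
from dataclasses import dataclass, field
from enum import Enum


class Privilege(Enum):
    """Assumed names for the privilege types mentioned on this page."""
    SECURITY = "Security Admin"
    DOMAIN = "Domain Admin"
    CLOUD = "Cloud Admin"


@dataclass
class Group:
    name: str
    privilege: Privilege          # privilege a user must hold to be a member
    description: str = ""
    members: set = field(default_factory=set)


@dataclass
class User:
    name: str
    privileges: set = field(default_factory=set)


class Directory:
    """Toy user/group directory enforcing the privilege-to-group rules."""

    def __init__(self):
        self.users = {}
        self.groups = {}
        # The two default groups created at install time (privilege mapping assumed).
        self.add_group(Group("Cloud Admin Group", Privilege.CLOUD))
        self.add_group(Group("KeyControl Admin Group", Privilege.DOMAIN))

    def add_user(self, user):
        self.users[user.name] = user

    def add_group(self, group):
        self.groups[group.name] = group

    def eligible_members(self, group_name):
        """Users holding the group's privilege: the left pane of the Users tab."""
        group = self.groups[group_name]
        return sorted(u.name for u in self.users.values()
                      if group.privilege in u.privileges)

    def add_to_group(self, user_name, group_name):
        group = self.groups[group_name]
        if group.privilege not in self.users[user_name].privileges:
            raise PermissionError(f"{user_name} lacks {group.privilege.value}")
        group.members.add(user_name)

    def grant(self, user_name, privilege):
        self.users[user_name].privileges.add(privilege)

    def revoke(self, user_name, privilege):
        """Remove a privilege and cascade to memberships that depended on it."""
        self.users[user_name].privileges.discard(privilege)
        dropped = []
        for group in self.groups.values():
            if group.privilege is privilege and user_name in group.members:
                group.members.discard(user_name)
                dropped.append(group.name)
        return sorted(dropped)

    def groups_of(self, user_name):
        return sorted(g.name for g in self.groups.values() if user_name in g.members)

    def visible_audit_records(self, user_name, records):
        """Security Admins see every record; other admins only their groups'."""
        if Privilege.SECURITY in self.users[user_name].privileges:
            return list(records)
        mine = set(self.groups_of(user_name))
        return [r for r in records if r["group"] in mine]


def demo():
    """Walk through the rules; returns the values worth checking."""
    d = Directory()
    d.add_user(User("secroot", {Privilege.SECURITY}))
    d.add_user(User("alice", {Privilege.CLOUD, Privilege.DOMAIN}))
    d.add_user(User("bob", {Privilege.CLOUD}))
    d.add_user(User("carol", {Privilege.DOMAIN}))

    eligible = d.eligible_members("Cloud Admin Group")       # ['alice', 'bob']
    d.add_to_group("alice", "Cloud Admin Group")
    d.add_to_group("alice", "KeyControl Admin Group")
    try:                                                      # carol lacks Cloud
        d.add_to_group("carol", "Cloud Admin Group")
        refused = False
    except PermissionError:
        refused = True

    dropped = d.revoke("alice", Privilege.CLOUD)              # ['Cloud Admin Group']
    remaining = d.groups_of("alice")                          # ['KeyControl Admin Group']

    records = [  # constructed sample audit records, one per group
        {"id": 1, "group": "Cloud Admin Group", "event": "key created"},
        {"id": 2, "group": "KeyControl Admin Group", "event": "vm set edited"},
    ]
    sec_view = len(d.visible_audit_records("secroot", records))            # 2
    alice_view = [r["id"] for r in d.visible_audit_records("alice", records)]  # [2]
    return eligible, refused, dropped, remaining, sec_view, alice_view


if __name__ == "__main__":
    print(demo())
```

The point of the model is the invariant it keeps: membership in a group implies holding that group's privilege, so `revoke` must cascade rather than leave stale memberships, and audit visibility is derived from current memberships rather than stored separately.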