Creating a Linux Access Control Policy

Linux Access Control Policies determine which local user accounts can access the data files and blocks on the associated Linux data disks. Each policy contains one rule with one permissions list, so you cannot differentiate between filesystem-level controls and block-level controls. The default permission is "Deny" for all accounts, so the permissions list is a whitelist of the accounts that are allowed to access the data on the disk.

The permissions list can contain local VM users only. You cannot specify a domain-qualified user account, so a protected disk blocks all access requests from remote (domain) user accounts.

The following procedure describes how to create a Linux Access Control Policy. For Windows, see Creating a Windows Access Control Policy.

Before You Begin

Make sure you have reviewed the requirements and recommendations described in Access Control Policies.

Procedure

  1. Log into the KeyControl Vault for VM Encryption webGUI on any node in the cluster using an account with Cloud Admin privileges in the Cloud Administration group under which you want to add the policy.
  2. In the top menu bar, click Workloads.
  3. Navigate to the Access Control Policies tab.
  4. Select Actions > Create Policy.
  5. In the Create Policy Wizard Details page, enter the following information:

    Field: Name
    Description: Enter a name for the Access Control Policy (1-256 characters). The name can include special characters and spaces.

    Field: OS Type
    Description: Select Linux.
    Note: You cannot change the OS Type after the policy has been saved.

    Field: Cloud Administrator Group
    Description: Select the Cloud Administration Group with which this policy should be associated.
    Note: You cannot change the Group after the policy has been saved.

    Field: Description
    Description: Enter an optional description for the policy. This description is displayed in the KeyControl webGUI when a user selects the Access Control Policy to associate with the disk, so we recommend that you use this field so other Cloud Admins can be sure that they are selecting the correct policy.

  6. When you are done, click Next.
  7. In the Rules page, click Add rule now.
  8. In the Create Rule Wizard Details page, enter a name and description for the Access Control Rule. For Linux, you can only create one rule that applies to both filesystem-level access and block-level access.
  9. When you are finished, click Next.
  10. In the Permissions page, click Add permission now.

    You must add at least one user to the permissions list before you can save the Access Control Policy.

  11. In the Create Permission dialog box, enter a local VM account name that will be allowed to access the data on the disk. KeyControl does not support domain-qualified usernames for Linux.

    For security reasons, you cannot add root to the permissions list.

    Important: If any of the permissions list entries are invalid, the Policy Agent does not apply the Access Control Policy. If access controls were already enabled for the disk, the Policy Agent continues to use the previous access control settings.

  12. If you want to add another user to the permissions list, click Add Another. Otherwise, click Save.

    Note: A Linux Access Control Policy can only contain one rule, and only one Access Control Policy can be associated with a specific Linux VM, so this permissions list must include all users who are authorized to access the files and data blocks on all protected disks on the VM.

  13. After you have added all of the required permissions, click Add Rule.
  14. Click Create Policy.
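
Because a single invalid entry stops the Policy Agent from applying the policy (step 11), it is worth checking the intended permissions list on the target VM before entering it in the wizard. The POSIX shell script below is an added example, not part of KeyControl or its documentation; it applies the constraints stated in this procedure (local accounts only, no root, no domain-qualified names) against a constructed sample passwd file that stands in for the VM's /etc/passwd.

```shell
#!/bin/sh
# Pre-flight check for a KeyControl Linux Access Control Policy permissions list.
# Added example; not KeyControl product code. Rules applied, from the procedure:
# every entry must be a local account in the VM's passwd file, "root" is not
# allowed, and domain-qualified names (DOMAIN\user, user@domain) are not
# supported. One bad entry means the Policy Agent ignores the whole policy,
# so every entry is checked and every failure reported before you save it.

# Constructed sample passwd file standing in for /etc/passwd on the target VM.
SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
dbadmin:x:1001:1001::/home/dbadmin:/bin/bash
backup:x:1002:1002::/home/backup:/usr/sbin/nologin
EOF

# check_entry NAME PASSWD_FILE: returns 0 if NAME is acceptable, else prints why.
check_entry() {
    name=$1; passwd_file=$2
    case "$name" in
        "")       printf '%s\n' "(empty): entry is empty"; return 1 ;;
        root)     printf '%s\n' "root: root cannot be added to the permissions list"; return 1 ;;
        *\\*|*@*) printf '%s\n' "$name: domain-qualified names are not supported"; return 1 ;;
    esac
    # Consult only the local passwd file, not NSS/SSSD lookups (getent), since
    # KeyControl accepts local VM accounts only. Exact match on the login field.
    if ! awk -F: -v u="$name" '$1 == u { found = 1 } END { exit !found }' "$passwd_file"; then
        printf '%s\n' "$name: not a local account in $passwd_file"; return 1
    fi
    return 0
}

# validate_list "user1 user2 ..." PASSWD_FILE: returns 0 only if every entry is valid.
validate_list() {
    list=$1; passwd_file=$2; bad=0
    for entry in $list; do
        check_entry "$entry" "$passwd_file" || bad=1
    done
    return $bad
}

# Demonstration against the constructed file: one clean list, one with every kind of bad entry.
validate_list "dbadmin backup" "$SAMPLE_PASSWD" && printf '%s\n' "OK: list is safe to enter in the wizard"
validate_list "dbadmin root CORP\\alice bob@corp.example nosuchuser" "$SAMPLE_PASSWD" \
    || printf '%s\n' "REJECT: fix the list before saving the policy"
```

Run it on the VM with `/etc/passwd` in place of the sample file; it reports every offending entry rather than stopping at the first one.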

What to Do Next

Associate the Access Control Policy with one or more Linux data disks as described in Associating an Access Control Policy with a Disk.