API Resources
All API functions are HTTP methods on KeyControl resources, and all of them are accessed over HTTPS.
In KeyControl, groups (rather than individual users) own resources. All users assigned to the same group have the same privileges and can see the same KeyControl resources.
In addition to group membership, access is also determined by the user role assigned to the KeyControl account. The combination of user role and group membership fully defines the user's access level in KeyControl. The user role dictates what operations the user can perform and their group membership dictates which objects in the system they can affect.
The following user roles are available:
- Security Administrators (SEC_ADMIN), who are responsible for maintaining the KeyControl user accounts, license files, and basic system administration tasks.
- Cloud Administrators (CLOUD_ADMIN), who manage the VMs associated with KeyControl and who can encrypt and decrypt those VMs.
- Domain Administrators (DOMAIN_ADMIN), who maintain the individual KeyControl nodes that create the KeyControl cluster.
- Backup Users (BACKUP_USER), who can create, download, and view backups. Users who have only this role do not have any other admin access and cannot access any other restricted APIs.
To access KeyControl resources through the API, you must first log in to KeyControl using a pre-existing KeyControl user account. The group membership and user roles assigned to the account determine what resources are accessible to the API calls made using the account. If you are not seeing the system resources you expect to see through the API, the first thing to verify is the access level granted to the KeyControl account that you are using.
The following figure is a model of the KeyControl resources which may be acted upon using the KeyControl API.