Your suggested change has been received. Thank you.

close

Suggest A Change

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

Thales Logo
back

CDP Administration

Concepts

search

Please Note:

Concepts

Keys

A key is used to perform cryptographic operations on data . The key is created, stored, and managed on the CipherTrust Manager.

Data Migration

Data migration is the process of encrypting data, altering existing tables so that they can store the resulting ciphertext, and creating views and triggers so that the existing applications can seamlessly and automatically encrypt new data and request decrypted data when needed.

Multi Domain

When a domain is created and a user becomes part of domain, a user can access resources (such as keys and alias name) of domain. One user can be part of multiple domains and a user can switch between the domains. By default, root domain is created. A user who is part of a domain can view/access only the database connections created under that particular domain.

Creating a CipherTrust Manager User

To create a CipherTrust Manager user:

  1. Log on to the CipherTrust Manager GUI.

  2. Click to expand Access Management.

  3. Click the Users tab on the left. The Users page is displayed.

  4. On the Users page, click Add User.

  5. On the Add User in Domain <dom1> screen, enter the details and click Add User.

Creating User Defined Group

To create a user defined group in CipherTrust Manager:

  1. Log on to the CipherTrust Manager GUI.

  2. Click to expand Access Management.

  3. Click the Groups tab in the left pane. A page with existing groups is displayed.

  4. Click Create New Group. The Create New Group wizard is displayed. Follow the steps to complete the setup.

    a. Add general info

    b. Assign members

    c. Review

Add general info

  1. In the Name filed, enter a group name.

  2. Click Next to go to the Assign Members screen.

Assign members

  1. From the list of available options, select the members who will be the part of the group.

  2. Click Next to go to the Review screen.

Review

  1. On the Review screen, verify the group details.

  2. To modify any field, click Edit and update details.

  3. Click Add Group.

  4. Click Close to exit the wizard.

Mapping CipherTrust Manager Users to Group

To map a CipherTrust Manager user to a group:

  1. Log on to the CipherTrust Manager GUI.

  2. Click to expand Access Management.

  3. Click the Groups tab in the left pane.

  4. Click the group with which the CipherTrust Manager user is to be mapped.

  5. From the list of available users, select the name of the user to be mapped to the group and click Add.

Mapping Key to Group

A key can be created and mapped to a group. A group can have various permissions such as encrypt and decrypt on a key. For more information, refer to the NAE-XML Interface Development Guide.

Mapping CipherTrust Manager User to Database User

The user mapping can be done using any of the following interfaces:

  • API Playground

  • pdbctl Utility

  • CipherTrust Manager's GUI

Setting Up Role Based Permission

The CipherTrust Manager allows its users to set the group policies (permissions) with keys (using the CDP client in remote mode only). The users associated with the group can perform encryption/decryption as per the permission set for the group. During encryption and decryption, CDP will behave as per the permissions set for the group.

This section explains how to map a database user to the CipherTrust Manager user which is also mapped to access policy set for a group. The group with encryption/decryption permission is mapped to a key.

For example, create two database users dbusr1 and dbsur2 and map them to the CipherTrust Manager user so that dbusr1 has only insert permission and dbusr2 has only select/delete data on the database tables.

Perform the following steps in the given order:

  1. Create two users encUser and decUser. Refer to Creating a CipherTrust Manager User.

  2. Create two groups encryptGroup and decryptGroup. Refer to Creating User Defined Group in CipherTrust Manager.

  3. Map encUser to encryptGroup and decUser to decryptGroup. Refer to Mapping CipherTrust Manager Users to Group.

  4. Create key and assign encrypt permissions to encryptGroup and decrypt permission to decryptGroup. Refer to Mapping Key to Group.

  5. Create the database connection.

  6. Map encUser to dbusr1 and decUser to dbusr2. After the mapping is done, dbusr1 will have only insert permission and dbusr2 will have only select/delete permissions on the database table.