CipherTrust Manager Administration

Key Policies


A key policy consists of all the permissions that are applied to keys carrying a given label. It is a mapping of labels to their corresponding permissions, and clients, users, and groups can be granted those permissions. It defines which clients, users, or groups are permitted to use, read, sign with, or otherwise interact with the key. Whenever an action is performed on a key, all labels associated with that key are retrieved, and the client, user, or group is permitted to perform the operation only if the policies connected to those labels grant it.

This feature allows the Key Admins and Admins to perform the following operations on Key Policies:

  • Create
  • Update
  • Delete
  • List

Permission Set

A permission set is a collection of permissions, each granting access to an operation that can be performed on keys, for example 'UseKey', 'ReadKey', 'SignWithKey', and so on.

The permission_set specifies which clients, users, or groups have permission to use a key, read a key, sign with a key, and perform other operations. For example:


{
  "clients": {
    "UseKey": [],
    "ReadKey": ["ClientID"],
    "SignWithKey": [],
    "DecryptWithKey": [],
    "EncryptWithKey": [],
    "SignVerifyWithKey": [],
    "ExportKey": [],
    "UploadKey": []
  },
  "groups": {
    "UseKey": [],
    "ReadKey": ["Application Data Protection Admins"],
    "SignWithKey": [],
    "DecryptWithKey": [],
    "EncryptWithKey": [],
    "SignVerifyWithKey": [],
    "ExportKey": [],
    "UploadKey": []
  },
  "users": {
    "UseKey": [],
    "ReadKey": ["UserID"],
    "SignWithKey": [],
    "DecryptWithKey": [],
    "EncryptWithKey": [],
    "SignVerifyWithKey": [],
    "ExportKey": [],
    "UploadKey": []
  }
}

Managing Key Policies using ksctl

Key Policies can be created, updated, retrieved, deleted, and listed using ksctl. Note the following:

• The mandatory parameters, such as name, label-selector, and permissions, must be provided when creating a Key Policy.
• The label-selector must be well formed, for example --label-selector env=test.
• Only the operators '=' and 'in' are supported. Multiple conditions can be combined using ','. For example: env in (test1,test2), test3=test4
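The selector grammar and the evaluation described above (the key's labels are matched against each policy's label-selector, and the permission sets of the matching policies decide whether a principal may perform an operation), as an added Python example that is not part of the CipherTrust Manager documentation or of ksctl. The sample policies are constructed in the shape of the ksctl responses on this page; it is an assumption that a selector matches only when all of its comma-separated conditions hold on the key's labels, and that any matching policy listing the principal under the operation grants it.

```python
import re

# Constructed sample policies in the shape of the ksctl responses on this page.
POLICIES = [
    {"name": "testPolicy", "label_selector": "env=test1",
     "permissions": {"clients": {}, "users": {},
                     "groups": {"ReadKey": ["group1"]}}},
    {"name": "paymentsSigners", "label_selector": "env in (prod,staging), team=payments",
     "permissions": {"clients": {"SignWithKey": ["ClientID"]}, "users": {},
                     "groups": {"UseKey": ["Application Data Protection Admins"]}}},
]

# One condition: either  key=value  or  key in (v1,v2,...)  (the only supported operators).
_COND = re.compile(r"^\s*(\w[\w.-]*)\s*(?:=\s*([\w.-]+)|in\s*\(([^)]*)\))\s*$")


def parse_selector(selector):
    """Turn 'env in (test1,test2), test3=test4' into [(key, allowed_values)] pairs.
    Raises ValueError for any operator other than '=' and 'in'."""
    conds = []
    # Split on commas between conditions, not on commas inside an 'in (...)' list.
    for part in re.split(r",(?![^()]*\))", selector):
        m = _COND.match(part)
        if not m:
            raise ValueError(f"unsupported label-selector condition: {part.strip()!r}")
        key, eq_value, in_values = m.groups()
        values = {eq_value} if eq_value is not None else {
            v.strip() for v in in_values.split(",") if v.strip()}
        conds.append((key, values))
    return conds


def selector_matches(selector, key_labels):
    """Assumed semantics: every condition must hold on the key's labels (comma = AND)."""
    return all(key_labels.get(k) in vals for k, vals in parse_selector(selector))


def is_permitted(policies, key_labels, principal_kind, principal, operation):
    """Decide whether a principal may perform `operation` on a key carrying `key_labels`.
    principal_kind is 'clients', 'users' or 'groups'; operation is a permission name
    such as 'ReadKey'. Assumed rule: any matching policy that lists the principal under
    that operation grants it; no matching grant means the operation is denied."""
    for policy in policies:
        if not selector_matches(policy["label_selector"], key_labels):
            continue
        granted = policy["permissions"].get(principal_kind, {}).get(operation, [])
        if principal in granted:
            return True
    return False
```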

Creating a Key Policy

To create a Key Policy, run the following command:

Syntax


./ksctl key-policy create --name <name> --description <description> --label-selector <label_selector> --permissions <permission_set>

Example Request


./ksctl key-policy create --name testPolicy --description testing  --label-selector env=test1 --permissions '{"groups":{"ReadKey":["group1"]}}'

Example Response



{
    "id": "3222a138-28b2-4e4d-9269-d8bf01fe7cfe",
    "uri": "kylo:kylo:vault:key_policy:testpolicy-3222a138-28b2-4e4d-9269-d8bf01fe7cfe",
    "account": "kylo:kylo:admin:accounts:kylo",
    "createdAt": "2022-08-25T12:24:59.52885Z",
    "name": "testPolicy",
    "description": "testing",
    "label_selector": "env=test1",
    "permissions": {
        "clients": {},
        "users": {},
        "groups": {
            "ReadKey": [
                "group1"
            ]
        }
    }
}

Updating a Key Policy

Syntax


./ksctl key-policy update --id <id> --description <new_description> --permissions <new_permission_set>

Example Request


./ksctl key-policy update --id 3222a138-28b2-4e4d-9269-d8bf01fe7cfe --permissions '{"groups":{"ReadKey":["test2"]}}'

Example Response



{
    "id": "3222a138-28b2-4e4d-9269-d8bf01fe7cfe",
    "uri": "kylo:kylo:vault:key_policy:testpolicy-3222a138-28b2-4e4d-9269-d8bf01fe7cfe",
    "account": "kylo:kylo:admin:accounts:kylo",
    "createdAt": "2022-08-25T12:24:59.52885Z",
    "name": "testPolicy",
    "description": "testing",
    "label_selector": "env=test1",
    "permissions": {
        "clients": {},
        "users": {},
        "groups": {
            "ReadKey": [
                "test2"
            ]
        }
    }
}

Getting details of a Key Policy

Syntax


./ksctl key-policy get --id <id>

Example Request


./ksctl key-policy get --id 3222a138-28b2-4e4d-9269-d8bf01fe7cfe

Example Response



{
    "id": "3222a138-28b2-4e4d-9269-d8bf01fe7cfe",
    "uri": "kylo:kylo:vault:key_policy:testpolicy-3222a138-28b2-4e4d-9269-d8bf01fe7cfe",
    "account": "kylo:kylo:admin:accounts:kylo",
    "createdAt": "2022-08-25T12:24:59.52885Z",
    "name": "testPolicy",
    "description": "testing",
    "label_selector": "env=test1",
    "permissions": {
        "clients": {},
        "users": {},
        "groups": {
            "ReadKey": [
                "test2"
            ]
        }
    }
}

Deleting a Key Policy

Syntax


./ksctl key-policy delete --id <id>

Example Request


./ksctl key-policy delete --id 3222a138-28b2-4e4d-9269-d8bf01fe7cfe

Getting a list of Key Policies

Syntax


./ksctl key-policy list [--labels <labels>]

Example Request


./ksctl key-policy list --labels '[{"env":"test1"}]'

Example Response



{
    "skip": 0,
    "limit": 10,
    "total": 1,
    "resources": [
        {
            "id": "3222a138-28b2-4e4d-9269-d8bf01fe7cfe",
            "uri": "kylo:kylo:vault:key_policy:testpolicy-3222a138-28b2-4e4d-9269-d8bf01fe7cfe",
            "account": "kylo:kylo:admin:accounts:kylo",
            "createdAt": "2022-08-25T12:24:59.52885Z",
            "name": "testPolicy",
            "description": "testing",
            "label_selector": "env=test1",
            "permissions": {
                "clients": {},
                "users": {},
                "groups": {
                    "ReadKey": [
                        "test2"
                    ]
                }
            }
        }
    ]
}