Client-Rule Associations
After a rule is created, it can be applied (linked) to a single or multiple clients. This linking is referred to as client-rule association. The status of a client-rule association depends on the operation performed on the path.
When linking the rule with a client, specify:
The identifier of the client.
The identifier of the rule to link to the client.
The key to encrypt data. For no encryption rules, an encryption key is not needed.
• ProtectFile Admins must have
ReadKeypermission on encryption keys when creating a client-rule association.
• ProtectFile Users must be grantedReadKeyandExportKeypermissions on encryption keys.The identifier of the access policy group.
Creating a Client-Rule Association
To create a client-rule association:
Open the ProtectFile & Transparent Encryption UserSpace application. The Clients page is displayed.
Under Client Name, click the desired client.
Under Rules for Client "<client-name>", click the Add a Rule to this Client link. The list of available Rules is displayed.
Optionally, create a new rule by clicking New Rule. You might need to scroll down the page.
Select the desired rule.
Click Forward. You might need to scroll down the page. The list of available Access Policy Groups is displayed.
Optionally, create a new access policy group by clicking New Access Policy Group. You might need to scroll down the page.
Select the desired access policy group.
Click Forward. The details of the client-rule association is displayed.
Review the association details.
If it requires any change, click Back to modify the association.
Click Add Rule to Client.
The client-rule association is created.
When a client-rule association is created, the operation is None and the state is Created. The set of operations that can be performed on a client-rule association are Encrypt, KeyRotate, and Decrypt. In case of failures, the state can be Validation Failed or Failed. The client-rule association information pulled by the client does not contain association in Created and Validation Failed states. For a successful cryptographic operation, the state could be Encrypted or Decrypted. For a successful non-cryptographic (access control only) operation, the state could be Applied or Removed.
When the state is Encrypted, the AccessPolicyGroup can be modified to change the access on the path. With ProtectFile, you can remove the link between a client and a rule if the rule is in the Created state or the rule is in the Validation Failed state and the operation is Encrypt.
Cryptographic Operations and State Flow
The following table describes the flow of cryptographic operations and possible states a client-rule association goes through.
| # | Operation | State | Remarks |
|---|---|---|---|
| 1 | None | Created | A client-rule association is created. |
| 2 | Encrypt | In Progress | Encryption is in progress. |
| Validation Failed | Encryption failed due to validation failures. | ||
| Failed | Encryption failed. | ||
| 3 | None | Encrypted | Path encrypted successfully. The operation is reset. |
| 4 | Rotate Key | In Progress | Key rotation is in progress. |
| Validation Failed | Key rotation failed due to validation failures. | ||
| Failed | Key rotation failed. | ||
| 5 | None | Encrypted | Key rotated successfully. The operation is reset. |
| 6 | Decrypt | In Progress | Decryption is in progress. |
| Validation Failed | Decryption failed due to validation failures. | ||
| Failed | Decryption failed. | ||
| 7 | None | Decrypted | Used internally; not visible to the administrator. Decryption is successful and the client-rule association is removed. The operation is reset. |
Non-Cryptographic Operations and State Flow
The following table describes the flow of non-cryptographic operations and possible states a client-rule association goes through.
| # | Operation | State | Remarks |
|---|---|---|---|
| 1 | None | Created | A client-rule association is created. |
| 2 | Apply | In Progress | Applying access control is in progress. |
| Validation Failed | Applying access control failed due to validation failures. | ||
| Failed | Applying access control failed. | ||
| 3 | None | Applied | Access control applied successfully. The operation is reset. |
| 4 | Remove | In Progress | Removing access control is in progress. |
| Validation Failed | Removing access control failed due to validation failures. | ||
| Failed | Access control removal failed. | ||
| 5 | None | Removed | Used internally; not visible to the administrator. Access control removal is successful and the client-rule association is removed. The operation is reset. |