You can create and delete Oracle Key Vault users, and grant and revoke administrative roles on users.
How you manage these users depends on whether the users have or do not have roles.
Users who must have roles
The administrative roles required depend on the specific task or objects. User accounts are needed for individuals who will manage either security objects or Oracle Key Vault. Each individual should have his or her own account.
Users who do not have roles
Not all users need to be granted roles. If you want to restrict a user to a specific area, such as the ability to modify a virtual wallet, then grant that user access only to the virtual wallet or a set of virtual wallets. Users who have no roles have only the privileges that they have been granted, and they can grant these privileges to other users only if they have Manage Wallet access to the virtual wallet.
A user with the System Administrator role can create user accounts in the Oracle Key Vault management console.
Log in to the Oracle Key Vault management console as a user who has the System Administrator role.
See "Logging In to the Oracle Key Vault Management Console."
Select the Users tab.
Select Manage Users.
If there are existing users, then the Users table appears listing them.
On the Manage Users page, click Create.
Enter a user name and password.
Passwords must have 8 or more characters and contain at least one of each of the following: an uppercase letter, lowercase letter, number, and punctuation character. The allowed punctuation characters are period (.), comma (,), underscore (_), plus sign (+), colon (:), and space.
Add the user's full name and an email address, if desired.
Click Save.
The Users table reappears and now includes the new user. After a new user has been created, that user can be granted a role, but only by another user who has that same role. See "Granting or Revoking Roles" for more information.
Users can be granted Oracle Key Vault roles (or have the role revoked) only by users who already have the role. For example, if you want to grant a user the Audit Manager role, then you must have the Audit Manager role yourself.
Log in to the Oracle Key Vault management console as a user who has the role that the user is to be granted.
See "Logging In to the Oracle Key Vault Management Console."
Select the Users tab and then select Manage Users.
The Manage Users page appears.
In the User Name column, click the name of the user.
The User Details page appears.
Under Roles in User Details, select the appropriate check box for the Audit Manager, Key Administrator, or System Administrator role.
Optionally, add the user to any existing groups or grant the user access to any wallets and their contents.
Click Save.
All users can view the Users List on the Manage Users page.
For each user, this page lists the user name with check marks that indicate what roles or combination of roles the user has: Key Administrator, System Administrator, Audit Manager, or none. Users have the ability to grant any role they have to other users.
See Also: "Oracle Key Vault Administration"
To search for users:
Log in to the Oracle Key Vault management console.
See "Logging In to the Oracle Key Vault Management Console."
Select Manage Users.
Search as described in "Search Bars".
Select one of the Users table columns to search.
After you have created user accounts, you can add user details to these accounts, such as role grants.
On the User Details page, you can view information about the user, such as roles, full name, email, user's access to wallets, and user group membership.
The User Details page allows you to:
Grant or revoke an administrative role that you currently have.
Reset the password of another user, provided you have all of the administrative roles that the other user has. See also "Oracle Key Vault Password Changes".
You can view and manage the user details, such as the roles the user has or the virtual wallets that this user can access.
Log in to the Oracle Key Vault management console as a user who has the System Administrator role.
See "Logging In to the Oracle Key Vault Management Console."
Select the Users tab, which displays Manage Users.
On the Manage Users page, in the User Name column, click the user's name.
The User Details page appears.
Make any of these changes:
Reset another user's password if you have all the roles that user has.
Add or remove a user's role, using the check boxes, for a role that you have.
Click Save.
You can add or remove user membership if you have the Key Administrator role.
See Also: "Creating a User Group"
You can add an Oracle Key Vault user to a group.
Log in as a user who has the Key Administrator role.
Select the Users tab, and then select Manage Users. In the User Name column, click the user's name.
Click Add in the User Group Membership region.
Select the check box next to the group in the list that the user is being added to.
Click Save.
A dialog box appears, indicating that the user has been successfully added.
You can remove an Oracle Key Vault user from a group:
Log in as a user who has the Key Administrator role.
Select the Users tab, and then select Manage Users. In the User Name column, click the user's name.
In the User Group Membership region, select the check box next to the group that the user is being removed from.
Click Remove.
When the confirmation dialog box asks if you are sure you want to delete the membership to the selected group, click OK.
A dialog box appears, indicating that the user has been successfully removed from the group.
Depending on your permissions, you can modify user passwords.
Any valid Oracle Key Vault user can change his or her own password.
You can reset another user's password only if you have the same roles that the user has. For example, if you want to change the password of a user who has the Audit Manager role, then you also must have this role before you can change the password.
Consider the following users and roles:
User | System Admin | Key Admin | Audit Manager |
---|---|---|---|
OKV_ALL_JANE | Yes | Yes | Yes |
OKV_SYS_KEYS_JOE | Yes | Yes | |
OKV_SYS_SEAN | Yes | | |
OKV_KEYS_KATE | | Yes | |
OKV_AUD_AUDREY | | | Yes |
OKV_OLIVER | | | |
Suppose that user OKV_SYS_KEYS_JOE, who has the System Administrator and Key Administrator roles, logs in. If user OKV_SYS_KEYS_JOE wants to change the other users' passwords, then the following happens:
OKV_AUD_AUDREY: Because OKV_SYS_KEYS_JOE does not have the Audit Manager role, which OKV_AUD_AUDREY has, OKV_SYS_KEYS_JOE cannot change OKV_AUD_AUDREY's password. When user OKV_SYS_KEYS_JOE selects the OKV_AUD_AUDREY user name link to access the user details, the Audit Manager check box has a check to indicate that OKV_AUD_AUDREY has the Audit Manager role. However, because user OKV_SYS_KEYS_JOE is logged in and does not have this role, the check box is grayed out. This prevents him from revoking the role from OKV_AUD_AUDREY.
OKV_ALL_JANE: Because OKV_SYS_KEYS_JOE does not have the Audit Manager role, as with the OKV_AUD_AUDREY user account, OKV_SYS_KEYS_JOE cannot change the OKV_ALL_JANE password, either. (Conversely, user OKV_ALL_JANE, who has all the roles the other users have, can change their passwords if she wants.)
OKV_KEYS_KATE: User OKV_KEYS_KATE only has the Key Administrator role, which user OKV_SYS_KEYS_JOE also has. Therefore, OKV_SYS_KEYS_JOE can change the password for OKV_KEYS_KATE. When OKV_SYS_KEYS_JOE selects the OKV_KEYS_KATE name link to display the user details, the Reset Password button appears, enabling OKV_SYS_KEYS_JOE to change the password.
OKV_OLIVER: User OKV_OLIVER has no roles at all, and therefore cannot change anyone else's passwords (or grant them roles). Only a user who has the System Administrator role (users OKV_ALL_JANE, OKV_SYS_KEYS_JOE, and OKV_SYS_SEAN) can change his password. See the description of users who do not have roles under "About Managing Oracle Key Vault Users" for more information.
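The rule above can be checked for every pair of accounts, not only from OKV_SYS_KEYS_JOE's point of view. The following Python model is an added illustration, not Oracle Key Vault code: the function names are hypothetical, and it assumes the reset and grant rules exactly as this page states them, applied to the six example users.

```python
# Added illustration of the reset and grant rules described on this page.
# Not Oracle Key Vault code; function names are hypothetical.
SYS, KEY, AUD = "System Administrator", "Key Administrator", "Audit Manager"

# Users and roles from the example table on this page.
USERS = {
    "OKV_ALL_JANE": {SYS, KEY, AUD},
    "OKV_SYS_KEYS_JOE": {SYS, KEY},
    "OKV_SYS_SEAN": {SYS},
    "OKV_KEYS_KATE": {KEY},
    "OKV_AUD_AUDREY": {AUD},
    "OKV_OLIVER": set(),
}


def can_reset_password(actor, target, users=USERS):
    """True if actor may reset target's password under the stated rule."""
    if actor == target:
        return False  # own password uses Change Password, not Reset Password
    actor_roles, target_roles = users[actor], users[target]
    if not target_roles:
        # A user with no roles can be reset only by a System Administrator.
        return SYS in actor_roles
    # Otherwise the actor needs every role the target holds.
    return target_roles <= actor_roles


def can_grant_or_revoke(actor, role, users=USERS):
    """A role can be granted or revoked only by a user who holds it."""
    return role in users[actor]


def resetters_of(target, users=USERS):
    """Sorted list of accounts able to reset target's password."""
    return sorted(a for a in users if can_reset_password(a, target, users))


def reset_coverage(users=USERS):
    """Map each account to its resetters. An empty list means nobody else
    can reset that password under this rule."""
    return {t: resetters_of(t, users) for t in users}


if __name__ == "__main__":
    for user, resetters in reset_coverage().items():
        print(f"{user:18} <- {', '.join(resetters) or '(no one)'}")
```

Run against the table, the model shows that no other account can reset the OKV_ALL_JANE password and that OKV_AUD_AUDREY depends on OKV_ALL_JANE alone, which is worth reviewing when roles are assigned.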
You can change an Oracle Key Vault user password using either of two methods.
To change your own password: Select the Users tab, then select Manage Users. Select Change Password. The Change Password page appears. After you modify your password, click Save.
Any user can change his or her password.
To reset another user's password: Select the Users tab, and then select Manage Users. Ensure that you have all the same roles as the other user. Select the user name, and in the User Details region, select Reset Password. The Reset User Password page appears. After you modify the password, then select Save.
To reset a password for a user who has no roles, you must be the System Administrator.
Deleting Oracle Key Vault users removes them from any groups that they have membership in.
To delete a user, you must have all the same administrative roles as that user, and you need the System Administrator role. If you do not have these roles, then you can have another user who does have those roles revoke the roles for the user in question. Then you can delete the user. See "Granting or Revoking Roles" for information about revoking roles from a user.
Log in to the Oracle Key Vault management console as a user who has the same roles as the user being deleted.
Select the Users tab and then select Manage Users.
Find the user and select the check box at the beginning of the row.
Click Delete.
In the confirmation dialog box, click OK.
Click Save.
A message appears, indicating that the user has been dropped.
Users who have been granted the Key Administrator role can view, create, and delete user groups, add members to groups, and add group access to virtual wallets.
You can create a named group of Oracle Key Vault users.
Log in as a user who has been granted the Key Administrator role.
See "Logging In to the Oracle Key Vault Management Console."
Select the Users tab.
Select Manage Access.
The User Groups page appears.
Click Create User Group.
The Create User Group page appears.
On the Create User Group page, do the following:
Name: Enter a name for the user group.
Description: Optionally, enter a description for the user group.
Members: Under Members, use the check box to select the users who you want to add to the user group.
Click Save.
You can change the description and members of a user group, and add or remove wallet access and group membership. You cannot change the name of the user group.
Log in as a user who has been granted the Key Administrator role.
See "Logging In to the Oracle Key Vault Management Console."
Select the Users tab, and then select Manage Access.
On the User Groups page, under Details, select the edit pencil icon for the user group that you want to modify.
On the User Group Details page, do the following as necessary:
To modify the description, enter a new description in the Description field.
To add or remove access to wallets, click Add or Remove.
To modify the group members, under User Group Members, click Add to add new members. To delete existing members, select their check boxes and then click Remove.
Click Save.
You can add an existing Oracle Key Vault user to a group.
Log in as a user who has the Key Administrator role.
Select the Users tab, then select Manage Access and click the edit pencil icon in the details column next to the user group name.
In the User Group Members region, click Add.
Select the check box for the user (member) being added.
Click Save.
A dialog box appears, indicating that the user (member) has been successfully added.
You can remove an existing Oracle Key Vault user from a group.
Log in as a user who has the Key Administrator role.
Select the Users tab, then select Manage Access and click the edit pencil icon in the details column next to the user group name.
In the User Group Members region, select the check box for the user (member) being removed.
Click Remove.
When the confirmation dialog box asks if you want to delete the user, click OK.
A dialog box appears, indicating that the group has successfully dropped a member.
You can delete an Oracle Key Vault user group.
Log in as a user who has been granted the Key Administrator role.
See "Logging In to the Oracle Key Vault Management Console."
Select the Users tab, and then select Manage Access.
On the User Groups page, select the check boxes for the user groups that you want to delete, and then click Delete.
In the Confirmation dialog box, click OK.