5 Managing Oracle Key Vault Users


About Managing Oracle Key Vault Users

You can create and delete Oracle Key Vault users, and grant and revoke administrative roles on users.

How you manage these users depends on whether they have roles.

  • Users who must have roles

    The administrative roles required depend on the specific task or objects. User accounts are needed for individuals who will manage either security objects or Oracle Key Vault. Each individual should have his or her own account.

  • Users who do not have roles

    Not all users need to be granted roles. If you want to restrict a user to a specific area, such as the ability to modify a virtual wallet, then only grant that user access to the virtual wallet or a set of virtual wallets. Users who have no roles have only the privileges that they have been granted, and they can grant these privileges to other users only if they have Manage Wallet access to the virtual wallet.

Creating Oracle Key Vault Users

A user with the System Administrator role can create user accounts in the Oracle Key Vault management console.

  1. Log in to the Oracle Key Vault management console as a user who has the System Administrator role.

    See "Logging In to the Oracle Key Vault Management Console."

  2. Select the Users tab.

  3. Select Manage Users.

    If there are existing users, then the Users table appears listing them.

  4. On the Manage Users page, click Create.


  5. Enter a user name and password.

    Passwords must have 8 or more characters and contain at least one of each of the following: an uppercase letter, lowercase letter, number, and punctuation character. The allowed punctuation characters are period (.), comma (,), underscore (_), plus sign (+), colon (:), and space.

  6. Add the user's full name and an email address, if desired.

  7. Click Save.

    The Users table reappears and now includes the new user. After a new user has been created, that user can be granted a role, but only by another user who has that same role. See "Granting or Revoking Roles" for more information.

Granting or Revoking Roles

Users can be granted Oracle Key Vault roles (or have the role revoked) only by users who already have the role. For example, if you want to grant a user the Audit Manager role, then you must have the Audit Manager role yourself.

  1. Log in to the Oracle Key Vault management console as a user who has the role that the user is to be granted.

    See "Logging In to the Oracle Key Vault Management Console."

  2. Select the Users tab and then select Manage Users.

    The Manage Users page appears.


  3. In the User Name column, click the name of the user.

    The User Details page appears.


  4. Under Roles in User Details, select the appropriate check box for the Audit Manager, Key Administrator, or System Administrator role.

  5. Optionally, add the user to any existing groups or grant the user access to any wallets and their contents.

  6. Click Save.

Viewing the Users List

All users can view the Users List on the Manage Users page.

For each user, this page lists the user name with check marks that indicate what roles or combination of roles the user has: Key Administrator, System Administrator, Audit Manager, or none. Users have the ability to grant any role they have to other users.

To search for users:

  1. Log in to the Oracle Key Vault management console.

    See "Logging In to the Oracle Key Vault Management Console."

  2. Select Manage Users.


  3. Search as described in "Search Bars".

  4. Select one of the Users table columns to search.

Oracle Key Vault User Details

After you have created user accounts, you can add user details to these accounts, such as role grants.


About User Details

On the User Details page, you can view information about the user, such as roles, full name, email, user's access to wallets, and user group membership.

The User Details page allows you to:

  • Grant or revoke an administrative role that you currently have.

  • Reset the password of another user, provided you have all of the administrative roles that the other user has. See also "Oracle Key Vault Password Changes".

Adding and Modifying User Details

You can view and manage the user details, such as the roles the user has or the virtual wallets that this user can access.

  1. Log in to the Oracle Key Vault management console as a user who has the System Administrator role.

    See "Logging In to the Oracle Key Vault Management Console."

  2. Select the Users tab, which displays Manage Users.

  3. On the Manage Users page, in the User Name column, click the user's name.

    The User Details page appears.


  4. Make any of these changes:

    • Reset another user's password if you have all the roles that user has.

    • Add or remove a user's role, using the check boxes, for a role that you have.

  5. Click Save.

Managing Oracle Key Vault User Group Membership

You can add or remove user membership if you have the Key Administrator role.


Adding an Oracle Key Vault User to a Group

You can add an Oracle Key Vault user to a group.

  1. Log in as a user who has the Key Administrator role.

    Select the Users tab, and then select Manage Users. In the User Name column, click the user's name.

  2. Click Add in the User Group Membership region.

  3. Select the check box next to the group in the list that the user is being added to.

  4. Click Save.

    A dialog box appears, indicating that the user has been successfully added.

Removing an Oracle Key Vault User from a Group

You can remove an Oracle Key Vault user from a group:

  1. Log in as a user who has the Key Administrator role.

    Select the Users tab, and then select Manage Users. In the User Name column, click the user's name.

  2. In the User Group Membership region, select the check box next to the group that the user is being removed from.

  3. Click Remove.

  4. When the confirmation dialog box asks if you are sure you want to delete the membership to the selected group, click OK.

    A dialog box appears, indicating that the user has been successfully removed from the group.

Oracle Key Vault Password Changes

Depending on your permissions, you can modify user passwords.


Who Can Change Oracle Key Vault Passwords?

Any valid Oracle Key Vault user can change his or her own password.

You can reset another user's password only if you have the same roles that the user has. For example, if you want to change the password of a user who has the Audit Manager role, then you also must have this role before you can change the password.

Consider the following users and roles:

| User | System Admin | Key Admin | Audit Manager |
|---|---|---|---|
| OKV_ALL_JANE | Yes | Yes | Yes |
| OKV_SYS_KEYS_JOE | Yes | Yes | |
| OKV_SYS_SEAN | Yes | | |
| OKV_KEYS_KATE | | Yes | |
| OKV_AUD_AUDREY | | | Yes |
| OKV_OLIVER | | | |

Suppose that user OKV_SYS_KEYS_JOE, who has the System Administrator and Key Administrator roles, logs in. If user OKV_SYS_KEYS_JOE wants to change the other users' passwords, then the following happens:

  • OKV_AUD_AUDREY: Because OKV_SYS_KEYS_JOE does not have the Audit Manager role, which OKV_AUD_AUDREY has, OKV_SYS_KEYS_JOE cannot change OKV_AUD_AUDREY's password. When user OKV_SYS_KEYS_JOE selects the OKV_AUD_AUDREY user name link to access the user details, the Audit Manager check box has a check to indicate that OKV_AUD_AUDREY has the Audit Manager role. However, because user OKV_SYS_KEYS_JOE is logged in and does not have this role, the check box is grayed out. This prevents him from revoking the role from OKV_AUD_AUDREY.


  • OKV_ALL_JANE: Because OKV_SYS_KEYS_JOE does not have the Audit Manager role, as with the OKV_AUD_AUDREY user account, OKV_SYS_KEYS_JOE cannot change the OKV_ALL_JANE password, either. (Conversely, user OKV_ALL_JANE, who has all the roles the other users have, can change their passwords if she wants.)

  • OKV_KEYS_KATE: User OKV_KEYS_KATE only has the Key Administrator role, which user OKV_SYS_KEYS_JOE also has. Therefore, OKV_SYS_KEYS_JOE can change the password for OKV_KEYS_KATE. When OKV_SYS_KEYS_JOE selects the OKV_KEYS_KATE name link to display the user details, the Reset Password button appears, enabling OKV_SYS_KEYS_JOE to change the password.

  • OKV_OLIVER: User OKV_OLIVER has no roles at all, and therefore cannot change anyone else's passwords (or grant them roles). Only a user who has the System Administrator role (users OKV_ALL_JANE, OKV_SYS_KEYS_JOE, and OKV_SYS_SEAN) can change his password. See the description of users who do not have roles under "About Managing Oracle Key Vault Users" for more information.

Changing Oracle Key Vault User Passwords

You can change an Oracle Key Vault user password using either of two methods.

  • To change your own password: Select the Users tab, then select Manage Users. Select Change Password. The Change Password page appears. After you modify your password, click Save.

    Any user can change his or her password.


  • To reset another user's password: Select the Users tab, and then select Manage Users. Ensure that you have all the same roles as the other user. Select the user name, and in the User Details region, select Reset Password. The Reset User Password page appears. After you modify the password, select Save.

    To reset a password for a user who has no roles, you must have the System Administrator role.

Deleting Oracle Key Vault Users

Deleting Oracle Key Vault users removes them from any groups that they have membership in.

To delete a user, you must have all the same administrative roles as that user, and you need the System Administrator role. If you do not have these roles, then you can have another user who does have those roles revoke the roles for the user in question. Then you can delete the user. See "Granting or Revoking Roles" for information about revoking roles from a user.

  1. Log in to the Oracle Key Vault management console as a user who has the same roles as the user being deleted.

  2. Select the Users tab and then select Manage Users.

  3. Find the user and select the check box at the beginning of the row.

  4. Click Delete.

  5. In the confirmation dialog box, click OK.

  6. Click Save.

    A message appears, indicating that the user has been dropped.
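The grant, password-reset and delete rules from this chapter, modelled as an added example (not Oracle code and not an Oracle Key Vault API). The role sets come from the table under "Who Can Change Oracle Key Vault Passwords?"; all function names are hypothetical, and `recovery_gaps` goes beyond the text by listing accounts that fewer than two other users could reset.

```python
# Added example: models the role rules stated in this chapter. Not Oracle code.
SYS, KEY, AUD = "System Administrator", "Key Administrator", "Audit Manager"

# Role sets copied from the table under "Who Can Change Oracle Key Vault Passwords?"
USERS = {
    "OKV_ALL_JANE": {SYS, KEY, AUD},
    "OKV_SYS_KEYS_JOE": {SYS, KEY},
    "OKV_SYS_SEAN": {SYS},
    "OKV_KEYS_KATE": {KEY},
    "OKV_AUD_AUDREY": {AUD},
    "OKV_OLIVER": set(),
}

def can_grant_or_revoke(actor, role):
    """A role can be granted or revoked only by a user who holds it."""
    return role in USERS[actor]

def can_reset_password(actor, target):
    """Resetting another user's password requires every role the target has;
    a target with no roles requires the System Administrator role."""
    if not USERS[target]:
        return SYS in USERS[actor]
    return USERS[target] <= USERS[actor]

def can_delete(actor, target):
    """Deleting requires all of the target's roles plus System Administrator."""
    return SYS in USERS[actor] and USERS[target] <= USERS[actor]

def resetters(target):
    """Other users who could reset the target's password."""
    return sorted(u for u in USERS if u != target and can_reset_password(u, target))

def recovery_gaps(minimum=2):
    """Accounts that fewer than `minimum` other users could reset."""
    return {u: resetters(u) for u in USERS if len(resetters(u)) < minimum}

if __name__ == "__main__":
    for user in USERS:
        print(f"{user:17} reset by: {', '.join(resetters(user)) or 'nobody'}")
    print("recovery gaps:", recovery_gaps())
```

With the sample accounts, no other user can reset the OKV_ALL_JANE password, because nobody else holds all three roles.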

Managing User Groups

Users who have been granted the Key Administrator role can view, create, and delete user groups, add members to groups, and add group access to virtual wallets.


Creating a User Group

You can create a named group of Oracle Key Vault users.

  1. Log in as a user who has been granted the Key Administrator role.

    See "Logging In to the Oracle Key Vault Management Console."

  2. Select the Users tab.

  3. Select Manage Access.

    The User Groups page appears.


  4. Click Create User Group.

    The Create User Group page appears.


  5. On the Create User Group page, do the following:

    • Name: Enter a name for the user group.

    • Description: Optionally, enter a description for the user group.

    • Members: Under Members, use the check box to select the users who you want to add to the user group.

  6. Click Save.

Adding and Modifying User Group Details

You can change the description and members of a user group, and add or remove wallet access and group membership. You cannot change the name of the user group.

  1. Log in as a user who has been granted the Key Administrator role.

    See "Logging In to the Oracle Key Vault Management Console."

  2. Select the Users tab, and then select Manage Access.

  3. On the User Groups page, under Details, select the edit pencil icon for the user group that you want to modify.

  4. On the User Group Details page, do the following as necessary:

    • To modify the description, enter a new description in the Description field.

    • To add or remove access to wallets, click Add or Remove.

    • To modify the group members, under User Group Members, click Add to add new members. To delete existing members, select their check boxes and then click Remove.

  5. Click Save.

Adding an Oracle Key Vault User to a Group

You can add an existing Oracle Key Vault user to a group.

  1. Log in as a user who has the Key Administrator role.

    Select the Users tab, then select Manage Access and click the edit pencil icon in the details column next to the user group name.

  2. In the User Group Members region, click Add.

  3. Select the check box for the user (member) being added.

  4. Click Save.

    A dialog box appears, indicating that the user (member) has been successfully added.

Removing an Oracle Key Vault User from a Group

You can remove an existing Oracle Key Vault user from a group.

  1. Log in as a user who has the Key Administrator role.

    Select the Users tab, then select Manage Access and click the edit pencil icon in the details column next to the user group name.

  2. In the User Group Members region, select the check box for the user (member) being removed.

  3. Click Remove.

  4. When the confirmation dialog box asks if you want to delete the user, click OK.

    A dialog box appears, indicating that the group has successfully dropped a member.

Deleting an Oracle Key Vault User Group

You can delete an Oracle Key Vault user group.

  1. Log in as a user who has been granted the Key Administrator role.

    See "Logging In to the Oracle Key Vault Management Console."

  2. Select the Users tab, and then select Manage Access.

  3. On the User Groups page, select the check boxes for the user groups that you want to delete, and then click Delete.

  4. In the Confirmation dialog box, click OK.