Note:
This menu option is only enabled if you are connected to a KMA using your profile.
This function allows users to change their own passphrases. Changing your passphrase does not invalidate your current user certificate.
From the System menu, select Change Passphrase...
Update the passphrase. The phrase must meet the requirements listed in "Passphrase Requirements".
Available to:
Security Officer
Procedures:
From the System Management menu, select User List. See "Filtering Lists" to filter the list.
Available to:
Security Officer (requires a quorum)
Procedures:
From the System Management menu, select User List. Click Create...
On the General tab, enter the following:
User ID — Uniquely identifies the user. This value can be between 1 and 64 characters (inclusive).
Description — Describes the user. This value can be between 1 and 64 characters (inclusive).
Roles — The roles you want the user to perform.
Note:
The Quorum Member check box is disabled (grayed out) if the KMA currently runs KMS 2.1 or earlier or if the replication version of the OKM cluster is currently set to 10 or lower.
Click the Passphrase tab and enter the passphrase. Confirm the passphrase (retype the same passphrase). The phrase must meet the requirements listed in "Passphrase Requirements".
Click Save.
Creating a user requires a quorum. Within the Key Split Quorum Authentication dialog, the quorum must type their usernames and passphrases to authenticate the operation. See "Key Split Quorum Authentication" for more information.
Note:
The currently logged-in Security Officers cannot modify their own records.
Available to:
Security Officer (requires a quorum for role or passphrase change)
Procedures:
From the System Management menu, select User List. Double-click a user (or highlight a user and click Details...).
On the General tab, you can modify the Description, Roles, and Enabled Flag.
On the Passphrase tab, you can change the user's passphrase. The phrase must meet the requirements listed in "Passphrase Requirements".
Click Save.
If you added user roles or changed the passphrase, within the Key Split Quorum Authentication dialog, the quorum must type their usernames and passphrases to authenticate the operation. See "Key Split Quorum Authentication" for more information.
Note:
If you did not add user roles or change the passphrase, the user information updates in the OKM cluster after you click Save, and the Key Split Quorum Authentication is not required.
Notify the user that their information has changed.
Users cannot delete themselves.
Available to:
Security Officer
Procedures:
From the System Management menu, select User List. Select the user you want to delete and click Delete.
Click Yes to confirm.
Roles are fixed logical groupings of various system operations that a user can perform. A user can have more than one role.
Available to:
Security Officer
Procedures:
To view the role list, expand System Management and select Role List. See "Filtering Lists" to filter the list.
To view a list of operations for each role, highlight a role, and then click Details...
Roles:
Security Officer – manages security settings, users, sites, and transfer partners
Compliance Officer – manages key policies and key groups and determines which agents and transfer partners can use key groups
Quorum Member – views and approves pending quorum operations.
A single KMA user account may be assigned membership to one or more roles. The KMA verifies that the requesting user entity has permission to execute an operation based on the user's role(s). For more information on the roles, refer to "Log into the KMA".
Table 6-1 shows the system operations that each user role can perform. In the "Roles" columns, the entries mean the following:
Yes – the role can perform the operation.
Quorum – the role can perform the operation but must also provide a quorum.
NA – the role cannot perform the operation.
Table 6-1 System Operations/User Roles
Entity | Operation | Security Officer | Compliance Officer | Operator | Backup Operator | Auditor | Quorum Member |
---|---|---|---|---|---|---|---|
Console | Log In | Yes | Yes | Yes | Yes | Yes | Yes |
Console | Set KMA Locale | Yes | NA | NA | NA | NA | NA |
Console | Set KMA IP Address | Yes | NA | NA | NA | NA | NA |
Console | Enable Tech Support | Yes | NA | NA | NA | NA | NA |
Console | Disable Tech Support | Yes | NA | Yes | NA | NA | NA |
Console | Enable Primary Administrator | Yes | NA | NA | NA | NA | NA |
Console | Disable Primary Administrator | Yes | NA | Yes | NA | NA | NA |
Console | Restart KMA | NA | NA | Yes | NA | NA | NA |
Console | Shutdown KMA | NA | NA | Yes | NA | NA | NA |
Console | Log OKM into Cluster | Quorum | NA | NA | NA | NA | NA |
Console | Set User's Passphrase | Yes | NA | NA | NA | NA | NA |
Console | Reset KMA | Yes | NA | NA | NA | NA | NA |
Console | Show Cluster Root CA Certificate Properties | Yes | Yes | Yes | Yes | Yes | Yes |
Console | Re-key Root CA Certificate | Yes | NA | NA | NA | NA | NA |
Console | Logout | Yes | Yes | Yes | Yes | Yes | Yes |
Connect | Log In | Yes | Yes | Yes | Yes | Yes | Yes |
Connect | Create Profile | Yes | Yes | Yes | Yes | Yes | Yes |
Connect | Delete Profile | Yes | Yes | Yes | Yes | Yes | Yes |
Connect | Set Config Settings | Yes | Yes | Yes | Yes | Yes | Yes |
Connect | Disconnect | Yes | Yes | Yes | Yes | Yes | Yes |
Key Split Credentials | List | Yes | NA | NA | NA | NA | NA |
Key Split Credentials | Modify | Quorum | NA | NA | NA | NA | NA |
Autonomous Unlock | List | Yes | NA | NA | NA | NA | NA |
Autonomous Unlock | Modify | Quorum | NA | NA | NA | NA | NA |
Lock/Unlock KMA | List Status | Yes | Yes | Yes | Yes | Yes | NA |
Lock/Unlock KMA | Lock | Yes | NA | NA | NA | NA | NA |
Lock/Unlock KMA | Unlock | Quorum | NA | NA | NA | NA | NA |
Site | Create | Yes | NA | NA | NA | NA | NA |
Site | List | Yes | NA | Yes | NA | NA | NA |
Site | Modify | Yes | NA | NA | NA | NA | NA |
Site | Delete | Yes | NA | NA | NA | NA | NA |
Security Parameters | List | Yes | Yes | Yes | Yes | Yes | NA |
Security Parameters | Modify | Yes | NA | NA | NA | NA | NA |
KMA | Create | Quorum | NA | NA | NA | NA | NA |
KMA | List | Yes | NA | Yes | NA | NA | NA |
KMA | Modify | Quorum | NA | NA | NA | NA | NA |
KMA | Delete | Yes | NA | NA | NA | NA | NA |
User | Create | Quorum | NA | NA | NA | NA | NA |
User | List | Yes | NA | NA | NA | NA | NA |
User | Modify | Yes | NA | NA | NA | NA | NA |
User | Modify Passphrase | Quorum | NA | NA | NA | NA | NA |
User | Delete | Yes | NA | NA | NA | NA | NA |
Role | Add | Quorum | NA | NA | NA | NA | NA |
Role | List | Yes | NA | NA | NA | NA | NA |
Key Policy | Create | NA | Yes | NA | NA | NA | NA |
Key Policy | List | NA | Yes | NA | NA | NA | NA |
Key Policy | Modify | NA | Yes | NA | NA | NA | NA |
Key Policy | Delete | NA | Yes | NA | NA | NA | NA |
Key Group | Create | NA | Yes | NA | NA | NA | NA |
Key Group | List | NA | Yes | Yes | NA | NA | NA |
Key Group | List Data Units | NA | Yes | Yes | NA | NA | NA |
Key Group | List Agents | NA | Yes | Yes | NA | NA | NA |
Key Group | Modify | NA | Yes | NA | NA | NA | NA |
Key Group | Delete | NA | Yes | NA | NA | NA | NA |
Agent | Create | NA | NA | Yes | NA | NA | NA |
Agent | List | NA | Yes | Yes | NA | NA | NA |
Agent | Modify | NA | NA | Yes | NA | NA | NA |
Agent | Modify Passphrase | NA | NA | Yes | NA | NA | NA |
Agent | Delete | NA | NA | Yes | NA | NA | NA |
Agent/Key Group Assignment | List | NA | Yes | Yes | NA | NA | NA |
Agent/Key Group Assignment | Modify | NA | Yes | NA | NA | NA | NA |
Data Unit | Create | NA | NA | NA | NA | NA | NA |
Data Unit | List | NA | Yes | Yes | NA | NA | NA |
Data Unit | Modify | NA | NA | Yes | NA | NA | NA |
Data Unit | Modify Key Group | NA | Yes | NA | NA | NA | NA |
Data Unit | Delete | NA | NA | NA | NA | NA | NA |
Keys | List Data Unit Keys | NA | Yes | Yes | NA | NA | NA |
Keys | Destroy | NA | NA | Yes | NA | NA | NA |
Keys | Compromise | NA | Yes | NA | NA | NA | NA |
Transfer Partners | Configure | Quorum | NA | NA | NA | NA | NA |
Transfer Partners | List | Yes | Yes | Yes | NA | NA | NA |
Transfer Partners | Modify | Quorum | NA | NA | NA | NA | NA |
Transfer Partners | Delete | Yes | NA | NA | NA | NA | NA |
Key Transfer Keys | List | Yes | NA | NA | NA | NA | NA |
Key Transfer Keys | Update | Yes | NA | NA | NA | NA | NA |
Transfer Partner Key Group Assignments | List | NA | Yes | Yes | NA | NA | NA |
Transfer Partner Key Group Assignments | Modify | NA | Yes | NA | NA | NA | NA |
Backup | Create | NA | NA | NA | Yes | NA | NA |
Backup | List | Yes | Yes | Yes | Yes | NA | NA |
Backup | List Backups with Destroyed Keys | NA | Yes | Yes | NA | NA | NA |
Backup | Restore | Quorum | NA | NA | NA | NA | NA |
Backup | Confirm Destruction | NA | NA | NA | Yes | NA | NA |
Core Security Backup | Create | Yes | NA | NA | NA | NA | NA |
SNMP Manager | Create | Yes | NA | NA | NA | NA | NA |
SNMP Manager | List | Yes | NA | Yes | NA | Yes | NA |
SNMP Manager | Modify | Yes | NA | NA | NA | NA | NA |
SNMP Manager | Delete | Yes | NA | NA | NA | NA | NA |
Audit Event | View | Yes | Yes | Yes | Yes | Yes | NA |
Audit Event | View Agent History | NA | Yes | Yes | NA | NA | NA |
Audit Event | View Data Unit History | NA | Yes | Yes | NA | NA | NA |
Audit Event | View Data Unit Key History | NA | Yes | Yes | NA | NA | NA |
System Dump | Create | Yes | NA | Yes | NA | NA | NA |
System Time | List | Yes | Yes | Yes | Yes | Yes | NA |
System Time | Modify | Yes | NA | NA | NA | NA | NA |
NTP Server | List | Yes | Yes | Yes | Yes | Yes | NA |
NTP Server | Modify | Yes | NA | NA | NA | NA | NA |
Software Version | List | Yes | Yes | Yes | Yes | Yes | NA |
Software Version | Upgrade | NA | NA | Quorum | NA | NA | NA |
Software Version | Delete | NA | NA | Yes | NA | NA | NA |
Network Configuration | Display | Yes | Yes | Yes | Yes | Yes | NA |
Pending Quorum Operation | Approve | NA | NA | NA | NA | NA | Quorum |
Pending Quorum Operation | Delete | Yes | NA | NA | NA | NA | NA |
Key List | Query | NA | Yes | Yes | NA | NA | NA |
Key List | List Activity History | NA | Yes | Yes | NA | NA | NA |
Agent Performance List | Query | NA | Yes | Yes | NA | NA | NA |
KMA Performance List | Query | Yes | Yes | Yes | Yes | Yes | Yes |
Current Load | Query | Yes | Yes | Yes | Yes | Yes | Yes |
Remote Syslog | List | Yes | NA | NA | NA | Yes | NA |
Remote Syslog | Create | Yes | NA | NA | NA | NA | NA |
Remote Syslog | Modify | Yes | NA | NA | NA | NA | NA |
Remote Syslog | Delete | Yes | NA | NA | NA | NA | NA |
Remote Syslog | Test | Yes | NA | NA | NA | NA | NA |
Hardware Management Pack | Download MIB Bundle | Yes | NA | NA | NA | NA | NA |
Hardware Management Pack | Get Status | Yes | NA | NA | NA | Yes | NA |
Hardware Management Pack | Enable | Yes | NA | NA | NA | NA | NA |
Hardware Management Pack | Disable | Yes | NA | NA | NA | NA | NA |
Hardware Management Pack | Test | Yes | NA | NA | NA | NA | NA |
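
The user-management rules on this page (quorum for user creation, role additions and passphrase changes; no self-deletion; Security Officers cannot modify their own records; any user may change their own passphrase) combine into one decision, shown here for access reviews. This Python is an added example, not Oracle's code; the function names, the field labels and the rule that the most permissive entry wins for a multi-role user are assumptions.

```python
# Added illustration of rules stated on this page; not OKM's implementation.
# Excerpt of Table 6-1: (entity, operation) -> {role: entry}; absent role = NA.
TABLE = {
    ("User", "Create"): {"Security Officer": "Quorum"},
    ("User", "Modify"): {"Security Officer": "Yes"},
    ("User", "Modify Passphrase"): {"Security Officer": "Quorum"},
    ("User", "Delete"): {"Security Officer": "Yes"},
    ("Role", "Add"): {"Security Officer": "Quorum"},
}
RANK = {"NA": 0, "Quorum": 1, "Yes": 2}


def table_access(roles, entity, operation):
    """Best entry any of the user's roles has for one table row.
    Assumption: with several roles, Yes beats Quorum beats NA."""
    row = TABLE.get((entity, operation), {})
    return max((row.get(r, "NA") for r in roles), key=RANK.get, default="NA")


def decide_user_change(actor, actor_roles, target, action, fields=()):
    """Return 'allow', 'quorum' or 'deny' for a user-management request.
    action: 'create', 'modify' or 'delete'; fields: what a modify touches
    (hypothetical labels: 'description', 'roles_added', 'passphrase')."""
    if action == "modify" and actor == target:
        # Own passphrase goes through Change Passphrase; nothing else on own record.
        return "allow" if set(fields) == {"passphrase"} else "deny"
    if action == "delete" and actor == target:
        return "deny"  # users cannot delete themselves
    if action == "create":
        needed = [("User", "Create")]
    elif action == "delete":
        needed = [("User", "Delete")]
    else:
        needed = [("User", "Modify")]
        if "roles_added" in fields:
            needed.append(("Role", "Add"))
        if "passphrase" in fields:
            needed.append(("User", "Modify Passphrase"))
    results = [table_access(actor_roles, e, op) for e, op in needed]
    if "NA" in results:
        return "deny"
    # One quorum-gated row makes the whole request quorum-gated.
    return "quorum" if "Quorum" in results else "allow"
```

A request that mixes a description edit with a role addition comes back as `quorum`, matching the note that only role or passphrase changes trigger Key Split Quorum Authentication.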