5 Managing Oracle Key Vault Users

Oracle Key Vault users administer the system, enroll endpoints, manage users and endpoints, control access to security objects, and grant other users administrative roles as needed.

5.1 About Oracle Key Vault Users

Key Vault users fulfill multiple functions. A key function is to register and enroll Key Vault endpoints, which then manage their security objects through Key Vault.

5.1.1 Types of Oracle Key Vault Users

There are two types of Oracle Key Vault users:

  • Administrative users who have one or more of the three administrative roles: System Administrator, Key Administrator, and Audit Manager.

  • Ordinary users who have none of the administrative roles, but who have access to security objects.

Separation of duties in Key Vault means that users with an administrative role have access to functions pertaining to their role but not the others. For example, only the system administrator sees the System tab, not the key administrator or the audit manager. Likewise, the system administrator can add endpoints, but cannot create endpoint groups. The user interface elements needed to create endpoint groups are visible only to the key administrator.

Users who have no administrative role can be granted access to security objects specific to their function, thus restricting their privileges. For example, you can grant a user access to a specific virtual wallet. This user can log into the Key Vault management console and add, delete, and manage his own security objects, but he cannot see system menus, details of other users and endpoints, their wallets, or audit reports.

Although the separation of user duties is recommended, organizations may opt to have a single user perform all the administrative functions by granting that user all the administrative roles.

An Oracle Key Vault user name cannot be the same as an Oracle Key Vault endpoint name.

5.1.2 Create an Oracle Key Vault User

A user with the System Administrator role can create user accounts from the Oracle Key Vault management console.

To add a user to Key Vault follow these steps:

  1. Log in to the Oracle Key Vault management console as a user who has the System Administrator role.
  2. Click the Users tab.

    The Manage Users page appears with a list of existing users.

  3. Click Create.

    The Create User page appears.

  4. Enter a user name in User Name. You must ensure that the user name is not the same as an Oracle Key Vault endpoint name.
  5. Optionally, add the user's full name in Full Name.
  6. For the password, do one of the following:
    • Auto Generate Password: Select this option to have a password automatically generated and sent to the user. The user receives a message with Oracle Key Vault: System Generated User Password in the subject line. When the user logs in to the Oracle Key Vault management console for the first time, he will be asked to change the password.

      Note that the SMTP server must be configured before this option can be used.

    • Password and Re-type password: Enter a valid password. Passwords must be 8 or more characters long and contain at least one of each of the following: an uppercase letter, a lowercase letter, a number, and a special character. The special characters allowed are period (.), comma (,), underscore (_), plus sign (+), colon (:), and space.

  7. Click Save.

    The Manage Users page appears and lists the new user.
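The password rules from step 6 above, written out as a validator. This is an added example, not code from Oracle Key Vault; it treats any special character outside the listed set as a violation rather than silently ignoring it, and the sample passwords are constructed for illustration.

```python
import string

# Rules as stated in the Create User procedure: 8 or more characters, at
# least one uppercase letter, one lowercase letter, one digit and one
# special character, and the only special characters permitted are
# period, comma, underscore, plus sign, colon and space.
ALLOWED_SPECIALS = ".,_+: "
UPPER = set(string.ascii_uppercase)
LOWER = set(string.ascii_lowercase)
DIGITS = set(string.digits)


def check_password(password: str) -> list:
    """Return the list of rule violations; an empty list means the
    password satisfies the policy described on this page."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not any(c in UPPER for c in password):
        problems.append("no uppercase letter")
    if not any(c in LOWER for c in password):
        problems.append("no lowercase letter")
    if not any(c in DIGITS for c in password):
        problems.append("no digit")
    # Everything that is not an ASCII letter or digit counts as "special",
    # so a non-ASCII letter is also caught by the allowed-set check below.
    specials = [c for c in password if c not in UPPER | LOWER | DIGITS]
    if not specials:
        problems.append("no special character")
    disallowed = sorted({c for c in specials if c not in ALLOWED_SPECIALS})
    if disallowed:
        problems.append("disallowed special character(s): "
                        + " ".join(repr(c) for c in disallowed))
    return problems


def is_valid_password(password: str) -> bool:
    """True when the password meets every rule of the policy."""
    return not check_password(password)


if __name__ == "__main__":
    # Constructed sample passwords, one per rule.
    for pw in ("Okv_2024:ok", "okv_2024:ok", "Okv!2024", "Okv2024A", "Ok_1"):
        print(repr(pw), "->", check_password(pw) or "OK")
```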

5.1.3 Grant, Change or Revoke Administrative Roles

You can grant an administrative role to a user you have added, or change the roles the user holds. You must hold an administrative role yourself to grant it to other users. You can also revoke an administrative role when it is no longer needed.

5.1.3.1 Grant or Change an Administrative Role of a User

To grant or change an administrative role:

  1. Log in to the Oracle Key Vault management console as a user who has the role that the user is to be granted.
  2. Click the Users tab.

    The Manage Users page appears displaying the list of users.

  3. Click the name of the user in the User Name column.

    The User Details page appears. The User Details page provides a consolidated view of the Key Vault user. It displays the following user information: name, email, administrative role(s), membership in user group(s), and access to security object(s).

  4. To grant a role, check the box for the role you want to grant under Roles. The roles are Audit Manager, Key Administrator, and System Administrator.

    To change a role, uncheck the box for the previous role and check the box(es) for the new role(s).

  5. Click Save.

5.1.3.2 Revoke an Administrative Role from a User

To revoke a role from a user follow these steps:

  1. Log in to the Oracle Key Vault management console as a user who has the role that you want to revoke.
  2. Click the Users tab.

    The Manage Users page appears displaying the list of users.

  3. Click the user name whose role you want to revoke.

    The User Details page appears.

  4. Uncheck the box for the role you want to revoke.
  5. Click Save.

5.1.4 Delete Oracle Key Vault User(s)

You can delete a Key Vault user if the user's function in the organization changes. Deleting a user removes them from Key Vault and removes them from any user groups they were part of. The operation does not delete any security objects managed by the user.

To delete a user from Oracle Key Vault follow these steps:

  1. Log in to the Oracle Key Vault management console as a user with the System Administrator role and the same role(s) as the user being deleted.
  2. Select the Users tab.

    The Manage Users page appears displaying the list of users.

  3. Check the box(es) by the user(s) you want to delete.
  4. Click Delete.
  5. In the confirmation dialog box, click OK.
  6. Click Save.

5.1.5 View User Details

All administrative users can view the list of Oracle Key Vault users and their details. Users without any of the three administrative roles can only see their own user details.

The User Details page provides a consolidated view of the Key Vault user. This is the page where all user management tasks are performed.

To view user details for a given user:

  1. Log in to the Oracle Key Vault management console.
  2. Select Users.

    The Manage Users page appears displaying the list of users.

    You can sort and search the list by column: user name, full name or roles.

  3. Click on a user name to get to the User Details page.

5.2 About Changing User Passwords

Any valid Oracle Key Vault user can change his or her own password.

5.2.1 How User Password Changes Work

As a Key Vault System Administrator, you can reset another user's password. You can also reset another user's password if you hold, at minimum, the same administrative roles as that user. For example, if you want to change the password of a user who has the Audit Manager role, then you must also have that role before you can change the password.

Consider the following users and roles:

User               System Admin   Key Admin   Audit Manager
OKV_ALL_JANE       Yes            Yes         Yes
OKV_SYS_KEYS_JOE   Yes            Yes         -
OKV_SYS_SEAN       Yes            -           -
OKV_KEYS_KATE      -              Yes         -
OKV_AUD_AUDREY     -              -           Yes
OKV_OLIVER         -              -           -

Suppose that user OKV_SYS_KEYS_JOE, who has the System Administrator and Key Administrator roles, is logged in and wants to change the other users' passwords. The following happens:

  • OKV_KEYS_KATE: OKV_SYS_KEYS_JOE can change the password for OKV_KEYS_KATE because they have the Key Administrator role in common.

  • OKV_AUD_AUDREY: OKV_SYS_KEYS_JOE cannot change OKV_AUD_AUDREY's password because OKV_SYS_KEYS_JOE does not have the Audit Manager role.

  • OKV_ALL_JANE: OKV_SYS_KEYS_JOE cannot change the password for user OKV_ALL_JANE because he does not have the Audit Manager role.

  • OKV_OLIVER: OKV_SYS_KEYS_JOE can change the password for user OKV_OLIVER, who has no roles at all.
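The rule that the worked example illustrates, as an added Python example that is not part of the Oracle documentation: a reset is allowed only when every administrative role held by the target user is also held by the acting user. The code uses the users from the table above and, beyond the four cases listed, evaluates the other pairs as well; the assumption that a user with no administrative role can change only his or her own password is mine.

```python
from dataclasses import dataclass

SYSTEM_ADMIN = "System Administrator"
KEY_ADMIN = "Key Administrator"
AUDIT_MANAGER = "Audit Manager"


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset


# The users and roles from the table above.
USERS = {
    u.name: u for u in (
        User("OKV_ALL_JANE", frozenset({SYSTEM_ADMIN, KEY_ADMIN, AUDIT_MANAGER})),
        User("OKV_SYS_KEYS_JOE", frozenset({SYSTEM_ADMIN, KEY_ADMIN})),
        User("OKV_SYS_SEAN", frozenset({SYSTEM_ADMIN})),
        User("OKV_KEYS_KATE", frozenset({KEY_ADMIN})),
        User("OKV_AUD_AUDREY", frozenset({AUDIT_MANAGER})),
        User("OKV_OLIVER", frozenset()),
    )
}


def missing_roles(actor: User, target: User) -> set:
    """Roles the target holds that the actor does not. Any such role
    blocks the reset (for JOE resetting JANE this is {Audit Manager})."""
    return set(target.roles - actor.roles)


def can_reset_password(actor: User, target: User) -> bool:
    """Password-reset rule from the worked example: the actor may reset the
    target's password only when every administrative role of the target is
    also held by the actor. Holding System Administrator alone is not
    enough when the target holds a role the actor lacks."""
    if actor.name == target.name:
        return True   # any user may change his or her own password
    if not actor.roles:
        return False  # assumption: ordinary users cannot reset others' passwords
    return not missing_roles(actor, target)


def reset_matrix(actor_name: str) -> dict:
    """Map each other user to whether the named actor can reset that password."""
    actor = USERS[actor_name]
    return {name: can_reset_password(actor, u)
            for name, u in USERS.items() if name != actor_name}


if __name__ == "__main__":
    for name, allowed in reset_matrix("OKV_SYS_KEYS_JOE").items():
        print(f"OKV_SYS_KEYS_JOE -> {name}: {'allowed' if allowed else 'denied'}")
```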

5.2.2 Change Your Own Password

Any user can change his or her own Oracle Key Vault account password.

To change your own password:

  1. Log in to the Oracle Key Vault management console.

    See References below to learn how to log in to Key Vault.

  2. Select the Users tab.

    The Manage Users page appears displaying the list of users.

  3. Select Change Password from the left sidebar.

    The Change Password for <your user name> page appears.

    Figure 5-5 Change Your Own User Password

  4. Enter your current password in Current Password. Enter the new password in New Password and Re-enter New Password.
  5. Click Save.

5.2.3 Reset Another User's Password

You can reset the password of another user if you are a Key Vault System Administrator or a user who holds, at minimum, the same administrative roles as the user whose password you wish to reset. Key Vault provides two ways to reset a user's password.

5.2.3.1 Reset Password Manually

You can set the password manually for a user, and then use any out-of-band method to notify the user of the new password.

To reset another user's password follow these steps:

  1. Log in to the Oracle Key Vault management console as a user with the System Administrator role.

    See References below to learn how to log in to Key Vault.

  2. Select the Users tab.

    The Manage Users page appears displaying the list of users.

  3. Click the user name whose password you want to change.

    The User Details page appears.

  4. Click Reset Password.

    The Reset User Password page appears.

    Figure 5-6 Reset User Password Manually

  5. Enter the new password in New Password and Re-type New Password.
  6. Click Save.

5.2.3.2 Reset Password Automatically

Another way to reset a user's password is to have it generated automatically by Key Vault. This password can be sent directly from Key Vault to the user. You must configure SMTP in Email Settings in order to use this feature.

To automatically generate a password and have it sent to the user follow these steps:

  1. Log in to the Oracle Key Vault management console as a user with the System Administrator role.
  2. Select the Users tab.

    The Manage Users page appears displaying the list of users.

  3. Click the user name whose password you want to change.

    The User Details page appears.

  4. Click Reset Password.

    The Reset User Password page appears.

    Figure 5-7 Reset User Password Automatically

  5. Check the box by Auto Generate Password.

    An email address field appears.

  6. Enter the email address of the user.
  7. Click Save.

    A confirmation message appears.

If you check Auto Generate Password without configuring SMTP, a link to Email Settings appears. Click the link to configure email settings and repeat Steps 1-7.

5.2.3.3 Reset Operating System User Account Passwords

You can reset the passwords for the Operating System user accounts, Root and Support. The Root and Support users are prompted to change their password the next time they log in after the password has passed its expiration time. The expiration times are 365 days with a warning at 120 days, and with STIG it is 60 days with a warning at 60 days.

  1. Using SSH, log in to the Oracle Key Vault server terminal as the System Administrator.

    The Oracle Key Vault Server <Release Number> screen appears.

    Figure 5-8 Oracle Key Vault Server <Release Number> Screen

  2. Select Set User Passwords to set the Root and Support User passwords. Press Enter.

    The Set User Passwords screen appears.

    Figure 5-9 Set User Passwords Screen

  3. Select Set root password or Set support password and press Enter.

    The Set Password screen appears.

    Figure 5-10 Set Password Screen

  4. Type the new password in the Password and Confirm fields. Select OK and press Enter.

    The Installation Passphrase screen appears.

    Figure 5-11 Installation Passphrase Screen

  5. Enter the Installation Passphrase and press Enter.

The Operating System User password is changed.

5.3 Grant a User Access to a Virtual Wallet

A user with the Key Administrator role controls access to security objects for users, endpoints, and their respective groups. Any user may be granted access to security objects in Key Vault at a level appropriate to their function in the organization.

You can grant a user access to a virtual wallet as follows:

  1. Log in as a user who has the Key Administrator role.
  2. Select the Users tab, and then select Manage Users.

    The Manage Users page appears displaying the list of users.

  3. Click the name of the user to whom you want to grant access.

    The User Details page appears.

  4. Click Add in the Access to Wallets section.

    The Add Access to User Group page appears.

  5. Select the wallet under Select Wallet.
  6. Set the access level to the selected wallet under Select Access Level. Select Read Only, Read and Modify, or Manage Wallet.

    Set access levels when you grant access to the wallet, if you know the level to grant. You can also set or modify access levels from the wallet menu.

  7. Click Save.

5.4 About User Email

It is important that Key Vault users have their current email address on file so that system changes such as alerts and password changes can be communicated directly from Key Vault. User email can be updated on the User Details page. Users can also opt out of email notifications.

5.4.1 Disable Email Notifications for a User

You can disable email notifications for a user on the User Details page.

To get to the User Details page:

  1. Log in to the Oracle Key Vault management console as a user who has the System Administrator role.

    See References below to learn how to log in to Key Vault.

  2. Select the Users tab.

    The Manage Users page appears displaying the list of users.

  3. Click the user's name in the User Name column.

    The User Details page appears:

    Figure 5-12 User Details Page

  4. Check the box Do not receive email alerts.
  5. Click Save.

5.4.2 Change User Email

After adding the user you can add or modify the user's email address as follows:

  1. Log in to the Oracle Key Vault management console as a user who has the System Administrator role.

    See References below to learn how to log in to Key Vault.

  2. Select the Users tab.

    The Manage Users page appears displaying the list of users.

  3. Click the user's name in the User Name column.

    The User Details page appears.

  4. Enter the email address in Email.
  5. Click Save.

5.5 Manage User Groups

A user group is a named collection of users who have a specific purpose.

5.5.1 How User Groups Work

Once a user group is created, you can modify all its details except the group name, which cannot be changed. Users who have the Key Administrator role can create, modify, and delete user groups in order to manage their access to virtual wallets.

The main purpose of a user group is to simplify access control to security objects. If a set of users needs access to a common set of security objects, you can put these users in a group and grant the group access instead of granting access per user or per security object. When certain users no longer need access to the security objects, they can be removed from the group, and new users can be added to the group.

The group's access level to security objects may be modified at any time.

5.5.2 Create a User Group

Create a user group when a set of users needs to manage a set of common security objects. You can add users to the group when you create the group or later after creating the group.

To create a user group and add users to the group at the same time:

  1. Log in as a user who has the Key Administrator role.
  2. Select the Users tab.

    The Manage Users page appears displaying the list of users.

  3. Select Manage Access from the left sidebar.

    The User Groups page appears displaying existing user groups.

    Figure 5-13 User Groups Page

  4. Click Create User Group.

    The Create User Group page appears with a list of users in Select Members.

    Figure 5-14 Create User Group Page

  5. On the Create User Group page, do the following:
    • Name: Enter a name for the group.

    • Description: Optionally, enter a description for the group.

    • Select Members: Check the box(es) by the users you want to add to the group.

  6. Click Save.

5.5.3 Add a User to a User Group

You can add an existing user to a user group if that user needs to manage the same security objects as the group. You can add users to a group when you create the group or at any time after creating it.

To add a user to a user group after the group is created:

  1. Log in as a user who has the Key Administrator role.
  2. Click the Users tab, then Manage Access.

    The User Groups page appears displaying a list of existing user groups.

  3. Click the pencil icon in the Details column for the user group.

    The User Group Details page appears.

  4. Click Add in the User Group Members pane. The Add User Group Members page appears displaying the list of existing users not in the user group.
  5. Check the box(es) for the user(s) you want to add.
  6. Click Save.

    A dialog box appears, indicating that the user has been successfully added.

5.5.4 Remove a User from a User Group

You can remove users from a user group when their function in the organization changes, and they no longer need to manage the same security objects as the group.

To remove a user from a user group:

  1. Log in as a user who has the Key Administrator role.
  2. Click the Users tab, then Manage Access.

    The User Groups page appears displaying a list of existing user groups.

  3. Click the pencil icon in the Details column for the user group.

    The User Group Details page appears.

  4. In the User Group Members region, check the box(es) for the user(s) you want to remove.
  5. Click Remove.
  6. Click OK to confirm.

    A success message appears confirming the deletion.

5.5.5 Grant a User Group Access to a Virtual Wallet

The access level to a virtual wallet for a user group may be modified at any time as functional needs change.

To change the access level on a virtual wallet for a user group:

  1. Log in as a user who has the Key Administrator role.
  2. Select the Users tab, and then select Manage Access.

    The User Groups page appears displaying a list of existing user groups.

  3. Click the pencil icon in the Details column for the user group that you want to modify.

    The User Group Details page appears.

  4. Click Add in the Access to Wallets section.

    The Add Access to User Group page appears.

  5. Select the wallet in Select Wallet.
  6. Set the access level to the selected wallet in Select Access Level. Select Read Only, Read and Modify, or Manage Wallet.
  7. Click Save.

5.5.6 Modify User Group Description

A group description is useful to identify the purpose of the group. This description may be modified at any time to match the purpose of the group.

You can change the description of a user group as follows:

  1. Log in as a user who has the Key Administrator role.
  2. Select the Users tab, and then select Manage Access. The User Groups page appears.
  3. On the User Groups page, select the pencil icon in the Details column for the user group that you want to modify. The User Group Details page appears.
  4. Enter a new description in the Description field.
  5. Click Save.

5.5.7 Delete a User Group

You can delete a user group when the users in the group no longer need to access the same security objects. Deleting the group automatically removes the group's access to wallets and security objects.

To delete a user group, follow these steps:

  1. Log in to Oracle Key Vault as a user who has been granted the Key Administrator role.
  2. Select the Users tab, and then select Manage Access.

    The User Groups page appears.

  3. Check the box(es) for the user group(s) that you want to delete.
  4. Click Delete.
  5. Click OK to confirm.

    A success message appears confirming the deletion.