7 Managing Oracle Key Vault Users

Oracle Key Vault users administer the system, enroll endpoints, manage users and endpoints, control access to security objects, and grant other users administrative roles.

7.1 Managing User Accounts

You can create Oracle Key Vault user accounts, grant these users Key Vault administrative roles, and add the users to user groups.

7.1.1 About Oracle Key Vault User Accounts

Oracle Key Vault users fulfill multiple functions.

An important user function is to register and enroll Oracle Key Vault endpoints, enabling the user to manage his or her security objects by using Oracle Key Vault.

There are two types of Oracle Key Vault users:

  • Administrative users who have one or more of the three administrative roles: System Administrator, Key Administrator, or Audit Manager

  • Ordinary users who have none of the administrative roles, but who have access to security objects

Separation of duties in Oracle Key Vault means that users with an administrative role have access to functions pertaining to their role, but not other roles. For example, only a user with the System Administrator role has access to the full System tab, not users with the Key Administrator or Audit Manager roles. Similarly, a system administrator can add endpoints, but cannot create endpoint groups. The user interface elements needed to create endpoint groups are visible only to the key administrator.

Users who have no administrative role can be granted access to security objects that are specific to their function. For example, you can grant a user access to a specific virtual wallet. This user can log into the Oracle Key Vault management console and add, manage, and delete his or her own security objects, but he or she cannot see system menus, details of other users and endpoints, their wallets, or audit reports.

Although the separation of user duties is recommended, you can have a single user perform all the administrative functions by granting that user all the administrative roles.

Oracle Key Vault does not permit the user name to be the same as the name of another user or an endpoint. If you are creating users in a multi-master cluster environment, there is a chance that a user with the same name will be created in another node at the same time. In that case, Oracle Key Vault checks for naming conflicts and will automatically rename the user account that was created after the first user account of that name. You must drop the second user and then recreate it with a different name.

7.1.2 How a Multi-Master Cluster Affects User Accounts

An Oracle Key Vault multi-master cluster environment affects users in various ways.

These can include expanding the activities that they can perform and ensuring that their names do not conflict with other objects in the cluster environment.

7.1.2.1 Multi-Master Cluster Effect on System Administrator Users

The user who is granted the System Administrator role is responsible for managing the cluster configuration.

The System Administrator role in a multi-master cluster includes the following responsibilities:

  • All system administrator responsibilities for a single Oracle Key Vault server
  • Cluster initialization, converting the first Oracle Key Vault server to the initial node
  • Adding and removing nodes from the cluster
  • Disabling and enabling nodes in the cluster
  • Managing cluster-wide system settings
  • Monitoring cluster operations and cluster health indicators
  • Enabling and disabling replication between nodes
  • Monitoring and resolving data and naming conflicts
  • Monitoring and reacting to cluster alerts
  • Managing cluster settings

7.1.2.2 Multi-Master Cluster Effect on Key Administrator Users

The user who is granted the Key Administrator role manages endpoint groups, user groups, wallets, and objects.

In a multi-master cluster, when these items are uploaded in separate nodes and in separate data centers, name conflicts can occur. The key administrator provides input to the system administrator to resolve these conflicts for wallets, KMIP objects, endpoint groups, and user groups.

7.1.2.3 Multi-Master Cluster Effect on Audit Manager Users

The user who is granted the Audit Manager role is responsible for configuring audit settings.

In a multi-master cluster environment, this user can configure audit settings for the entire cluster and for individual nodes. The audit manager user can use different settings for different nodes, if necessary. However, this user can also unify audit settings across the entire cluster.

The audit manager can replicate audit trails between nodes, if necessary. However, this can result in significant traffic between nodes, so the audit manager can turn audit trail replication on or off. By default, audit trail replication is turned off.

7.1.2.4 Multi-Master Cluster Effect on Administration Users

Administrative users can have any combination of the administration roles, including the System Administrator, Key Administrator, and Audit Manager roles.

Administrative user information created in the Oracle Key Vault server that is used as the initial node seeds the cluster.

New servers added to a cluster will get administrative user information from the cluster. Administrator information that is created on the server for the purpose of inducting the server into the cluster will be removed.

Administrative users that are created in a node after the node joins an Oracle Key Vault cluster will have a cluster-wide presence. New administrative users that are added to the Oracle Key Vault cluster on different Oracle Key Vault nodes may have name conflicts. When the user account is created, Oracle Key Vault automatically resolves the administrative user name conflicts. User and endpoint conflicts will be displayed in the Conflicts Resolution page, and administrators can choose to rename endpoint conflicts. If there is a user name conflict, then you must either accept the automatically generated user name, or delete and recreate the user. User accounts will not be available for use and will be placed in a PENDING state until the name resolution is completed.

7.1.2.5 Multi-Master Cluster Effect on System Users

System users are responsible for the operating system of each Oracle Key Vault appliance, server, and node.

Oracle Key Vault servers are first installed and later configured to become nodes of an Oracle Key Vault cluster. As part of the server configuration, the operating system users (support and root) are created. Those users will remain unchanged after the server joins a cluster.

The same support and root passwords should be used for all the Oracle Key Vault nodes. Unlike Oracle Key Vault administrative accounts that are replicated, the support and root accounts are operating system users, and their passwords are not automatically synchronized across the cluster. Therefore, each node can potentially have a different support or root user password, making it difficult to manage multiple nodes of the cluster.

7.1.3 Creating an Oracle Key Vault User Account

A user with the System Administrator role can create user accounts from the Oracle Key Vault management console.

  1. Log in to the Oracle Key Vault management console as a user who has the System Administrator role.
  2. Click the Users tab.

    The Manage Users page appears with a list of existing users.

  3. Click Create.
  4. Enter a user name in User Name.
    Enter a maximum of 30 characters for the user name. If you are in a multi-master cluster environment, then use a maximum of 24 characters for the user name. Ensure that the user name is not the same as an Oracle Key Vault endpoint name.
  5. If you are using a multi-master cluster, then choose whether to select the Make Unique checkbox.
    Make Unique helps to control naming conflicts with user names across the multi-master cluster environment. When a server is converted to a cluster node, then the character limit for user names drops from 30 to 24 to allow for automatic renaming in case of a conflict. Users that were created before an Oracle Key Vault conversion to a cluster node are not affected by naming conflicts.
    • If you select Make Unique, then the user account will be active immediately and this user can perform operations.
    • If you do not select Make Unique, then the user account will be created in the PENDING state. Oracle Key Vault will then begin a name resolution operation and may rename the user account to a name that is unique across the cluster. If there is a naming collision, then the collision will be reported on the Conflicts page on any node in the cluster. The user account will then be renamed to a unique name. You will need to go to a read-write node of the cluster and either accept the renamed user account or change the user account name. If you change the user account name, then this will restart the name resolution operation and the user account will return to a PENDING state. A user account in the PENDING state cannot be used to perform most operations.
  6. Optionally, add the user's full name in Full Name.
  7. For the password, do one of the following:
    • Auto Generate Password: Select this option to have a password automatically generated and sent to the user. The user will receive a message with Oracle Key Vault: System Generated User Password in the subject line. When the user logs in to the Oracle Key Vault management console for the first time, he or she will be asked to change the password.

      The SMTP server configuration must be configured to use this option.

    • Password and Re-type password: Enter a valid password. Passwords must have 8 or more characters and contain at least one of each of the following: an uppercase letter, lowercase letter, number, and special character. The special characters allowed are period (.), comma (,), underscore (_), plus sign (+), colon (:), and space.

  8. Click Save.

    The Manage Users page appears and lists the new user. If the user is in the PENDING state, then it remains in the Users being created section until it transitions to the ACTIVE state, similar to the following example.
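The user-name and password rules in the procedure above (30 characters on a stand-alone server, 24 in a multi-master cluster, no clash with an endpoint name; passwords of 8 or more characters with an uppercase letter, a lowercase letter, a digit and one of the listed special characters) are easy to get wrong when accounts are provisioned by script. The following is an added example, not Oracle's code, that encodes those rules as pre-checks; the function names, the case-insensitive name comparison and the sample inventory are this example's own assumptions.

```python
"""Input checks for a new Oracle Key Vault user account (added example, not Oracle's code)."""

# Special characters the page lists as allowed in passwords.
ALLOWED_SPECIALS = frozenset(".,_+: ")
MAX_NAME_LEN_SINGLE = 30   # user-name limit on a stand-alone server
MAX_NAME_LEN_CLUSTER = 24  # limit in a multi-master cluster (room for auto-rename)
MIN_PASSWORD_LEN = 8


def validate_user_name(name, existing_users, existing_endpoints, in_cluster):
    """Return a list of rule violations for a proposed user name (empty = OK).

    Assumption of this example: names are compared case-insensitively; the page
    says only that a user name must not equal another user or endpoint name.
    """
    problems = []
    limit = MAX_NAME_LEN_CLUSTER if in_cluster else MAX_NAME_LEN_SINGLE
    if not name:
        problems.append("user name is empty")
    elif len(name) > limit:
        problems.append("user name longer than %d characters" % limit)
    lowered = name.lower()
    if lowered in (u.lower() for u in existing_users):
        problems.append("user name already belongs to another user")
    if lowered in (e.lower() for e in existing_endpoints):
        problems.append("user name is the same as an endpoint name")
    return problems


def validate_password(password):
    """Return a list of rule violations for a proposed password (empty = OK)."""
    problems = []
    if len(password) < MIN_PASSWORD_LEN:
        problems.append("password shorter than %d characters" % MIN_PASSWORD_LEN)
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in ALLOWED_SPECIALS for c in password):
        problems.append("no special character from the allowed set")
    # Anything that is neither an ASCII letter/digit nor an allowed special is rejected.
    bad = sorted({c for c in password
                  if not (c.isascii() and c.isalnum()) and c not in ALLOWED_SPECIALS})
    if bad:
        problems.append("disallowed characters: %s" % "".join(bad))
    return problems


def check_new_user(name, password, existing_users, existing_endpoints, in_cluster):
    """Run both checks; returns (ok, problems)."""
    problems = validate_user_name(name, existing_users, existing_endpoints, in_cluster)
    problems += validate_password(password)
    return (not problems, problems)


if __name__ == "__main__":
    # Constructed sample inventory for the demo, not real data.
    users = ["OKV_ALL_JANE", "OKV_SYS_KEYS_JOE"]
    endpoints = ["HR_DB_ENDPOINT"]
    for name, pwd in [("OKV_KEYS_KATE", "Key_V4ult:ok"),
                      ("hr_db_endpoint", "Key-V4ult"),
                      ("A_VERY_LONG_USER_NAME_FOR_CLUSTER", "weak")]:
        ok, problems = check_new_user(name, pwd, users, endpoints, in_cluster=True)
        print(name, "OK" if ok else "; ".join(problems))
```

Run with `in_cluster=True` when the target server is already a cluster node, since the console enforces the shorter 24-character limit there; the console remains the authority, and these checks only stop obviously bad input before it reaches it.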



7.1.4 Viewing User Account Details

All administrative users can view the list of Oracle Key Vault user accounts and their details.

Users without any of the three administrative roles can only see their own user details. The User Details page provides a consolidated view of the Oracle Key Vault user. This is the page where all user management tasks are performed.

  1. Log in to the Oracle Key Vault management console.
  2. Select Users.

    The Manage Users page appears displaying the list of users. You can sort and search the list by the column user name, full name, or roles.

  3. Click on a user name to display the User Details page.

7.1.5 Deleting an Oracle Key Vault User Account

Deleting an Oracle Key Vault user removes the user from any user groups the user was part of in Oracle Key Vault.

The operation does not delete any security objects managed by the user. Administrators can only delete users that are not in the PENDING state.

  1. Log in to the Oracle Key Vault management console as a user with the System Administrator role and the same roles as the user being deleted.
  2. Select the Users tab.

    The Manage Users page appears displaying the list of users.

  3. Check the boxes by the users you want to delete.
  4. Click Delete.
  5. In the confirmation dialog box, click OK.
  6. Click Save.

7.2 Managing Administrative Roles and Privileges

Oracle Key Vault has predefined administrative roles that you can grant to users, change for a user, or revoke from users.

7.2.1 About Managing Administrative Roles

You can grant or change an administrative role for a user account that you have added.

You must hold an administrative role yourself to grant it to other users. You can also revoke an administrative role when it is no longer needed. You cannot add, change, or delete the roles themselves; only the predefined roles are available.

If you are using a multi-master cluster environment, then you cannot grant, change, or revoke administrative roles for users in the PENDING state.

7.2.2 Granting or Changing an Administrative Role of a User

You can use the Manage Users page to grant or change a user administrative role.

  1. Log in to the Oracle Key Vault management console as a user who has the same role that is to be granted.
    For example, if the user needs the System Administrator role, then log in as a user who has been granted the System Administrator role.
  2. Click the Users tab.

    The Manage Users page appears displaying the list of users.

    [Illustration: manage-users-screenshot.png]

  3. Click the name of the user in the User Name column.

    The User Details page appears. The User Details page provides a consolidated view of the Oracle Key Vault user. It displays the following user information: user name, email, administrative roles, membership in user groups, and access to security objects.

    [Illustration: screenshot-7.1.2.1-step-3.png]

  4. To grant a role, check the Roles box for the role you want to grant.

    To change a role, uncheck the box for the previous role and check the box by the new role. If you do not see the role listed that you want to grant, then you are logged in as a user who does not have that role and therefore do not have the privilege to grant it.

  5. Click Save.

7.2.3 Granting a User Access to a Virtual Wallet

A user with the Key Administrator role controls access to security objects for users, endpoints, and their respective groups.

Any user can be granted access to security objects in Oracle Key Vault at a level that is appropriate to their function in the organization.

You cannot grant access to a virtual wallet if the wallet is in the PENDING state.

  1. Log in to the Oracle Key Vault management console as a user who has the Key Administrator role.
  2. Select the Users tab, and then select Manage Users.

    The Manage Users page appears displaying the list of users.

  3. Click the name of the user to whom you want to grant access.

    The User Details page appears.

  4. Click Add in the Access to Wallets section.

    The Add Access to User page appears.

  5. Select the wallet under Select Wallet.
  6. Set the access level to the selected wallet under Select Access Level: Read Only, Read and Modify, or Manage Wallet.

    Set access levels when you grant access to the wallet, if you know the level to grant. You can also set or modify access levels from the wallet menu.

  7. Click Save.

7.2.4 Revoking an Administrative Role from a User

You can use the Manage Users page to revoke a role from a user.

  1. Log in to the Oracle Key Vault management console as a user who has the same role that is to be revoked.
    You can only grant and revoke roles for which you are an administrator.
  2. Click the Users tab.

    The Manage Users page appears displaying the list of users.

    [Illustration: manage-users-screenshot.png]

  3. Click the user name whose role you want to revoke.

    The User Details page appears.

  4. Uncheck the box for the role you want to revoke.
  5. Click Save.

7.3 Managing User Passwords

You or the user can change the user's password. You also can have passwords reset automatically.

7.3.1 About Changing User Passwords

Any valid Oracle Key Vault user can change his or her own password.

You can reset the password of another user if you have at minimum the same administrative role as that user. For example, if you want to change the password of a user who has the Audit Manager role, then you also must have the Audit Manager role before you can change the password.

Consider the following users and roles:

  User               System Admin   Key Admin   Audit Manager
  OKV_ALL_JANE       Yes            Yes         Yes
  OKV_SYS_KEYS_JOE   Yes            Yes         -
  OKV_SYS_SEAN       Yes            -           -
  OKV_KEYS_KATE      -              Yes         -
  OKV_AUD_AUDREY     -              -           Yes
  OKV_OLIVER         -              -           -

Suppose that user OKV_SYS_KEYS_JOE, who has the System Administrator and Key Administrator roles, is logged in and wants to change the other users' passwords. The following happens:

  • OKV_KEYS_KATE: OKV_SYS_KEYS_JOE can change the password for OKV_KEYS_KATE because they have the Key Administrator role in common.

  • OKV_AUD_AUDREY: OKV_SYS_KEYS_JOE cannot change OKV_AUD_AUDREY's password because OKV_SYS_KEYS_JOE does not have the Audit Manager role.

  • OKV_ALL_JANE: OKV_SYS_KEYS_JOE cannot change the password for user OKV_ALL_JANE because he does not have the Audit Manager role.

  • OKV_OLIVER: OKV_SYS_KEYS_JOE can change the password for user OKV_OLIVER, who has no roles at all.

Any user can change his or her own password.

Assuming you have privileges to do so, you can change the password of another user by using either of the following methods:

  • Specify a new password for the other user and then notify this user of the new password by using any out-of-band method.
  • Send the user a randomly generated one-time password to their email account.
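The rule above (you may reset another user's password only if you hold at minimum the same administrative roles as that user) is a superset test on role sets, and the "Reset passwords using email only" option described later in this chapter further narrows which reset method is available. The following is an added example, not Oracle's code, that encodes both using the user table from the text; the superset interpretation, the function names and the `email_only` / `smtp_configured` flags are this example's assumptions. It also covers a case the text does not list: by the same rule OKV_SYS_KEYS_JOE can reset OKV_SYS_SEAN's password, since Joe holds System Administrator.

```python
"""Who may reset whose password in Oracle Key Vault (added example, not Oracle's code)."""

SYSTEM_ADMIN = "System Administrator"
KEY_ADMIN = "Key Administrator"
AUDIT_MANAGER = "Audit Manager"

# Users and roles, copied from the table in the text.
USERS = {
    "OKV_ALL_JANE":     frozenset({SYSTEM_ADMIN, KEY_ADMIN, AUDIT_MANAGER}),
    "OKV_SYS_KEYS_JOE": frozenset({SYSTEM_ADMIN, KEY_ADMIN}),
    "OKV_SYS_SEAN":     frozenset({SYSTEM_ADMIN}),
    "OKV_KEYS_KATE":    frozenset({KEY_ADMIN}),
    "OKV_AUD_AUDREY":   frozenset({AUDIT_MANAGER}),
    "OKV_OLIVER":       frozenset(),
}


def can_reset_password(actor, target, users=USERS):
    """True if `actor` may reset `target`'s password.

    Everyone may change their own password. For anyone else, the actor's roles
    must be a superset of the target's roles: lacking even one of the target's
    roles (for example Audit Manager) blocks the reset.
    """
    if actor == target:
        return True
    return users[target] <= users[actor]


def missing_roles(actor, target, users=USERS):
    """Roles the actor would need before being allowed to reset the target's password."""
    return sorted(users[target] - users[actor])


def reset_targets(actor, users=USERS):
    """All other users whose password `actor` is allowed to reset."""
    return sorted(u for u in users if u != actor and can_reset_password(actor, u, users))


def allowed_reset_methods(actor, target, email_only, smtp_configured, users=USERS):
    """Which reset methods the actor may use on the target.

    `email_only` models the "Reset passwords using email only" option on the
    System Recovery page; `smtp_configured` models whether SMTP is set up, which
    the email method requires. Both flags are inputs assumed by this example.
    """
    if actor == target:
        return {"change-own"}  # done through Change Password, never a reset
    if not can_reset_password(actor, target, users):
        return set()
    methods = set()
    if smtp_configured:
        methods.add("email")
    if not email_only:
        methods.add("manual")
    return methods


if __name__ == "__main__":
    actor = "OKV_SYS_KEYS_JOE"
    for target in USERS:
        if target == actor:
            continue
        verdict = "can" if can_reset_password(actor, target) else "cannot"
        print("%s %s reset %s (missing: %s)" % (
            actor, verdict, target, ", ".join(missing_roles(actor, target)) or "none"))
```

With `email_only=True` the manual method disappears even for an actor who passes the role test, which is exactly the property the email-only option buys: the new password is never known to the administrator who triggered the reset.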

7.3.2 Changing Your Own Password

Any user can change his or her own Oracle Key Vault account password.

  1. Log in to the Oracle Key Vault management console.
  2. Select the Users tab.

    The Manage Users page appears displaying the list of users.

  3. Select Change Password from the left sidebar.

    The Change Password for <your user name> page appears.

    [Illustration: okv_45.png]

  4. Enter your current password in Current Password.
  5. Enter the new password in New Password and Re-enter New Password.
  6. Click Save.

7.3.3 Changing Another User's Password

You can change another user's password if you have the identical administrative role (at minimum) as the user whose password you want to reset.

7.3.3.1 Changing a Password Manually

You can change the password manually for a user and then use any out-of-band method to notify the user of the new password.

This method of changing a password is available only when the Reset passwords using email only option in the User Password Recovery tab of the System Recovery page is not checked.

  1. Log in to the Oracle Key Vault management console as a user with the System Administrator role.
  2. Select the Users tab.

    The Manage Users page displays the list of users.

  3. Click the user name whose password you want to change.

    The User Details page appears.

  4. Click Reset Password.

    The Reset User Password page appears.

    [Illustration: reset_user_password.png]

  5. Enter the new password in New Password and Re-type New Password.
  6. Click Save.

7.3.3.2 Changing a Password Through Email Notification

You can change a user's password by sending them a randomly generated one-time password to their email account.

This one-time password can be sent directly from Oracle Key Vault to the user. You must configure SMTP in email settings in order to use this feature. Oracle recommends that you restrict password recovery functionality to use this method by selecting the Reset passwords using email only option in the User Password Recovery tab of the System Recovery page.

  1. Log in to the Oracle Key Vault management console.
  2. Select the Users tab.

    The Manage Users page appears displaying the list of users.

  3. Click the user name of the user whose password you want to change.

    The User Details page appears.

  4. Click Reset Password.

    The Reset User Password page appears.

    [Illustration: auto_generate_pwd.png]

  5. Check the box by Auto Generate Password.

    An email address field appears.

  6. Enter the email address of the user.
  7. Click Save.

If you check Auto Generate Password without configuring SMTP, a link to Email Settings appears. Click the link to configure email settings and repeat the steps in this topic.

7.3.3.3 Changing Operating System User Account Passwords

Before you perform the post-installation configuration task after the Oracle Key Vault installation, you can change the passwords for the root and support accounts in the server terminal console.

After that, you can use SSH to change the root and support passwords. (When you install Oracle Key Vault, you create these accounts as part of the process.) The root and support users are prompted to change their passwords at the next login after the password expiration time has passed. The expiration time is 365 days, with a warning at 120 days; with STIG, it is 60 days, with a warning at 60 days.

  1. Connect to the server console.
  2. Select Set User Passwords to set the root and support user passwords. Press Enter.

    The Set User Passwords screen appears.

    [Illustration: os_user_pwd_change2.png]

  3. Select Set root password or Set support password and press Enter.
  4. Type the new password in the Password and Confirm fields, and then select OK and press Enter.

    The Installation Passphrase screen appears.

    [Illustration: os_user_pwd_change4.png]

  5. Enter the installation passphrase and then press Enter.

7.3.4 Controlling the Use of Password Reset Methods

You can restrict the ability of users to reset another user's password manually so that only password reset operations through email notifications are allowed.

7.3.4.1 About Controlling the Use of Password Reset Methods

You can configure Oracle Key Vault to only allow users to change another user's password by sending them a randomly generated one-time password through email.

The user performing a password change for another user must be either an Oracle Key Vault administrator or have the same or higher privileges as the user whose password needs to be reset.

By default, there are two ways to change another user's password:

  • Manually, in which you create a new password for the user. In this scenario, both you and the user will know the password (until this user manually changes his or her own password).
  • Automatically, in which you trigger an automatically generated password for the user, who is then emailed the new password on a one-time basis. In this scenario, only the user knows his or her new password.

You can enable only automatic password generation through email notification and disable manual password reset operations. The email notification uses the email ID that is associated with the user's account. The benefit of this feature is that the newly generated password is known only to the user whose password needed to be reset, not to the user who initiated the user's password change. Users can still change their own passwords when this feature is enabled.

When this feature is disabled, both methods of resetting another user's password are allowed: manual password reset operations and automatic password reset operations.

7.3.4.2 Configuring the Use of Password Reset Operations

A user who has access to the system recovery passphrase can configure the use of password reset operations.

  1. Navigate to the Oracle Key Vault management console, but do not log in.
  2. At the bottom of the login screen, click the System Recovery button.
  3. When prompted, enter the system recovery passphrase.
  4. Select the User Password Recovery tab.
  5. In the User Password Recovery page, select the Reset Passwords Using Email Only option to enable or disable this option.

7.4 Managing User Email

Oracle Key Vault users should have their current email on file so that they can receive alerts such as system changes.

7.4.1 Changing the User Email Address

After creating a user account, you can add or change the user's email address.

  1. Log in to the Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the Users tab.

    The Manage Users page appears displaying the list of users.

  3. Click the user's name in the User Name column.

    The User Details page appears.

  4. Enter the email address in Email.
  5. Click Save.

7.4.2 Disabling Email Notifications for a User

You can disable email notifications for a user on the User Details page.

  1. Log in to the Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the Users tab.
    The Manage Users page appears displaying the list of users.
  3. Click the user's name in the User Name column.
  4. Select the Do not receive email alerts option.
  5. Click Save.

7.5 Managing User Groups

You can organize users who have a common purpose into a named user group.

7.5.1 About Managing User Groups

Users who have the Key Administrator role can create, modify, and delete user groups.

This enables them to manage user group access to virtual wallets. After a user group is created, you can modify its details.

The main purpose of a user group is to simplify access control to security objects. If a set of users needs access to a common set of security objects, then you can assign these users to a group and grant the group access instead of granting access to each user or based on each security object. When certain users no longer need access to the security objects, you can remove them from the group. You can add new users to the group. You can modify the group's access level to security objects at any time.

7.5.2 How a Multi-Master Cluster Affects User Groups

User groups are used at the Oracle Key Vault server and cluster level to group user roles and permissions.

When new servers are inducted into the cluster, Oracle Key Vault replaces any user group information that is in the cluster. You can create new user groups in the cluster from a read-write pair.

User groups created in a node after the node is added to an Oracle Key Vault cluster will have a cluster-wide presence. User groups created on two different nodes could have name conflicts. Oracle Key Vault automatically resolves the user group name conflicts. These conflicts will be displayed in the Conflicts Resolution page and administrators can choose to rename them.

Note the following:

  • You cannot change membership by adding or removing users when the user group is in a PENDING state. Similarly, users in a pending state cannot be added to, or removed from a user group in the ACTIVE state.
  • You cannot change access mapping for users and user groups if a wallet is in the PENDING state. Similarly, users and user groups in a pending state cannot be added to, or removed from a wallet access mapping even when the wallet is in the ACTIVE state.

7.5.3 Creating a User Group

You can create a user group when a set of users must manage a set of common security objects.

You can add users to the group when you create the group or later after creating the group.

  1. Log in to the Oracle Key Vault management console as a user who has the Key Administrator role.
  2. Select the Users tab.

    The Manage Users page appears displaying the list of users.

  3. Select Manage Access from the left sidebar.

    The User Groups page appears displaying existing user groups.

    [Illustration: user-groups-screenshot.png]

  4. Click Create User Group.

    The Create User Group page appears.

    [Illustration: create-user-group.png]

  5. In the Name field, enter the name of the new group and in the Description field, a brief description.
  6. If you are using a multi-master cluster, then choose whether to select the Make Unique checkbox.
    Make Unique helps to control naming conflicts with names across the multi-master cluster environment. User groups that were created before an Oracle Key Vault conversion to a cluster node are not affected by naming conflicts.
    • If you select Make Unique, then the group name will be active immediately and this user group can be used in user operations. Clicking Make Unique also displays a list of users that you can add to the group.
    • If you do not select Make Unique, then the user group will be created in the PENDING state. Oracle Key Vault will then begin a name resolution operation and may rename the user group to a name that is unique across the cluster. If there is a naming collision, then the collision will be reported on the Conflicts page on any node in the cluster. The user group will then be renamed to a unique name. You will need to go to a read-write node of the cluster and either accept the renamed user group or change the user group name. If you change the user group name, then this will restart the name resolution operation and the user group will return to a PENDING state. A user group in the PENDING state cannot be used to perform most operations.
  7. In Description, optionally, enter a description for the user group.
  8. Click Save.

7.5.4 Adding a User to a User Group

You can add an existing user to a user group if that user must manage the same security objects as the group.

If both the user and user group are in the ACTIVE state, then you can add users to a group when you create the group or later after creating the groups.

  1. Log in to the Oracle Key Vault management console as a user who has the Key Administrator role.
  2. Click the Users tab, then Manage Access.

    The User Groups page appears displaying a list of existing user groups.

  3. Click the pencil icon in the Details column for the user group.

    The User Group Details page appears.

  4. Click Add in the User Group Members pane.
    The Add User Group Members page appears displaying the list of existing users who are not in the user group.
  5. Check the boxes for the users you want to add.
  6. Click Save.

7.5.5 Granting a User Group Access to a Virtual Wallet

You can modify the access level to a virtual wallet for a user group as functional needs change.

However, you can only modify the access level if the user group and wallet are in the ACTIVE state.

  1. Log in to the Oracle Key Vault management console as a user who has the Key Administrator role.
  2. Select the Users tab, and then select Manage Access.

    The User Groups page appears displaying a list of existing user groups.

  3. Click the pencil icon in the Details column, for the user group that you want to modify.

    The User Group Details page appears.

  4. Click Add in the Access to Wallets section.

    The Add Access to User Group page appears.

  5. Select the wallet in Select Wallet.
  6. Set the access level to the selected wallet in Select Access Level.
    Select Read Only, Read and Modify, or Manage Wallet.
  7. Click Save.

7.5.6 Renaming a User Group

Depending on its status, you can change the name of a user group.

In a multi-master cluster, if the user group is in the PENDING state, then only the creator user can rename the user group.

  1. Log in to the Oracle Key Vault management console as a user who has the Key Administrator role.
  2. Select the Users tab, and then select Manage Access.
    The User Groups page appears.
  3. On the User Groups page, select the pencil icon in the Details column, for the user group that you want to modify.
    The User Group Details page appears.
  4. Enter a new name in the Name field.
    If this node is part of a multi-master cluster and you do not select Make Unique, the user group will enter the PENDING state after being renamed.
  5. Click Save.

7.5.7 Changing a User Group Description

A group description is useful for identifying the purpose of the group.

You can change this description at any time to match the purpose of the group. In a multi-master cluster, if the user group is in the PENDING state, then only the creator can modify the user group description.

  1. Log in to the Oracle Key Vault management console as a user who has the Key Administrator role.
  2. Select the Users tab, and then select Manage Access.
    The User Groups page appears.
  3. On the User Groups page, select the pencil icon in the Details column, for the user group that you want to modify.
    The User Group Details page appears.
  4. Enter a new description in the Description field.
  5. Click Save.

7.5.8 Removing a User from a User Group

Depending on the circumstances, you can remove a user from a user group.

In a multi-master cluster, if both the user and the user group are in the ACTIVE state, then you can remove users from a user group. You may want to remove these users when their function in the organization changes, and they no longer need to manage the same security objects as the group.

  1. Log in to the Oracle Key Vault management console as a user who has the Key Administrator role.
  2. Click the Users tab, then Manage Access.

    The User Groups page appears displaying a list of existing user groups.

  3. Click the pencil icon in the Details column for the user group.

    The User Group Details page appears.

  4. In the User Group Members region, check the boxes for the users you want to remove.
  5. Click Remove.
  6. Click OK to confirm.

7.5.9 Deleting a User Group

You can delete a user group when the users in the group do not need to access the same security objects.

Removing a user group automatically deletes the group's access to wallets and security objects. In a multi-master cluster, if a user group is in the PENDING state, then only the creator can delete it.

  1. Log in to the Oracle Key Vault management console as a user who has been granted the Key Administrator role.
  2. Select the Users tab, and then select Manage Access.

    The User Groups page appears.

  3. Check the boxes for the user groups that you want to delete.
  4. Click Delete.
  5. Click OK to confirm.