Managing user access

IBM Cloud Hyper Protect Crypto Services supports a centralized access control system, which is governed by IBM Cloud® Identity and Access Management, to help you manage users and access for your encryption keys.

Roles and permissions

The following table shows the roles that Hyper Protect Crypto Services supports.

Table 1. Roles and permissions
Roles	Permissions
Service administrator	Manages platform access and service access, grants access to vaults, creates and deletes service instances, and manages keys. An IBM Cloud account owner is automatically assigned the service administrator permission.
Crypto unit administrator	Provides signature keys, and signs Trusted Key Entry (TKE) administrative commands such as for adding another crypto unit administrator. In some cases, a crypto unit administrator can also be a master key custodian.
Master key custodian	Provides master key parts for initializing a service instance. In some cases, a master key custodian can also be a crypto unit administrator.
Service user	Manages root keys and standard keys through user interface and the API, and performs cryptographic operations through the PKCS #11 API or the Enterprise PKCS #11 over gRPC (GREP11) API. Based on the platform access roles and service access roles, service users can be further categorized with various permissions.

IAM platform access roles

With Cloud Identity and Access Management (IAM), you, as an account owner or a service administrator, can manage and define access for service users and resources in your IBM Cloud account.

To simplify access, Hyper Protect Crypto Services aligns with IAM roles so that each user has a different view of the service, according to the role the user is assigned. If you are a service administrator, you can assign Cloud IAM roles that correspond to the specific Hyper Protect Crypto Services permissions you want to grant to members of your team.

The following table lists the IBM Cloud IAM roles in the context of Hyper Protect Crypto Services. For complete IAM documentation and how to assign access, see Best practices for setting up custom roles for Unified Key Orchestrator.

Use IBM Cloud platform access roles to grant permissions at the account level, such as the ability to create or delete instances in your IBM Cloud account.

Table 2. Lists platform management roles as they apply to Hyper Protect Crypto Services
Action	Viewer	Editor	Operator	Administrator
View Hyper Protect Crypto Services instances.
Create Hyper Protect Crypto Services instances.
Delete Hyper Protect Crypto Services instances.
Invite new users and manage access policies.

If you're an account owner, you are automatically assigned Administrator platform access to your Hyper Protect Crypto Services service instances so you can further assign roles and customize access policies for others.

IAM service access roles

As a service administrator, you can use the service access roles to grant permissions of service users at the service level, such as the ability to view, create, or delete Hyper Protect Crypto Services keys.

As a Reader, you can browse a high-level view of keys. Readers cannot create, modify, or delete keys.
As a ReaderPlus, you have the same permissions as a Reader, with the additional ability to retrieve a standard key's material.
As a Writer, you can create, modify, rotate, and use keys. Writers cannot delete or disable keys.
As a Manager, you can perform all actions that a Reader, ReaderPlus and Writer can perform, including the ability to delete keys and set policies for keys.
As a VMware KMIP Manager, you can configure KMIP for VMware with Hyper Protect Crypto Services to enable encryption with your own root keys.
As a Vault Administrator, you can manage vaults, keystores, and templates, and perform destructive lifecycle actions on managed keys in Unified Key Orchestrator. Different vaults can be used to separate teams, lines of business, or customers. You can also add paid keystores if you already exceed the limit of free keystores.
As a Key Custodian - Creator, you can create and manage keys in Unified Key Orchestrator. For a complete key lifecycle, both the Key Custodian - Creator and Key Custodian - Deployer roles are needed.
As a Key Custodian - Deployer, you can deploy and manage keys in Unified Key Orchestrator. For a complete key lifecycle, both the Key Custodian - Creator and Key Custodian - Deployer roles are needed.

To implement separation of duties, assign Key Custodian - Creator and Key Custodian - Deployer roles to different people.

The following table shows how service access roles map to Hyper Protect Crypto Services permissions. IAM roles are the default roles provided. You can also define and create service-level custom roles according to the needs of your enterprise.

Trusted Key Entry (TKE) uses either smart cards or software CLI plug-in with IAM authentication. Commands that deals with managing keys locally on the smart card or CLI are not included. Those commands do not interact with the HSM domain.
Unified Key Orchestrator is used for multicloud key management and orchestration. Apart from setting default IAM roles, you can also create custom Unified Key Orchestrator roles according to your needs.
HSM APIs (the PKCS #11 API and the GREP11 API) are used for application-level encryption.
Key Management Interoperability Protocol (KMIP) adapter is used to configure the KMIP for VMware service with Hyper Protect Crypto Services to enable vSphere encryption or vSAN encryption by using your own root keys.

Table 3. Lists service access roles as they apply to Hyper Protect Crypto Services TKE commands
Action	Reader	ReaderPlus	Writer	Manager
TKE view state: `ibmcloud tke cryptounit-admins`,`ibmcloud tke cryptounit-compare`,`ibmcloud tke cryptounit-thrhlds`,`ibmcloud tke cryptounit-mk`.
TKE set context: `ibmcloud tke-cryptounit-add`, `ibmcloud tke-cryptounit-rm`.
TKE admin add or remove: `ibmcloud tke cryptounit-admin-add`, `ibmcloud tke cryptounit-admin-rm`.
TKE Set Admin Quorum Threshold: `ibmcloud tke -cryptounit-thrhld-set.`
TKE Master Key operations (load, rotate, clear, zeroize, recover): `ibmcloud tke cryptounit-mk-*`, `ibmcloud tke auto-init`, `ibmcloud tke auto-mk-rotate`, `ibmcloud tke auto-recover`.

Table 5. Lists service access roles as they apply to Unified Key Orchestrator
Action	Reader	Key custodian - Deployer	Key custodian - Creator	Vault administrator	Manager
Activate a preactive key.
Destroy a preactive key.
Deactivate an active key.
Assign an active key.
Unlink an active key.
Destroy a deactivated key.
Assign a deactivated key.
Reactivate a deactivated key.
Unlink a deactivated key.
Remove a destroyed key from Vault.
Read managed key details.
List managed keys.
Write or edit managed key details.
Rotate a managed key.
Delete a managed key.
Generate key materials for a key.
Distribute a key into assigned keystores.
Write key activation or expiration dates.
Write key tags.
Read keystore details.
List keystores.
Write or edit keystore details.
Delete an internal keystore, or disconnect from an external keystore.
Read key template details.
List key templates.
Write or edit key templates.
Delete key templates.
Read vault details.
List vaults.
Write or edit vault details.
Delete a vault.
Start billing of UKO base price by using external keystores.
Create a paid keystore beyond the free amount.

Table 6. Lists service access roles as they apply to Hyper Protect Crypto Services key resources
Action	Reader	ReaderPlus	Writer	Manager	KMS Key Purge
Create a key.
Import a key.
Retrieve a key.
Retrieve key metadata.
Retrieve key total.
List keys.
Wrap a key.
Unwrap a key.
Rewrap a key.
Patch a key.
Rotate a key.
Disable a key.
Enable a key.
Schedule deletion for a key.
Cancel deletion for a key.
Delete a key.
Purge a key.
Restore a key.
Set key policies.
List key policies.
Set instance policies.
List instance policies.
Create an import token.
Retrieve an import token.
Create a registration.¹
List registrations for a key.
List registrations for any key.
Update a registration.¹
Replace a registration.¹
Delete a registration.¹
Create a key ring.
List key rings.
Delete a key ring.
Create a key alias.
Delete a key alias.

1: This action is performed on your behalf by an integrated service that enables support for key registration. Learn more.

Table 7. Lists service access roles as they apply to HSM APIs
Action	Reader	ReaderPlus	Writer	Manager
Get mechanism list and information
Create or delete keystore
List keystores
Generate key
Generate key pair
Store key
Generate random
List keys
Get or set key attribute
Wrap key
Rewrap key
Unwrap key
Update key
Encrypt
Decrypt
Sign
Verify
Digest

Table 8. Lists service access roles as they apply to KMIP adapter
Action	Reader	ReaderPlus	Writer	Manager	VMware KMIP Manager
Activate KMIP endpoint.
Deactivate KMIP endpoint.
Get status of KMIP endpoint.
Add client certificates to KMIP endpoint for usage of mutual TLS.
Delete client certificates from KMIP endpoint for usage of mutual TLS.

Assigning access to Hyper Protect Crypto Services in the UI

There are two common ways to assign access in the UI:

Access policies per user. You can manage access policies per user from the Manage > Access (IAM) > Users page in the UI. For information about the steps to assign IAM access, see Managing access to resources.
Access groups. Access groups are used to streamline access management by assigning access to a group once, then you can add or remove users as needed from the group to control their access. You manage access groups and their access from the Manage > Access (IAM) > Access groups page in the UI. For more information, see Assigning access to a group in the UI.

Assigning access to Hyper Protect Crypto Services in the CLI

For step-by-step instructions for assigning, removing, and reviewing access, see Assigning access ro resources by using the CLI. The following example shows a command for assigning the Writer role for the service instance:

Use <hs-crypto> for the service name. Also, use quotations around role names that are more than one word like the example here.

ibmcloud iam user-policy-create USER@EXAMPLE.COM --service-name hs-crypto --service-instance <instance-id> --roles "Writer"

Assigning access to Hyper Protect Crypto Services by using the API

For step-by-step instructions for assigning, removing, and reviewing access, see Assigning access to resources by using the API or the Create a policy API docs. Role cloud resource names (CRN) in the following table are used to assign access with the API.

Table 9. Role ID values for API use
Role name	Role CRN
Viewer	`crn:v1:bluemix:public:hs-crypto::::serviceRole:Viewer`
Operator	`crn:v1:bluemix:public:hs-crypto::::serviceRole:Operator`
Editor	`crn:v1:bluemix:public:hs-crypto::::serviceRole:Editor`
Administrator	`crn:v1:bluemix:public:hs-crypto::::serviceRole:Administrator`
Reader	`crn:v1:bluemix:public:hs-crypto::::serviceRole:Reader`
ReaderPlus	`crn:v1:bluemix:public:hs-crypto::::serviceRole:ReaderPlus`
Writer	`crn:v1:bluemix:public:hs-crypto::::serviceRole:Writer`
Manager	`crn:v1:bluemix:public:hs-crypto::::serviceRole:Manager`
VMware KMIP Manager	`crn:v1:bluemix:public:hs-crypto::::serviceRole:VMwareKMIPManager`
Vault Administrator	`crn:v1:bluemix:public:hs-crypto::::serviceRole:VaultAdministrator`
Key Custodian - Creator	`crn:v1:bluemix:public:hs-crypto::::serviceRole:KeyCustodianCreator`
Key Custodian - Deployer	`crn:v1:bluemix:public:hs-crypto::::serviceRole:KeyCustodianDeployer`

The following example is for assigning the Writer role for the service instance:

Use <hs-crypto> for the service name, and refer to the Role ID values table to ensure that you're using the correct value for the CRN.

curl -X POST 'https://iam.cloud.ibm.com/v1/policies' -H 'Authorization: Bearer $TOKEN' -H 'Content-Type: application/json' -d '{
  "type": "access",
  "description": "Hyper Protect Crypto Services",
  "subjects": [
    {
      "attributes": [
        {
          "name": "iam_id",
          "value": "IBMid-123453user"
        }
      ]
    }'
  ],
  "roles":[
    {
      "role_id": "crn:v1:bluemix:public:hs-crypto::::serviceRole:Writer"
    }
  ],
  "resources":[
    {
      "attributes": [
        {
          "name": "accountId",
          "value": "$ACCOUNT_ID"
        },
        {
          "name": "serviceName",
          "value": "hs-crypto"
        }
      ]
    }
  ]
}

SubjectAttribute subjectAttribute = new SubjectAttribute.Builder()
      .name("iam_id")
      .value("IBMid-123453user")
      .build();

PolicySubject policySubjects = new PolicySubject.Builder()
      .addAttributes(subjectAttribute)
      .build();

PolicyRole policyRoles = new PolicyRole.Builder()
      .roleId("crn:v1:bluemix:public:hs-crypto::::serviceRole:Writer")
      .build();

ResourceAttribute accountIdResourceAttribute = new ResourceAttribute.Builder()
      .name("accountId")
      .value("ACCOUNT_ID")
      .operator("stringEquals")
      .build();

ResourceAttribute serviceNameResourceAttribute = new ResourceAttribute.Builder()
      .name("serviceName")
      .value("hs-crypto")
      .operator("stringEquals")
      .build();

PolicyResource policyResources = new PolicyResource.Builder()
      .addAttributes(accountIdResourceAttribute)
      .addAttributes(serviceNameResourceAttribute)
      .build();

CreatePolicyOptions options = new CreatePolicyOptions.Builder()
      .type("access")
      .subjects(Arrays.asList(policySubjects))
      .roles(Arrays.asList(policyRoles))
      .resources(Arrays.asList(policyResources))
      .build();

Response<Policy> response = service.createPolicy(options).execute();
Policy policy = response.getResult();

System.out.println(policy);

const policySubjects = [
  {
    attributes: [
      {
        name: 'iam_id',
        value: 'IBMid-123453user',
      },
    ],
  },
];
const policyRoles = [
  {
    role_id: 'crn:v1:bluemix:public:hs-crypto::::serviceRole:Writer',
  },
];
const accountIdResourceAttribute = {
  name: 'accountId',
  value: 'ACCOUNT_ID',
  operator: 'stringEquals',
};
const serviceNameResourceAttribute = {
  name: 'serviceName',
  value: 'hs-crypto',
  operator: 'stringEquals',
};
const policyResources = [
  {
    attributes: [accountIdResourceAttribute, serviceNameResourceAttribute]
  },
];
const params = {
  type: 'access',
  subjects: policySubjects,
  roles: policyRoles,
  resources: policyResources,
};

iamPolicyManagementService.createPolicy(params)
  .then(res => {
    examplePolicyId = res.result.id;
    console.log(JSON.stringify(res.result, null, 2));
  })
  .catch(err => {
    console.warn(err)
  });

policy_subjects = PolicySubject(
  attributes=[SubjectAttribute(name='iam_id', value='IBMid-123453user')])
policy_roles = PolicyRole(
  role_id='crn:v1:bluemix:public:hs-crypto::::serviceRole:Writer')
account_id_resource_attribute = ResourceAttribute(
  name='accountId', value='ACCOUNT_ID')
service_name_resource_attribute = ResourceAttribute(
  name='serviceName', value='hs-crypto')
policy_resources = PolicyResource(
  attributes=[account_id_resource_attribute,
        service_name_resource_attribute])

policy = iam_policy_management_service.create_policy(
  type='access',
  subjects=[policy_subjects],
  roles=[policy_roles],
  resources=[policy_resources]
).get_result()

print(json.dumps(policy, indent=2))

subjectAttribute := &iampolicymanagementv1.SubjectAttribute{
  Name:  core.StringPtr("iam_id"),
  Value: core.StringPtr("IBMid-123453user"),
}
policySubjects := &iampolicymanagementv1.PolicySubject{
  Attributes: []iampolicymanagementv1.SubjectAttribute{*subjectAttribute},
}
policyRoles := &iampolicymanagementv1.PolicyRole{
  RoleID: core.StringPtr("crn:v1:bluemix:public:hs-crypto::::serviceRole:Writer"),
}
accountIDResourceAttribute := &iampolicymanagementv1.ResourceAttribute{
  Name:     core.StringPtr("accountId"),
  Value:    core.StringPtr("ACCOUNT_ID"),
  Operator: core.StringPtr("stringEquals"),
}
serviceNameResourceAttribute := &iampolicymanagementv1.ResourceAttribute{
  Name:     core.StringPtr("serviceName"),
  Value:    core.StringPtr("hs-crypto"),
  Operator: core.StringPtr("stringEquals"),
}
policyResources := &iampolicymanagementv1.PolicyResource{
  Attributes: []iampolicymanagementv1.ResourceAttribute{
    *accountIDResourceAttribute, *serviceNameResourceAttribute}
}

options := iamPolicyManagementService.NewCreatePolicyOptions(
  "access",
  []iampolicymanagementv1.PolicySubject{*policySubjects},
  []iampolicymanagementv1.PolicyRole{*policyRoles},
  []iampolicymanagementv1.PolicyResource{*policyResources},
)

policy, response, err := iamPolicyManagementService.CreatePolicy(options)
if err != nil {
  panic(err)
}
b, _ := json.MarshalIndent(policy, "", "  ")
fmt.Println(string(b))

Assigning access to Hyper Protect Crypto Services by using Terraform

The following example is for assigning the Writer role for your service instance:

Use <hs-crypto> for the service name.

resource "ibm_iam_user_policy" "policy" {
  ibm_id = "test@example.com"
  roles  = ["Writer"]

  resources {
    service = "hs-crypto"
  }
}

For more information, see ibm_iam_user_policy.

Managing access to multiple instances

If you have multiple Hyper Protect Crypto Services instances in different accounts, you might need to leverage IBM Cloud enterprises to manage accounts and user access.

Create the enterprise hierarchy

With IBM Cloud enterprises, you can centrally manage multiple accounts and resources. You can create an enterprise hierarchy as needed by nesting account groups or accounts within the enterprise account. The access management to the enterprise and the child accounts is isolated to provide greater security. To learn how to create an enterprise and add accounts to an enterprise, see Best practices for organizing resources and assigning access.
Organize account resources in resource groups

Hyper Protect Crypto Services instances are associated with child accounts of the enterprise. Within each account, you can organize service instances in resource groups so that you can assign different access policies to each resource group to enable independent access control. For how to create resource groups and organize resources, see Best practices for organizing resources.
Assign access to manage the enterprise and resources

Based on the Hyper Protect Crypto Services IAM platform roles and service roles that are listed, you can assign users respective access to each tier of the enterprise hierarchy. You can also group users or service IDs by defining access groups to streamline the process of assigning access. For more information about assigning access, Access management in the cloud.
Use IBM Cloud API keys

You can create IBM Cloud API keys for users or services to track and control API usage. The user API key is associated with the user identity and inherits all access that the user is assigned. The service API key is granted the access that is associated with a specific service ID. API keys can also be used to generate IAM tokens for API calls authentication. For how to manage API keys, see Managing user API keys and Managing service ID API keys.

The following example shows how to use the enterprise to manage multiple instances and user access. Assume that your organization has two Hyper Protect Crypto Services instances for development and production, and two separate teams are managing and operating these instances. you can create the following enterprise hierarchy to better manage accounts, instances, and user access:

Figure 2. An example of the enterprise hierarchy and user access management

Use separate accounts and distinct resource groups to manage instances for development purpose and production purpose.
Assign users the minimum access to the corresponding resources. For example, assign the enterprise managers the administrator role for accounts and billing management. Assign the developer team members the editor and manager roles for performing operations toward the development instance. Assign other members the viewer and reader role for viewing only instance resources.

What's next

Account owners and admins can invite users and set service policies that correspond to the Hyper Protect Crypto Services actions the users can perform. For more information about assigning user roles, see Managing access to resources.