IBM Cloud Docs
Setting up custom roles for Unified Key Orchestrator

To manage users and access to Unified Key Orchestrator keys, keystores, and vaults, Hyper Protect Crypto Services provides default service-level IAM access roles to assign and control access. If you want to set up more granular custom roles to manage user access to meet the requirements of your enterprise, here are some best practices that you can follow.

Step 1: Create custom IAM roles

To create a custom role, complete the following steps:

  1. In the UI, go to Manage > Access (IAM), and select Roles.

  2. Click Create.

  3. Enter a name for your role. This name must be unique within the account. You can see this role name in the UI when you assign access to the service.

  4. Enter an ID for the role. This ID is used in the CRN, which is used when you assign access by using the API. The role ID must begin with a capital letter and use alphanumeric characters only; for example, MyVaultAdministrator.

  5. Optionally, enter a succinct description that tells the users who assign access what level of access this role grants. This description is also displayed in the UI when you assign access to the service.

  6. From the list of services, select Hyper Protect Crypto Services.

  7. Select Add to add actions for the role.

    The following table lists the suggested custom roles and corresponding actions for your reference:

    Table 1. Custom roles and actions corresponding to the Unified Key Orchestrator operations

    Role: My vault administrator
    Description: Manages vaults.
    Actions:
      • hs-crypto.managed-keys.read
      • hs-crypto.managed-keys.list
      • hs-crypto.target-keystores.read
      • hs-crypto.target-keystores.list
      • hs-crypto.key-templates.read
      • hs-crypto.key-templates.list
      • hs-crypto.vaults.read
      • hs-crypto.vaults.list
      • hs-crypto.vaults.write
      • hs-crypto.vaults.delete
      • hs-crypto.uko.initiate-paid-upgrade
      • hs-crypto.uko.add-paid-keystore

    Role: My keystore administrator
    Description: Manages keystores.
    Actions:
      • hs-crypto.managed-keys.read
      • hs-crypto.managed-keys.list
      • hs-crypto.target-keystores.read
      • hs-crypto.target-keystores.list
      • hs-crypto.target-keystores.write
      • hs-crypto.target-keystores.delete
      • hs-crypto.key-templates.read
      • hs-crypto.key-templates.list
      • hs-crypto.vaults.read
      • hs-crypto.vaults.list
      • hs-crypto.uko.initiate-paid-upgrade
      • hs-crypto.uko.add-paid-keystore

    Role: My key administrator
    Description: Manages special permissions for administrative tasks, such as destructive actions.
    Actions:
      • hs-crypto.managed-keys.deactivated-destroy
      • hs-crypto.managed-keys.destroyed-remove
      • hs-crypto.managed-keys.read
      • hs-crypto.managed-keys.list
      • hs-crypto.managed-keys.delete
      • hs-crypto.target-keystores.read
      • hs-crypto.target-keystores.list
      • hs-crypto.key-templates.read
      • hs-crypto.key-templates.list
      • hs-crypto.key-templates.write
      • hs-crypto.key-templates.delete
      • hs-crypto.vaults.read
      • hs-crypto.vaults.list

    Role: My key custodian - creator
    Description: Manages and creates keys. For a complete key lifecycle, both the Creator and Deployer roles are needed. To implement separation of duties, assign the Creator and Deployer roles to different people.
    Actions:
      • hs-crypto.managed-keys.preactivation-destroy
      • hs-crypto.managed-keys.active-install
      • hs-crypto.managed-keys.active-uninstall
      • hs-crypto.managed-keys.deactivated-install
      • hs-crypto.managed-keys.deactivated-uninstall
      • hs-crypto.managed-keys.read
      • hs-crypto.managed-keys.list
      • hs-crypto.managed-keys.write
      • hs-crypto.managed-keys.generate
      • hs-crypto.managed-keys.distribute
      • hs-crypto.managed-keys.write-dates
      • hs-crypto.managed-keys.write-tags
      • hs-crypto.target-keystores.read
      • hs-crypto.target-keystores.list
      • hs-crypto.key-templates.read
      • hs-crypto.key-templates.list
      • hs-crypto.key-templates.write
      • hs-crypto.vaults.read
      • hs-crypto.vaults.list

    Role: My key custodian - deployer
    Description: Manages and deploys keys. For a complete key lifecycle, both the Creator and Deployer roles are needed. To implement separation of duties, assign the Creator and Deployer roles to different people.
    Actions:
      • hs-crypto.managed-keys.preactivation-activate
      • hs-crypto.managed-keys.preactivation-destroy
      • hs-crypto.managed-keys.active-deactivate
      • hs-crypto.managed-keys.active-install
      • hs-crypto.managed-keys.active-uninstall
      • hs-crypto.managed-keys.deactivated-install
      • hs-crypto.managed-keys.deactivated-reactivate
      • hs-crypto.managed-keys.deactivated-uninstall
      • hs-crypto.managed-keys.read
      • hs-crypto.managed-keys.list
      • hs-crypto.managed-keys.write
      • hs-crypto.managed-keys.distribute
      • hs-crypto.managed-keys.write-dates
      • hs-crypto.managed-keys.write-tags
      • hs-crypto.target-keystores.read
      • hs-crypto.target-keystores.list
      • hs-crypto.key-templates.read
      • hs-crypto.key-templates.list
      • hs-crypto.vaults.read
      • hs-crypto.vaults.list

    Role: My reader
    Description: Performs read-only actions for auditing purposes.
    Actions:
      • hs-crypto.managed-keys.read
      • hs-crypto.managed-keys.list
      • hs-crypto.target-keystores.read
      • hs-crypto.target-keystores.list
      • hs-crypto.key-templates.read
      • hs-crypto.key-templates.list
      • hs-crypto.vaults.read
      • hs-crypto.vaults.list
  8. Click Create after you select the appropriate actions for your custom role.

Step 2: Assign IAM roles to users

Before users can access Unified Key Orchestrator vaults, keystores, or keys, you need to grant users the appropriate IAM roles by completing the following steps:

  1. From the menu bar, click Manage > Access (IAM), and select Users to browse the existing users in your account.

  2. Select the user, and click the Actions icon to open a list of options for that user.

    Click Invite users to add a user to your account if the user is not in the table. For more information, see Inviting users to an account.

  3. From the options menu, click Assign access.

  4. Click Access policy.

  5. Under Service, select Hyper Protect Crypto Services and click Next.

  6. Under Resources, select resources that you want to assign access to and click Next.

    • If you want to assign the user access to all the Hyper Protect Crypto Services instances under your account, select All resources.
    • If you want to assign the user access to only some of the Hyper Protect Crypto Services resources under your account, select Specific resources and add the corresponding conditions based on your needs. For example, select Service Instance ID and specify the instance from the list.
  7. Under Roles and actions, choose a combination of platform and service access roles to assign access for the user and click Next.

    • Check the box for at least the Viewer role under Platform access. For more information about the IAM platform roles, see Platform access roles.
    • Check the box for the corresponding custom role that you set up in Step 1 based on your needs.

    If you don't have any custom roles, you can select the existing IAM roles that cover the actions that you want to assign to the user. You can view the specific actions that correspond to the role by clicking the number.

  8. Under Conditions (optional), add any conditions that you need, then click Review to check the access policy.

  9. After confirmation, click Add > Assign.
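The following Python is an added example, not part of the IBM documentation, that models Steps 1 and 2 as code: it checks the role-ID rule from Step 1, builds the "My reader" and "My vault administrator" action lists from Table 1, forms the custom role CRN used when assigning access through the API, and flags users who hold both custodian roles against the separation-of-duties note in Table 1. The request-body shapes (IAM Policy Management `POST /v2/roles` and `POST /v1/policies`), the account, user and instance IDs, and the custodian role IDs are assumptions or placeholders.

```python
import re

ROLE_ID_RE = re.compile(r"^[A-Z][A-Za-z0-9]*$")   # Step 1.4: capital first letter, alphanumeric only
VIEWER_ROLE_CRN = "crn:v1:bluemix:public:iam::::role:Viewer"  # platform role required by Step 2.7

# "My reader" from Table 1: read + list on each of the four resource types.
READER_ACTIONS = [f"hs-crypto.{res}.{op}"
                  for res in ("managed-keys", "target-keystores", "key-templates", "vaults")
                  for op in ("read", "list")]
# "My vault administrator" from Table 1: reader actions plus vault write/delete and the UKO actions.
VAULT_ADMIN_ACTIONS = READER_ACTIONS + [
    "hs-crypto.vaults.write", "hs-crypto.vaults.delete",
    "hs-crypto.uko.initiate-paid-upgrade", "hs-crypto.uko.add-paid-keystore"]


def custom_role_crn(role_id):
    """CRN of a custom role ID, the form a policy's 'roles' entry refers to."""
    if not ROLE_ID_RE.match(role_id):
        raise ValueError(f"invalid custom role ID: {role_id!r}")
    return f"crn:v1:bluemix:public:iam::::customRole:{role_id}"


def custom_role_body(role_id, display_name, description, actions, account_id):
    """Body for creating the custom role (assumed POST /v2/roles shape)."""
    custom_role_crn(role_id)  # apply the Step 1.4 ID rule before building anything
    return {"name": role_id, "display_name": display_name, "description": description,
            "account_id": account_id, "service_name": "hs-crypto", "actions": list(actions)}


def access_policy_body(iam_id, role_id, account_id, instance_id=None):
    """Policy for one user (assumed POST /v1/policies shape): Viewer platform role plus the
    custom role (Step 2.7), scoped to one service instance when instance_id is given (Step 2.6)."""
    resource_attrs = [{"name": "accountId", "value": account_id},
                      {"name": "serviceName", "value": "hs-crypto"}]
    if instance_id:  # "Specific resources"; omit for "All resources"
        resource_attrs.append({"name": "serviceInstance", "value": instance_id})
    return {"type": "access",
            "subjects": [{"attributes": [{"name": "iam_id", "value": iam_id}]}],
            "roles": [{"role_id": VIEWER_ROLE_CRN}, {"role_id": custom_role_crn(role_id)}],
            "resources": [{"attributes": resource_attrs}]}


def separation_of_duties_violations(assignments, creator_id, deployer_id):
    """Users holding both custodian roles; Table 1 says to assign them to different people.
    assignments maps an IAM ID to the custom role IDs granted to that user."""
    return sorted(u for u, roles in assignments.items() if {creator_id, deployer_id} <= set(roles))


if __name__ == "__main__":  # placeholder IDs, constructed for the demo
    print(custom_role_body("MyVaultAdministrator", "My vault administrator", "Manages vaults.",
                           VAULT_ADMIN_ACTIONS, "ACCOUNT_ID_PLACEHOLDER"))
    print(access_policy_body("IBMid-PLACEHOLDER", "MyVaultAdministrator", "ACCOUNT_ID_PLACEHOLDER"))
```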

What's next