beautypg.com

Granting credentials – HP Secure Key Manager User Manual

Page 232

background image

Any request for these operations, from either the Management Console or the CLI, results in a request
for additional administrator accounts and passwords. The operation only continues when those
credentials are supplied. Otherwise, an error message appears.

Granting credentials

Administrators can grant their credentials to another administrator for a specific period of time. This
allows one administrator to execute several operations without having to enter multiple credentials
for each request. The granting administrator can specify:

The grantee

The length of the grant

The permitted operations

Credentials are granted for a particular administrator account, not a session. This lets an administrator
grant credentials from a different computer.

NOTE:

Credential grants cannot be inherited. One administrator can grant only their credentials to one other
administrator.

An administrator can grant credentials for the following operations:

Add/Modify keys

Delete keys

Add/Modify users and groups

Delete users and groups

Affect authorization policies

Modify LDAP settings for users and groups

Administrators that are not normally permitted to execute any of these operations cannot grant
credentials for them; those options are unavailable. Credentials cannot be granted for those operations
not listed.

NOTE:

Granting a credential does not affect that administrator’s access control privileges. For example, if
an administrator does not have the access control for Keys and Authorization Policies configuration,
that administrator will never be able to create a key, even if another administrator grants credentials
to the first administrator.

IMPORTANT:

If an administrator changes the SKM's system time or reboots it, all temporary administrator credentials
immediately expire.

Using the Management Console

232