Multiple credentials sections – HP Secure Key Manager User Manual
Page 212

NOTE:
Credential grants cannot be inherited. One administrator can grant only their credentials to one other
administrator.
An administrator can grant credentials for the following operations:
• Add/Modify keys
• Delete keys
• Add/Modify users and groups
• Delete users and groups
• Affect authorization policies
• Modify LDAP settings for users and groups
Administrators that are not normally permitted to execute any of these operations cannot grant credentials
for them; those options are unavailable. Credentials cannot be granted for those operations not listed.
NOTE:
Granting a credential does not affect that administrator’s access control privileges. For example, if an
administrator does not have the access control for Keys and Authorization Policies configuration, that
administrator will never be able to create a key, even if another administrator grants credentials to
the first administrator.
IMPORTANT:
If an administrator changes the SKM’s system time or reboots it, all temporary administrator credentials
immediately expire.
NOTE:
If the SKM is configured to use NTP, modifications to the NTP system time can extend the life span of
a granted credential.
NOTE:
Granted credentials are not included in backups.
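
The grant rules above, written out as a small model. This is an added illustration, not HP code or an SKM interface. The class, method and operation names are assumptions of this example, as is the simplification that an operation is authorized once the acting administrator's access control permits it and that administrator holds the required number of credentials.

```python
from dataclasses import dataclass

# The six operations the page lists as grantable (names are this example's own).
GRANTABLE = {"add_modify_keys", "delete_keys", "add_modify_users_groups",
             "delete_users_groups", "affect_authorization_policies",
             "modify_ldap_settings"}

@dataclass(frozen=True)
class Grant:
    grantor: str
    grantee: str
    operation: str
    expires_at: int  # device clock, in seconds

class Device:
    """Toy model of one SKM: admins, their access controls, live grants."""
    def __init__(self, acl, required):
        self.acl = acl            # admin name -> set of operations the ACL permits
        self.required = required  # credentials needed to authorize an operation
        self.now = 0
        self.grants = []

    def grant(self, grantor, grantee, operation, lifetime):
        if operation not in GRANTABLE:
            raise ValueError("credentials cannot be granted for this operation")
        if operation not in self.acl[grantor]:
            raise PermissionError("grantor is not permitted to run this operation")
        # Only the grantor's own credential is recorded, so a grant received
        # from someone else can never be passed on (no inheritance).
        self.grants.append(Grant(grantor, grantee, operation, self.now + lifetime))

    def credentials(self, admin, operation):
        live = {g.grantor for g in self.grants if g.grantee == admin
                and g.operation == operation and g.expires_at > self.now}
        return {admin} | live

    def authorized(self, admin, operation):
        # A grant never widens the grantee's own access control.
        return (operation in self.acl[admin]
                and len(self.credentials(admin, operation)) >= self.required)

    def set_time(self, now):      # manual clock change: all grants expire
        self.now, self.grants = now, []

    def reboot(self):             # reboot: all grants expire
        self.grants = []

    def ntp_adjust(self, delta):  # NTP correction: grants survive the change
        self.now += delta
```

A backward `ntp_adjust` makes an already lapsed grant count again, which is the life span extension the NTP note warns about.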
Multiple credentials in clusters
To implement multiple credentials on SKMs within a cluster, you must adhere to the following guidelines:
• All devices within the cluster must have the multiple credentials feature enabled. The feature can
  be enabled on one device and replicated to the others.
• For each device within the cluster, the number of administrators with High Access Administrator
  access control must be greater than or equal to the number of administrators required to authorize
  an operation. If not, the feature is not enabled.
To add a new device to a cluster with multiple credentials enabled:
1. Make sure that the new device has the correct number of administrators with High Access
   Administrator access control.
2. Disable the multiple credentials feature for the cluster by disabling the feature for one device within
   the cluster. This action requires confirmation from multiple administrators.
3. Add the new device to the cluster. For information on adding a device to a cluster, refer to