Roles Tab

A custom role entitles its holder to a specific set of operations that can be applied to a particular set of crypto objects including keys, certificates, and secrets. A custom role is specified in terms of permissions. Each permission specifies a group of objects and a set of permitted operations for this group:

  • group 1 ← op1, op2, .., opN
  • group 2 ← op10, op20, .., opNN

The following schema presents the relationship between the elements that define a role:

  • A user has a single role.
  • The role is a set of permissions.
  • Each permission specifies:
    • The name of the group that this permission references.
    • The list of permitted management and cryptographic operations.

Roles model

Main Page

Partition SO (Security officer - UKC partition administrator role) ˃ Roles

→ presents the following:

Table of Roles

Each row presents the following attributes:

Name
The name of a role.
Key Groups
Key Groups permitted for use by the role.
Last update
The date of the last update.
[]
See Commands.

Add Role

Partition SO ˃ Roles ˃ Create

→ The New Role dialog appears.

  1. Name the role.
  2. Click the Add permission button.
    → The New permission dialog appears.
    • Click Group Name ▼
      → The list of the defined key groups appears.
    • Select a key group.
      Note
      Alternatively, you can just enter the name of a key group. It can be a new name representing a key group that does not exist yet. In the case of a new key group name, the permission becomes relevant once key or secret material is assigned to this group.

    • Click Operations ▼
      → The list of operations specified in Summary of ACL Controlled Operations appears.
    • Select operations that shall be allowed for the specified key groups.
    • Click Add.
  3. To add additional permission, repeat the previous step.
  4. Click Add Role.

The added role appears on the Roles page.

Commands

Partition SO ˃ Roles ˃ select Role ˃ []

→ The list of commands appears.

Show Permissions

Partition SO ˃ Roles ˃ select Role ˃ [] ˃ Show Permissions

→ Permissions of the role appear in a table format:

  • Group - the name of the key group.
  • Operations - list of the permitted operations for the group.

Edit

Note
The system does not allow modifying the "user" and "so" roles. Use the clone command to create a role similar to "user" or "so" roles and modify the cloned role as needed.

Partition SO ˃ Roles ˃ select Role ˃ [] ˃ Edit

→ Permissions of the role appear in a table format:

  • Group - the name of the key group.
  • Operations - list of the permitted operations for the group.
  • [] - allows you to Edit or Delete the permission.

The Add permission option allows adding new permissions.

The dialog is the same as in the Roles Tab.

Clone

Partition SO ˃ Roles ˃ select Role ˃ [] ˃ Clone

→ The New Role dialog appears with the table of permissions cloned from the selected role.

  • Name - "<original name>_clone". Change it as needed.

All other dialogs are identical to Edit.

Tweak the cloned permissions as needed for the new role.

Note
Although you can clone the SO role, the cloned role addresses non-SO users.

Delete

Partition SO ˃ Roles ˃ select Role ˃ [] ˃ Delete

→ The Delete Role dialog appears.

You can't delete a role while there are users assigned to this role. To find all users with the selected role:

Partition SO ˃ Users ˃ <name of the role> ˃

Note
The system does not allow deleting the "user" and "so" roles.

User Groups Tab

A User Group ties a list of users to a set of roles. Instead of assigning a user to a particular role, the user is added to one (or more) user groups. Membership in a user group entitles each member to ALL roles granted to the group:

Roles in User Groups

Main Page

Partition SO ˃ User Groups

→ presents the following:

Table of User Groups

Each row presents the following attributes:

Name
The name of a user group.
Roles
The list of roles granted to the group members.
Users
The list of internal CORE users that are members of this group.
Expression
A regular expression that identifies the SSO (Single Sign-On) members of the user group.

Add User Group

Partition SO ˃ User Groups ˃ Create

→ The New user group dialog appears.

  1. Name the group.
  2. Click the Roles ▼ button and select the required roles, or leave the selection empty.
  3. Click the Users ▼ button and select the new members of the group, or leave the selection empty.
  4. If the system is registered with OIDC (OpenID Connect, an identity layer on top of the OAuth 2.0 protocol) providers,
     → the Expression field appears.

    Enter the regular expression. See the examples below.

    Tip
    To generate and test a regular expression, use online tools such as the open-source Rustexp or other popular tools.

  5. Click Add user group.

The added group appears in the table.

About SSO Expressions

SSO expressions are standard Regular Expressions that use the following elements:

<OIDC claim name>: <regular expression regarding the expected data in the claim>

Warning
It is important to check that your regular expressions are securely written. Care should be taken to ensure that a malicious attacker cannot exploit them.

For example:

  • Terminate the expression with a "$" so that extraneous characters cannot be added.
  • Ensure proper use of special characters, such as using "\." instead of just a "." to denote a period in an expression.

Warning
See here for more information about issues with regular expressions, and specifically the section on Potential Mitigations.

To specify the matching criteria, use the standard Regular Expression syntax:

  • In its simplest form, the regular expression is the exact email address or a list of exact addresses. For example, an OR-list of two emails:

    (email: foo@dep\.company\.com)|(email: bar@dep\.company\.com)

  • To specify any person whose email claim belongs to the above department, use a wildcard pattern for the local part of the address:

    email:.*@dep\.company\.com$

  • In the most general case, a regular expression applies AND / OR logic to the matched patterns.

  Note
  To specify and test a regular expression, use online tools such as the open-source Rustexp or similar online tools.

Examples:

  1. A single expression: any person with the @group.division.company.com email address:

    email: .*@group\.division\.company\.com$

    Notes:

    1. email: - specifies the type of PI claim that must be used to evaluate the expression.
    2. . - (dot) means ANY SINGLE character.
    3. .* - (dot followed by an asterisk) means any characters.
    4. \. - (escaped dot) means the dot character itself.

    Warning
    It is important to check that the regular expression is secure. For example, if this regex did not have the trailing "$", an attacker could use an address such as foo@group.division.company.com.attacker.com for malicious purposes.

  2. A or B expression: any person from one of the following groups and divisions:

    (email: .*@groupA\.divisionA\.company\.com)|(email: .*@groupB\.divisionB\.company\.com)

    Notes:

    1. Use parentheses ( ) to separate each clause of a compound expression.
    2. The "|" symbol indicates logical OR.
    3. To specify A or B or C, use (A)|(B)|(C).

  3. A and B expression: any person from the group "A" that also has the string 25519 in the subject (sub:) claim returned by the OIDC provider:

    (?=.*(email: .*@groupA\.divisionA\.company\.com))
    (?=.*(sub:[0-9]*25519[0-9]*))

    Notes:

    1. (?=A)(?=B) checks that both the A and B conditions are met.
    2. [0-9]* indicates any sequence of digits.

  4. Disable character case sensitivity: to disable sensitivity to character case (lowercase vs. uppercase), use the (?i) directive. For example, the following expression matches all <name.lastname>@company.com users from the Company regardless of the character case in the provided subject:

    (?i)(sub:\w*\.\w*@COMPANY\.com)$

    Note
    By default, information received in the email: claim is case insensitive.

Commands

Partition SO ˃ User Groups ˃ select group ˃ []

→ The list of commands appears.

Edit

Partition SO ˃ User Groups ˃ select group ˃ [] ˃ Edit

→ You may add or delete Roles, Users, and Expressions.

Delete

Partition SO ˃ User Groups ˃ select group ˃ [] ˃ Delete

→ You are asked to confirm this step.