CipherTrust Manager Administration

Group Mapping


Groupmaps extend group-based configuration of CipherTrust Manager users to Lightweight Directory Access Protocol (LDAP) or OpenID Connect (OIDC) groups, associated with the Access Management LDAP or OIDC connection. A groupmap maps an LDAP or OIDC group belonging to a specific connection to a CipherTrust Manager group.

For example, an LDAP group can be mapped to the system defined `Key Users` group in order to allow the LDAP group's members to encrypt data. Alternatively, an LDAP or OIDC group can be mapped to a newly created CipherTrust Manager group where group-based key permissions can be configured.

Connection Requirements

To set up groupmaps, the LDAP or OIDC connection must be configured with information to find a given user's group membership on the authentication server. LDAP connections require six fields to allow groupmaps. OIDC connections require a group claim to allow groupmaps.

Note

Groupmaps are not applicable to the LDAP or OIDC connection available through connection manager.

CLI Commands

The groupmaps API and CLI can be used to create, delete, get, list, and modify mappings. A mapping is created by passing three parameters (connection name, connection group name, and CipherTrust Manager group name) to the create API. This returns an ID along with other information. The ID can be used to get, modify or delete the mapping. The list API supports searching for all mappings associated with (a) connection, (b) a CipherTrust Manager group, and/or (c) a connection group. Wildcards can be used in the list API.

Help about group mappings can be obtained via the ksctl groupmaps -h command.

A groupmap can be created via the following command:

$ ksctl groupmaps create -c <connection-name> -n <connection-group> -k <ciphertrust-manager-group-name>

The connection and the CipherTrust Manager group must both exist before the groupmap is created. The mapping links the connection group to the CipherTrust Manager group. The response shows information about the mapping; here is a sample response:

```json
{
    "id": "26a980d2-c20a-4307-b12a-4898aa575122",
    "created_at": "2018-09-28T20:50:28.978112Z",
    "updated_at": "2018-09-28T20:50:28.978112Z",
    "connection_name": "ldap22",
    "ldap_group_name": "admin_staff",
    "group_name": "group1"
}
```

You can use the returned ID in the ksctl groupmaps get, ksctl groupmaps delete and ksctl groupmaps modify commands. The ksctl groupmaps modify command allows modification of the CipherTrust Manager group name associated with a groupmap:

$ ksctl groupmaps modify -i <group-map-id> -k <ciphertrust-manager-group-name>

The ksctl groupmaps list command allows listing of all the available groupmaps:

$ ksctl groupmaps list [-s <skip>] [-l <limit>] [-c <connection-name>] [-n <connection-group>] [-k <ciphertrust-manager-group-name>]

For example, the following command will list all groupmaps associated with an LDAP connection named "hr-ldap":

$ ksctl groupmaps list -l 1000 -c hr-ldap

The * character can be used to perform wildcard searches over connection names and group names.

Use Cases

The utility of group mappings is illustrated by the following examples.

Making all Users in a Specific LDAP Group members of Key Users Group

Assume that there is an LDAP connection named bababini containing a group named IT. All users in the IT group should have the ability to create keys. This can be achieved by creating a groupmap that maps the LDAP IT group into the built-in CipherTrust Manager 'Key Users' group:

$ ksctl groupmaps create -c bababini -g IT -k "Key Users"

Users in the LDAP group IT can create keys after issuing this command.

Two LDAP groups share keys

Assume that there is an LDAP connection named bababini containing two groups: IT and Engineering. The cryptographic keys should be shared between the two LDAP groups. This can be achieved by the following steps:

  1. Create a CipherTrust Manager group called it-engg-shared-keys.

  2. Create cryptographic keys and allow all users in the it-engg-shared-keys group access to those keys.

  3. Create a group mapping between the IT group and it-engg-shared-keys via the command:

    $ ksctl groupmaps create -c bababini -g IT -k it-engg-shared-keys

  4. Create a group mapping between the Engineering group and it-engg-shared-keys via the command:

    $ ksctl groupmaps create -c bababini -g Engineering -k it-engg-shared-keys

Users in both groups can now share the keys created in step 2 above.
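As an added illustration (not Thales documentation or ksctl code), the following Python models how the groupmaps described above resolve a user's connection groups to CipherTrust Manager groups, including the scoping of a mapping to its connection and the `*` wildcard filtering of the list command. The mapping IDs and the hr-ldap/payroll entry are constructed sample data.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class GroupMap:
    """One groupmap record, shaped like the create response above."""
    id: str
    connection_name: str
    ldap_group_name: str   # group on the LDAP/OIDC connection side
    group_name: str        # CipherTrust Manager group it maps to


# Constructed sample mappings (placeholder ids) mirroring the Use Cases above,
# plus one unrelated connection to show that mappings are connection-scoped.
GROUPMAPS = [
    GroupMap("gm-0001", "bababini", "IT", "Key Users"),
    GroupMap("gm-0002", "bababini", "IT", "it-engg-shared-keys"),
    GroupMap("gm-0003", "bababini", "Engineering", "it-engg-shared-keys"),
    GroupMap("gm-0004", "hr-ldap", "payroll", "payroll-keys"),
]


def list_groupmaps(maps, connection="*", connection_group="*", cm_group="*"):
    """Filter like `ksctl groupmaps list -c/-n/-k`; '*' matches any name."""
    return [m for m in maps
            if fnmatchcase(m.connection_name, connection)
            and fnmatchcase(m.ldap_group_name, connection_group)
            and fnmatchcase(m.group_name, cm_group)]


def effective_groups(maps, connection, user_groups):
    """CipherTrust Manager groups a user gains from the groups the connection
    reports for them. A mapping on another connection never applies, even if
    that connection has a group with the same name."""
    wanted = set(user_groups)
    return sorted({m.group_name for m in maps
                   if m.connection_name == connection
                   and m.ldap_group_name in wanted})


def shared_groups(maps, connection, groups_a, groups_b):
    """CM groups two users both land in; keys granted to such a group are
    shared between them (the second Use Case)."""
    a = set(effective_groups(maps, connection, groups_a))
    b = set(effective_groups(maps, connection, groups_b))
    return sorted(a & b)


if __name__ == "__main__":
    # Audit question: which connection groups end up in the built-in Key Users group?
    print([(m.connection_name, m.ldap_group_name)
           for m in list_groupmaps(GROUPMAPS, cm_group="Key Users")])
    print(shared_groups(GROUPMAPS, "bababini", ["IT"], ["Engineering"]))
```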