Available permissions

Installing IBM Security Guardium Key Lifecycle Manager creates the SKLMAdmin user ID, which has the klmSecurityOfficer role as the default super user.

A permission from IBM Security Guardium Key Lifecycle Manager enables an action or the use of a device group. A role in IBM Security Guardium Key Lifecycle Manager is one or more permissions.

IBM Security Guardium Key Lifecycle Manager installation creates the following default groups.
klmSecurityOfficerGroup
Installation assigns the klmSecurityOfficer role to this group. The klmSecurityOfficer role replaces the previous klmApplicationRole role in the group that was named klmGroup. klmSecurityOfficerGroup replaces klmGroup.

The klmSecurityOfficer role has:

  • Root access to the entire set of permissions and device groups that are described in Table 1 and Table 2.
  • Permission to any role or device group that might be created.
klmBackupRestoreGroup
Back up and restore IBM Security Guardium Key Lifecycle Manager.
LTOAdmin
Administer devices in the LTO device family with actions that include create, view, modify, delete, get (export), back up, and configure.
LTOOperator
Operate devices in the LTO device family with actions that include create, view, modify, and back up.
LTOAuditor
Audit devices in the LTO device family with actions that include view and audit.
klmGUICLIAccessGroup
Provides IBM Security Guardium Key Lifecycle Manager graphical user interface access to the users. Every product user must be a part of this group.
Note: Membership in this group by itself is not sufficient; users must also be granted other permissions to be functional product users.
A user who has any one of the permissions in Table 1 can view:
  • IBM Security Guardium Key Lifecycle Manager global configuration parameters that are defined in the SKLMConfig.properties file.
  • The key server status and last backup date.
Table 1. Permissions for actions
Permission | Enables these actions | Relation to device groups
klmCreate | Create but not view, modify, or delete objects. | Associated with device groups
klmDelete | Delete objects, but not view, modify, or create objects. | Associated with device groups
klmGet | Export a key or certificate for a client device. | Associated with device groups
klmModify | Modify objects, but not view, create, or delete objects. | Associated with device groups
klmView | View objects, but not create, delete, or modify objects. For example, you must have this permission to see the tasks you want to do on the graphical user interface. | Associated with device groups
klmAdminDeviceGroup | Administer device groups: create a device group, set its default parameters, view it, and delete an empty device group. This permission does not provide access to devices, keys, or certificates. | Unrelated to device groups
klmAudit | View audit data. | Unrelated to device groups
klmBackup | Create and delete a backup of IBM Security Guardium Key Lifecycle Manager data. | Unrelated to device groups
klmConfigure | Read and change IBM Security Guardium Key Lifecycle Manager configuration properties, or act on the TLS certificate. Add, view, update, or delete the keystore. | Unrelated to device groups
klmRestore | Restore a previous backup copy of IBM Security Guardium Key Lifecycle Manager data. | Unrelated to device groups

The klmSecurityOfficer role also has root access to permissions for all device groups.

Table 2. Device groups
Permission | Allows actions on these objects
LTO | LTO device family
TS3592 | 3592 device family
DS5000 | DS5000 device family
DS8000 | DS8000 device family
BRCD_ENCRYPTOR | BRCD_ENCRYPTOR device group
ONESECURE | ONESECURE device group
ETERNUS_DX | ETERNUS_DX device group
XIV | XIV® device group
IBM_SYSTEM_X_SED | IBM_SYSTEM_X_SED device group
GPFS (IBM Spectrum Scale) | GPFS device family
GENERIC | Objects in the GENERIC device family
userdevicegroup | A user-defined instance, such as myLTO, that you manually create based on a predefined device family such as LTO
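As an added illustration of the model described on this page (not the product's own code or API), the following Python sketches how an authorization decision could be made from roles, action permissions and device-group permissions: a device-scoped permission from Table 1 only works together with a matching device-group permission from Table 2, while klmSecurityOfficer has root access to everything, including device groups created later. The mapping of each default group's listed actions onto klm* permission names, the function names, and the treatment of klmGUICLIAccessGroup as granting no permission of its own are assumptions made here.

```python
"""Toy authorization model of the permission scheme described on this page.

Added illustration only: this is not IBM Security Guardium Key Lifecycle
Manager's own API, and the mapping of each default group's listed actions
onto klm* permission names is an assumption made here.
"""
from dataclasses import dataclass

# Table 1, "Associated with device groups": these permissions act on objects
# (keys, certificates, devices) and only work together with a device-group
# permission from Table 2.
DEVICE_SCOPED = frozenset({"klmCreate", "klmDelete", "klmGet", "klmModify", "klmView"})

# Table 1, "Unrelated to device groups": product-wide permissions.
GLOBAL_SCOPED = frozenset({"klmAdminDeviceGroup", "klmAudit", "klmBackup",
                           "klmConfigure", "klmRestore"})

ALL_PERMISSIONS = DEVICE_SCOPED | GLOBAL_SCOPED

# Table 2: predefined device families and groups. User-defined instances such
# as "myLTO" are added with register_device_group().
DEVICE_GROUPS = {"LTO", "TS3592", "DS5000", "DS8000", "BRCD_ENCRYPTOR", "ONESECURE",
                 "ETERNUS_DX", "XIV", "IBM_SYSTEM_X_SED", "GPFS", "GENERIC"}

ROOT_ROLE = "klmSecurityOfficer"  # default super user role held by SKLMAdmin


@dataclass(frozen=True)
class Role:
    """A role is one or more permissions: action permissions and/or device groups."""
    permissions: frozenset
    device_groups: frozenset


# Assumed mapping of the default groups onto permissions (see lead-in).
ROLES = {
    "klmBackupRestoreGroup": Role(frozenset({"klmBackup", "klmRestore"}), frozenset()),
    "LTOAdmin": Role(frozenset({"klmCreate", "klmView", "klmModify", "klmDelete",
                                "klmGet", "klmBackup", "klmConfigure"}),
                     frozenset({"LTO"})),
    "LTOOperator": Role(frozenset({"klmCreate", "klmView", "klmModify", "klmBackup"}),
                        frozenset({"LTO"})),
    "LTOAuditor": Role(frozenset({"klmView", "klmAudit"}), frozenset({"LTO"})),
    # GUI/CLI access is required for every user but grants no permission by itself.
    "klmGUICLIAccessGroup": Role(frozenset(), frozenset()),
}


def register_device_group(name):
    """Add a user-defined device group instance (for example myLTO, based on LTO)."""
    DEVICE_GROUPS.add(name)


def effective_permissions(role_names):
    """Union of action and device-group permissions over all of the user's roles."""
    perms, groups = set(), set()
    for name in role_names:
        if name == ROOT_ROLE:
            continue  # root access is handled directly in is_authorized()
        role = ROLES[name]  # an unknown role raises KeyError on purpose
        perms |= role.permissions
        groups |= role.device_groups
    return perms, groups


def is_authorized(role_names, permission, device_group=None):
    """Decide whether a user holding role_names may exercise `permission`.

    Device-scoped permissions need both the action permission and the matching
    device-group permission; klmSecurityOfficer is authorized for everything,
    including device groups that are created later.
    """
    if permission not in ALL_PERMISSIONS:
        raise ValueError(f"unknown permission: {permission}")
    if permission in DEVICE_SCOPED and device_group is None:
        raise ValueError(f"{permission} must be checked against a device group")
    if ROOT_ROLE in role_names:
        return True
    perms, groups = effective_permissions(role_names)
    if permission not in perms:
        return False
    if permission in GLOBAL_SCOPED:
        return True
    return device_group in DEVICE_GROUPS and device_group in groups


def can_view_global_status(role_names):
    """Any single Table 1 permission suffices to view the SKLMConfig.properties
    parameters, the key server status and the last backup date."""
    if ROOT_ROLE in role_names:
        return True
    perms, _ = effective_permissions(role_names)
    return bool(perms & ALL_PERMISSIONS)


def can_use_gui(role_names):
    """Every product user must be a member of klmGUICLIAccessGroup."""
    return "klmGUICLIAccessGroup" in role_names


if __name__ == "__main__":
    auditor = ["klmGUICLIAccessGroup", "LTOAuditor"]
    print(is_authorized(auditor, "klmView", "LTO"))     # True
    print(is_authorized(auditor, "klmDelete", "LTO"))   # False: auditors only view and audit
    print(is_authorized(auditor, "klmView", "DS8000"))  # False: no DS8000 device-group permission
```

The check deliberately separates the two halves of the decision: holding klmView says what a user may do, and holding LTO says where. An LTOAdmin therefore cannot export a DS8000 key even though klmGet is in the role, and klmAdminDeviceGroup never reaches keys or certificates because it is modelled as a global, not a device-scoped, permission.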