Available permissions
Installing IBM Security Guardium Key Lifecycle Manager creates the SKLMAdmin user ID, which has the klmSecurityOfficer role as the default super user.
In IBM Security Guardium Key Lifecycle Manager, a permission enables either an action or the use of a device group. A role is a set of one or more permissions.
IBM Security Guardium Key Lifecycle Manager installation creates the following default groups.
- klmSecurityOfficerGroup
  - Installation assigns the klmSecurityOfficer role to this group. The klmSecurityOfficer role replaces the previous klmApplicationRole role in the group that was named klmGroup, and klmSecurityOfficerGroup replaces klmGroup. The klmSecurityOfficer role has:
- klmBackupRestoreGroup
  - Back up and restore IBM Security Guardium Key Lifecycle Manager.
- LTOAdmin
  - Administer devices in the LTO device family with actions that include create, view, modify, delete, get (export), back up, and configure.
- LTOOperator
  - Operate devices in the LTO device family with actions that include create, view, modify, and back up.
- LTOAuditor
  - Audit devices in the LTO device family with actions that include view and audit.
- klmGUICLIAccessGroup
  - Provides access to the IBM Security Guardium Key Lifecycle Manager graphical user interface. Every product user must be a member of this group. Note: Membership in this group grants only interface access; a user also needs other permissions to be a functional product user.
A user who has any one of the permissions in Table 1 can view:
- IBM Security Guardium Key Lifecycle Manager global configuration parameters that are defined in the SKLMConfig.properties file.
- The key server status and last backup date.
Permission | Enables these actions | Unrelated to device groups | Associated with device groups
---|---|---|---
klmCreate | Create but not view, modify, or delete objects. | | ✓
klmDelete | Delete objects, but not view, modify, or create objects. | | ✓
klmGet | Export a key or certificate for a client device. | | ✓
klmModify | Modify objects, but not view, create, or delete objects. | | ✓
klmView | View objects, but not create, delete, or modify objects. For example, you must have this permission to see the tasks you want to do on the graphical user interface. | | ✓
klmAdminDeviceGroup | Administer. Create a device group, set default parameters, view, delete an empty device group. This permission does not provide access to devices, keys, or certificates. | ✓ |
klmAudit | View audit data. | ✓ |
klmBackup | Create and delete a backup of IBM Security Guardium Key Lifecycle Manager data. | ✓ |
klmConfigure | Read and change IBM Security Guardium Key Lifecycle Manager configuration properties, or act on the TLS certificate. Add, view, update, or delete the keystore. | ✓ |
klmRestore | Restore a previous backup copy of IBM Security Guardium Key Lifecycle Manager data. | ✓ |
The klmSecurityOfficer role also has root access to the permissions for all device groups.
Permission | Allows actions on these objects
---|---
LTO | LTO device family
TS3592 | 3592 device family
DS5000 | DS5000 device family
DS8000 | DS8000 device family
BRCD_ENCRYPTOR | BRCD_ENCRYPTOR device group
ONESECURE | ONESECURE device group
ETERNUS_DX | ETERNUS_DX device group
XIV | XIV® device group
IBM_SYSTEM_X_SED | IBM_SYSTEM_X_SED device group
GPFS (IBM Spectrum Scale) | GPFS device family
GENERIC | Objects in the GENERIC device family.
userdevicegroup | A user-defined instance such as myLTO that you manually create, based on a predefined device family such as LTO.
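To make the two-part rule concrete (a device-scoped action permission from the first table plus a device-group permission from the second), here is an added Python model of the authorization decision for reviewing group memberships; it is not product code, and the mapping of the default LTO groups onto the action permissions is an assumption read off their descriptions above.

```python
"""Added model of the permission semantics described above (not product code).
Assumptions: an action marked 'associated with device groups' needs BOTH the
action permission and the permission for the named device group; an action
marked 'unrelated to device groups' needs only the action permission;
klmSecurityOfficer carries every permission and root access to every group."""

# Action permissions from the first table, split by device-group scoping.
DEVICE_SCOPED = {"klmCreate", "klmDelete", "klmGet", "klmModify", "klmView"}
UNSCOPED = {"klmAdminDeviceGroup", "klmAudit", "klmBackup", "klmConfigure", "klmRestore"}
# Device-group permissions from the second table.
DEVICE_GROUPS = {"LTO", "TS3592", "DS5000", "DS8000", "BRCD_ENCRYPTOR", "ONESECURE",
                 "ETERNUS_DX", "XIV", "IBM_SYSTEM_X_SED", "GPFS", "GENERIC"}

# Assumed mapping of the default groups onto permissions, taken from their
# descriptions. "back up" and "configure" in the LTO descriptions are left out
# because klmBackup and klmConfigure are listed as unrelated to device groups.
ROLES = {
    "klmSecurityOfficer": DEVICE_SCOPED | UNSCOPED | DEVICE_GROUPS,
    "LTOAdmin": {"klmCreate", "klmView", "klmModify", "klmDelete", "klmGet", "LTO"},
    "LTOOperator": {"klmCreate", "klmView", "klmModify", "LTO"},
    "LTOAuditor": {"klmView", "klmAudit", "LTO"},
    "klmBackupRestoreGroup": {"klmBackup", "klmRestore"},
}


def effective_permissions(roles):
    """Union of the permissions granted by every role a user holds."""
    return set().union(*(ROLES[r] for r in roles))


def is_allowed(roles, action, device_group=None):
    """Decide whether a user with these roles may perform `action`.
    Device-scoped actions also require the `device_group` permission."""
    perms = effective_permissions(roles)
    if action in UNSCOPED:
        return action in perms
    if action in DEVICE_SCOPED:
        return action in perms and device_group in perms
    raise ValueError(f"unknown permission {action!r}")


def review(roles):
    """Least-privilege review: every action (and action:group pair) the roles allow."""
    allowed = sorted(a for a in UNSCOPED if is_allowed(roles, a))
    allowed += sorted(f"{a}:{g}" for a in DEVICE_SCOPED for g in DEVICE_GROUPS
                      if is_allowed(roles, a, g))
    return allowed
```

Running `review(["LTOAuditor"])` shows the auditor can view LTO objects but cannot export (klmGet) them, and that no LTO group reaches any other device family.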