Available permissions

Installing IBM Guardium Key Lifecycle Manager creates the SKLMAdmin user ID, which has the klmSecurityOfficer role as the default super user.

A permission in IBM Guardium Key Lifecycle Manager enables an action or the use of an endpoint. A role in IBM Guardium Key Lifecycle Manager is a set of one or more permissions.

IBM Guardium Key Lifecycle Manager installation creates the following default groups:
klmSecurityOfficerGroup
Installation assigns the klmSecurityOfficer role to this group. The klmSecurityOfficer role replaces the previous klmApplicationRole role in the group that was named klmGroup. klmSecurityOfficerGroup replaces klmGroup.

The klmSecurityOfficer role has:

  • Root access to the entire set of permissions and endpoints that are described in Table 1 and Table 2.
  • Permission to any role or endpoint that might be created.
klmBackupRestoreGroup
Back up and restore IBM Guardium Key Lifecycle Manager.
LTOAdmin
Administer devices in the LTO endpoint with actions that include create, view, modify, delete, get (export), back up, and configure.
LTOOperator
Operate devices in the LTO endpoint with actions that include create, view, modify, and back up.
LTOAuditor
Audit devices in the LTO endpoint with actions that include view and audit.
klmGUICLIAccessGroup
Provides IBM Guardium Key Lifecycle Manager graphical user interface and command-line interface access to the users. Every product user must be a part of this group.
Note: Membership in this group grants interface access only. To be a functional product user, a user must also be given other accesses (for example, one of the groups or permissions described on this page).
A user who has any one of the permissions in Table 1 can view:
  • IBM Guardium Key Lifecycle Manager global configuration parameters that are defined in the SKLMConfig.properties file.
  • The key server status and last backup date.
Table 1. Permissions for actions

Permission          | Enables these actions                                                                                                                      | Unrelated to endpoints | Associated with endpoints
--------------------|--------------------------------------------------------------------------------------------------------------------------------------------|------------------------|--------------------------
klmCreate           | Create but not view, modify, or delete objects.                                                                                            |                        | Yes
klmDelete           | Delete objects, but not view, modify, or create objects.                                                                                   |                        | Yes
klmGet              | Export a key or certificate for a client device.                                                                                           |                        | Yes
klmModify           | Modify objects, but not view, create, or delete objects.                                                                                   |                        | Yes
klmView             | View objects, but not create, delete, or modify objects. For example, you must have this permission to see the tasks you want to do on the graphical user interface. |                        | Yes
klmAdminDeviceGroup | Administer. Create an endpoint, set default parameters, view, delete an empty endpoint. This permission does not provide access to devices, keys, or certificates. | Yes                    |
klmAudit            | View audit data by using the tklmServedDataList command.                                                                                   | Yes                    |
klmBackup           | Create and delete a backup of IBM Guardium Key Lifecycle Manager data.                                                                     | Yes                    |
klmConfigure        | Read and change IBM Guardium Key Lifecycle Manager configuration properties, or act on TLS certificates. Add, view, update, or delete the keystore. | Yes                    |
klmRestore          | Restore a previous backup copy of IBM Guardium Key Lifecycle Manager data.                                                                 | Yes                    |

The klmSecurityOfficer role also has root access to permissions for all endpoints.

Table 2. Endpoints

Permission       | Allows actions on these objects
-----------------|--------------------------------------------------------------------------------------------------------------
LTO              | LTO endpoint family
TS3592           | 3592 endpoint family
DS5000           | DS5000 endpoint family
DS8000           | DS8000 endpoint family
BRCD_ENCRYPTOR   | BRCD_ENCRYPTOR endpoint
ONESECURE        | ONESECURE endpoint
ETERNUS_DX       | ETERNUS_DX endpoint
XIV              | XIV® endpoint
IBM_SYSTEM_X_SED | IBM_SYSTEM_X_SED endpoint
GPFS             | GPFS (IBM Spectrum Scale) endpoint family
GENERIC          | Objects in the GENERIC endpoint family
userendpoint     | A user-defined instance such as myLTO that you manually create, based on a predefined endpoint family such as LTO
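The rules on this page (every user needs klmGUICLIAccessGroup; klmSecurityOfficer has root access to every permission and endpoint, including endpoints created later; the Table 1 permissions marked "associated with endpoints" also require the Table 2 permission for the endpoint being acted on; the "unrelated" permissions need no endpoint; any single Table 1 permission is enough to view the global configuration) can be modelled as a small authorization check. The following Python is an added example for illustration, not product code: the group-to-permission mappings are derived from the group descriptions above and are an assumption about how the product wires them, and the user names and the user-defined endpoint name are constructed.

```python
"""Toy model of the IBM Guardium Key Lifecycle Manager permission rules.
Added example, not product code: group-to-permission mappings below are
read from the group descriptions on the page and are assumptions."""
from dataclasses import dataclass, field
from typing import Optional, Set

# Table 1, split by its two check-mark columns.
ENDPOINT_ASSOCIATED = {"klmCreate", "klmDelete", "klmGet", "klmModify", "klmView"}
ENDPOINT_UNRELATED = {"klmAdminDeviceGroup", "klmAudit", "klmBackup",
                      "klmConfigure", "klmRestore"}
ALL_ACTION_PERMISSIONS = ENDPOINT_ASSOCIATED | ENDPOINT_UNRELATED

# Table 2 predefined endpoint permissions (a user-defined endpoint such as
# "myLTO" is represented by the name the administrator gave it).
PREDEFINED_ENDPOINTS = {"LTO", "TS3592", "DS5000", "DS8000", "BRCD_ENCRYPTOR",
                        "ONESECURE", "ETERNUS_DX", "XIV", "IBM_SYSTEM_X_SED",
                        "GPFS", "GENERIC"}

SECURITY_OFFICER = "klmSecurityOfficer"
ACCESS_GROUP = "klmGUICLIAccessGroup"

# Group -> permissions, derived from the group descriptions (assumed mapping).
GROUP_PERMISSIONS = {
    "klmSecurityOfficerGroup": {SECURITY_OFFICER},
    "klmBackupRestoreGroup": {"klmBackup", "klmRestore"},
    "LTOAdmin": {"klmCreate", "klmView", "klmModify", "klmDelete", "klmGet",
                 "klmBackup", "klmConfigure", "LTO"},
    "LTOOperator": {"klmCreate", "klmView", "klmModify", "klmBackup", "LTO"},
    "LTOAuditor": {"klmView", "klmAudit", "LTO"},
    ACCESS_GROUP: set(),  # grants GUI/CLI access only, no actions
}


@dataclass
class User:
    name: str
    groups: Set[str] = field(default_factory=set)

    def permissions(self) -> Set[str]:
        """Union of the permissions of every group the user belongs to."""
        perms: Set[str] = set()
        for group in self.groups:
            perms |= GROUP_PERMISSIONS.get(group, set())
        return perms


def is_authorized(user: User, permission: str, endpoint: Optional[str] = None) -> bool:
    """Return True if `user` may exercise `permission` (on `endpoint`, where
    the permission is endpoint-associated). Unknown permissions are denied."""
    if ACCESS_GROUP not in user.groups:
        return False  # no GUI/CLI access at all
    perms = user.permissions()
    if SECURITY_OFFICER in perms:
        return True   # root access to all permissions and all endpoints
    if permission in ENDPOINT_ASSOCIATED:
        # Needs both the action permission and the Table 2 endpoint permission.
        return endpoint is not None and permission in perms and endpoint in perms
    if permission in ENDPOINT_UNRELATED:
        return permission in perms
    return False


def can_view_global_config(user: User) -> bool:
    """Any single Table 1 permission lets a user view SKLMConfig.properties
    parameters, the key server status and the last backup date."""
    if ACCESS_GROUP not in user.groups:
        return False
    perms = user.permissions()
    return SECURITY_OFFICER in perms or bool(perms & ALL_ACTION_PERMISSIONS)


if __name__ == "__main__":
    # Constructed sample users.
    officer = User("sklmadmin", {"klmSecurityOfficerGroup", ACCESS_GROUP})
    auditor = User("lto_auditor", {"LTOAuditor", ACCESS_GROUP})
    backup_op = User("backup_op", {"klmBackupRestoreGroup", ACCESS_GROUP})
    no_access = User("orphan", {"LTOAdmin"})  # missing klmGUICLIAccessGroup
    print(is_authorized(officer, "klmDelete", "DS8000"))   # True
    print(is_authorized(officer, "klmView", "myLTO"))      # True (user-defined endpoint)
    print(is_authorized(auditor, "klmView", "LTO"))        # True
    print(is_authorized(auditor, "klmView", "DS8000"))     # False (no DS8000 permission)
    print(is_authorized(auditor, "klmDelete", "LTO"))      # False (no klmDelete)
    print(is_authorized(backup_op, "klmRestore"))          # True
    print(is_authorized(no_access, "klmView", "LTO"))      # False
```

The point the model makes visible is that the two columns of Table 1 are two different checks: an endpoint-associated permission such as klmView is useless without a matching Table 2 endpoint permission, whereas klmBackup or klmRestore stands alone, and only the klmSecurityOfficer role bypasses both checks.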