How to control user access to tokens

An openCryptoki administrator can configure user access to the token directories (including the respective token object repositories) in a way that a certain user can access the token directory of one token but not the token directory of another token.

A user who wants to access a certain token repository and the pertaining token objects must be a member of a certain token-specific user group. For a member of such a group, there is no further impact on using openCryptoki. Users who are not members of a token-specific group do not have access to that token; they will not even see the token listed as available by the pkcsconf -t command or by the C_GetTokenInfo() function.

Note: All users must still be members of the pkcs11 group to be able to use openCryptoki in general (see General access control).

By default, all tokens remain owned by the pkcs11 group. If an openCryptoki administrator (who needs root access for this) wants a token to be individually access-protected, they must explicitly configure this protection. The administrator must create a token-specific user group, add the desired users to it, and then configure openCryptoki and the token directories appropriately (see Individual access control).
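As an added example (not part of the openCryptoki documentation or project), the following POSIX shell function audits the filesystem side of that setup after the administrator has created the group and changed ownership: it verifies that a token directory and its object repository are group-owned by the token-specific group and carry no permission bits for "other", which is what keeps users outside the group from reaching the token. It assumes the usual openCryptoki layout of /var/lib/opencryptoki/<tokname> with a TOK_OBJ subdirectory, an intended mode of 0770 (or 2770 with setgid), and GNU stat; the openCryptoki configuration itself is covered by the Individual access control section the page refers to.

```shell
#!/bin/sh
# Added example, not openCryptoki's own tooling. Assumed layout (not stated on
# the page): token directory /var/lib/opencryptoki/<tokname> holding the
# object repository in TOK_OBJ. Requires GNU stat (-c format).

# check_token_dir DIR GROUP
# Returns 0 when DIR and DIR/TOK_OBJ are group-owned by GROUP and grant no
# access to "other"; prints one line per finding and returns 1 otherwise.
check_token_dir() {
    dir=$1
    group=$2
    rc=0
    for d in "$dir" "$dir/TOK_OBJ"; do
        if [ ! -d "$d" ]; then
            echo "MISSING: $d"
            rc=1
            continue
        fi
        owner_group=$(stat -c %G "$d")   # group name owning the directory
        mode=$(stat -c %a "$d")          # octal mode, e.g. 770 or 2770 (setgid)
        if [ "$owner_group" != "$group" ]; then
            echo "WRONG GROUP: $d is owned by group $owner_group, expected $group"
            rc=1
        fi
        # The last octal digit is the permission set for "other"; any non-zero
        # value exposes the token (and its objects) to every local user.
        case $mode in
            *0) ;;
            *)  echo "WORLD ACCESS: $d has mode $mode"; rc=1 ;;
        esac
    done
    return $rc
}

# Usage (assumed token name and group, constructed for illustration):
#   check_token_dir /var/lib/opencryptoki/swtok swtokgrp && echo "swtok: OK"
```

Run the check as root for each token listed in opencryptoki.conf after changing group ownership; a setgid bit (2770) on the directories is a sensible addition so that objects created later inherit the token-specific group instead of the creating user's primary group.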