Relations between users, groups, roles, and protected objects
To do useful work on protected objects, an IBM® Security Guardium® Key Lifecycle Manager user must have one or more roles. The role must enable an action, such as creating an object (for example, a device) in the LTO device family.
A user can be a member of a group. A group might have one or more roles. A role specifies authorization for an operation on protected objects. For example, protected objects include devices, device groups, cryptographic objects (certificates, keys, key pairs, and key groups), and rollover settings for certificates and key groups.