Contribute in GitHub: |

UKO User Roles

This topic covers the admin and operator user roles of UKO. There are three types of administrators in UKO:

Security administrator
UKO administrator
Vault administrator

Security administrator

The default security administrator is the hardcoded administrator who can add more security administrators, UKO administrators, and UKO operators. A security admin can also add, edit, or delete LDAP connections. LDAP directories have user lists that you can synchronize to the system and add the users with various roles.

A security administrator:

Can view the Administration page
Cannot view or download audit logs
Can view API but not passcodes

Regular security admins cannot delete or change the role of hardcoded security admin. But the hardcoded security admin can change the roles of regular security admins or delete them.

UKO administrator

UKO administrators can manage (add, edit, or delete) system roles and have access to all vaults. They can see other UKO Admins and UKO operator roles.

A UKO administrator

Can view and manage the Administration page
Can view and download audit logs
can view API and passcodes

UKO operator

A security administrator can assign the UKO operator role to users. Later, a UKO administrator can assign one or more of the Following UKO operator roles:

Vault Admin
Key Template Admin
Key Custodian 1
Key Custodian 2
UKO Auditor

A UKO operator without a vault-specific role:

Can view the Administration page
Cannot view or download audit logs
Can view API and passcodes

A UKO operator with a vault-specific role (except UKO Auditor):

Can view the Administration page
Cannot view or download audit logs
Can view API and passcodes

A UKO Auditor:

Can view the Administration page
Can view or download audit logs
Can view API and passcodes

For information about LDAP, see Lightweight Directory Access Protocol (LDAP). For information about user management, see Manage users.

Privileges of system roles and vault-specific roles

The following tables cover the privileges of system roles and vault-specific roles.

System roles

Scope	Security administrator	UKO administrator	UKO operator	CC ACSP manager	CC ACSP reader	Description
keys:read		✓				List and view individual keys from the database
keys:delete		✓				Delete keys
keys:list		✓	✓			List keys in general
keystores:read		✓				List and view individual keystore definitions
keystores:delete		✓				Delete keystores
keystores:list		✓	✓			List keystores in general
templates:read		✓				List and view individual key templates
templates:list		✓	✓			List key templates in general
templates:delete		✓				Delete key templates
vaults:read		✓				List and view individual key vaults
vaults:delete		✓				Delete key vaults
vaults:list	✓	✓	✓			Allows listing vaults in general
vaults:write		✓				Create and update key vaults
crypto_connect:servers:list		✓	✓	✓	✓	List CC ACSP servers
crypto_connect:servers:read		✓	✓	✓	✓	View CC ACSP servers
crypto_connect:servers:write				✓		Add and update CC ACSP servers
crypto_connect:servers:delete				✓		Remove CC ACSP servers
meta:get-analytics-statistics		✓	✓			View managed key analytics statistics
meta:get-analytics-settings		✓	✓			View managed key analytics settings
meta:get-analytics-schedules		✓	✓			View automation schedule for managed key analytics
meta:list-analytics-runs		✓	✓			View history of analytics runs
meta:set-analytics-settings		✓				Manage settings for managed key analytics
meta:create-analytics-schedule		✓				Create automation schedule for managed key analytics
meta:update-analytics-schedule		✓				Update automation schedule for managed key analytics
meta:delete-analytics-schedule		✓				Delete automation schedule for managed key analytics
meta:initiate-analytics-run		✓				Run managed key analytics
meta:get-analytics-run		✓				View the details of a single analitycs run
meta:stop-analytics-run		✓				Cancel managed key analytics

Vault-specific roles

Scope	Vault administrator	Key custodian 1	Key custodian 2	Key Template Admin	UKO auditor	Description
keys:read	✓	✓	✓	✓	✓	List and view individual keys from the database
keys:delete	✓	✓	✓			Delete keys
keys:write		✓	✓			Write keys
keys:write:dates		✓				Change dates of keys (for example, expiration date)
keys:write:tags		✓				Update tags for a key (not label tags from the naming scheme, just tags)
keys:pre_activation:activate			✓			Activate keys in PRE-ACTIVATION state
keys:pre_activation:destroy		✓	✓			Destroy keys in PRE-ACTIVATION state
keys:pre_activation:uninstall		✓	✓			Uninstall keys in PRE-ACTIVATION state
keys:active:deactivate		✓	✓			Deactivate keys that are in the ACTIVE state
keys:active:install		✓	✓			Install active keys in keystores
keys:active:uninstall		✓	✓			Uninstall active keys from keystores
keys:non_existing:generate		✓				Generate keys that are in the PRE-ACTIVATION state. To generate keys in ACTIVE state, the user must also have the keys:pre_activation:activate role.
keys:deactivated:uninstall		✓	✓			Uninstall deactivated keys from keystores
keys:deactivated:install			✓			Install deactivated keys in keystores
keys:deactivated:destroy			✓			Destroy keys in DEACTIVATED state
keys:deactivated:reactivate			✓			Reactivate keys that are in the DEACTIVATED state
keystores:write	✓					Create and update keystore definitions
keystores:read	✓	✓	✓	✓	✓	List and view individual keystore definitions
keystores:delete	✓					Delete keystores
templates:create				✓		Create key templates
templates:read	✓	✓	✓	✓	✓	List and view individual key templates
templates:write				✓		Create and update key templates. This role also allows the setup of hierarchy keys.
templates:list				✓		Allows listing key templates in general
templates:delete	✓					Delete key templates
vaults:read	✓	✓	✓	✓	✓	List and view individual key vaults