CipherTrust Manager Administration

Group Mapping


Group maps extend group-based configuration of CipherTrust Manager users to Lightweight Directory Access Protocol (LDAP) or OpenID Connect (OIDC) groups that belong to an Access Management LDAP or OIDC connection. A group map associates an LDAP or OIDC group on a specific connection with a CipherTrust Manager group, so that members of the directory group inherit the CipherTrust Manager group's permissions when they authenticate through that connection.

For example, an LDAP group can be mapped to the system-defined `Key Users` group to allow the LDAP group's members to create and use keys. Alternatively, an LDAP or OIDC group can be mapped to a newly created CipherTrust Manager group on which group-based key permissions are configured.

Connection Requirements

To set up group maps, the LDAP or OIDC connection must be configured with the information needed to look up a given user's group membership on the authentication server. LDAP connections require six group-lookup fields to be populated before group maps can be used. OIDC connections require a group claim before group maps can be used.

Note

Group maps are not applicable to the LDAP or OIDC connections available through Connection Manager; only Access Management connections support them.

Create a Group Map

  1. Log in to CipherTrust Manager as admin or another user in the User Admins group.

  2. Navigate to Access Management > Groups.

  3. Click the desired group name.

  4. Click + Add Group Map.

  5. Provide the following configuration details:

    • Strategy - select ldap or oidc from the drop-down menu, matching the type of the connection.

    • Connection Name - select the desired OIDC or LDAP connection from the drop-down menu.

    • Connection Group Name - type in the name of the OIDC or LDAP group exactly as the authentication server reports it.

  6. Click Add Group Map to confirm.

View and Delete Group Maps for a Group

  1. Log in to CipherTrust Manager as admin or another user in the User Admins group.

  2. Navigate to Access Management > Groups.

  3. Click the desired group name.

  4. View the currently mapped groups under Connection groups mapped to the <CipherTrust Manager group name> group.

  5. If desired, delete a group map by clicking the trash can icon to the right of the group map row. Members of the removed directory group lose the CipherTrust Manager group's permissions on their next login.

Example Use Cases

The utility of group maps is illustrated by the following examples. LDAP groups are shown, but OIDC groups apply to the same scenarios.

Making All Users in a Specific LDAP Group Members of Key Users Group

Assume that there is an LDAP connection named bababini containing a group named IT. All users in the IT group should have the ability to create keys. This can be achieved by creating a group map from the LDAP IT group to the built-in CipherTrust Manager 'Key Users' group:

  1. Log in to CipherTrust Manager as admin or another user in the User Admins group.

  2. Navigate to Access Management > Groups.

  3. Click the 'Key Users' group name.

  4. Click + Add Group Map.

  5. Provide the following configuration details:

    • Strategy - select ldap from the drop-down menu.

    • Connection Name - select the bababini connection from the drop-down menu.

    • Connection Group Name - type in IT.

  6. Click Add Group Map to confirm.

Users in the LDAP group IT on the bababini connection can now create keys. Note that group maps are scoped to a connection: a group also named IT on a different LDAP connection is not affected.

Two LDAP Groups Share Keys

Assume that there is an LDAP connection named bababini containing two groups: IT and Engineering. It is desired to share cryptographic keys between the two LDAP groups. This can be achieved by the following steps:

  1. Create a user-defined group on CipherTrust Manager called it-engg-shared-keys.

  2. Create cryptographic keys and grant all users in the it-engg-shared-keys group access to those keys.

  3. Create a group map between the LDAP group IT and it-engg-shared-keys:

    1. Click the it-engg-shared-keys group name.

    2. Click + Add Group Map.

    3. Provide the following configuration details:

      • Strategy - select ldap from the drop-down menu.

      • Connection Name - select the bababini connection from the drop-down menu.

      • Connection Group Name - type in IT.

    4. Click Add Group Map to confirm.

  4. Create a group map between the LDAP group Engineering and it-engg-shared-keys:

    1. Click the it-engg-shared-keys group name.

    2. Click + Add Group Map.

    3. Provide the following configuration details:

      • Strategy - select ldap from the drop-down menu.

      • Connection Name - select the bababini connection from the drop-down menu.

      • Connection Group Name - type in Engineering.

    4. Click Add Group Map to confirm.

Users in both LDAP groups can now share all keys whose permissions grant access to the it-engg-shared-keys group. Because membership is taken from the directory at login, anyone the directory administrator adds to IT or Engineering gains that access automatically; review the group maps on each CipherTrust Manager group when auditing key permissions.
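The following is an added example, not part of the original page and not CipherTrust Manager code: a small local model of how the two use cases above resolve. It encodes the three group maps from the examples plus a hypothetical map on an assumed OIDC connection named corp-oidc, and a constructed table of what each authentication server reports for a user. The resolver keys each map on (strategy, connection, connection group), which is what makes a group called IT on a different connection (the assumed other-ldap below) map to nothing. The `who_inherits` helper is the audit view a reviewer would want: every directory group that feeds a given CipherTrust Manager group. Exact string matching of group names is an assumption of this model.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class GroupMap:
    strategy: str          # "ldap" or "oidc"
    connection: str        # Access Management connection name
    connection_group: str  # group name as reported by the authentication server
    cm_group: str          # CipherTrust Manager group whose permissions are inherited


# Constructed sample: the maps created in the two use cases above, plus one
# hypothetical OIDC map (connection corp-oidc and group oidc-it-keys are assumed).
GROUP_MAPS = [
    GroupMap("ldap", "bababini", "IT", "Key Users"),
    GroupMap("ldap", "bababini", "IT", "it-engg-shared-keys"),
    GroupMap("ldap", "bababini", "Engineering", "it-engg-shared-keys"),
    GroupMap("oidc", "corp-oidc", "IT", "oidc-it-keys"),
]

# Constructed sample: groups each authentication server reports for a user
# (for LDAP, the result of the connection's group lookup; for OIDC, the group claim).
DIRECTORY = {
    ("ldap", "bababini", "alice"): {"IT"},
    ("ldap", "bababini", "bob"): {"Engineering"},
    ("ldap", "bababini", "carol"): {"Finance"},
    ("oidc", "corp-oidc", "dave"): {"IT"},
    ("ldap", "other-ldap", "eve"): {"IT"},   # same group name, different connection
}


def resolve_groups(strategy, connection, server_groups, maps):
    """Return the CipherTrust Manager groups a user inherits through group maps.

    A map only applies when strategy, connection name and group name all match,
    so the same group name on another connection contributes nothing.
    """
    index = {}
    for m in maps:
        key = (m.strategy, m.connection, m.connection_group)
        index.setdefault(key, set()).add(m.cm_group)
    effective = set()
    for group in server_groups:
        effective |= index.get((strategy, connection, group), set())
    return effective


def effective_groups(user_key, maps=GROUP_MAPS, directory=DIRECTORY):
    """user_key is (strategy, connection, username) as used in DIRECTORY."""
    strategy, connection, _ = user_key
    return resolve_groups(strategy, connection, directory.get(user_key, set()), maps)


def can_access(user_key, key_acl_groups, maps=GROUP_MAPS, directory=DIRECTORY):
    """True if any inherited CM group appears in the key's group permissions."""
    return bool(effective_groups(user_key, maps, directory) & set(key_acl_groups))


def who_inherits(cm_group, maps=GROUP_MAPS):
    """Audit helper: every (strategy, connection, group) that feeds a CM group."""
    return sorted(
        (m.strategy, m.connection, m.connection_group)
        for m in maps
        if m.cm_group == cm_group
    )


if __name__ == "__main__":
    for user in DIRECTORY:
        print(user[2], "->", sorted(effective_groups(user)))
    print("it-engg-shared-keys is fed by:", who_inherits("it-engg-shared-keys"))
```

Running the block shows alice landing in both Key Users and it-engg-shared-keys, bob only in it-engg-shared-keys, carol in nothing, and eve in nothing despite being in a group named IT, because her connection has no map. The `who_inherits` output is the list to review whenever a key is granted to a CipherTrust Manager group: every directory group it names can enlarge that key's audience without any change on CipherTrust Manager.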