Required User Permissions
This section provides the complete list of permissions required by a CipherTrust Manager user to perform operations on Oracle Cloud Infrastructure (OCI) resources using CCKM.
Create Operations (post)
| Operation | Required Permissions | ACLs |
|---|---|---|
| Get compartment | GetOCICompartmentCCKM | |
| Add compartment | ReadOCICompartmentsCCKM, AddOCICompartmentsCCKM | |
| Get defined tags | No permissions required | |
| List buckets | No permissions required | |
| Get subscribed regions | No permissions required | |
| Get vaults | GetOCIVaultsCCKM | |
| Add vaults | ReadOciVault, AddOCIVaultsCCKM | |
| Update ACLs for vault | ApplyAclsCCKM | |
| Create key | CreatKeyCCKM | keycreate |
| Refresh key by id | SyncKeysCCKM | keysynchronize |
| Delete backup by key id | DeleteKeyCCKM | deletebackup |
| Restore key by id | UpdateRestoreKeyCCKM | keyrestore |
| Schedule delete the key by id | DeleteKeyCCKM | keydelete |
| Cancel delete the key by id | DeleteKeyCCKM | keycanceldelete |
| Create a synchronize job | ReadOciVault, SyncKeysCCKM, SyncStatusKeysCCKM, ReadOCICompartmentsCCKM | keysynchronize |
| Cancel synchronization job by id | SyncStatusKeysCCKM | keysynchronize |
| Add key version to key by id | AddKeyVersionCCKM if source_key_tier == local CreateKey if source_key_tier == dsm GetDSMDomainCCKM if source_key_tier == hsm-luna | If source-key-tier is local: keyrotatetobyok; if source-key-tier is EXTERNAL: hyokkeyrotate; else: keyrotatetonative |
| Upload Key | If source_key_tier == local: CreatKeyCCKM; if source_key_tier == dsm: GetDSMDomainCCKM; if source_key_tier == hsm-luna: pending | keyupload |
| Enable a key | UpdateKeyCCKM | keyupdate |
| Disable a key | UpdateKeyCCKM | keyupdate |
| Change Compartment of a key | UpdateKeyCCKM | keyupdate |
| Schedule delete the key version by id | DeleteKeyCCKM | keydelete |
| Cancel deletion of the key | DeleteKeyCCKM | keycanceldelete |
| Enable auto-rotation | UpdateKeyCCKM, ReadJob | keyupdate |
| Disable auto-rotation | UpdateKeyCCKM | keyupdate |
| Create report | CreateReportCCKM, ReadOciVault, ReportStatusCCKM | reportcreate |
| Create Issuer | AddOciIssuerCCKM | view |
| Create OCI External Vaults | CreateOciExternalVaultCCKM | view |
| Create external keys in OCI external vault | CreatKeyCCKM, ReadKey | view, hyokkeycreate |
| Enables OCI external vault | UpdateOciVault | view |
| Disables OCI external vault | UpdateOciVault | view |
Read Operations (get)
| Operation | Required Permissions | ACLs |
|---|---|---|
| List compartment | ReadOCICompartmentsCCKM | |
| Get compartment by id | ReadOCICompartmentsCCKM | |
| List vaults | ReadOciVault | |
| Get vaults by id | PermissionCCKMAddOCIVAULTS | |
| List key | ReadKeyCCKM | If key material origin is HYOK-CCKM: viewhyokkey else: view |
| Get key by id | ReadKeyCCKM | If key material origin is HYOK-CCKM: viewhyokkey else: view |
| List synchronization jobs | SyncStatusKeysCCKM | |
| Get synchronization job by id | SyncStatusKeysCCKM | |
| List key version | ReadKeyCCKM | |
| Get Key Version details | ReadKeyCCKM | |
| List Report | ReportStatusCCKM | reportview |
| Get Report by ID | ReportStatusCCKM | reportview |
| Get Contents | ReportStatusCCKM | reportview |
| Download report by id | ReportStatusCCKM | reportdownload |
| List Issuer | ReadOciIssuerCCKM | view |
| Get issuer by id | ReadOciIssuerCCKM | view |
Update Operations (patch)
| Operation | Required Permissions | ACLs |
|---|---|---|
| Update vaults by id | UpdateOciVault | |
| Update key by id | UpdateKeyCCKM | If key material origin is HYOK-CCKM: hyokkeyupdate else: keyupdate |
| Update issuer by id | UpdateOciIssuerCCKM | view |
Delete Operations (delete)
| Operation | Required Permissions | ACLs |
|---|---|---|
| Delete compartment by id | DeleteOCICompartmentsCCKM | |
| Delete vault by id | DeleteOCIVaultsCCKM | |
| Delete key by id | DeleteKeyCCKM | If key material origin is HYOK-CCKM: hyokkeydelete else: keydelete |
| Delete Report by ID | DeleteReportsCCKM | reportdelete |
| Delete issuer | DeleteOciIssuerCCKM | view |