Authorization policy configuration page – HP Secure Key Manager User Manual
Page 134
Description
Component
A check mark in the box indicates that the key is deletable via an XML request by the
key owner (or any user for global keys). After a key is created, this value may be
changed.
Deletable
A check mark in the box indicates that the key is exportable via an XML request. An
exportable key can be exported by its owner and by members of a group with “Export”
permission for the key. A global key marked exportable can be exported by any user.
After a key is created, this value may be changed.
Exportable
To import a key to the server, you must enter the properly encoded bytes of the key in
the Key field.
Key
Click Import to import the key.
Import
Authorization Policy Configuration Page
An authorization policy enables you to limit how a group may use a key. You implement an
authorization policy when establishing a key's group permissions. The policies are applied to a key
separately for each group; groups that share a key do not necessarily share the same authorization
policy.
NOTE:
The key owner is never limited by the key's policy restrictions.
Authorization policies define two kinds of limits:
•
Rate Limits: The number of cryptographic operations (per hour) that members of the group can
perform. The default is unlimited operations. If a user attempts to perform an operation and has
exceeded the rate limit, an error is returned and the connection is closed.
NOTE:
Rate limiting is done on a per-user basis, not on a per-group basis. If the limit is 500 operations,
each user in the group can perform 500 operations with the key.
•
Time Limits: The hours or days in which members of the group can perform operations. The default
is unlimited access. If a member of a restricted group attempts to use the key outside of the desig-
nated time, an error is returned and the connection is closed.
For more information on the Group Permissions section please see
Once an authorization policy is defined it is associated with a key and a group through the Group
Permissions section in the Management Console. Individual keys can be associated with multiple
groups which may in turn have differing or conflicting authorization policies. In this case, the server
chooses the least restrictive authorization policy available (the most operations per hour for the current
time of day).
By default, no authorization policies are assigned to any group.
Using the Management Console
134