LDAP administrators, Using multiple administrator accounts, High access administrators – HP Secure Key Manager User Manual

Page 202: Default administrator, Local and LDAP administrators, Administrator passwords

Using multiple administrator accounts

Most likely, you will want to create multiple administrators. When doing so, you should assign access controls that mirror your organization’s procedures. For example, if you separate the tasks of key management, system backup, and device configuration, you’ll want to create unique administrators for each of those roles.

When creating an administrator, you should assign the minimum amount of access controls needed. For example, a backup administrator will only need the Backup & Restore access controls. (You’ll probably also want to assign an Administrative Access access control to most of your administrators.)

NOTE:

We strongly discourage the sharing of administrator accounts. Each administrator should have their own administrator account.

High Access Administrators

When creating or modifying an administrator, you can select the High Access Administrator field. High Access administrators have all access controls. They, therefore, have full control over the configuration of the SKM appliance: they can create and delete administrator accounts, change administrator passwords, and assign and revoke access controls. When you select this option, you’ll notice that the system will automatically enable all of the access controls for that administrator.

NOTE:

Take great caution when creating High Access Administrators. It might be helpful to think of such administrators as super users who can change the passwords of local administrators, assign and revoke permissions, and create and delete administrators.

Both local and LDAP administrators can be High Access Administrators.
The admin account created during first-time initialization is a local High Access Administrator.

Default Administrator

The SKM appliance ships with a default administrator (admin), which is a local High Access Administrator. Once the initial configuration is complete, you must log in as admin; thereafter, you can create different administrators and log in with a different username.

Local and LDAP Administrators

The SKM appliance supports two types of administrators: local and LDAP. Functionally, local and LDAP administrators have the same capabilities. For example, both local and LDAP administrators can be High Access administrators. You can have multiple local and LDAP administrators at the same time.

Administrator passwords

Local administrators are created within the SKM environment, either on the local device, or on a member of a cluster. They are managed entirely on the SKM appliance. Local administrator usernames are restricted to letters and numbers only, must start with a letter, and can be up to 30 characters long. Local administrator passwords must adhere to the SKM appliance’s password policies. These are discussed in “Password Management Overview” on page 207.
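
The following is an added example, not part of the HP manual or any SKM tooling: a Python audit of an administrator inventory against the guidance on this page (minimum access controls per role, review of High Access Administrators, and the local username rule). The record layout, role names, and the placeholder access control are assumptions; only "Backup & Restore" and "Administrative Access" are names taken from the page.

```python
import re

# Local username rule from this page: letters and numbers only,
# must start with a letter, at most 30 characters.
LOCAL_USERNAME = re.compile(r"[A-Za-z][A-Za-z0-9]{0,29}")

def audit_admins(admins, baseline):
    """Return sorted (username, finding) pairs for a list of admin records.

    baseline maps a role name to the set of access controls that role needs.
    """
    findings = []
    for a in admins:
        name = a["username"]
        if a["type"] == "local" and not LOCAL_USERNAME.fullmatch(name):
            findings.append((name, "invalid local username"))
        if a["high_access"]:
            # High Access implies every access control, so a per-role
            # comparison is meaningless; list the account for review instead.
            findings.append((name, "High Access Administrator: confirm need"))
            continue
        allowed = baseline.get(a["role"])
        if allowed is None:
            findings.append((name, "no baseline defined for role " + a["role"]))
            continue
        extra = a["access_controls"] - allowed
        if extra:
            findings.append((name, "excess access controls: " + ", ".join(sorted(extra))))
    return sorted(findings)

# Constructed sample data. The record layout and role names are assumptions;
# "PLACEHOLDER-other-control" stands in for any access control not needed for backups.
BASELINE = {"backup": {"Backup & Restore", "Administrative Access"}}
ADMINS = [
    {"username": "admin", "type": "local", "role": "superuser",
     "high_access": True, "access_controls": set()},
    {"username": "backup1", "type": "local", "role": "backup", "high_access": False,
     "access_controls": {"Backup & Restore", "Administrative Access"}},
    {"username": "backup2", "type": "local", "role": "backup", "high_access": False,
     "access_controls": {"Backup & Restore", "PLACEHOLDER-other-control"}},
    {"username": "2ndshift-ops", "type": "local", "role": "backup",
     "high_access": False, "access_controls": {"Backup & Restore"}},
    {"username": "jane.doe", "type": "ldap", "role": "key-management",
     "high_access": False, "access_controls": set()},
]

if __name__ == "__main__":
    for user, finding in audit_admins(ADMINS, BASELINE):
        print(f"{user}: {finding}")
```

The username rule is applied only to local accounts, because the page states it for local administrators and gives no rule for LDAP usernames.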

202

Using the Management Console