
Set User Access to Ranger KMS

To give a user access to the keys needed for encryption, create a policy in Apache Ranger KMS as follows:

  1. Log in to Ranger and select Access Manager > Resource Based Policies.

  2. Under KMS, click privacera_kms.

  3. Under List of Policies: privacera_kms, click Add New Policy.

  4. In the Create Policy screen, enter the following information to create a policy and provide access to the user:

    • Policy Name: Enter the access policy name.

    • Policy Label: Optional label name.

    • Key Name: Type a character to list the existing key names that are already generated in Ranger.

    • Description: Enter a description for the policy.

    • Audit Logging: Toggle Yes or No.

  5. Under Allow Conditions, select the following:

    • Select Role: Enter or select from existing roles.

    • Select Group: Enter or select from existing groups.

    • Select User: The username that will be used in the encryption API. Select an existing user or enter a new user name.

    • Add Permissions: Select user permissions - Create, Delete, Rollover, Set Key Material, Get, Get Keys, Get Metadata, Generate EEK, Decrypt EEK, Select/Deselect All.

    • Delegate Admin: Select if this user is delegated as the admin.

  6. Similarly, for specific users, you can select users under Exclude from Allow Conditions, Deny Conditions, and Exclude from Deny Conditions.

  7. Click Add to save the policy. 
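The form fields in steps 4 and 5 correspond to a policy document that can be reviewed before it is saved. The following is an added example, not Privacera or Ranger code: it builds that document as a JSON body and flags grants that deserve a second look. It assumes the Apache Ranger public v2 REST API (`POST /service/public/v2/api/policy`) and the access-type identifiers of the Apache Ranger KMS service definition; `build_kms_policy`, `review_policy`, the policy name and the key name `demo_key` are hypothetical.

```python
import json

# Form permission labels -> access types in the Apache Ranger KMS service definition.
KMS_ACCESS = {
    "Create": "create", "Delete": "delete", "Rollover": "rollover",
    "Set Key Material": "setkeymaterial", "Get": "get", "Get Keys": "getkeys",
    "Get Metadata": "getmetadata", "Generate EEK": "generateeek",
    "Decrypt EEK": "decrypteek",
}
KEY_MANAGEMENT = {"create", "delete", "rollover", "setkeymaterial"}

def build_kms_policy(name, key_names, users, permissions, groups=(), roles=(),
                     service="privacera_kms", audit=True, delegate_admin=False):
    """Build the JSON body for POST /service/public/v2/api/policy (assumed API)."""
    unknown = sorted(set(permissions) - set(KMS_ACCESS))
    if unknown:
        raise ValueError(f"unknown KMS permission(s): {unknown}")
    allow = {
        "users": list(users), "groups": list(groups), "roles": list(roles),
        "accesses": [{"type": KMS_ACCESS[p], "isAllowed": True} for p in permissions],
        "delegateAdmin": delegate_admin,
    }
    return {
        "service": service, "name": name, "isEnabled": True,
        "isAuditEnabled": audit,
        "resources": {"keyname": {"values": list(key_names)}},
        "policyItems": [allow],
    }

def review_policy(policy):
    """Return findings for grants that deserve a second look before saving."""
    findings = []
    wildcard = any("*" in k for k in policy["resources"]["keyname"]["values"])
    for item in policy["policyItems"]:
        granted = {a["type"] for a in item["accesses"] if a["isAllowed"]}
        if item.get("delegateAdmin"):
            findings.append("delegateAdmin lets the grantee manage policies for these keys")
        if wildcard and granted & KEY_MANAGEMENT:
            findings.append("key-management permissions granted on a wildcard key name")
        if "public" in item.get("groups", []):
            findings.append("group 'public' applies the grant to every user")
    if not policy.get("isAuditEnabled"):
        findings.append("audit logging is disabled for this policy")
    return findings

if __name__ == "__main__":
    # Constructed sample input: policy name and key name are placeholders.
    p = build_kms_policy("encryption-api-user", ["demo_key"],
                         ["privacera_service_discovery"], ["Generate EEK", "Decrypt EEK"])
    print(json.dumps(p, indent=2), review_policy(p))
```
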

Set User Access for Encryption Service

To set user access for the Encryption Service in the Apache Ranger KMS, use the following steps:

  1. Log in to the Ranger portal.

  2. Under the Access Manager tab, select the privacera_kms policy.

  3. Click the edit button next to the all - key policy.

  4. Under Allow Conditions, search for and select the privacera_service_discovery user in the Select User dropdown list. For more information on the user, see Add Discovery User for Encryption Service.