User's Guide: Create, Update, Revoke Third-Party Groups

1.0 Introduction

Welcome to the Fortanix Confidential Computing Manager (CCM) User Guide. This document describes the steps to create, update, and revoke third-party groups in CCM.

A Fortanix CCM third-party group is an entity that is created when two groups from different Fortanix CCM accounts wish to collaborate. During collaboration, they can share the objects of each other’s groups.

2.0 Create Multi-Party Groups

2.1 Create Source Group

This section uses an example to explain the collaboration between three CCM groups from different CCM accounts in a single workflow, where one group is the Source group and the other two groups are the Recipient groups.

The steps to create a third-party source group for workflow collaboration are:

  1. Log in to Fortanix CCM and create a new account, for example, DemoA, or go to an existing account.
    For steps to log in and create a new Fortanix CCM account, refer to User’s Guide: Logging In.

  2. On the Groups page, click ADD GROUP on the top-right corner of the screen to create the source group.

    Figure 1: Create source group

  3. In the Create Group form, enter the Name of the source group, for example: DemoA-Group1.

  4. Click CREATE GROUP to create the source group.

    Figure 2: Create source group

    The group is successfully created.

  5. Click the group to go to the detailed view of the source group.

  6. Now create a new application in the source group to participate in the workflow collaboration. Click the add button on the Applications tile.

    Figure 3: Source group - detailed view

  7. Create an EDP or Enclave OS application in the source group.
    For steps to create an application, refer to the User’s Guide: Add and Edit an application.

2.2 Create Recipient Groups

To create the recipient groups to participate in a workflow collaboration, follow the steps outlined below.

NOTE

To collaborate with the resources in the source group, you need to create two new additional groups in different Fortanix CCM accounts.

  1. Create two new Fortanix CCM accounts, for example, DemoB and DemoC, or log in to existing accounts if already present. For steps to log in and create a new Fortanix CCM account, refer to User’s Guide: Logging In.

  2. Repeat Steps 2 to 4 in Section 2.1: Create Source Group to create the two new recipient groups, for example, DemoB-Group2 and DemoC-Group3.

  3. Now create a new dataset for the recipient groups to participate in the workflow collaboration.
    Go to the detailed view of the group DemoB-Group2 and click the add (plus) icon on the Datasets tile.

  4. In the CREATE NEW DATASET form,

    1. Enter a Name for the dataset, for example: DatasetB.

    2. Enter a Description (optional) and attach one or more key-value labels to the dataset for the Labels field (optional).

    3. Select the group for the dataset, that is, DemoB-Group2.

    4. Enter the URL of where the dataset can be accessed in the Location field.

    5. In the Long Description field, enter the content in GitHub-flavoured Markdown file format. You can also use the Fetch Long Description button to get the Markdown file content from an external URL.

    6. Enter the Credentials needed to access the data.

    7. Click CREATE DATASET to create the dataset for the recipient group DemoB-Group2.

      Figure 4: Create dataset for the recipient group

      The dataset is created successfully.

  5. Repeat Steps 3 to 4 above to create a dataset, for example, DatasetC, for the recipient group DemoC-Group3.

    Figure 5: Create dataset for the recipient group

2.3 Share Participation Token

For a Fortanix CCM source group to request collaboration with a Fortanix CCM recipient group, the source group must prove to the recipient group that its request is authorized. To achieve this, each recipient group generates a 'group participation token' and shares it with the source group. When the source group requests collaboration with a recipient group, it presents that recipient group's participation token in the request. The recipient group verifies the participation token in the request and thereby authenticates the source group. The token is a bearer credential: possession of the token is what the request is checked against, and the recipient group must still explicitly approve the resulting third-party group (see Section 2.4) before collaboration can begin.

To share the participation token:

  1. Go to the detailed view of DemoB-Group2 in the DemoB account and in the GENERAL tab, click the GENERATE TOKEN button in the “Participation Tokens” section to generate a new participation token.

    Figure 6: Generate Token

  2. Click the COPY icon to copy the participation token. This participation token must be shared with the source group for collaboration. How the token can be shared is out of the scope of this guide.

    Figure 7: Copy participation token

  3. Similarly, go to the detailed view of DemoC-Group3 in the DemoC account and repeat Steps 1 to 2 above to copy the participation token of DemoC-Group3 and share it with the source group.

  4. You can also view the generated participation token by clicking the VIEW TOKENS button.

    Figure 8: View token

2.4 Create Third-Party Shared Group

To create a third-party group for workflow collaboration, follow the steps outlined below:

  1. Go to the detailed view of the source group, that is, DemoA-Group1, in the account DemoA.

  2. Click the SHARE button on the top-right corner of the page.

    Figure 9: Share group

  3. In the TOKENS dialog box, paste the group participation token shared by the recipient group in Section 2.3: Share Participation Token.

  4. Click SHARE to create the third-party group.

    Figure 10: Enter participation token

  5. On the Groups page, click the THIRD PARTY GROUPS tab.

  6. On the Third Party Groups page, under the SOURCE ROLE tab, you will see that the source group DemoA-Group1 in the GROUP column is now associated with a recipient group DemoB-Group2 in the RECIPIENT GROUP column.

    Figure 11: Source group association

  7. In the STATUS column, you will see that the status of the third-party group creation is still in a Pending state.

    NOTE

    The recipient groups must accept the third-party group before collaboration can begin between the respective source and recipient groups.

  8. Go to the recipient group DemoB-Group2 and click the THIRD PARTY GROUPS tab.

  9. Click the RECIPIENT ROLE tab. Observe that the recipient group DemoB-Group2 now shows an association with the source group DemoA-Group1.

    Figure 12: Recipient group association

  10. To approve the third-party group association, click the More options icon in the recipient group row and expand the UPDATE STATUS menu.

  11. Click APPROVE to approve the collaboration.

    Figure 13: Approve collaboration

  12. The status is now updated to Accepted in the recipient and source groups.

    Figure 14: Status accepted

  13. Go to the source group and observe that the status is now updated to Accepted.

    Figure 15: Status accepted

  14. Similarly, repeat Steps 1 to 13 above to create a third-party shared group between the source group DemoA-Group1 and the recipient group DemoC-Group3, using the participation token that the DemoC-Group3 group member shared with the DemoA-Group1 group administrator.

    Figure 16: Third party shared group

2.5 Create a Shared Workflow

The source group administrator now initiates the collaboration between the source and recipient groups by creating a shared workflow. To do this, the source group administrator creates placeholder nodes and assigns them to members of the recipient groups, who then fill each node with a dataset or application for the collaboration.

To create a shared workflow, follow the steps outlined below. These steps must be performed by a source group administrator.

  1. In the DemoA account, click the Workflows menu item in the CCM UI left navigation bar.

  2. On the Workflows page, click +WORKFLOW to create a new workflow.

  3. In the CREATE NEW WORKFLOW form,

    1. Enter the workflow Name.

    2. In the Group field (optional), select the source group for the shared workflow. If no group is selected, the default group will be considered.

    3. Click CREATE WORKFLOW to create the shared workflow.

      Figure 17: Create shared workflow

  4. On the workflow graph, add an application that belongs to the source group DemoA-Group1.

    Figure 18: Add application to workflow graph

    For more information on how to create a workflow graph, refer to User’s Guide: Create Workflow.

  5. Add a dataset placeholder node that will be assigned to the recipient group DemoB-Group2.

    Figure 19: Add dataset

  6. Select the recipient group for the dataset.

    Figure 20: Select recipient group

    Figure 21: Select recipient group

  7. Similarly, follow Steps 5 to 6 above to add a dataset placeholder node from DemoC-Group3 to the workflow graph.

    Figure 22: Dataset added from recipient group

  8. Make a connection between the application and the two datasets.

  9. Click SAVE AS DRAFT to save the workflow as a draft so that the members of the recipient groups will see the draft workflow in their respective accounts and fill the placeholder nodes.

    Figure 23: Connect the application and datasets

2.6 Fill the Placeholder Nodes with Actual Data

The following steps must be performed by the recipient group members:

  1. As a group member of the recipient group DemoB-Group2 in the account DemoB, go to the Workflows page and click the Draft workflow tab.

  2. You will see the placeholder node that has been assigned to you by the group administrator of the source group DemoA-Group1.

    Figure 24: Fill placeholder nodes with data

  3. Click the placeholder node to add the dataset. In the ADD DATASET form, select the dataset that you created earlier in Section 2.2: Create Recipient Groups from the list.

    Figure 25: Select dataset

  4. After adding the dataset, click SAVE AS DRAFT to save the updated shared workflow.

    Figure 26: Save workflow draft

  5. As a group member of the recipient group DemoC-Group3, go to the DemoC account and repeat Steps 1 to 4 above to fill the placeholder node with the dataset that you created earlier in Section 2.2: Create Recipient Groups.

    Figure 27: Save workflow draft

  6. Now the workflow is complete with all the placeholder nodes filled by the respective recipient group members.

2.7 Request Approval to Create Approved Workflow

After the placeholder nodes of a workflow are filled with objects from the required recipient groups and the workflow is ready to go, each of the recipient groups must approve it.

NOTE

The source group cannot approve the request until all recipient groups approve it. This is to ensure that the recipient group members are confident about the data sharing.

After the shared workflow is approved by all participant groups, the shared workflow will be an approved workflow. To create an approved workflow, perform the steps outlined below:

  1. As a group administrator of the source group DemoA-Group1, go to the Draft workflow tab, and click the REQUEST APPROVAL button to request the recipient group members for workflow approval.

    Figure 28: Request shared workflow approval

    The workflow is now pending approval from other recipient group members. Click the Pending tab to see the workflow in the pending approval state.

    Figure 29: Pending approval

  2. As a group member of a recipient group, you must approve the workflow. Go to the Workflows page in the DemoB account, and in the Pending tab, click SHOW APPROVAL REQUEST to approve the workflow.

    Figure 30: Approve the workflow

  3. In the APPROVAL REQUEST – CREATE WORKFLOW dialog box, click APPROVE to approve the workflow.

    Figure 31: Approve workflow

  4. As a group member of the recipient group DemoC-Group3, repeat Steps 2 to 3 above to approve the workflow.

    Figure 32: Approve workflow

  5. After the recipient group members have approved the workflow, the group administrator of the source group must finally approve the workflow to complete the workflow approval process.

    Figure 33: Approve workflow

  6. The shared workflow will now appear in the Approved tab.

    Figure 34: Workflow approved

NOTE

After a shared workflow is in the approved state, no further changes can be made to the workflow. If you want to make changes using the EDIT WORKFLOW option as described in User’s Guide: Create Workflow, a new version of the workflow will be created. After the new version of the workflow is approved, it supplants the first version of the workflow.

2.8 Run the Shared Workflow

A shared workflow can only be run by the owner of the workflow, that is, the source group administrator. The participants, that is, the recipient group members, cannot run the workflow.

2.9 Revoke Token

A “Group Participation Token” can be revoked by a recipient group member. Revoking a Group Participation Token does not affect an existing third-party group collaboration between the recipient group and the source group; the workflow collaboration continues to work. To end an existing collaboration, revoke its status as described in Section 2.10: Revoke Status.

Figure 35: Revoke token

2.10 Revoke Status

To revoke the collaboration with the recipient or source group, click the More options icon on the Third Party Groups page and click REVOKE in the source or recipient group’s row to break the collaboration. The workflow collaboration will not work after this. The collaboration can be revoked from either the source or the recipient group.

Figure 36: Revoke collaboration status