User's Guide: Custom Role


1.0 Introduction

This article describes the steps to create named Custom user roles that allow fine-grained control over what users can do in Fortanix-Data-Security-Manager (DSM) accounts and groups.

2.0 Enabling Custom Roles

NOTE

In Fortanix DSM version 4.9, the Custom user roles feature must be explicitly enabled by a system administrator using the System Administration Settings after the software upgrade has completed successfully.

For on-prem clusters only - A system administrator must perform the following steps to enable this feature on your on-prem cluster:

  1. In the Fortanix DSM user interface (UI), navigate to System Administration Settings NEW FEATURES tab.

  2. On the New Features page, enable the toggle for Custom Roles.

    Figure 1: Enable custom roles

WARNING

Enable this feature only after verifying the software upgrade has completed successfully. If you later decide to downgrade to any version <= 4.8 after enabling this feature, ensure that all custom roles in the cluster are removed and the feature is disabled before proceeding with the downgrade.

3.0 Custom Roles

Custom user roles allow fine-grained control over what users can do in the Fortanix DSM accounts and groups. There are two types of Custom user roles: Custom account role and Custom group role.

Before the introduction of Custom user roles, Fortanix DSM only had five built-in roles for users: Account Administrator, Account Member, Account Auditor, Group Administrator, and Group Auditor. These are now referred to as “system roles”.

An account administrator can create any number of Custom account roles, with custom account-level permissions.

Similarly, a custom group role allows a user to have a user-defined set of permissions that apply to operations performed on objects within the group.

3.1 Custom Account Role

A Custom account role has the following properties:

  • permissions: The set of account-level permissions assigned to the user.

  • exclusive: This can be set to true or false. If set to true, the Custom account role is marked as exclusive, meaning it cannot be assigned alongside any other role.

  • all-groups role (optional): This is the unique ID of a Custom group role. If provided, the user assigned this Custom account role will automatically receive the specified group role across all groups in Fortanix DSM.

NOTE

  • Each user can have multiple Custom account roles assigned, as long as none of them is marked as exclusive. If a role is marked exclusive, then only that exclusive role can be assigned to the user. The same restriction applies to “all-groups roles”.

  • All system account roles (Account Administrator, Account Member, and Account Auditor) are considered exclusive. For the definition of system account roles in terms of these properties, refer to Section 3.4: System Roles in Terms of Custom User Roles.

3.2 Custom Group Role

A Custom group role has the following properties:

  • permissions: The set of group-level permissions assigned to the user.

  • exclusive: This can be set to true or false. If set to true, the Custom group role is marked as exclusive, meaning it cannot be assigned alongside any other role.

NOTE

  • Each user can have multiple Custom group roles within any given group (in addition to the “all-groups role” inherited from Custom account role(s)) as long as none of the assigned roles is marked exclusive. If a role is marked exclusive, then only that exclusive role can be assigned to the user.

  • All system group roles (Group Administrator and Group Auditor) are considered exclusive. For the definition of system group roles in terms of the above properties, refer to Section 3.4: System Roles in Terms of Custom User Roles.

3.3 Managing Custom User Roles

The following restrictions apply to role objects to maintain referential integrity and enforce the exclusivity rules outlined earlier:

  • A Custom user role cannot be deleted if it is referenced anywhere, that is, if it is assigned to a user, or in the case of Custom group roles, if it is referenced in a Custom account role as an “all-groups role”.

  • When updating Custom accounts or group roles, the “exclusive” flag cannot be modified once it is set.

  • When updating Custom account roles, the “all-groups role” ID cannot be changed.

  • Additionally, to prevent privilege escalation, a user is not allowed to add permissions that they do not currently possess to a role.

  • This applies to both the creation and updating of account and group roles. For the same reason, users are not allowed to assign roles that are more powerful than their own to other users.

3.4 System Roles in Terms of Custom User Roles

The Fortanix DSM “system roles” can be expressed in terms of Custom user roles as follows:

  • Account Administrator:

    • permissions: all account-level permissions.

    • exclusive: true

    • all-groups role: Group Administrator

  • Account Member:

    • permissions: read as well as modify most objects in the account but does not have administrative privileges in the account.

    • exclusive: true

    • all-groups role: none

  • Account Auditor:

    • permissions: read permissions (such as getting audit logs, and so on.) at the account level but cannot modify anything.

    • exclusive: true

    • all-groups role: Group Auditor

  • Group Administrator:

    • permissions: all group permissions.

    • exclusive: true

  • Group Auditor:

    • permissions: read permissions in a group.

    • exclusive: true

To learn more about the system roles, refer to Role-Based Access Control Authorization (RBAC).
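As an added illustration (this is not Fortanix code and not the DSM API), the following Python model encodes the rules stated in Sections 3.1 to 3.4 in one place: the exclusivity rule for account roles and for the all-groups roles they carry, the exclusive flag and all-groups role being fixed after creation, the referential-integrity check on deletion, and the no-escalation rule for creating and assigning roles. The permission names, user names, the "Key Ops" role and the permission sets given to the system roles are constructed for the example.

```python
# Added example, not Fortanix code: a small model of the Custom role rules in
# Sections 3.1 to 3.4. Permission names are constructed stand-ins for the UI labels.
from dataclasses import dataclass

class RoleError(Exception):
    """Raised when a change would break the exclusivity, integrity or escalation rules."""

@dataclass(frozen=True)
class AccountRole:
    name: str
    permissions: frozenset
    exclusive: bool
    all_groups_role: str = None  # name of a group role applied in every group, or None

# Constructed permission sets; the real catalogue is in Sections 4 and 5.
ACCOUNT_READ = frozenset({"GET_ALL_USERS", "GET_CUSTOM_ROLES", "GET_ADMIN_APPS"})
ACCOUNT_ADMIN_ONLY = frozenset({"MANAGE_AUTH", "MANAGE_LOGGING", "MANAGE_CUSTOM_ROLES"})
ACCOUNT_ALL = ACCOUNT_READ | ACCOUNT_ADMIN_ONLY | {"INVITE_USERS_TO_ACCOUNT"}

class RoleStore:
    def __init__(self):
        # Section 3.4: system roles expressed as custom roles; every one of them is exclusive.
        self.group_roles = {"Group Administrator": True, "Group Auditor": True}  # name -> exclusive
        self.account_roles = {
            "Account Administrator": AccountRole("Account Administrator", ACCOUNT_ALL, True, "Group Administrator"),
            "Account Member": AccountRole("Account Member", ACCOUNT_ALL - ACCOUNT_ADMIN_ONLY, True),
            "Account Auditor": AccountRole("Account Auditor", ACCOUNT_READ, True, "Group Auditor"),
        }
        self.assignments = {}  # user -> set of account role names

    def account_permissions(self, user):
        """Union of the permissions of every account role the user holds."""
        return frozenset().union(*(self.account_roles[n].permissions for n in self.assignments.get(user, ())))

    def _check_no_escalation(self, actor, permissions):
        # Section 3.3: a user may only put permissions they already hold into a role.
        missing = permissions - self.account_permissions(actor)
        if missing:
            raise RoleError(f"{actor} cannot grant permissions they lack: {sorted(missing)}")

    def create_account_role(self, actor, role):
        self._check_no_escalation(actor, role.permissions)
        if role.all_groups_role is not None and role.all_groups_role not in self.group_roles:
            raise RoleError("all-groups role must reference an existing group role")
        self.account_roles[role.name] = role

    def update_account_role(self, actor, role):
        old = self.account_roles[role.name]
        # Section 3.3: the exclusive flag and the all-groups role are fixed once set.
        if role.exclusive != old.exclusive or role.all_groups_role != old.all_groups_role:
            raise RoleError("exclusive flag and all-groups role cannot be changed on update")
        self._check_no_escalation(actor, role.permissions)
        self.account_roles[role.name] = role

    def assign_account_role(self, actor, user, name):
        role = self.account_roles[name]
        held = self.assignments.setdefault(user, set())
        # Section 3.1: an exclusive role never coexists with any other role.
        if held and (role.exclusive or any(self.account_roles[r].exclusive for r in held)):
            raise RoleError(f"{name} cannot be combined with {sorted(held)} for {user}")
        # The same rule applies to the all-groups roles carried by the account roles.
        held_ag = {self.account_roles[r].all_groups_role for r in held} - {None}
        if role.all_groups_role is not None and held_ag and (
                self.group_roles[role.all_groups_role] or any(self.group_roles[g] for g in held_ag)):
            raise RoleError(f"all-groups role {role.all_groups_role} conflicts with {sorted(held_ag)}")
        # Section 3.3: nobody may hand out a role more powerful than their own.
        if not role.permissions <= self.account_permissions(actor):
            raise RoleError(f"{actor} cannot assign {name}: it exceeds their own permissions")
        held.add(name)

    def delete_account_role(self, name):
        users = sorted(u for u, roles in self.assignments.items() if name in roles)
        if users:
            raise RoleError(f"{name} is still assigned to {users}")
        del self.account_roles[name]

    def delete_group_role(self, name):
        # Section 3.3: a group role referenced as an all-groups role cannot be deleted.
        referrers = sorted(r.name for r in self.account_roles.values() if r.all_groups_role == name)
        if referrers:
            raise RoleError(f"{name} is the all-groups role of {referrers}")
        del self.group_roles[name]

def violates(fn, *args):
    """True when the role rules reject the operation."""
    try:
        fn(*args)
    except RoleError:
        return True
    return False

def demo():
    """Walk through the rules with constructed users alice (administrator) and bob."""
    store = RoleStore()
    store.assignments["alice"] = {"Account Administrator"}  # seeded first administrator
    key_ops = AccountRole("Key Ops", frozenset({"GET_ALL_USERS", "INVITE_USERS_TO_ACCOUNT"}), False, "Group Auditor")
    store.create_account_role("alice", key_ops)
    store.assign_account_role("alice", "bob", "Key Ops")
    return {
        "bob_perms": store.account_permissions("bob"),
        "escalation_blocked": violates(store.create_account_role, "bob", AccountRole("Sneaky", frozenset({"MANAGE_AUTH"}), False)),
        "exclusive_blocked": violates(store.assign_account_role, "alice", "bob", "Account Auditor"),
        "flag_frozen": violates(store.update_account_role, "alice", AccountRole("Key Ops", key_ops.permissions, True, "Group Auditor")),
        "referenced_role_kept": violates(store.delete_group_role, "Group Auditor"),
        "assigned_role_kept": violates(store.delete_account_role, "Key Ops"),
    }
```

Calling demo() returns one entry per rule, each True where the model rejected the change: bob cannot create a role carrying Manage Auth, an exclusive system role cannot be stacked on his custom role, the exclusive flag cannot be flipped on update, and neither Group Auditor (referenced as an all-groups role) nor Key Ops (still assigned) can be deleted. Custom group roles within a single group follow the same exclusivity logic and would be modelled the same way.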

4.0 Creating a Custom Account Role

Perform the following steps to create a Custom account role:

  1. In the Fortanix DSM UI, navigate to Users CUSTOM ACCOUNT ROLES tab and click + to add a new custom account role.

    Figure 2: Add new custom account role form

  2. In the Add New Custom Account Role form, do the following:

    • Custom Role Name: Enter a name for the custom account role.

    • ADD DESCRIPTION (Optional): Enter a description to indicate the purpose of the role.

    • Exclusive Role: Enable the toggle button to mark this Custom account role as exclusive, meaning it cannot be assigned alongside any other custom account role. If disabled, users can be assigned this role in combination with other custom roles.

    • Select Permissions: You can configure the following permissions for the Custom account role:

      • Account

        • Manage Logging: A user with this permission is allowed to update the Log Management settings in the account configuration. This includes adding, deleting, or modifying custom log management integrations, as well as enabling or disabling audit logging to help debug applications encountering invalid API requests (4XX errors). For more information, refer to User’s Guide: Logging.

        • Manage Auth: A user with this permission is allowed to update the Authentication settings in the account configuration. They can configure either password-based authentication or Single Sign-On (SSO) authentication. For more information, refer to User’s Guide: Authentication.

        • Manage Workspace CSE: A user with this permission is allowed to create, update, and delete the Google Workspace Client-Side Encryption (CSE) API settings in the account configuration. For more information, refer to User’s Guide: Workspace CSE Client-Side Encryption.

        • Unwrap Workspace CSE Privileged: A user with this permission can unwrap the Data Encryption Key (DEK) to decrypt Google Workspace application data and invoke the privileged unwrap API. This permission is required to export all of your organization's Workspace data.

        • Manage Account Client Configs: A user with this permission is allowed to create, update, and delete the Client Configuration options for the PKCS#11, KMIP, and Common client in the account configuration. For more information, refer to User’s Guide: Client Configurations.

        • Create Account Approval Policy: A user with this permission is allowed to create a Quorum approval policy for an account. For more information, refer to User’s Guide: Quorum Policy.

          NOTE

          Updating or deleting account Quorum approval policy is managed by the policy itself.

        • Set Approval Request Expiry: A user with this permission is allowed to update quorum approval request expiration time.

        • Manage Approval Request Settings: A user with this permission is allowed to manage settings related to how approval requests are processed, including default approval timeouts and reviewer configurations.

        • Update Account Custom Metadata Attributes: A user with this permission is allowed to update an account's custom metadata attributes.

        • Manage Account Subscription: A user with this permission is allowed to manage an account’s subscription (only relevant for SaaS accounts).

        • Manage Account Profile: A user with this permission is allowed to manage an account’s profile settings. They can update the account name, upload a custom logo, and modify the country, description, organization, phone number, and notification preferences. For more information, refer to User’s Guide: Account Customization.

        • Manage Key Expiry Alerts: A user with this permission is allowed to configure alerts for upcoming key expirations, ensuring timely renewal or rotation of cryptographic keys.

        • Delete Account: A user with this permission is allowed to delete an account.

        • Manage Replication: A user with this permission is allowed to configure and manage data replication settings for high availability and disaster recovery.

      • Administrative Apps

        • Create Admin Apps: A user with this permission is allowed to create an account administrative app.

        • Update Admin Apps: A user with this permission is allowed to update an account administrative app.

        • Delete Admin Apps: A user with this permission is allowed to delete an account administrative app.

        • Retrieve Admin App Secrets: A user with this permission is allowed to retrieve account administrative app credentials.

        • Manage Admin Apps: A user with this permission is allowed to create, update, delete, retrieve and view all account administrative apps. For more information, refer to User’s Guide: Authentication.

      • Custom Roles

        • Create Custom Roles: A user with this permission is allowed to create a custom account role for a user.

        • Update Custom Roles: A user with this permission is allowed to update a custom account role for a user.

        • Delete Custom Roles: A user with this permission is allowed to delete a custom account role for a user.

        • Manage Custom Roles: A user with this permission is allowed to create, update, and delete a custom account role for a user.

      • Users

        • Invite Users To Account: A user with this permission is allowed to invite users to an account.

        • Delete Users From Account: A user with this permission is allowed to delete users from an account.

        • Update Users Account Role: A user with this permission is allowed to update another user’s account role. When assigning a new role to another user, the principal user must already have that role in order to assign it.

        • Update Users Account Enabled State: A user with this permission is allowed to enable or disable a user in an account or tenant account.

        • Manage Account Users: A user with this permission is allowed to invite users to the account, delete users, update another user's account role, enable or disable users within an account or tenant, and retrieve all users in the account.

      • External Roles

        • Create External Roles: A user with this permission is allowed to create an account external role.

        • Sync External Roles: A user with this permission is allowed to sync account external roles.

        • Delete External Roles: A user with this permission is allowed to delete an account external role.

        • Manage External Roles: A user with this permission is allowed to create, synchronize, and delete account external roles, as well as retrieve a list of all external roles.

      • Security Object Policies

        • Create Account Security Object Policies: A user with this permission is allowed to create account-level security object policy, that is, Cryptographic policy.

        • Update Account Security Object Policies: A user with this permission is allowed to update account-level security object policy, that is, Cryptographic policy.

        • Delete Account Security Object Policies: A user with this permission is allowed to delete account-level security object policies, that is, Cryptographic policy.

        • Manage Account Security Object Policies: A user with this permission is allowed to create, update, and delete account-level security object policies, that is, Cryptographic policy.

          For more information, refer to User’s Guide: Cryptographic Policy.

      • Child Accounts

        • Create Child Accounts: A user with this permission is allowed to create a tenant account.

        • Update Child Accounts: A user with this permission is allowed to update a tenant account.

        • Delete Child Accounts: A user with this permission is allowed to delete a tenant account.

        • Create Child Accounts Users: A user with this permission is allowed to add users to a tenant account.

        • Get Child Accounts: A user with this permission is allowed to view all the tenant accounts.

        • Get Child Account Users: A user with this permission is allowed to view all the users from a tenant account.

        • Manage Child Accounts: A user with this permission is allowed to do all the operations in a tenant account.

          NOTE

          The above permissions are only applicable to Fortanix DSM SaaS accounts with a reseller subscription.

      • Miscellaneous

        • Create Local Groups: A user with this permission is allowed to create a local group in the account.

        • Create External Groups: A user with this permission is allowed to create a new group backed by an external HSM/KMS.

        • Allow Quorum Reviewer: A user with this permission is allowed to participate as a quorum approver in a Quorum approval policy for the account.

        • Allow Key Custodian: A user with this permission is allowed to participate in the Key custodian policy to add and view a key component.

      • Read

        • Get Admin Apps: A user with this permission is allowed to view all the account administrative apps.

        • Get All Approved Requests: This permission grants read access to all quorum approval requests in the account.

        • Get Custom Roles: A user with this permission is allowed to view all the custom roles from the account.

        • Get External Roles: A user with this permission is allowed to view all the external roles from the account.

        • Get All Users: A user with this permission is allowed to view all the users from an account.

        • Get Account Usage: A user with this permission is allowed to view the usage metrics of a particular account.

      • Plugin Permissions:

        • Manage account plugin signing keys: A user with this permission is allowed to create, rotate, and delete plugin signing keys used to verify the integrity of account-level plugins.

      • All Groups Role (optional): Optionally, you can also select a Custom group role for the Custom account role. If selected, the user will have the specified group role in all the Fortanix DSM groups.

  3. Click SAVE to save the new custom role.

    The Custom account role is created successfully. To view the newly created Custom account role, navigate to Users CUSTOM ACCOUNT ROLES tab. The new role will appear in the list of available custom roles.

4.1 Editing a Custom Account Role

Perform the following steps to edit a custom account role:

  1. In the Fortanix DSM UI, navigate to Users CUSTOM ACCOUNT ROLES tab.

  2. In the Custom roles table, click the overflow menu next to the role you want to modify, and select EDIT ROLE from the drop down menu.

    Figure 3: Edit custom account role

  3. Update the permissions as needed, and then click SAVE to apply the changes.

4.2 Deleting a Custom Account Role

A Custom account role can be deleted only if no users are assigned to it. If users are currently assigned to the role, you must remove them before proceeding with its deletion.

Perform the following steps to delete a custom account role:

  1. In the Fortanix DSM UI, navigate to Users CUSTOM ACCOUNT ROLES tab.

  2. In the Custom roles table, click the overflow menu next to the role you want to delete, and select DELETE ROLE from the drop down menu.

    Figure 4: Delete custom account role

  3. On the Delete custom account role confirmation dialog box, click DELETE to confirm the deletion.

4.3 Assigning a User to a Custom Account Role

After creating a custom account role, you can invite a user to the account with that role using their EMAIL address.

Perform the following steps to invite a user with a custom account role through email:

  1. In the Fortanix DSM UI, navigate to Users USERS tab and click + to add a new user.

  2. In the Add new users to the account form, do the following:

    1. Select the INVITE BY EMAIL option.

    2. Enter the user’s email address.

    3. Optionally, enter the first and last name of the invitee user.

    4. Select the Custom account role option.

    5. From the Select a custom role drop down, select an existing custom account role.

  3. Click INVITE to invite the user to this role.

    Figure 5: Invite user with custom account role form

4.4 Changing a User’s Role to a Custom Account Role

4.4.1 Edit a User’s Role

Perform the following steps to edit the role of a user to the Custom account role:

  1. In the Fortanix DSM UI, navigate to Users USERS tab.

  2. In the Users table, go to the detailed view of the user whose role you want to update and click EDIT next to the user's name.

    Figure 6: Edit user role

  3. In the Edit role dialog box, select the Custom account role radio button, and then choose the required custom role from the drop down menu to change the user’s role.

    Figure 7: Select the role

  4. Click SAVE to save the new role for the user.

4.4.2 Edit an External User Role

Perform the following steps to change an external (LDAP) user's role to a Custom account role:

  1. In the Fortanix DSM UI, navigate to Users USERS tab, click + to add a new LDAP user.

  2. On the Add new users to the account page, select the SEARCH LDAP DIRECTORY option.

  3. Click SEARCH DIRECTORY. The users are listed in the table.

  4. In the Users table, go to the detailed view of the user whose role you want to update and click EDIT next to the user's name.

    Figure 8: Edit user role

  5. In the Edit role dialog box, select the Custom account role radio button, and then choose the required custom role from the drop down menu to change the user’s role.

    Figure 9: Select the role

  6. Click SAVE to save the new role for the external user.

5.0 Creating a Custom Group Role

You can create a Custom group role using any of the following three methods:

  • Option 1: From the Groups CUSTOM GROUP ROLES tab.

  • Option 2: From the External Roles page while mapping a user to a group.

  • Option 3: While inviting a user to an account as an account member.

5.1 Option 1 - From the Custom Group Role Tab

Perform the following steps to create a Custom group role from the Groups CUSTOM GROUP ROLES tab:

  1. In the Fortanix DSM UI, navigate to Groups CUSTOM GROUP ROLES tab, and click + to add a new Custom group role.

    Figure 10: Add custom group roles

  2. In the Add New Custom Group Role form, do the following:

    • Role Name: Enter the name of the Custom group role.

    • ADD DESCRIPTION (Optional): Enter a brief description of the purpose or intended usage of the Custom group role.

    • Exclusive Role: Enable the toggle button to mark this Custom group role as exclusive, meaning it cannot be assigned alongside any other custom group role. If disabled, users can be assigned this role in combination with other custom roles.

    • Select Permissions: You can configure the following permissions for the Custom group role:

      • Group

        • Create Group Approval Policy: A user with this permission is allowed to create a Quorum approval policy for a group. For more information, refer to User’s Guide: Quorum Policy.

          NOTE

          Updating or deleting group Quorum approval policy is managed by the policy itself.

        • Update Group External Links: A user with this permission is allowed to add, delete, update, or sync keys in an existing HSM/External KMS group configuration. Note that this is only useful for groups backed by external HSM/KMS.

          For more information, refer to Cloud Data Control Guides and User’s Guide: HSM Gateway.

        • Manage Group Client Configs: A user with this permission is allowed to create, update, and delete the Client Configuration options for the PKCS#11, KMIP, and Common client in the group configuration. For more information, refer to User’s Guide: Client Configurations.

        • Update Group Profile: A user with this permission is allowed to update the name and description, as well as the custom metadata of the groups created using Fortanix DSM SaaS easy wizard integrations.

        • Delete Group: A user with this permission is allowed to delete a group.

        • Map External Roles for Apps: A user with this permission is allowed to:

          • Create external roles for mapping and set permissions for applications authorized through LDAP.

          • Update or delete a group’s external role for applications authorized through LDAP.

        • Map External Roles for Users: A user with this permission is allowed to:

          • Create external roles for mapping and define group roles for users authorized through LDAP.

          • Update or delete external roles for users authorized through LDAP.

        • Map External Roles: A user with this permission is allowed to map external roles for apps and users in a group.

        • Add Users To Group: A user with this permission is allowed to add users to a group.

        • Delete Users From Group: A user with this permission is allowed to delete users from a group.

        • Update Users Group Role: A user with this permission is allowed to update the user’s role in a group.

        • Manage Group Users: A user with this permission is allowed to add or delete users and update a user’s role within a group.

        • Manage Group Wrapping Key: A user with this permission is allowed to add, delete, and update the key encryption key (KEK) within a group.

      • Security Object Policies

        • Create Group Security Object Policies: A user with this permission is allowed to create various group-level security object policies, including Cryptographic policy, Key undo policy, Key metadata policy, Export permissions policy for a particular group.

        • Update Group Security Object Policies: A user with this permission is allowed to update various group-level security object policies, including Cryptographic policy, Key undo policy, Key metadata policy, Export permissions policy for a particular group.

        • Delete Group Security Object Policies: A user with this permission is allowed to delete various group-level security object policies, including Cryptographic policy, Key undo policy, Key metadata policy, Export permissions policy for a particular group.

        • Manage Group Security Object Policies: A user with this permission is allowed to create, update, and delete various group-level security object policies, including Cryptographic policy, Key undo policy, Key metadata policy, Export permissions policy for a particular group.

        For more information, refer to User’s Guide: Cryptographic Policy.

      • Custodian policy

        • Create Group Custodian Policy: A user with this permission is allowed to create a Key custodian policy for a particular group.

        • Update Group Custodian Policy: A user with this permission is allowed to update the Key custodian policy for a particular group.

        • Delete Group Custodian Policy: A user with this permission is allowed to delete the Key custodian policy for a particular group.

        • Manage Group Custodian Policy: A user with this permission is allowed to create, update, and delete the Key custodian policy for a particular group.

          For more information, refer to User’s Guide: Key Components.

      • Apps

        • Create Apps: A user with this permission is allowed to create cryptographic apps in Fortanix DSM groups.

          NOTE

          • This permission does not apply to Fortanix DSM Admin apps.

          • This permission does not apply to Fortanix DSM LDAP apps, as their mappings are determined dynamically.

          • A user creating the app must have all the necessary group permissions required for performing cryptographic operations.

          • The app permissions will be restricted based on the user’s permissions in that group.

        • Update Apps: A user with this permission is allowed to update cryptographic apps in Fortanix DSM groups.

        • Retrieve App Secrets: A user with this permission is allowed to retrieve cryptographic app secrets.

        • Delete Apps: A user with this permission is allowed to delete cryptographic apps in a group.

        • Manage Apps: A user with this permission is allowed to create, delete, or update cryptographic apps in a group and retrieve cryptographic app secrets from a group.

      • Plugins

        • Create Plugins: A user with this permission is allowed to create a plugin in a group.

        • Update Plugins: A user with this permission is allowed to update a plugin in a group.

        • Invoke Plugins: A user with this permission is allowed to invoke a plugin added to a group.

        • Delete Plugins: A user with this permission is allowed to delete a plugin from a group.

        • Manage Plugins: A user with this permission is allowed to create, delete, or update plugins in a group, and invoke the plugins added to a group.

      • Security Objects

        • Create Security objects: A user with this permission is allowed to:

          • Generate keys in a group.

          • Import keys into a group.

          • Import keys from components into a group.


          • Copy keys into a group. This permission is required in the destination group.

        • Export Security Objects: A user with this permission is allowed to:

          • Export keys from a group.

          • Export a key by wrapping it with another key from a group.

          • Export key as components from a group.

        • Copy Security Objects: A user with this permission is allowed to copy a key from the source group to another group. This permission is required in the source group.

        • Wrap Security Objects: A user with this permission is allowed to use a key to wrap another key. This permission is required in the group where the wrapping key resides.

        • Unwrap Security Objects: A user with this permission is allowed to use a key to unwrap another key. This permission is required in the group where the unwrapping key resides.

        • Update Security Objects Enabled State: A user with this permission is allowed to enable or disable a security object in a group.

        • Rotate Security Objects: A user with this permission is allowed to update the Key rotation policy to rotate a key automatically.

        • Delete Security Objects: A user with this permission is allowed to delete keys from a group.

        • Destroy Security Objects: A user with this permission is allowed to destroy keys from a group.

        • Revoke Security Objects: A user with this permission is allowed to mark a security object as deactivated or compromised in a group. The user can also set the deactivation date for the keys.

        • Activate Security Objects: A user with this permission is allowed to activate keys in a group. The user can also set the activation date for the keys.

        • Revert Security Objects: A user with this permission is allowed to restore the state of the security objects if a Key undo policy is configured for the group. If the revert operation moves the key back to a different group, this permission is also required in that destination group.

        • Delete Key Material: A user with this permission is allowed to delete the key material from a key.

        • Move Security Objects: A user with this permission is allowed to move a key from its current group to a different group by updating its group association.

        • Update Key Operations: A user with this permission is allowed to modify a key’s permissions within a group.

        • Update Security Objects Policies: A user with this permission is allowed to update individual security objects' policies, such as RSA Options, and the Key access justification policy for GCP External Key Manager.

        • Update Security Objects Profile: A user with this permission is allowed to update the key name, description, and custom metadata, as well as download the public key of keys in a group.

        • Scan External Security Objects: A user with this permission is allowed to scan keys in HSM/External KMS groups.

        • Restore External Security Objects: A user with this permission is allowed to restore an external key from its backup in Fortanix DSM when the external key has been purged from an external KMS.

        • Derive Security Objects: A user with this permission is allowed to use a key to derive another key.

        • Transform Security Objects: A user with this permission is allowed to use a BIP32 key that accepts an index input to create a non-hardened child in the same network as the parent key.

        • Encapsulate Security Objects: A user with this permission is allowed to encapsulate a key using an algorithm such as Hybrid Public Key Encryption (HPKE).

        • Decapsulate Security Objects: A user with this permission is allowed to decapsulate an encapsulated key using the recipient’s private key.

      • Miscellaneous

        • Wrap Workspace CSE: A user with this permission is allowed to wrap the Data Encryption Key (DEK) used to encrypt the Google Workspace application’s data.

        • Unwrap Workspace CSE: A user with this permission is allowed to unwrap the Data Encryption Key (DEK) and decrypt the Google Workspace application’s data.

        • Workspace CSE: A user with this permission is allowed to both wrap the Data Encryption Key (DEK) used to encrypt the Google Workspace application’s data and unwrap the DEK to decrypt the data.

      • Read

        • Get Group: A user with this permission is allowed to retrieve all the group details, including all groups that have external roles configured.

        • Get Security Objects: A user with this permission is allowed to retrieve all the keys in a group.

        • Get Apps: A user with this permission is allowed to retrieve all the apps in a group, including app credentials and LDAP groups if the app is authorized through LDAP.

        • Get Plugins: A user with this permission is allowed to retrieve all the plugins in a group.

        • Get Group Approval Requests: A user with this permission is allowed to retrieve all approval requests for a group.

        • Get Audit Logs: A user with this permission is allowed to retrieve the audit logs of a particular session.

  3. Click SAVE to save the custom group role.

    The custom group role is now created. To view the newly created Custom group role, navigate to Groups → CUSTOM GROUP ROLES tab. The new role appears in the list of available custom roles.

5.2 Option 2 - From the External Roles Tab

Perform the following to create a custom group role from the EXTERNAL ROLES tab:

  1. In the Fortanix DSM UI, navigate to Groups → EXTERNAL ROLES tab and click + to add a new external role.

    NOTE

    Ensure that you have the LDAP integration configured in the Account settings page.

    Figure 11: Add external roles

    This displays the external roles that are already mapped, in a table.

  2. In the Import External Roles from LDAP Directory form, update the fields and click SEARCH DIRECTORY.

  3. In the Groups for users column, click MAP TO GROUPS for the external role to which you want to assign a group.

    Figure 12: Map external role to a group

  4. In the MAPPING TO GROUPS dialog box, click the MAP GROUPS FOR USERS tile.

  5. From the Search for groups to add to column, select the group you want to map to the external role.

  6. In the Current groups column, click EDIT to change the default Group Auditor role to a Custom Group Role.

  7. Select the CUSTOM GROUP ROLE option and click ADD NEW CUSTOM GROUP ROLE to create a new custom group role for the external role.

    Figure 13: Create a group custom role

  8. Update the role name, permissions, and description as per your requirement. For detailed information about these fields, refer to Section 5.1: Option 1 - From the Custom Group Role Tab.

  9. Click SAVE CUSTOM ROLE to save the new Custom group role.

  10. Click SAVE at the bottom of the form to assign this new Custom group role to the External role.

5.3 Option 3 - From the Users Tab

Perform the following steps to create a Custom group role from the USERS tab:

  1. In the Fortanix DSM UI, navigate to Users → USERS tab and click + to invite a user to a custom group role.

  2. In the Add new users to the account form, do the following:

    1. Select the INVITE BY EMAIL option.

    2. Enter the email of the user to invite for the custom group role.

    3. Optionally, enter the first and last name of the invitee user.

    4. Select Account member.

  3. Click INVITE.

  4. In the Assigning the new user to groups section, from the first column select the group to which you want to assign the user.

  5. In the second column, click EDIT to change the default Group Auditor role to a Custom Group Role.

  6. Select the CUSTOM GROUP ROLE option and click ADD NEW CUSTOM GROUP ROLE to create a new custom group role for the user.

    Figure 14: Create a group custom role

  7. Update the role name, permissions, and description as per your requirement. For detailed information about these fields, refer to Section 5.1: Option 1 - From the Custom Group Role Tab.

  8. Click SAVE CUSTOM ROLE to save the new Custom group role.

  9. Click SAVE at the bottom of the form to assign this new Custom group role to the user.

5.4 Editing a Custom Group Role

Perform the following steps to edit a Custom group role:

  1. In the Fortanix DSM UI, navigate to Groups → CUSTOM GROUP ROLES tab.

  2. In the Custom group roles table, click the overflow menu next to the role you want to modify, and select EDIT ROLE from the drop-down menu.

    Figure 15: Edit custom group role

  3. Update the permissions as needed, then click SAVE to apply the changes.

5.5 Deleting a Custom Group Role

Perform the following steps to delete a custom group role:

  1. In the Fortanix DSM UI, navigate to Groups → CUSTOM GROUP ROLES tab.

  2. In the Custom roles table, click the overflow menu next to the role you want to delete, and select DELETE ROLE from the drop-down menu.

    Figure 16: Delete custom group role

  3. On the Delete custom group role confirmation dialog box, click DELETE to confirm the deletion.

5.6 Assigning a Custom Group Role to User/External Role

A custom group role can be assigned in the following scenarios:

  • Inviting a user to an account as an Account member on the Users page.

  • Inviting a user to an account as a Custom account role on the Users page.

  • Mapping an external role to a group on the External Roles page.

5.6.1 Assigning a Custom Group Role to a User

Perform the following steps to assign a user to a Custom group role:

  1. In the Fortanix DSM UI, navigate to Users → USERS tab and click + to invite a user to a Custom group role.

  2. In the Add new users to the account form, do the following:

    1. Select the INVITE BY EMAIL option.

    2. Enter the email of the user to invite for the custom group role.

    3. Optionally, enter the first and last name of the invitee user.

    4. Select Account member or Custom account role.

  3. Click INVITE.

  4. In the Assigning the new user to groups section, from the first column select the group to which you want to assign the user.

  5. In the second column, click EDIT to change the default Group Auditor role to a Custom Group Role.

  6. Select the CUSTOM GROUP ROLE option and click ADD NEW CUSTOM GROUP ROLE to create a new custom group role for the user.

    Figure 17: Create a Group Custom Role

  7. Update the role name, permissions, and description as per your requirement. For detailed information about these fields, refer to Section 5.1: Option 1 - From the Custom Group Role Tab.

  8. Click SAVE CUSTOM ROLE to save the new Custom group role.

  9. Click SAVE at the bottom of the form to assign this new custom group role to the user.

5.6.2 Assigning a Custom Group Role to an External Role

Perform the following steps to assign a Custom group role to an external role:

  1. In the Fortanix DSM UI, navigate to Groups → EXTERNAL ROLES tab.

  2. In the Groups for users column, click MAP TO GROUPS for the external role to which you want to assign a group.

    Figure 18: Map external role to a group

  3. In the MAPPING TO GROUPS dialog box, select the MAP GROUPS FOR USERS tile.

  4. In the MAPPING TO GROUPS FOR USERS window, from the first column select the group to which you want to assign the external role with a Custom group role.

  5. In the Current groups column, select the Custom group role option and assign the external role to a custom group role.