Access control overview

The access control system restricts or permits the use of commands based on roles and user profiles.

Use the CNM utility to create roles that correspond to the needs and privileges of assigned users.

To use privileges that are assigned to a role but are not authorized for the default role, a user must log on to the coprocessor by using a unique user profile. Each user profile is associated with a role, and multiple profiles can use the same role. The coprocessor authenticates logons by using the passphrase that is associated with the profile that identifies the user.

Note: The term user applies to both humans and programs.

The coprocessor always has at least one role, the default role. Use of the default role does not require a user profile. Any user can use the services permitted by the default role without logging on to or being authenticated by the coprocessor.

For example, a basic system might include the following roles:
  • Access control administrator: Can create new user profiles and modify the access rights of current users.
  • Key management officer: Can change the cryptographic keys. This responsibility is best shared by two or more individuals, who make use of rights to enter the first or subsequent key parts.
  • General user: Can use cryptographic services to protect their work, but has no administrative privileges. If your security plan does not require logon authentication for general users, address their requirements in the default role.
Note: Few individuals would be assigned the roles of key management officer or access control administrator. Generally, the larger population would not log on and thus would have rights granted in the default role.
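The role plan described above can be checked before it is loaded. The following Python sketch is an added example, not code from the coprocessor or the CNM utility: it models the default role and profile-based roles and flags a plan that exposes administrative or key-part rights without logon, or that lets one role enter every key part. The command labels, role names and user names are hypothetical, and the model assumes that a logged-on user's role is applied in place of the default role.

```python
# Added illustration: command names below are hypothetical labels, not the
# coprocessor's real access-control identifiers.
DEFAULT = "DEFAULT"
ADMIN = {"create_profile", "modify_role"}
FIRST, NEXT = "enter_first_key_part", "enter_subsequent_key_part"


def role_for(profiles, user=None):
    """Role applied to a request: the profile's role after logon, else the default role."""
    return profiles[user] if user is not None else DEFAULT


def permitted(roles, profiles, command, user=None):
    """True if the role in effect for this request includes the command."""
    return command in roles[role_for(profiles, user)]


def audit(roles, profiles):
    """Return findings where a role plan departs from the guidance in the text."""
    findings = []
    if DEFAULT not in roles:
        findings.append("no default role defined")
    # Anything in the default role is usable by any user without authentication.
    exposed = roles.get(DEFAULT, set()) & (ADMIN | {FIRST, NEXT})
    for cmd in sorted(exposed):
        findings.append(f"default role grants {cmd} without logon")
    # Key entry is meant to be shared; one role holding both rights defeats that.
    for name, cmds in sorted(roles.items()):
        if FIRST in cmds and NEXT in cmds:
            findings.append(f"role {name} can enter every key part alone")
    for user, role in sorted(profiles.items()):
        if role not in roles:
            findings.append(f"profile {user} references undefined role {role}")
    return findings


# Constructed sample plans (not taken from any real configuration).
GOOD_ROLES = {DEFAULT: {"encrypt", "decrypt"}, "ACADMIN": set(ADMIN),
              "KEYOFF1": {FIRST}, "KEYOFF2": {NEXT}}
GOOD_PROFILES = {"alice": "ACADMIN", "bob": "KEYOFF1", "carol": "KEYOFF2"}

WEAK_ROLES = {DEFAULT: {"encrypt", "decrypt", "modify_role"},
              "KEYOFF": {FIRST, NEXT}}
WEAK_PROFILES = {"dave": "KEYOFF", "erin": "AUDITOR"}

if __name__ == "__main__":
    for finding in audit(WEAK_ROLES, WEAK_PROFILES):
        print(finding)
```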