Oracle Key Vault Administrators
Separation of administrative duties is required for secure systems. Oracle Key Vault distinguishes between system, key, and audit management functions. The corresponding roles for these functions are system administrator, key administrator, and audit manager. If desired, one user can be granted multiple roles. However, for separation of duties, it is recommended that different users hold different administrative roles. This lets one administrator perform one part of an operation while another performs a different but related part: for example, only system administrators can enroll endpoints, and only key administrators can create endpoint groups.
Endpoint administrators do not hold an Oracle Key Vault role by default. Their task is to upload and download security objects between Oracle Key Vault and the endpoints with the okvutil utility. Some organizations delegate the endpoint administrator tasks to their DBAs, and other organizations delegate them to their IT security personnel.
Oracle Key Vault Users and Roles
The Oracle Key Vault post-installation configuration includes creating the initial users and granting them roles. After installation, only administrators who hold a role can grant it to other administrators or revoke it from them. If a situation arises where no user holds a particular role, you can use the recovery passphrase to repeat the post-installation configuration and grant each role to a new or an existing user account.
Oracle Key Vault System Administrator
The Oracle Key Vault system administrator performs the tasks listed below:
- Creates, modifies, and deletes users
- Enrolls endpoints and deletes them
- Sets up high availability
- Configures alerts and key rotation reminders
- Schedules backups
- Starts and stops Oracle Key Vault
- Grants the System Administrator role to and revokes it from other users
Oracle Key Vault Key Administrator
The Oracle Key Vault key administrator manages access to security objects and virtual wallets, and performs the tasks listed below:
- Controls user and endpoint access to virtual wallets
- Creates and manages user groups
- Creates and alters endpoint groups
- Has Read, Modify, and Manage access on all virtual wallets and security objects
- Grants the Key Administrator role to other users
Oracle Key Vault Audit Manager
The Oracle Key Vault audit manager manages audit data, which are records of users’ and endpoints’ actions. For this purpose, this role has Read access on all security objects. This role can grant the Audit Manager role to other users.