Identity and Access Management

AIStor Key Manager controls access through a combination of Enclaves and Identities.

Enclaves

An Enclave is an isolated namespace in which Key Manager stores cryptographic keys. A single Key Manager instance can host multiple enclaves, and an identity with access to one enclave cannot perform operations in another.

Within an enclave, Key Manager has two distinct privilege levels:

  • admin has full access to all operations (read, write, delete) within an enclave
  • user has limited access to operations (read) within an enclave

Key Manager also has a SysAdmin (root) identity, which the HSM generates automatically by default. You can alternatively specify a custom SysAdmin identity in the Key Manager config file. This identity has full access to cluster operations and can perform read, write, and delete operations against all enclaves.
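The following is an added illustrative model of the access rules described above, written for this page and not code from AIStor Key Manager itself. It assumes a simplified identity record (name, role, enclave) and a deny-by-default decision function; the `assert_enclave_isolation` check verifies that no enclave-scoped identity, admin or user, can act outside its own enclave.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, Optional


class Op(str, Enum):
    READ = "read"
    WRITE = "write"
    DELETE = "delete"


# Privilege level -> operations permitted inside the identity's own enclave.
# Roles absent from this table (or misspelled) get no operations at all.
ROLE_OPS = {
    "admin": frozenset({Op.READ, Op.WRITE, Op.DELETE}),
    "user": frozenset({Op.READ}),
}


@dataclass(frozen=True)
class Identity:
    name: str
    role: str                # "admin", "user" or "sysadmin" (assumed labels)
    enclave: Optional[str]   # None for the cluster-wide SysAdmin


def is_allowed(identity: Identity, enclave: str, op: Op) -> bool:
    """Deny-by-default decision: SysAdmin everywhere, others only in their enclave."""
    if identity.role == "sysadmin":
        return True
    if identity.enclave is None or identity.enclave != enclave:
        return False
    return op in ROLE_OPS.get(identity.role, frozenset())


def assert_enclave_isolation(identities: Iterable[Identity], enclaves: Iterable[str]) -> bool:
    """True if no enclave-scoped identity can perform any operation outside its enclave."""
    enclaves = list(enclaves)
    for ident in identities:
        if ident.role == "sysadmin":
            continue
        for enc in enclaves:
            if enc != ident.enclave and any(is_allowed(ident, enc, op) for op in Op):
                return False
    return True


# Constructed sample identities for two enclaves.
ALICE = Identity("alice", "admin", "tenant-a")
BOB = Identity("bob", "user", "tenant-a")
ROOT = Identity("root", "sysadmin", None)
```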

All Rights Reserved 2024-Present, MinIO, Inc.