When a user logs on to a hardware security module (HSM) by using the hsm_mgmt_tool HSM management tool, the user's identity must be verified. Different user identities have different permissions on HSMs. This topic describes the HSM user types and the permissions that each type of user has.
HSM user types
CO
A crypto officer (CO) can perform management operations on HSMs. For example, a CO can create users, create and delete keys, and configure HSM-related parameters.
CU
A crypto user (CU) can perform cryptographic operations. For example, a CU can encrypt and decrypt data, and create and manage certificates.
AU
An appliance user (AU) can perform cloning and synchronization operations on HSMs in your cluster.
Permissions of HSM users
| Command | CO | CU | AU | Unauthorized user |
| --- | --- | --- | --- | --- |
| changePswd | √ | √ (can change only the CU's own password) | × | × |
| createUser | √ | × | × | × |
| deleteUser | √ | × | × | × |
| findAllKeys | √ | × | √ | × |
| getAttribute | × | √ | × | × |
| getCert | √ | √ | √ | × |
| getCertReq | √ | √ | √ | × |
| getHSMInfo | √ | √ | √ | √ |
| getKeyInfo | × | √ | × | × |
| info | √ | √ | √ | √ |
| listAttributes | √ | √ | √ | √ |
| listUsers | √ | √ | √ | √ |
| loginHSM | × | × | × | √ |
| logoutHSM | √ | √ | √ | × |
| server | √ | √ | √ | × |
| setAttribute | × | √ | × | × |
| quit | √ | √ | √ | √ |
| shareKey | × | √ | × | × |
| storeCert | √ | × | × | × |
If you receive the error message "HSM Error: No user is logged in to do this operation" or "HSM Error: The current logged in user is not authorized to do this operation", you do not have permissions to run the command.
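The table above is also a least-privilege reference: a CO manages users and keys but cannot read key attributes, while a CU uses keys but cannot create users, so an automation job that mixes the two needs two sessions rather than one over-privileged account. The following script is an added example, not part of the product documentation or the hsm_mgmt_tool itself. It transcribes the permission matrix into a Python table and answers, for a list of commands a job needs, which single user type (if any) may run all of them, and how to split the job otherwise. Assumptions of the example: the label ANON stands for the table's "Unauthorized user" column (a session before loginHSM); the ranking in LEAST_PRIVILEGE_ORDER is the example's own, since the page does not rank the user types; and the mapping of the two error messages to "not logged in" versus "logged in as the wrong type" is a reading of their wording.

```python
"""Least-privilege checks over the hsm_mgmt_tool permission table.

Added example, not part of the product documentation: PERMISSIONS
transcribes the permission matrix on this page.
"""
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

# Columns of the table, in the order the page lists them.  "ANON" is this
# example's label for the "Unauthorized user" column (no loginHSM yet).
ROLES = ("CO", "CU", "AU", "ANON")

# Ranking used to pick the least powerful sufficient type.  The page does
# not rank the types; this order is an assumption of the example.
LEAST_PRIVILEGE_ORDER = ("ANON", "AU", "CU", "CO")

# Row -> user types ticked in that row.  The CU tick for changePswd
# applies to the CU's own password only.
PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "changePswd": frozenset({"CO", "CU"}),
    "createUser": frozenset({"CO"}),
    "deleteUser": frozenset({"CO"}),
    "findAllKeys": frozenset({"CO", "AU"}),
    "getAttribute": frozenset({"CU"}),
    "getCert": frozenset({"CO", "CU", "AU"}),
    "getCertReq": frozenset({"CO", "CU", "AU"}),
    "getHSMInfo": frozenset(ROLES),
    "getKeyInfo": frozenset({"CU"}),
    "info": frozenset(ROLES),
    "listAttributes": frozenset(ROLES),
    "listUsers": frozenset(ROLES),
    "loginHSM": frozenset({"ANON"}),
    "logoutHSM": frozenset({"CO", "CU", "AU"}),
    "server": frozenset({"CO", "CU", "AU"}),
    "setAttribute": frozenset({"CU"}),
    "quit": frozenset(ROLES),
    "shareKey": frozenset({"CU"}),
    "storeCert": frozenset({"CO"}),
}

# The two messages quoted on the page.  Which one a denied command yields
# is this example's reading of their wording: the first before any login,
# the second when the logged-in user's type lacks the permission.
ERR_NOT_LOGGED_IN = "HSM Error: No user is logged in to do this operation"
ERR_NOT_AUTHORIZED = ("HSM Error: The current logged in user is not "
                      "authorized to do this operation")


def is_allowed(command: str, role: str) -> bool:
    """True if the table ticks `role` for `command`; unknown commands
    are denied rather than guessed (fail closed)."""
    if role not in ROLES:
        raise ValueError(f"unknown user type {role!r}")
    return role in PERMISSIONS.get(command, frozenset())


def expected_error(command: str, role: str) -> Optional[str]:
    """Message a session of type `role` should expect for `command`,
    or None if the command is permitted."""
    if is_allowed(command, role):
        return None
    return ERR_NOT_LOGGED_IN if role == "ANON" else ERR_NOT_AUTHORIZED


def roles_covering(commands: Iterable[str]) -> List[str]:
    """User types, least powerful first, able to run every command.
    Empty means no single type suffices and the job must be split."""
    needed = set(commands)
    return [r for r in LEAST_PRIVILEGE_ORDER
            if all(is_allowed(c, r) for c in needed)]


def plan_sessions(commands: Iterable[str]) -> Dict[str, List[str]]:
    """Split a job into per-user-type sessions, pulling in as few types
    as possible: commands only one type may run fix the unavoidable
    sessions, shared commands join an already-planned session."""
    needed = list(dict.fromkeys(commands))  # de-duplicate, keep order
    whole = roles_covering(needed)
    if whole:
        return {whole[0]: needed}
    plan: Dict[str, List[str]] = {}
    shared: List[Tuple[str, List[str]]] = []
    for cmd in needed:
        allowed = roles_covering([cmd])
        if not allowed:
            raise ValueError(f"{cmd!r} is not in the permission table")
        if len(allowed) == 1:
            plan.setdefault(allowed[0], []).append(cmd)
        else:
            shared.append((cmd, allowed))
    for cmd, allowed in shared:
        # `allowed` is least-powerful-first, so this picks the weakest
        # session that already exists rather than opening a new one.
        target = next((r for r in allowed if r in plan), allowed[0])
        plan.setdefault(target, []).append(cmd)
    return plan


if __name__ == "__main__":
    print(roles_covering(["getKeyInfo", "setAttribute", "shareKey"]))
    print(roles_covering(["createUser", "shareKey"]))
    print(plan_sessions(["createUser", "shareKey", "info"]))
    print(expected_error("createUser", "CU"))
```

Running the script shows that a key-usage job (getKeyInfo, setAttribute, shareKey) needs only a CU, that no single type covers createUser together with shareKey, and that such a job is planned as a CO session for createUser and a CU session for shareKey and info. Keeping a table like this next to the automation that drives hsm_mgmt_tool lets a reviewer spot an account that holds more than its commands require before it is provisioned.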