When you log on to a hardware security module (HSM) with hsm_mgmt_tool, the user type of the identity you log in as determines which commands you can run. HSM supports three user types: crypto officer (CO), crypto user (CU), and appliance user (AU). Each has a fixed set of permissions, and a session with no user logged in can run only a handful of informational commands, as the table below shows.
HSM user types
CO
A crypto officer (CO) manages HSM users. A CO creates and deletes users and can change any user's password. The CO has no key-level commands: it can enumerate keys (findAllKeys) but cannot read their attributes, modify them, or share them. It is also the only user type that can store a certificate on the HSM (storeCert).
CU
A crypto user (CU) performs key management and cryptographic operations. The key-level commands in the table below (getAttribute, setAttribute, getKeyInfo, shareKey) are CU-only. A CU can retrieve the HSM certificate and certificate request (getCert, getCertReq) but cannot store a certificate, and it can change only its own password.
AU
An appliance user (AU) performs cluster-level maintenance: cloning and synchronizing HSMs within a cluster. An AU has no user-management or key-level commands; beyond the commands open to every logged-in user, it can only enumerate keys (findAllKeys).
Permissions of HSM users
| Command | CO | CU | AU | Not logged in |
|---|---|---|---|---|
| changePswd | Yes (any user) | Yes (own password only) | No | No |
| createUser | Yes | No | No | No |
| deleteUser | Yes | No | No | No |
| findAllKeys | Yes | No | Yes | No |
| getAttribute | No | Yes | No | No |
| getCert | Yes | Yes | Yes | No |
| getCertReq | Yes | Yes | Yes | No |
| getHSMInfo | Yes | Yes | Yes | Yes |
| getKeyInfo | No | Yes | No | No |
| info | Yes | Yes | Yes | Yes |
| listAttributes | Yes | Yes | Yes | Yes |
| listUsers | Yes | Yes | Yes | Yes |
| loginHSM | No | No | No | Yes |
| logoutHSM | Yes | Yes | Yes | No |
| server | Yes | Yes | Yes | No |
| setAttribute | No | Yes | No | No |
| quit | Yes | Yes | Yes | Yes |
| shareKey | No | Yes | No | No |
| storeCert | Yes | No | No | No |
Troubleshooting permission errors
If a command fails with one of the following errors, the session is not in a state that permits that command:
HSM Error: No user is logged in to do this operation
HSM Error: The current logged in user is not authorized to do this operation
The first error means no user is logged in at all: run loginHSM first. The second means a user is logged in but its user type is not permitted to run the command (see the table above): log out and log in as a user of the required type. Permissions are fixed per user type and cannot be adjusted for an individual user, so if no suitable identity exists, ask a CO to create a user of the required type.
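As an added example (not part of this page or the tool vendor's code), the following Python transcribes the permission table into a matrix and uses it in two ways: plan_sessions splits a runbook into the fewest login sessions without logging in as CO for commands that a CU or AU can run, and infer_roles triages the two errors from the troubleshooting section in a session transcript to work out which user type the session must have been logged in as. The transcript layout (typed commands on lines starting with "> ") and the sample transcript are assumptions constructed for this example, not the tool's real output format.

```python
"""Least-privilege session planning and error triage for hsm_mgmt_tool runbooks."""

# Columns of the table above; NONE is the "not logged in" column.
ROLES = ("CO", "CU", "AU", "NONE")

# Permission matrix transcribed from the table: command -> user types allowed.
PERMISSIONS = {
    "changePswd": {"CO", "CU"}, "createUser": {"CO"}, "deleteUser": {"CO"},
    "findAllKeys": {"CO", "AU"}, "getAttribute": {"CU"},
    "getCert": {"CO", "CU", "AU"}, "getCertReq": {"CO", "CU", "AU"},
    "getHSMInfo": {"CO", "CU", "AU", "NONE"}, "getKeyInfo": {"CU"},
    "info": {"CO", "CU", "AU", "NONE"}, "listAttributes": {"CO", "CU", "AU", "NONE"},
    "listUsers": {"CO", "CU", "AU", "NONE"}, "loginHSM": {"NONE"},
    "logoutHSM": {"CO", "CU", "AU"}, "server": {"CO", "CU", "AU"},
    "setAttribute": {"CU"}, "quit": {"CO", "CU", "AU", "NONE"},
    "shareKey": {"CU"}, "storeCert": {"CO"},
}

# When several roles could run a whole session, take the first of these, so the
# administrative CO identity is used only for commands that require it.
ROLE_PREFERENCE = ("CU", "AU", "CO")

NOT_LOGGED_IN = "HSM Error: No user is logged in to do this operation"
NOT_AUTHORIZED = "HSM Error: The current logged in user is not authorized to do this operation"
_ERRORS = {NOT_LOGGED_IN: "not_logged_in", NOT_AUTHORIZED: "not_authorized"}

def plan_sessions(commands):
    """Split a runbook into the fewest login sessions: [(role, [commands]), ...].

    A session grows while some single logged-in role can run all of it; loginHSM
    and logoutHSM are session plumbing and are dropped from the plan."""
    sessions, current, candidates = [], [], set()
    for cmd in commands:
        if cmd in ("loginHSM", "logoutHSM"):
            continue
        if cmd not in PERMISSIONS:
            raise ValueError("unknown hsm_mgmt_tool command: %s" % cmd)
        roles = PERMISSIONS[cmd] - {"NONE"}  # planned commands run logged in
        if current and not (candidates & roles):
            sessions.append((_pick(candidates), current))
            current, candidates = [], set()
        candidates = roles if not current else candidates & roles
        current.append(cmd)
    if current:
        sessions.append((_pick(candidates), current))
    return sessions

def _pick(candidates):
    return next(r for r in ROLE_PREFERENCE if r in candidates)

def classify_error(line):
    """Map one line of tool output to 'not_logged_in', 'not_authorized' or None."""
    return _ERRORS.get(line.strip())

def parse_transcript(text):
    """Return [(command, error_kind_or_None)] from a '> cmd args' style transcript."""
    records = []
    for line in text.splitlines():
        if line.startswith("> "):
            parts = line[2:].split()
            if parts:
                records.append([parts[0], None])
        elif records:
            kind = classify_error(line)
            if kind:
                records[-1][1] = kind
    return [tuple(r) for r in records]

def infer_roles(text):
    """Return the session states (ROLES) consistent with every observed outcome.

    NOT_AUTHORIZED rules out every role allowed to run the command (and NONE);
    NOT_LOGGED_IN pins the state to NONE; a command that drew no permission
    error must be allowed for the state."""
    consistent = set(ROLES)
    for cmd, err in parse_transcript(text):
        roles = PERMISSIONS.get(cmd)
        if roles is None:
            continue  # not in the table above: no evidence either way
        if err == "not_authorized":
            consistent -= roles | {"NONE"}
        elif err == "not_logged_in":
            consistent &= {"NONE"}
        else:
            consistent &= roles
    return consistent

# Constructed sample transcript (not real tool output; command arguments omitted).
SAMPLE_TRANSCRIPT = """\
> listUsers
(user list omitted)
> createUser
HSM Error: The current logged in user is not authorized to do this operation
> shareKey
(shared)
"""
```

Running plan_sessions on ["listUsers", "createUser", "findAllKeys", "shareKey", "getKeyInfo", "info", "storeCert"] yields three sessions (CO, CU, CO): the read-only listUsers and info commands never force a CO login on their own, and storeCert forces a third session because a CU cannot run it. infer_roles(SAMPLE_TRANSCRIPT) returns {"CU"}: createUser was refused, which excludes CO, and shareKey ran, which only a CU can do.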