Role Management

A role defines a user's ability to run OTF and bulk decryption in PK Protect. After encrypting a column, the database owner or the individual table owner grants decrypt permission to users who need to access the values in an encrypted column.

A user whose role lacks the appropriate permissions cannot decrypt the data in the file/table. Once a role is defined, it can be assigned to individual users and to groups of users in the ACL Management screen. A user can have multiple roles.

Note: ACL validation is done only while performing OTF decryption. No ACL validation is done while executing bulk decryption from the PK Protect user interface. For more details on OTF decryption, refer to Appendix L: OTF Decryption.


There are two parameters that can be used to restrict a role's permissions: sensitive types, and day/time schedules.

Access the Role Management screen from the menu under Access Control > Role Management.

From the Select Module drop-down, select the module for which you want to view or add roles.

The screen is divided into two sections:

  1. In the top section of the screen, roles can be created or deleted. Once a role is defined, it is listed in the top panel along with its Id, name, and description. Select a role to view or edit the details in the bottom section of the screen.

    Click the Update ACL button to update the Access Control List (ACL) for the cluster.
    The role can be deleted by clicking the Trash icon under the Actions column.

  2. The bottom section consists of the following two panels:

    1. Sensitive Types Access Permissions: Use this panel to identify which sensitive types a user has permissions to decrypt.


      To add or remove sensitive types, perform the following steps:

      1. Check/Uncheck the checkboxes corresponding to the sensitive types that you want to add/remove.

      2. Click Save to save the desired changes. Otherwise, click Reset to restore the panel to its initial values.

    2. Day and Time Schedules: Use this panel to identify the days and times when a role is allowed to decrypt. When no time restrictions are set, a role can decrypt at any time.


      To add/edit day and time schedules, perform the following steps:

      1. Click the Pen icon under the Actions column corresponding to the day for which you want to set the time interval. The Time Schedule pop-up appears.

      2. Specify the start and end time in the Start Time and End Time cells.

      3. Specify the Type: Timed or Full Day. With the Timed option, decryption can be performed only within the specified time interval. The Full Day option enables the user to perform decryption at any time on the respective day.

      4. Click the + Add Schedule button. The time schedule is listed in the bottom panel along with its start time, end time, and type. Schedules can be edited and deleted by clicking the Pen and Trash icons, respectively.

      5. Click the Save button to apply the time selection. Otherwise, click the Cancel button.
