• nfast group user
• Normal users.
Typically, normal users can carry out operations involving Security Worlds, cardsets and
keys, but not create Security Worlds, keys and cardsets. nfast group users have
enhanced access, enabling them to create Security Worlds, cardsets and keys. For
example, encrypted copies of keys are held in kmdata (/opt/nfast/kmdata). Normal users
only have read access to the files, whereas nfast group users have read and write access,
enabling them to create and use keys. nfast group users can also change the mode of an
HSM remotely.
Superuser access (e.g., root) is required for such tasks as software installation, starting
and stopping the hardserver and SNMP.
5.6.2. Access rights withdrawn
Customer Security Procedures should identify the requirements and timelines for
rescinding access rights. Access rights may need to be rescinded when a role holder:
• Leaves the company
• Moves department
• Changes roles
• Is long-term sick
• Is suspended from duties.
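An added example (not from the manual or from Entrust): a read-only shell audit of the access split described in 5.6.1 that also flags nfast group members who are no longer approved, as 5.6.2 requires. It assumes an approved-member list with one user name per line and that files under kmdata are expected to carry the nfast group; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: read-only audit of the kmdata access split.
# Assumption: the approved-member list is a text file, one user name per line.

KMDATA="${KMDATA:-/opt/nfast/kmdata}"   # path named in the manual
NFAST_GROUP="${NFAST_GROUP:-nfast}"     # group named in the manual

# Files under $1 writable by "other", i.e. by normal users.
world_writable() {
    find "$1" ! -type l -perm -0002 -print 2>/dev/null
}

# Files under $1 whose group is not $2 (group name or numeric GID).
# Assumption: kmdata files are expected to carry the nfast group.
wrong_group() {
    find "$1" ! -group "$2" -print 2>/dev/null
}

# Members in group entry $1 (getent / group-file format) missing from list $2.
# Users whose primary group is nfast do not appear in this field.
unapproved_members() {
    printf '%s\n' "$1" | cut -d: -f4 | tr ',' '\n' | sed '/^$/d' |
        grep -vxF -f "$2" || true
}

# Report all findings; returns 0 if clean, 1 on findings, 2 if the group is missing.
audit_kmdata() {
    approved="$1"
    entry=$(getent group "$NFAST_GROUP") || { echo "no group $NFAST_GROUP"; return 2; }
    findings=$( { world_writable "$KMDATA" | sed 's/^/other-writable: /'
                  wrong_group "$KMDATA" "$NFAST_GROUP" | sed 's/^/wrong group: /'
                  unapproved_members "$entry" "$approved" |
                      sed 's/^/unapproved member: /'; } )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Usage: sh audit.sh /path/to/approved_nfast_members.txt
if [ "$#" -gt 0 ]; then audit_kmdata "$1"; fi
```

Running it on the schedule set by the Customer Security Procedures gives a record of when a withdrawn role holder actually left the nfast group.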
5.6.3. Dos and don'ts for access control mechanisms
Most failures of security systems are not the result of inherent flaws in the system but
result from user error. The following basic rules apply to any security system:
• Keep your smart cards safe
• Always obtain smart cards from a trusted source: from Entrust or directly from the
smart card manufacturer. nShield Remote Administration Cards can only be supplied by
Entrust.
• Never insert a smart card used with nShield HSMs into a smart card reader you do
not trust
• Never connect a smart card reader you do not trust to your HSM
• Do not enter pass phrases into a server that you do not trust
• Never tell anyone your pass phrase
nShield® Security Manual