Create a secret group with criteria to organize secrets entered in Password2 fields automatically when they share a common criteria, such as table, scope, or application.

Before you begin

Role required: admin, KMF_admin, sn_secrets.secret_manager, and sn_kmf.cryptographic_manager

Secrets within this type of secret group must all share common criteria. For groups without this restriction, consider creating a basic secret group. Learn about creating a basic secret group in Create a basic secret group.

Procedure

  1. Navigate to All > Secrets Management > Secret Groups.
  2. Select New.
  3. At the What type of Secret Group would you like to create? prompr, select Secret Group with Criteria.
  4. In the Secret Group form, fill in the fields.
    Table 1. Secret group fields
    FieldDescription
    Group Name Name for the group
    Note: Secret group names can only contain lowercase characters, numbers, and underscores( _ )
    Secret Type Whether the group is Instance accessible or Client accessible.
    Autogen Module Generates a new cryptographic module for this secret group. This module encrypts and decrypts your data. This field is enabled by default.
    Application Scoped application for this record. This read-only field is automatically populated with the current scope.
    Short Description Description of the group
    Criterion Type The criteria the secrets in this group shares.
    • Scope
    • Package
    • Target table
    • Secret column
    • Filter record
    Crypto Module Select the cryptographic module to use with this group. This module encrypts and decrypts your data. This field is only visible when Autogen Module isn’t selected. For details on module access policies, see Module access policy overview
    Note: You can review the module access policies related to your secret group using the Manage instance access button.
    Note: Depending on your configuration, the Crypto Module might use an automatically selected value.
    When the Criterion Type field is set to Package, and the Autogen Module field is selected: The Crypto Module field is empty and read-only. An existing Password2 submodule is used. If a Password2 submodule isn’t found, the instance level Glide Encrypter module is used.
    When the Criterion Type field is set to Package, and the Autogen Module field is deselected: (The Autogen Module field can only be deselected by Enterprise users) The Crypto Module field is editable, and admins can select a crypto module to use.
  5. Select and hold (or right-click) the form header and select Save.
    Note: When created, a secret group is inactive by default.
  6. After saving the record, additional fields might appear based on how you’ve configured your group.
    Table 2. Additional secret group fields
    FieldDescription
    Target Scope Scope shared by the secrets to be assigned to this group. This field is only available when you select Scope in the Criteria Type field.
    Target Package Package shared by the secrets to be assigned to this group. This field is only available when you select Package in the Criteria Type field.
    Target Table Table shared by the secrets to be assigned to this group. This field is only available when you select Table or Secret Column in the Criteria Type field.
    Target Scope Application scope of the table selected in the Target Table field. This field is only visible when you select Table, Filter Column, or Secret Column in the Criteria Type field.
    Secret Column Table column that contains the pasword2 secrets you include in this group. The fields available in this list are determined by the table selected in the Target Table field.
    Note: If there are no columns on the select table that contain secrets, this field only displays – None -- as a selection.
    Filter Column The column on the table selected in Target Table you want to use as a filter. This field can’t be a Password2 field.
    Filter value The value you want to use as a filter. This filter applies to the field select in the Filter Column field.

Example: An instance accessible group containing all email account passwords for an email server

Group containing all email account passwords for a specific email server

What to do next

After creating your group, any new records matching the criteria will be encrypted. To encrypt existing records using this group's cryptographic module, you must run a security job. For details, see Run secrets management security jobs.

Client-accessible groups need a customer-provided public key to encrypt your secrets. For steps on uploading this key, see Upload a public key for Secrets Management.