Module access policy visualization
- Updated Jul 31, 2025
- Zurich
- Now Platform Security
Use module access policy visualization to view all relevant cryptographic module information on a single UI page.

Key Management Framework admins and cryptographic managers can use the module access policy UI page to view all access control mechanisms related to a single cryptographic module. Use the information collected on this UI page to determine who has access to encrypted information on your instance.
Users with the sn_kmf.admin or sn_kmf.cryptographic_manager roles can access the module access policy visualization UI page by navigating to .
Results Labels
Module access policies contain a Result field, which determines whether to grant access to the selected cryptographic module. The UI page labels its elements based on the value of that field.
| UI label | Result field value | Definition |
|---|---|---|
| | Track or Allow | Access is granted to all users, including scripts. |
| | Reject | Access is denied unless a track module access policy is found. |
| | StrictReject | Access is denied. |
| | N/A | The module access policy doesn’t exist on the instance. Access is denied to all. |
Global policies
Use the Global policies section to review the module access policies that control platform-level access. Select the Manage button below any of the policies to navigate to that policy record. If the policy doesn't exist, an Add button appears below that entry. Select the Add button to navigate to a new policy record where you can define the policy.
| Policy | Definition |
|---|---|
| Default rule | The default rule policy defines the behavior when no existing rule matches an access request. |
| Platform backend | The platform backend policy governs internal platform code access to cryptographic keys. |
| Script engine | The script engine policy governs whether the script engine is permitted to access cryptographic keys. |
| System user | The system user policy governs whether the system user is permitted to access cryptographic keys. |
Helpful resources
Use the Helpful resources section to find links to product documentation, relevant knowledge articles, and a brief description of how module access policies are evaluated on the platform. For a deeper look into how module access policies are evaluated, see Module access policy debugger.
Granular policies
Use the Granular policies section to view lists of module access policies, separated by policy type. Use the tabs above the list to select a policy category to display.
By default, each list displays only active policies. Use the filter icon to change the default filter for the list.
Users with access
Use the Users with access section to see a list of all users that have access to the selected cryptographic module. The list is grouped by user, as a single user can possess multiple roles that grant access to a cryptographic module.
Related Content
- Key Management Framework key life-cycle states
KMF supports several cryptographic key life-cycle states through the enforcement of specific allowable actions. For example, only keys that are in the active state can be used fully for their intended cryptographic purpose. The following table provides further detail on the varying key life-cycle states.
- Roles installed with Key Management Framework
The Key Management Framework (KMF) introduces specific roles for cryptographic module and key management-related configurations.
- Module access policy debugger
Use the module access policy debugger to review logging information and understand why your users are or aren’t granted access to an encryption context.
- Encryption and Key Management subscription bundle
With Key Management, Field Encryption is upgraded at no additional charge to include highly configurable encryption modules. You can also optionally upgrade to the unlimited-use license. Subscribe to the new encryption entitlement bundle, Platform Encryption, which includes Field Encryption Enterprise and Cloud Encryption.







