Module access policy debugger

  • Release version: Xanadu
  • Updated August 1, 2024
  • 2 minutes to read

    • Use the module access policy debugger to review logging information and understand why your users are or aren’t granted access to an encryption context.

    Module access policies (MAPs) define instance-level controls for access to cryptographic modules. Callers (for example, a user or script) require explicit access in order to use a cryptographic module for encryption and decryption. It's not always clear which MAPs are evaluated when callers attempt to access a cryptographic module. Use the debugger to see which policies are evaluated when a caller attempts to access a cryptographic module, and learn why access is or isn’t being granted.

    This flowchart shows how your instance evaluates requests for access to a cryptographic module.

    Flowchart showing the how access to cryptographic modules are evaluated

    Control access to the debug logs

    Access to the module access debug logs is determined by role. Users with the sn_kmf.admin and sn_kmf.cryptographic_manager roles always have access to the debugger. Grant access to other roles using the glide.kmf.module_access_policies.debugger.authorized.roles system property. The value of this property is a comma-separated list of roles that access the debug logs.

    Enable or disable the debugger

    To enable debug logging messages for module access policies, navigate to All > Diagnostics > Session Debug > Debug Module Access Policies > .

    When you’re finished debugging, you can disable the logging messages by navigating to All > Diagnostics > Session Debug > Disable All > .

    Access the logs

    After enabling debugging, navigate to a page that triggers a MAP evaluation to view the MAP debug logs. Debug messages appear the bottom of the page.
    Tip:
    You can use impersonation to troubleshoot access for other users. For details on impersonation, see Impersonating users. To view the debug logs from the perspective of another user, make sure that your module access policies with the role type have the Impersonation field set as true.
    Example debug output

    In this example, a caller invokes two access requests to the global.fuji cryptographic module. A symmetric encryption, which is granted, and a symmetric decryption, which was denied.

    Understanding log entries

    Debugging information is structured using this format.

    1. This first line displays the cryptographic module receiving the access request.
    2. The lines between the first and last line displays the evaluated MAPs in the order that they were evaluated, and includes their name, type, target, granular operation, and result.
    3. The last line displays the Policy Decision (if applicable) and the net access result for the caller (whether the caller is granted access).

    Each line starts with an icon that indicates its message type.

    Table 1. Message icons
    Icon Message type
    Informational icon Informational message
    MAP grant access icon Module access policy grants access
    MAP deny access icon Module access policy denies access
    Caller grant access icon Caller is granted access
    Caller deny access icon Caller is denied access
    No MAP icon No module access policy to evaluate

    Debug log examples

    Access granted message
    Debugging output for granted access
    Access denied message
    Debugging output for denied access
    Access denied (No module access policies to evaluate
    Debugging output for denied access due to no MAP policies
    Access denied (insufficient privileges)
    Debugging output for denied access due to insufficient privileges