Key Access Grants
As of v0.7.0 of the platform, creating grants is deprecated in favor of key mappings; v0.7.0 will return an error when you attempt to assign key access servers to attributes.
Key Access Grants (KAS Grants) are associations between a registered Key Access Server (KAS) and an Attribute. These grants can be applied at the namespace, definition, or value level of an attribute.
KAS Grants enable key split behaviors on TDFs with attributes, facilitating various collaboration scenarios around shared policies. Grants follow the specificity matrix below, which determines the KAS public keys used for encryption in various KAS grant scenarios:
| Namespace KAS Grant | Attribute Definition KAS Grant | Attribute Value KAS Grant | Granted Data Encryption Key Utilized in Split |
|---|---|---|---|
| yes | no | no | namespace |
| yes | yes | no | attribute definition |
| no | yes | no | attribute definition |
| yes | yes | yes | value |
| no | yes | yes | value |
| no | no | yes | value |
| no | no | no | default KAS/platform key |
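The matrix above reduces to one rule per attribute value: the most specific grant wins (value, then definition, then namespace), and with no grant at all the default KAS is used; each distinct KAS that comes out of that resolution then holds a share of the data encryption key. The following Go program is an added example, not code from the OpenTDF platform. The `Policy` struct, the FQN shape `<namespace>/attr/<name>/value/<value>`, the KAS IDs, and the XOR-based `SplitDEK`/`JoinDEK` are all illustrative assumptions; they show why a share per granted KAS means every one of those KASes must release its share before the DEK can be recovered.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"strings"
)

// Level records which grant supplied the key; higher is more specific.
type Level int

const (
	LevelDefault    Level = iota // no grant anywhere: default KAS/platform key
	LevelNamespace               // namespace grant
	LevelDefinition              // attribute definition grant
	LevelValue                   // attribute value grant
)

// Policy is a constructed in-memory model of grants (assumption, not the
// platform's schema): each map goes from an attribute object's FQN to a KAS ID.
type Policy struct {
	DefaultKAS       string
	NamespaceGrants  map[string]string // key: "https://example.com"
	DefinitionGrants map[string]string // key: "https://example.com/attr/dept"
	ValueGrants      map[string]string // key: "https://example.com/attr/dept/value/eng"
}

// splitFQN assumes the shape <namespace>/attr/<name>/value/<value>.
func splitFQN(fqn string) (namespace, definition string) {
	i := strings.Index(fqn, "/attr/")
	if i < 0 {
		return fqn, fqn
	}
	j := strings.Index(fqn, "/value/")
	if j < 0 {
		return fqn[:i], fqn
	}
	return fqn[:i], fqn[:j]
}

// ResolveKAS applies the specificity matrix to a single attribute value.
func (p Policy) ResolveKAS(valueFQN string) (string, Level) {
	ns, def := splitFQN(valueFQN)
	if k, ok := p.ValueGrants[valueFQN]; ok {
		return k, LevelValue
	}
	if k, ok := p.DefinitionGrants[def]; ok {
		return k, LevelDefinition
	}
	if k, ok := p.NamespaceGrants[ns]; ok {
		return k, LevelNamespace
	}
	return p.DefaultKAS, LevelDefault
}

// PlanSplit resolves every attribute on a TDF and returns the distinct KAS IDs
// (first-seen order) that will each hold a share of the DEK.
func PlanSplit(p Policy, valueFQNs []string) []string {
	seen := map[string]bool{}
	var kasIDs []string
	for _, fqn := range valueFQNs {
		k, _ := p.ResolveKAS(fqn)
		if !seen[k] {
			seen[k] = true
			kasIDs = append(kasIDs, k)
		}
	}
	if len(kasIDs) == 0 { // no attributes at all: the default key alone
		kasIDs = []string{p.DefaultKAS}
	}
	return kasIDs
}

// SplitDEK is a simplified XOR split (assumption): random shares for all but
// the last KAS, and a final share chosen so the XOR of every share is the DEK.
func SplitDEK(dek []byte, kasIDs []string) (map[string][]byte, error) {
	if len(kasIDs) == 0 {
		return nil, fmt.Errorf("no KAS to hold a share")
	}
	shares := make(map[string][]byte, len(kasIDs))
	last := append([]byte(nil), dek...)
	for _, id := range kasIDs[:len(kasIDs)-1] {
		s := make([]byte, len(dek))
		if _, err := rand.Read(s); err != nil {
			return nil, err
		}
		for i := range last {
			last[i] ^= s[i]
		}
		shares[id] = s
	}
	shares[kasIDs[len(kasIDs)-1]] = last
	return shares, nil
}

// JoinDEK XORs the shares back together; any missing share yields garbage.
func JoinDEK(shares map[string][]byte, n int) []byte {
	dek := make([]byte, n)
	for _, s := range shares {
		for i := range dek {
			dek[i] ^= s[i]
		}
	}
	return dek
}

// ExamplePolicy is constructed sample data that exercises several matrix rows.
func ExamplePolicy() Policy {
	return Policy{
		DefaultKAS:       "kas-platform-default",
		NamespaceGrants:  map[string]string{"https://example.com": "kas-example-ns"},
		DefinitionGrants: map[string]string{"https://example.com/attr/dept": "kas-dept"},
		ValueGrants:      map[string]string{"https://example.com/attr/dept/value/eng": "kas-eng"},
	}
}

func main() {
	p := ExamplePolicy()
	attrs := []string{
		"https://example.com/attr/dept/value/eng",     // value grant wins
		"https://example.com/attr/dept/value/finance", // falls back to definition grant
		"https://example.com/attr/region/value/emea",  // falls back to namespace grant
		"https://other.org/attr/level/value/1",        // no grant: default KAS
	}
	plan := PlanSplit(p, attrs)
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		panic(err)
	}
	shares, _ := SplitDEK(dek, plan)
	fmt.Println("KAS split plan:", plan, "shares held:", len(shares))
}
```

Running it prints a plan of four distinct KAS IDs for the four constructed attributes, one per matrix row exercised; dropping any single share from the map before `JoinDEK` produces a value unrelated to the DEK, which is the property the grant-driven split relies on.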
A KAS Grant in platform policy is straightforward, consisting of the attribute object ID (Namespace, Definition, Value) and the KAS Registry ID.
KAS Grants determine which keys are used during encryption and decryption based on the specific attributes of the TDF.