Groups

What are Groups?

Groups are a way to share a file with more than just one individual user. The purpose of groups is to support collaboration within tiCrypt. Unlike teams which are access-based, groups are entirely cryptographic.

Groups are:

• Managed by Sub-admins and Users with group permissions.
• Help PIs to share a project or multiple files with an isolated number of users.
• Play a significant role in combination with projects.
• Help Admins to manage large desktop infrastructures.

What is the Difference between Groups and Teams?

Groups are a way to share a file with more than just one individual user. The purpose of groups is to support collaboration within tiCrypt.

Teams are designed to for quota and resource management allowing admins to manage hardware resources for the specified teams.

Teams are access-based, groups are entirely cryptographic.

What is the Difference Between Groups and Projects?

Groups use common resources, which are standard file directories in the Vault. Both group's and project's members may come from different teams. Projects restrict users from touching resources; they do not use standard file directories like groups do.

To access a resource in projects, you need to:

• Satisfy the project security level (aka security requirements).
• Be a project member (aka project memberships).
• Have permission from an admin to join projects.

To access a resource in groups, you need to:

• Be part of the group (aka have the group key).
• Have permissions from an admin to join groups.

info

To learn more about the interplay between groups and projects read the Enforcing CUI Restrictions on Hierarchical Data blog.

What are the Project-Tagged Groups?

By default, all groups have no project (Unlocked), but you can tag groups with projects.

Once tagged, the groups are only accessible to project members from the project that tagged the group. Multiple groups may be tagged with the same project tags.

Project-tagged groups require you to meet their project security levels and fulfill all their security requirements to view the group's contents.

If you do not meet the project security levels, you can only view the tagged group in your Vault but cannot access its contents.

note

• Project-tagged groups are entirely cryptographic and also include the layer of access control.
• Resources tagged by a project label inherit all the security requirements associated with the project.

What are the Requirements to Create a Project-Tagged Group?

To tag a group with a project, you must:

• Be a project member of that project.
• Satisfy the security requirements of that project.
• Have permissions from admins to perform this operation.

Optionally, you can delegate a group to a project leader or a sub-admin.

How to Maximize Restrictions in a Project-Tagged Group?

To maximize sensitive project restrictions you tag the following elements:

• The project itself.
• VMs using the project with their drives for group members.
• Groups that are part of the project.

note

Project-tagged VMs restrict moving files outside their drives.

What is the Groups Mechanism When Adding New Managers?

Managing group members is handled by the group owner or a sub-admin with edit group permissions. You cannot add managers to a project-tagged group unless you are a member of the same tagged project.

You may be required to enter your password before adding a new manager to a group. If you select no permissions for a manager, they will be added as a member of the group.

How Many Types of Groups are in tiCrypt?

There are two types of groups in tiCrypt.

• The Groups in the Vault.

  • Also Accessible from Open Overlay in the Groups sub-section.
  • Also Accessible from Management in the Groups sub-section.

• The VM Groups in the Virtual Machines.

Groups

Groups in the Vault are by default cryptographic. They aim to create an group-member-isolated environment for users, unreachable by admin's access controls.

Groups in the Vault are fully encrypted and designed for users who work with sensitive data.
Each group member may come from a different team.

VM Groups

VM Groups in the Virtual Machines are access-controlled. Their purpose is to divide VM users into categories.

By default there are three groups in the Virtual Machines section.

• Everybody: includes all members of the Virtual machine.
• Managers: includes only the managers and the owners of the virtual machine.
• Nobody: includes no users from the Virtual machine.

The Nobody group is used when a VM owner chooses not to share the VM with anyone else.

Can I Change My VM Group Name After Creation?

No.

You cannot edit your VM Group name after creation; you must re-create the group from scratch to rename it.

What User Roles Can Be Owner of an Access Directory?

The owner of the access directory can be the user, manager, or the owner of the selected VM.

Who Should Have Read-Write Access to Access Directories?

As a best practice, only VM owners should have read-write access to access directories.

Access-mode allows the selected access directory owner to read-write on the drive associated with the access directory.

How do I Recover User Group Data from a User Who Left the Institution?

Prevention

This scenario must be prevented from the beginning.
To achieve this, several precautions can be taken:

• Have all users sign a contract with the institution that includes a data protocol in case the user leaves the institution.
• Ensure users accept the T&C's that pop-up when they log into tiCrypt.
• Designate an encrypted drive for the group members who will transfer their findings at the end of the research.

Extreme Scenario

If it is the case that a user has left the institution without following the data guidelines, you may consider recovering the user's private key via the escrow mechanism.

To recover a user's private key:

• Contact the Escrow users groups from your institution.
• The Escrow users will come together, each holding a part of the user's private key, and hand it to the Site-key admin.
• The Site-key admin will digitally sign the Escrow key.
• Once the private key is recovered, the escrow team will sync with a Super-admin to re-login into the system.
• The user group data will be shared with the super-admin in the Vault or transferred to a super-admin-owned virtual machine.
  • Optionally, you can download the user data to a secured offline local machine or a thumb drive.

Legal Actions

• Directly ask the user for their private key password so that an admin can log in and transfer the data to a secured encrypted drive.
• Request a data transfer from the user, according to the institution's legal guidelines for handling the user's data.
• If no cooperation is agreed upon, open a legal dispute with the user to the level that allows data recovery.

What is tiCrypt Group Policy?

The group policy stands for hierarchical tiCrypt infrastructure. Although every individual is a user of tiCrypt, users may have various roles (e.g., admin, user, sub-admin, etc.) that include varying levels of responsibility.

tip

• Follow the instructions in Role Dynamics.
• To learn more about group policies navigate to the group policy article.

Under What Circumstances do I Own Group-shared Data?

Suppose a member of your group is leaving the institution and the data the member shared with you is in their possession.

It is important to avoid this scenario and set up group rules that enforce action when someone leaves the group.

VM User Profiles are an efficient tool to control data access for the current group members via access-control permisions.

Sensitive group-shared data should be added to an encrypted drive. When a user shares a group file with you, it is placed in the Shared with Me directory.

What Happens With Group Data Upon Group Deletion?

When you delete a group, members lose access to all shared files unless you specifically shared the files with them. The group file system is also deleted upon group removal. Only the group owner can delete the group; the managers and members can only leave it.

If a user leaves the group, you can still access the previously shared group file.

The member leaving the organization may transfer their group files to an encrypted drive, allowing the group leader to access them via VM configurations.

To add group data to a drive, use the following workflow:

1. Create a VM Configuration with a new read-only encrypted drive.
2. Launch the VM Configuration and Connect the VM Configuration.
3. Add Group Members to the VM Configuration.
4. Group members transfer the data from their Vault to the Group VM.

Do I Have Permission to Use Groups As a Sub-admin?

Yes.

However, to use a group, you must have permission from an admin with cryptographic access.

Only the users with the group keys can edit groups.