Synchronizing Trustelem Groups with the Enterprise Vault CLI (BETA)

🎯 Goal

Automatically define access rights to shared vaults and collections in Enterprise Vault based on membership in Trustelem groups, using a custom JSON attribute called vaultSync.

🧩 Overall Workflow

The script reads all Trustelem groups that include the vaultSync attribute.

For each group:
- A shared vault is created or updated.
- Collections are created or removed according to the configuration.
- User permissions are applied.

If a user also has a vaultSync attribute, it overrides the group configuration.

🧷 Trustelem Configuration

Step 1 – Add custom attributes

🔹 `vaultSync` JSON attribute on a Trustelem Group (mandatory)

Example to adapt:

{ 
  "sharedVault": "SharedVault1",
  "collections": ["Collec1", "Collec2"],
  "createCollections": true,
  "deleteCollections": false,
  "role": "User",
  "permission": "view" 
}

Field	Type	Description
`sharedVault`	`string`	Name of the shared vault to sync
`collections`	`string[]`	List of collections to manage
`createCollections`	`boolean`	Auto-create missing collections
`deleteCollections`	`boolean`	Auto-remove collections not listed
`role`	`string`	User role in the vault: `"Owner"`, `"Admin"`, or `"User"`
`permission`	`string`	Permission in the collection: `"view"`, `"viewExceptPass"`, `"edit"`, `"editExceptPass"`, `"manage"`

🔹 `vaultSync` JSON attribute on a Trustelem User (optional)

Overrides group settings when applied.
Example to adapt:

[ 
  { 
    "sharedVault": "SharedVault1",
    "collections": ["Collec1"],
    "role": "Admin",
    "permission": "edit" 
  }
]

Step 2 – Generate a Trustelem API Key

In the Trustelem admin console, go to API Rest > New API key

Click the edit (pencil) icon

Check:
- users_read
- groups_read

Save.

Note the following values:
- KEY ID
- Bearer Token

🛠 CLI Script Configuration

Create the synchro.sh script:

#!/bin/bash
# --- Configuration ---
vault_id="to_replace"
vault_secret="to_replace"
vault_password="to_replace"
vault_url="to_replace"
trustelem_key_id="to_replace"
trustelem_bearer="to_replace"
trustelem_url="to_replace"
# --- Function: Connect and unlock the Vault CLI ---
connect_to_vault() {
    ./wv logout > /dev/null 2>&1
    ./wv config server "$vault_url" > /dev/null 2>&1
    export WV_CLIENTID=$vault_id
    export WV_CLIENTSECRET=$vault_secret
    export WV_TRUSTELEMKEYID=$trustelem_key_id
    export WV_TRUSTELEMBEARER=$trustelem_bearer
    export WV_TRUSTELEMURL=$trustelem_url
    export WV_TRUSTGROUPATTRIBUTE="vaultSync"
    export WV_TRUSTUSERATTRIBUTE="vaultSync"
    ./wv login --apikey > /dev/null 2>&1
    export WV_SESSION=$(./wv unlock "$vault_password" --raw)
}
# --- Main Execution ---
connect_to_vault
./wv syncgroups

Values to replace:

Variable	Description
`vault_id`	Enterprise Vault API account ID (see Settings > Security > API Keys)
`vault_secret`	API secret for the Vault account
`vault_password`	Master password for the Vault account
`vault_url`	Vault instance URL (e.g., `https://vault-yourdomain.trustelem.com`)
`trustelem_key_id`	KEY ID from Step 2
`trustelem_bearer`	Bearer Token from Step 2
`trustelem_url`	Trustelem admin URL (e.g., `https://admin-yourdomain.trustelem.com`)

⚙️ Detailed Synchronization Behavior

1. Shared Vault Management

If the shared vault doesn't exist:
- It is automatically created and the service account becomes the Owner.

If it already exists:
- The script checks if the service account is the Owner.
- If not, an error is returned.

2. Collection Management

With createCollections=true:
- Collections missing in the vault but listed in the JSON will be created.
- The service account is given manage rights on these.

With deleteCollections=true:
- Collections present in the vault but not in the list will be deleted.
- The service account must have manage rights to delete them.

If collections = ["*"]:
- No automatic create or delete, regardless of createCollections or deleteCollections.

⚠️ Important: Do not set both createCollections=true and deleteCollections=true at the same time.

🔸 Note on User Attributes: User-level vaultSync attributes cannot create or delete collections—only assign permissions.

3. User Membership & Permissions

If a user is not in Vault:
- An error is returned.

Adding users to collections:
- If the user is not already in a listed collection (or "*"), they are added with the role and permission defined.
- If the user has their own vaultSync config, it overrides the group config.
- The service account must have "manage" rights.

Updating permissions:
- If the user has different permissions in a collection, they are updated accordingly.
- Requires "manage" permission.

Removing from collections:
- If a user is in a collection not listed, they are removed.
- Requires "manage" permission.

🧾 Special Cases

Scenario	Behavior
🔁 Trustelem group renamed in AD	Synchronization continues (attribute remains present)
🗑 Trustelem group deleted	Synchronization stops, but the vault remains unchanged
♻️ Group deleted and recreated	Vault is no longer linked; re-adding the attribute resumes sync

✅ Permissions Summary

Action	Required Right (Service Account)
Create shared vault	None (becomes `Owner`)
Modify existing vault	Must be `Owner`
Create/delete collection	`manage`
Add/remove users from collections	`manage`
Update user permissions	`manage`