Create the users that will create the keys. Each user can access and use only its own keys. The following example creates three users, each of which can see only the keys of the CA it owns.
Best practice is to not use the password flag on the CLI. It is shown here only as an example for scripting needs.
# /opt/cloudhsm/bin/cloudhsm-cli user create --username ejbca_root --role crypto-user --password <PASSWORD>
# /opt/cloudhsm/bin/cloudhsm-cli user create --username ejbca_issuing --role crypto-user --password <PASSWORD>
# /opt/cloudhsm/bin/cloudhsm-cli user create --username ejbca_managementca --role crypto-user --password <PASSWORD>