D.3. Certificate Manager-Specific ACLs

This section covers the default access control configuration attributes which are set specifically for the Certificate Manager. The CA ACL configuration also includes all of the common ACLs listed in Section D.2, “Common ACLs”.
There are access control rules set for each of the CA's interfaces (administrative console and agents and end-entities services pages) and for common operations like listing and downloading certificates.

D.3.1. certServer.admin.ocsp

Limits access to the Certificate Manager's OCSP configuration to members of the enterprise OCSP administrators group.
allow (modify,read) group="Enterprise OCSP Administrators"

Table D.13. certServer.admin.ocsp ACL Summary

| Operations | Description | Allow/Deny Access | Targeted Users/Groups |
|---|---|---|---|
| modify | Modify the OCSP configuration, OCSP stores configuration, and default OCSP store. | Allow | Enterprise OCSP Administrators |
| read | Read the OCSP configuration. | Allow | Enterprise OCSP Administrators |

D.3.2. certServer.ca.certificate

Controls basic management operations for certificates in the agents services interface, including importing and revoking certificates. The default configuration is:
allow (import,unrevoke,revoke,read) group="Certificate Manager Agents"

Table D.14. certServer.ca.certificate ACL Summary

| Operations | Description | Allow/Deny Access | Targeted Users/Groups |
|---|---|---|---|
| import | Retrieve a certificate by serial number. | Allow | Certificate Manager Agents |
| unrevoke | Change the status of a certificate from revoked. | Allow | Certificate Manager Agents |
| revoke | Change the status of a certificate to revoked. | Allow | Certificate Manager Agents |
| read | Retrieve certificates based on the request ID, and display certificate details based on the request ID or serial number. | Allow | Certificate Manager Agents |

D.3.3. certServer.ca.certificates

Controls operations for listing or revoking certificates through the agent services interface. The default configuration is:
allow (revoke,list) group="Certificate Manager Agents"|| group="Registration Manager Agents"

Table D.15. certServer.ca.certificates ACL Summary

| Operations | Description | Allow/Deny Access | Targeted Users/Groups |
|---|---|---|---|
| revoke | Revoke a certificate, or approve certificate revocation requests. Revoke a certificate from the TPS. Prompt users for additional data about a revocation request. | Allow | Certificate Manager Agents, Registration Manager Agents |
| list | List certificates based on a search. Retrieve details about a range of certificates based on a range of serial numbers. | Allow | Certificate Manager Agents, Registration Manager Agents |

D.3.4. certServer.ca.configuration

Controls operations on the general configuration for a Certificate Manager. The default configuration is:
allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Key Recovery Authority Agents" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators"

Table D.16. certServer.ca.configuration ACL Summary

| Operations | Description | Allow/Deny Access | Targeted Users/Groups |
|---|---|---|---|
| read | View CRL plug-in information, general CA configuration, CA connector configuration, CRL issuing points configuration, CRL profile configuration, request notification configuration, revocation notification configuration, request in queue notification configuration, and CRL extensions configuration. List CRL extensions configuration and CRL issuing points configuration. | Allow | Administrators, Agents, Auditors |
| modify | Add and delete CRL issuing points. Modify general CA settings, CA connector configuration, CRL issuing points configuration, CRL configuration, request notification configuration, revocation notification configuration, request in queue notification configuration, and CRL extensions configuration. | Allow | Administrators |

D.3.5. certServer.ca.connector

Controls operations to submit requests over a special connector to the CA. The default configuration is:
allow (submit) group="Trusted Managers"

Table D.17. certServer.ca.connector ACL Summary

| Operations | Description | Allow/Deny Access | Targeted Users/Groups |
|---|---|---|---|
| submit | Submit requests from remote trusted managers. | Allow | Trusted Managers |

D.3.6. certServer.ca.connectorInfo

Controls access to the connector information to manage trusted relationships between a CA and KRA. These trust relationships are special configurations which allow a CA and KRA to automatically connect to perform key archival and recovery operations. These trust relationships are configured through special connector plug-ins.
allow (read) group="Enterprise KRA Administrators";allow (modify) group="Enterprise KRA Administrators" || group="Subsystem Group"

Table D.18. certServer.ca.connectorInfo ACL Summary

| Operations | Description | Allow/Deny Access | Targeted Users/Groups |
|---|---|---|---|
| read | Read connector plug-in settings. | Allow | Enterprise KRA Administrators |
| modify | Modify connector plug-in settings. | Allow | Enterprise KRA Administrators, Subsystem Group |

D.3.7. certServer.ca.crl

Controls access to read or update CRLs through the agent services interface. The default setting is:
allow (read,update) group="Certificate Manager Agents"

Table D.19. certServer.ca.crl ACL Summary

| Operations | Description | Allow/Deny Access | Targeted Users/Groups |
|---|---|---|---|
| read | Display CRLs and get detailed information about CA CRL processing. | Allow | Certificate Manager Agents |
| update | Update CRLs. | Allow | Certificate Manager Agents |

D.3.8. certServer.ca.directory

Controls access to the LDAP directory used for publishing certificates and CRLs.
allow (update) group="Certificate Manager Agents"

Table D.20. certServer.ca.directory ACL Summary

| Operations | Description | Allow/Deny Access | Targeted Users/Groups |
|---|---|---|---|
| update | Publish CA certificates, CRLs, and user certificates to the LDAP directory. | Allow | Certificate Manager Agents |

D.3.9. certServer.ca.group

Controls access to the internal database for adding users and groups for the Certificate Manager instance.
allow (modify,read) group="Administrators"

Table D.21. certServer.ca.group ACL Summary

| Operations | Description | Allow/Deny Access | Targeted Users/Groups |
|---|---|---|---|
| modify | Create, edit, or delete user and group entries for the instance. Add or modify a user certificate within attributes. | Allow | Administrators |
| read | View user and group entries for the instance. | Allow | Administrators |

D.3.10. certServer.ca.ocsp

Controls the ability to access and read OCSP information, such as usage statistics, through the agent services interface.
allow (read) group="Certificate Manager Agents"

Table D.22. certServer.ca.ocsp ACL Summary

| Operations | Description | Allow/Deny Access | Targeted Users/Groups |
|---|---|---|---|
| read | Retrieve OCSP usage statistics. | Allow | Certificate Manager Agents |

D.3.11. certServer.ca.profile

Controls access to certificate profile configuration in the agent services pages.
allow (read,approve) group="Certificate Manager Agents"

Table D.23. certServer.ca.profile ACL Summary

| Operations | Description | Allow/Deny Access | Targeted Users/Groups |
|---|---|---|---|
| read | View the details of the certificate profiles. | Allow | Certificate Manager Agents |
| approve | Approve and enable certificate profiles. | Allow | Certificate Manager Agents |

D.3.12. certServer.ca.profiles

Controls access to list certificate profiles in the agent services interface.
allow (list) group="Certificate Manager Agents"

Table D.24. certServer.ca.profiles ACL Summary

| Operations | Description | Allow/Deny Access | Targeted Users/Groups |
|---|---|---|---|
| list | List certificate profiles. | Allow | Certificate Manager Agents |

D.3.13. certServer.ca.registerUser

Defines which group or user can create an agent user for the instance. The default configuration is:
allow (modify,read) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators"

Table D.25. certServer.ca.registerUser ACL Summary

| Operations | Description | Allow/Deny Access | Targeted Users/Groups |
|---|---|---|---|
| modify | Register a new agent. | Allow | Enterprise Administrators |
| read | Read existing agent information. | Allow | Enterprise Administrators |

D.3.14. certServer.ca.request.enrollment

Controls how enrollment requests are handled and assigned. The default setting is:
allow (submit) user="anybody";allow (read,execute,assign,unassign) group="Certificate Manager Agents"

Table D.26. certServer.ca.request.enrollment ACL Summary

| Operations | Description | Allow/Deny Access | Targeted Users/Groups |
|---|---|---|---|
| read | View an enrollment request. | Allow | Certificate Manager Agents |
| execute | Modify the approval state of a request. | Allow | Certificate Manager Agents |
| submit | Submit a request. | Allow | Anybody |
| assign | Assign a request to a Certificate Manager agent. | Allow | Certificate Manager Agents |
| unassign | Change the assignment of a request. | Allow | Certificate Manager Agents |

D.3.15. certServer.ca.request.profile

Controls the handling of certificate profile-based requests. The default setting is:
allow (approve,read) group="Certificate Manager Agents"

Table D.27. certServer.ca.request.profile ACL Summary

| Operations | Description | Allow/Deny Access | Targeted Users/Groups |
|---|---|---|---|
| approve | Modify the approval state of a certificate profile-based certificate request. | Allow | Certificate Manager Agents |
| read | View a certificate profile-based certificate request. | Allow | Certificate Manager Agents |

D.3.16. certServer.ca.requests

Controls who can list certificate requests in the agents services interface.
allow (list) group="Certificate Manager Agents"|| group="Registration Manager Agents"

Table D.28. certServer.ca.requests ACL Summary

| Operations | Description | Allow/Deny Access | Targeted Users/Groups |
|---|---|---|---|
| list | Retrieve details on a range of requests, and search for certificates using a complex filter. | Allow | Certificate Manager Agents, Registration Manager Agents |

D.3.17. certServer.ca.systemstatus

Controls who can view the statistics for the Certificate Manager instance.
allow (read) group="Certificate Manager Agents"

Table D.29. certServer.ca.systemstatus ACL Summary

| Operations | Description | Allow/Deny Access | Targeted Users/Groups |
|---|---|---|---|
| read | View statistics. | Allow | Certificate Manager Agents |

D.3.18. certServer.ee.certchain

Controls who can access the CA certificate chain in the end-entities page.
allow (download,read) user="anybody"

Table D.30. certServer.ee.certchain ACL Summary

| Operations | Description | Allow/Deny Access | Targeted Users/Groups |
|---|---|---|---|
| download | Download the CA's certificate chain. | Allow | Anyone |
| read | View the CA's certificate chain. | Allow | Anyone |

D.3.19. certServer.ee.certificate

Controls who can access certificates, for most operations like importing or revoking certificates, through the end-entities page.
allow (renew,revoke,read,import) user="anybody"

Table D.31. certServer.ee.certificate ACL Summary

| Operations | Description | Allow/Deny Access | Targeted Users/Groups |
|---|---|---|---|
| renew | Submit a request to renew an existing certificate. | Allow | Anyone |
| revoke | Submit a revocation request for a user certificate. | Allow | Anyone |
| read | Retrieve and view certificates based on the certificate serial number or request ID. | Allow | Anyone |
| import | Import a certificate based on serial number. | Allow | Anyone |

D.3.20. certServer.ee.certificates

Controls who can list revoked certificates or submit a revocation request in the end-entities page.
allow (revoke,list) user="anybody"

Table D.32. certServer.ee.certificates ACL Summary

| Operations | Description | Allow/Deny Access | Targeted Users/Groups |
|---|---|---|---|
| revoke | Submit a list of certificates to revoke. | Allow | Subject of Certificate to be Revoked must match Certificate presented to authenticate to the CA. |
| list | Search for certificates matching specified criteria. | Allow | Anyone |

D.3.21. certServer.ee.crl

Controls access to CRLs through the end-entities page.
allow (read,add) user="anybody"

Table D.33. certServer.ee.crl ACL Summary

| Operations | Description | Allow/Deny Access | Targeted Users/Groups |
|---|---|---|---|
| read | Retrieve and view the certificate revocation list. | Allow | Anyone |
| add | Add CRLs to the OCSP server. | Allow | Anyone |

D.3.22. certServer.ee.profile

Controls some access to certificate profiles in the end-entities page, including who can view details about a profile or submit a request through the profile.
allow (submit,read) user="anybody"

Table D.34. certServer.ee.profile ACL Summary

| Operations | Description | Allow/Deny Access | Targeted Users/Groups |
|---|---|---|---|
| submit | Submit a certificate request through a certificate profile. | Allow | Anyone |
| read | Display details of a certificate profile. | Allow | Anyone |

D.3.23. certServer.ee.profiles

Controls who can list active certificate profiles in the end-entities page.
allow (list) user="anybody"

Table D.35. certServer.ee.profiles ACL Summary

| Operations | Description | Allow/Deny Access | Targeted Users/Groups |
|---|---|---|---|
| list | List certificate profiles. | Allow | Anyone |

D.3.24. certServer.ee.request.ocsp

Controls, based on IP address, which clients can submit OCSP requests.
allow (submit) ipaddress=".*"

Table D.36. certServer.ee.request.ocsp ACL Summary

| Operations | Description | Allow/Deny Access | Targeted Users/Groups |
|---|---|---|---|
| submit | Submit OCSP requests. | Allow | All IP addresses |

D.3.25. certServer.ee.request.revocation

Controls which users can submit certificate revocation requests in the end-entities page.
allow (submit) user="anybody"

Table D.37. certServer.ee.request.revocation ACL Summary

| Operations | Description | Allow/Deny Access | Targeted Users/Groups |
|---|---|---|---|
| submit | Submit a request to revoke a certificate. | Allow | Anyone |

D.3.26. certServer.ee.requestStatus

Controls who can view the status for a certificate request in the end-entities page.
allow (read) user="anybody"

Table D.38. certServer.ee.requestStatus ACL Summary

| Operations | Description | Allow/Deny Access | Targeted Users/Groups |
|---|---|---|---|
| read | Retrieve the status of a request and serial numbers of any certificates that have been issued against that request. | Allow | Anyone |

D.3.27. certServer.job.configuration

Controls who can configure jobs for the Certificate Manager.
allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Key Recovery Authority Agents" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators"

Table D.39. certServer.job.configuration ACL Summary

| Operations | Description | Allow/Deny Access | Targeted Users/Groups |
|---|---|---|---|
| read | View basic job settings, job instance settings, and job plug-in settings. List job plug-ins and job instances. | Allow | Administrators, Agents, Auditors |
| modify | Add and delete job plug-ins and job instances. Modify job plug-ins and job instances. | Allow | Administrators |

D.3.28. certServer.profile.configuration

Controls access to the certificate profile configuration. The default setting is:
allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Key Recovery Authority Agents" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators"

Table D.40. certServer.profile.configuration ACL Summary

| Operations | Description | Allow/Deny Access | Targeted Users/Groups |
|---|---|---|---|
| read | View certificate profile defaults and constraints, input, output, input configuration, output configuration, default configuration, policy constraints configuration, and certificate profile instance configuration. List certificate profile plug-ins and certificate profile instances. | Allow | Administrators, Agents, Auditors |
| modify | Add, modify, and delete certificate profile defaults and constraints, input, output, and certificate profile instances. Add and modify default policy constraints configuration. | Allow | Administrators |

D.3.29. certServer.publisher.configuration

Controls who can view and edit the publishing configuration for the Certificate Manager. The default configuration is:
allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Key Recovery Authority Agents" || group="Online Certificate Status Manager Agents";allow (modify) group="Administrators"

Table D.41. certServer.publisher.configuration ACL Summary

| Operations | Description | Allow/Deny Access | Targeted Users/Groups |
|---|---|---|---|
| read | View LDAP server destination information, publisher plug-in configuration, publisher instance configuration, mapper plug-in configuration, mapper instance configuration, rules plug-in configuration, and rules instance configuration. List publisher plug-ins and instances, rules plug-ins and instances, and mapper plug-ins and instances. | Allow | Administrators, Agents, Auditors |
| modify | Add and delete publisher plug-ins, publisher instances, mapper plug-ins, mapper instances, rules plug-ins, and rules instances. Modify publisher instances, mapper instances, rules instances, and LDAP server destination information. | Allow | Administrators |

D.3.30. certServer.securitydomain.domainxml

Controls access to the security domain information maintained in a registry by the domain host Certificate Manager. The security domain configuration is directly accessed and modified by subsystem instances during configuration, so appropriate access must always be allowed to subsystems, or configuration could fail.
allow (read) user="anybody";allow (modify) group="Subsystem Group"

Table D.42. certServer.securitydomain.domainxml ACL Summary

| Operations | Description | Allow/Deny Access | Targeted Users/Groups |
|---|---|---|---|
| read | View the security domain configuration. | Allow | Anybody |
| modify | Modify the security domain configuration by changing instance information and adding and removing instances. | Allow | Subsystem Groups, Enterprise Administrators |
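
The default rules in this section can be reviewed mechanically to see which operations are open to any caller (user="anybody" or ipaddress=".*"). The following is an added example, not part of the original documentation or the product's code; the rule grammar it parses (rules separated by ";", principals joined by "||") is an assumption inferred only from the ACL strings shown on this page, and the function names are illustrative.

```python
import re

# ACL strings copied verbatim from the defaults listed on this page.
DEFAULT_ACLS = {
    "certServer.ca.connectorInfo": 'allow (read) group="Enterprise KRA Administrators";allow (modify) group="Enterprise KRA Administrators" || group="Subsystem Group"',
    "certServer.ca.certificates": 'allow (revoke,list) group="Certificate Manager Agents"|| group="Registration Manager Agents"',
    "certServer.ee.crl": 'allow (read,add) user="anybody"',
    "certServer.ee.request.ocsp": 'allow (submit) ipaddress=".*"',
    "certServer.securitydomain.domainxml": 'allow (read) user="anybody";allow (modify) group="Subsystem Group"',
}

# Assumed grammar, inferred only from the rules shown on this page.
RULE_RE = re.compile(r'^(allow|deny)\s*\(([^)]*)\)\s*(.+)$')
TERM_RE = re.compile(r'^(user|group|ipaddress)\s*=\s*"([^"]*)"$')
# The two catch-all principals that appear in the defaults above.
CATCH_ALL = {("user", "anybody"), ("ipaddress", ".*")}

def parse_acl(text):
    """Return [(action, {operations}, [(attribute, value), ...]), ...] for one ACL string."""
    rules = []
    for raw in filter(None, (part.strip() for part in text.split(";"))):
        rule = RULE_RE.match(raw)
        if not rule:
            raise ValueError(f"unparseable rule: {raw!r}")
        action, ops, expr = rule.groups()
        terms = []
        for piece in expr.split("||"):
            term = TERM_RE.match(piece.strip())
            if not term:
                raise ValueError(f"unparseable term: {piece!r}")
            terms.append(term.groups())
        rules.append((action, {op.strip() for op in ops.split(",")}, terms))
    return rules

def open_operations(acls):
    """Map each resource to the operations an allow rule grants to any caller."""
    report = {}
    for resource, text in acls.items():
        ops = set()
        for action, rule_ops, terms in parse_acl(text):
            if action == "allow" and any(term in CATCH_ALL for term in terms):
                ops |= rule_ops
        if ops:
            report[resource] = sorted(ops)
    return report

def principals_for(acls, resource, op):
    """List the (attribute, value) principals allowed to perform op on resource."""
    return [term for action, ops, terms in parse_acl(acls[resource])
            if action == "allow" and op in ops for term in terms]

if __name__ == "__main__":
    for resource, ops in open_operations(DEFAULT_ACLS).items():
        print(f"{resource}: {', '.join(ops)}")
```

Running the same report against the ACLs of a deployed instance and comparing it with the defaults shows where access has been widened or narrowed.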