D.3. Certificate Manager-Specific ACLs
D.3.1. certServer.admin.ocsp
allow (modify,read) group="Enterprise OCSP Administrators"
Table D.13. certServer.admin.ocsp ACL Summary
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
modify | Modify the OCSP configuration, OCSP stores configuration, and default OCSP store. | Allow | Enterprise OCSP Administrators |
read | Read the OCSP configuration. | Allow | Enterprise OCSP Administrators |
D.3.2. certServer.ca.certificate
allow (import,unrevoke,revoke,read) group="Certificate Manager Agents"
Table D.14. certServer.ca.certificate ACL Summary
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
import | Retrieve a certificate by serial number. | Allow | Certificate Manager Agents |
unrevoke | Change the status of a certificate from revoked. | Allow | Certificate Manager Agents |
revoke | Change the status of a certificate to revoked. | Allow | Certificate Manager Agents |
read | Retrieve certificates based on the request ID, and display certificate details based on the request ID or serial number. | Allow | Certificate Manager Agents |
D.3.3. certServer.ca.certificates
allow (revoke,list) group="Certificate Manager Agents" || group="Registration Manager Agents"
Table D.15. certServer.ca.certificates ACL Summary
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
revoke | Revoke certificates, or approve certificate revocation requests. Revoke a certificate from the TPS. Prompt users for additional data about a revocation request. | Allow | Certificate Manager Agents, Registration Manager Agents |
list | List certificates based on a search. Retrieve details about a range of certificates based on a range of serial numbers. | Allow | Certificate Manager Agents, Registration Manager Agents |
D.3.4. certServer.ca.configuration
allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Key Recovery Authority Agents" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators"
Table D.16. certServer.ca.configuration ACL Summary
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
read | View CRL plug-in information, general CA configuration, CA connector configuration, CRL issuing points configuration, CRL profile configuration, request notification configuration, revocation notification configuration, request in queue notification configuration, and CRL extensions configuration. List CRL extensions configuration and CRL issuing points configuration. | Allow | Administrators, Certificate Manager Agents, Registration Manager Agents, Key Recovery Authority Agents, Online Certificate Status Manager Agents, Auditors |
modify | Add and delete CRL issuing points. Modify general CA settings, CA connector configuration, CRL issuing points configuration, CRL configuration, request notification configuration, revocation notification configuration, request in queue notification configuration, and CRL extensions configuration. | Allow | Administrators |
D.3.5. certServer.ca.connector
allow (submit) group="Trusted Managers"
Table D.17. certServer.ca.connector ACL Summary
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
submit | Submit requests from remote trusted managers. | Allow | Trusted Managers |
D.3.6. certServer.ca.connectorInfo
allow (read) group="Enterprise KRA Administrators";allow (modify) group="Enterprise KRA Administrators" || group="Subsystem Group"
Table D.18. certServer.ca.connectorInfo ACL Summary
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
read | Read connector plug-in settings. | Allow | Enterprise KRA Administrators |
modify | Modify connector plug-in settings. | Allow | Enterprise KRA Administrators, Subsystem Group |
D.3.7. certServer.ca.crl
allow (read,update) group="Certificate Manager Agents"
Table D.19. certServer.ca.crl ACL Summary
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
read | Display CRLs and get detailed information about CA CRL processing. | Allow | Certificate Manager Agents |
update | Update CRLs. | Allow | Certificate Manager Agents |
D.3.8. certServer.ca.directory
allow (update) group="Certificate Manager Agents"
Table D.20. certServer.ca.directory ACL Summary
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
update | Publish CA certificates, CRLs, and user certificates to the LDAP directory. | Allow | Certificate Manager Agents |
D.3.9. certServer.ca.group
allow (modify,read) group="Administrators"
Table D.21. certServer.ca.group ACL Summary
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
modify | Create, edit, or delete user and group entries for the instance. Add or modify a user certificate within the entry's attributes. | Allow | Administrators |
read | View user and group entries for the instance. | Allow | Administrators |
D.3.10. certServer.ca.ocsp
allow (read) group="Certificate Manager Agents"
Table D.22. certServer.ca.ocsp ACL Summary
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
read | Retrieve OCSP usage statistics. | Allow | Certificate Manager Agents |
D.3.11. certServer.ca.profile
allow (read,approve) group="Certificate Manager Agents"
Table D.23. certServer.ca.profile ACL Summary
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
read | View the details of the certificate profiles. | Allow | Certificate Manager Agents |
approve | Approve and enable certificate profiles. | Allow | Certificate Manager Agents |
D.3.12. certServer.ca.profiles
allow (list) group="Certificate Manager Agents"
Table D.24. certServer.ca.profiles ACL Summary
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
list | List certificate profiles. | Allow | Certificate Manager Agents |
D.3.13. certServer.ca.registerUser
allow (modify,read) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators"
Table D.25. certServer.ca.registerUser ACL Summary
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
modify | Register a new agent. | Allow | Enterprise Administrators |
read | Read existing agent information. | Allow | Enterprise Administrators |
D.3.14. certServer.ca.request.enrollment
allow (submit) user="anybody";allow (read,execute,assign,unassign) group="Certificate Manager Agents"
Table D.26. certServer.ca.request.enrollment ACL Summary
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
read | View an enrollment request. | Allow | Certificate Manager Agents |
execute | Modify the approval state of a request. | Allow | Certificate Manager Agents |
submit | Submit a request. | Allow | Anybody |
assign | Assign a request to a Certificate Manager agent. | Allow | Certificate Manager Agents |
unassign | Change the assignment of a request. | Allow | Certificate Manager Agents |
D.3.15. certServer.ca.request.profile
allow (approve,read) group="Certificate Manager Agents"
Table D.27. certServer.ca.request.profile ACL Summary
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
approve | Modify the approval state of a certificate profile-based certificate request. | Allow | Certificate Manager Agents |
read | View a certificate profile-based certificate request. | Allow | Certificate Manager Agents |
D.3.16. certServer.ca.requests
allow (list) group="Certificate Manager Agents" || group="Registration Manager Agents"
Table D.28. certServer.ca.requests ACL Summary
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
list | Retrieve details on a range of requests, and search for certificates using a complex filter. | Allow | Certificate Manager Agents, Registration Manager Agents |
D.3.17. certServer.ca.systemstatus
allow (read) group="Certificate Manager Agents"
Table D.29. certServer.ca.systemstatus ACL Summary
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
read | View statistics. | Allow | Certificate Manager Agents |
D.3.18. certServer.ee.certchain
allow (download,read) user="anybody"
Table D.30. certServer.ee.certchain ACL Summary
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
download | Download the CA's certificate chain. | Allow | Anyone |
read | View the CA's certificate chain. | Allow | Anyone |
D.3.19. certServer.ee.certificate
allow (renew,revoke,read,import) user="anybody"
Table D.31. certServer.ee.certificate ACL Summary
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
renew | Submit a request to renew an existing certificate. | Allow | Anyone |
revoke | Submit a revocation request for a user certificate. | Allow | Anyone |
read | Retrieve and view certificates based on the certificate serial number or request ID. | Allow | Anyone |
import | Import a certificate based on serial number. | Allow | Anyone |
D.3.20. certServer.ee.certificates
allow (revoke,list) user="anybody"
Table D.32. certServer.ee.certificates ACL Summary
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
revoke | Submit a list of certificates to revoke. | Allow | Anyone. The subject of the certificate to be revoked must match the certificate presented to authenticate to the CA. |
list | Search for certificates matching specified criteria. | Allow | Anyone |
D.3.21. certServer.ee.crl
allow (read,add) user="anybody"
Table D.33. certServer.ee.crl ACL Summary
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
read | Retrieve and view the certificate revocation list. | Allow | Anyone |
add | Add CRLs to the OCSP server. | Allow | Anyone |
D.3.22. certServer.ee.profile
allow (submit,read) user="anybody"
Table D.34. certServer.ee.profile ACL Summary
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
submit | Submit a certificate request through a certificate profile. | Allow | Anyone |
read | Display the details of a certificate profile. | Allow | Anyone |
D.3.23. certServer.ee.profiles
allow (list) user="anybody"
Table D.35. certServer.ee.profiles ACL Summary
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
list | List certificate profiles. | Allow | Anyone |
D.3.24. certServer.ee.request.ocsp
allow (submit) ipaddress=".*"
Table D.36. certServer.ee.request.ocsp ACL Summary
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
submit | Submit OCSP requests. | Allow | All IP addresses |
D.3.25. certServer.ee.request.revocation
allow (submit) user="anybody"
Table D.37. certServer.ee.request.revocation ACL Summary
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
submit | Submit a request to revoke a certificate. | Allow | Anyone |
D.3.26. certServer.ee.requestStatus
allow (read) user="anybody"
Table D.38. certServer.ee.requestStatus ACL Summary
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
read | Retrieve the status of a request and serial numbers of any certificates that have been issued against that request. | Allow | Anyone |
D.3.27. certServer.job.configuration
allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Key Recovery Authority Agents" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators"
Table D.39. certServer.job.configuration ACL Summary
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
read | View basic job settings, job instance settings, and job plug-in settings. List job plug-ins and job instances. | Allow | Administrators, Certificate Manager Agents, Registration Manager Agents, Key Recovery Authority Agents, Online Certificate Status Manager Agents, Auditors |
modify | Add and delete job plug-ins and job instances. Modify job plug-ins and job instances. | Allow | Administrators |
D.3.28. certServer.profile.configuration
allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Key Recovery Authority Agents" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators"
Table D.40. certServer.profile.configuration ACL Summary
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
read | View certificate profile defaults and constraints, input, output, input configuration, output configuration, default configuration, policy constraints configuration, and certificate profile instance configuration. List certificate profile plug-ins and certificate profile instances. | Allow | Administrators, Certificate Manager Agents, Registration Manager Agents, Key Recovery Authority Agents, Online Certificate Status Manager Agents, Auditors |
modify | Add, modify, and delete certificate profile defaults and constraints, input, output, and certificate profile instances. Add and modify default policy constraints configuration. | Allow | Administrators |
D.3.29. certServer.publisher.configuration
allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Key Recovery Authority Agents" || group="Online Certificate Status Manager Agents";allow (modify) group="Administrators"
Table D.41. certServer.publisher.configuration ACL Summary
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
read | View LDAP server destination information, publisher plug-in configuration, publisher instance configuration, mapper plug-in configuration, mapper instance configuration, rules plug-in configuration, and rules instance configuration. List publisher plug-ins and instances, rules plug-ins and instances, and mapper plug-ins and instances. | Allow | Administrators, Auditors, Certificate Manager Agents, Registration Manager Agents, Key Recovery Authority Agents, Online Certificate Status Manager Agents |
modify | Add and delete publisher plug-ins, publisher instances, mapper plug-ins, mapper instances, rules plug-ins, and rules instances. Modify publisher instances, mapper instances, rules instances, and LDAP server destination information. | Allow | Administrators |
D.3.30. certServer.securitydomain.domainxml
allow (read) user="anybody";allow (modify) group="Subsystem Group"
Table D.42. certServer.securitydomain.domainxml ACL Summary
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
read | View the security domain configuration. | Allow | Anybody |
modify | Modify the security domain configuration by changing instance information and adding and removing instances. | Allow | Subsystem Group |
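Every ACL string in this appendix uses the same small grammar: one or more `allow (op,...) <subject>` entries separated by `;`, where the subject is one or more `group="..."`, `user="..."` or `ipaddress="<regex>"` terms joined with `||`. The following is an added example, written for this page and not taken from the Red Hat Certificate System documentation or code. It parses that subset of the syntax, decides whether a given caller may perform an operation on a resource, and inventories which operations an unauthenticated caller (`user="anybody"` or any `ipaddress`) is granted. The sample ACL strings are copied from the tables above; the `Principal` model, the treatment of an empty user as unauthenticated, the evaluation order across entries, and the handling of `deny` (not shown on this page) are assumptions of this example, not the product's documented semantics.

```python
"""Parse and evaluate Certificate System style ACL strings.

Added example, not from the Red Hat Certificate System documentation or code.
Supports the subset of the syntax visible in this appendix:
    allow (op1,op2) group="A" || group="B";allow (op3) user="anybody"
plus ipaddress="<regex>". 'deny' handling and the notion that an unset
user models an unauthenticated caller are assumptions of this example.
"""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Sample input: ACL strings copied from the tables in this appendix.
ACLS: Dict[str, str] = {
    "certServer.ca.certificates":
        'allow (revoke,list) group="Certificate Manager Agents"|| group="Registration Manager Agents"',
    "certServer.ca.request.enrollment":
        'allow (submit) user="anybody";allow (read,execute,assign,unassign) group="Certificate Manager Agents"',
    "certServer.ee.request.ocsp":
        'allow (submit) ipaddress=".*"',
    "certServer.securitydomain.domainxml":
        'allow (read) user="anybody";allow (modify) group="Subsystem Group"',
}

ACI_RE = re.compile(r'^(allow|deny)\s*\(([^)]*)\)\s*(.*)$', re.S)
TERM_RE = re.compile(r'(group|user|ipaddress)\s*=\s*"([^"]*)"')

# Operations that change state; everything else (read, list, download) is treated as read-only.
WRITE_OPS = {"modify", "revoke", "unrevoke", "submit", "add", "update",
             "execute", "approve", "assign", "unassign", "import", "renew"}


@dataclass
class Aci:
    effect: str                        # "allow" or "deny"
    operations: FrozenSet[str]         # e.g. {"read", "modify"}
    terms: List[Tuple[str, str]]       # [(kind, value), ...], joined by '||'


@dataclass
class Principal:
    user: Optional[str] = None         # None models an unauthenticated caller (assumption)
    groups: FrozenSet[str] = frozenset()
    ip: str = ""


def parse_acl(acl: str) -> List[Aci]:
    """Split an ACL string into its ';'-separated entries and parse each one."""
    acis: List[Aci] = []
    for raw in acl.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        m = ACI_RE.match(raw)
        if not m:
            raise ValueError(f"unparseable ACI: {raw!r}")
        effect, ops, expr = m.groups()
        operations = frozenset(op.strip() for op in ops.split(",") if op.strip())
        terms = TERM_RE.findall(expr)
        # Only '||' between terms is accepted; anything else is a syntax we do not model.
        leftover = TERM_RE.sub("", expr).replace("||", "").strip()
        if not terms or leftover:
            raise ValueError(f"unsupported subject expression: {expr!r}")
        acis.append(Aci(effect, operations, terms))
    return acis


def term_matches(kind: str, value: str, p: Principal) -> bool:
    """Evaluate one subject term against the caller."""
    if kind == "group":
        return value in p.groups
    if kind == "user":
        return value == "anybody" or value == p.user
    if kind == "ipaddress":
        return re.fullmatch(value, p.ip) is not None   # the value is a regular expression
    return False


def is_allowed(acl: str, operation: str, p: Principal) -> bool:
    """True if some 'allow' entry grants the operation and no 'deny' entry matches (assumption)."""
    allowed = False
    for aci in parse_acl(acl):
        if operation not in aci.operations:
            continue
        if any(term_matches(k, v, p) for k, v in aci.terms):
            if aci.effect == "deny":
                return False
            allowed = True
    return allowed


def anonymous_write_operations(acls: Dict[str, str]) -> Dict[str, List[str]]:
    """Inventory state-changing operations reachable by an unauthenticated caller, per resource."""
    anon = Principal()
    result: Dict[str, List[str]] = {}
    for resource, acl in acls.items():
        ops = sorted({op for aci in parse_acl(acl) for op in aci.operations
                      if op in WRITE_OPS and is_allowed(acl, op, anon)})
        if ops:
            result[resource] = ops
    return result


if __name__ == "__main__":
    for resource, ops in anonymous_write_operations(ACLS).items():
        print(f"{resource}: unauthenticated callers may {', '.join(ops)}")
```

Run stand-alone, the script lists the two resources in the sample set whose `submit` operation is open to unauthenticated callers, which is exactly what the end-entity and enrollment interfaces are designed to expose; the same function run over a full exported ACL list is a quick way to confirm that nothing else has drifted into that category.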