D.2. Common ACLs

This section covers the default access control configuration that is common for all four subsystem types. These access control rules manage access to basic and common configuration settings, such as logging and adding users and groups.

Important

These ACLs are common in that the same ACLs occur in each subsystem instance's acl.ldif file. These are not shared ACLs in the sense that the configuration files or settings are held in common by all subsystem instances. As with all other instance configuration, these ACLs are maintained independently of other subsystem instances, in the instance-specific acl.ldif file.

D.2.1. certServer.acl.configuration

Controls operations to the ACL configuration. The default configuration is:
allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Key Recovery Authority Agents" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators"

Table D.2. certServer.acl.configuration ACL Summary

Operations Description Allow/Deny Access Targeted Users/Groups
read View ACL resources and list ACL resources, ACL listing evaluators, and ACL evaluator types. Allow
Administrators
Agents
Auditors
modify Add, delete, and update ACL evaluators. Allow Administrators

D.2.2. certServer.admin.certificate

Controls which users can import a certificate through a Certificate Manager. By default, this operation is allowed to everyone. The default configuration is:
allow (import) user="anybody"

Note

This entry is associated with the CA administration web interface which is used to configure the instance. This ACL is only available during instance configuration and is unavailable after the CA is running.

Table D.3. certServer.admin.certificate ACL Summary

Operations Description Allow/Deny Access Targeted Users/Groups
import Import a CA administrator certificate, and retrieve certificates by serial number. Allow Anyone

D.2.3. certServer.auth.configuration

Controls operations on the authentication configuration.
allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Key Recovery Authority Agents" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators

Table D.4. certServer.auth.configuration ACL Summary

Operations Description Allow/Deny Access Targeted Users/Groups
read View authentication plug-ins, authentication type, configured authentication manager plug-ins, and authentication instances. List authentication manager plug-ins and authentication manager instances. Allow
Administrators
Agents
Auditors
modify Add or delete authentication plug-ins and authentication instances. Modify authentication instances. Allow Administrators

D.2.4. certServer.clone.configuration

Controls who can read and modify the configuration information used in cloning. The default setting is:
allow (modify,read) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators"

Table D.5. certServer.clone.configuration ACL Summary

Operations Description Allow/Deny Access Targeted Users/Groups
read View original instance configuration. Allow Enterprise Administrators
modify Modify original instance configuration. Allow Enterprise Administrators

D.2.5. certServer.general.configuration

Controls access to the general configuration of the subsystem instance, including who can view and edit the CA's settings.
allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Key Recovery Authority Agents" || group="Online Certificate Status Manager Agents";allow (modify) group="Administrators"

Table D.6. certServer.general.configuration ACL Summary

Operations Description Allow/Deny Access Targeted Users/Groups
read View the operating environment, LDAP configuration, SMTP configuration, server statistics, encryption, token names, subject name of certificates, certificate nicknames, all subsystems loaded by the server, CA certificates, and all certificates for management. Allow
Administrators
Agents
Auditors
modify Modify the settings for the LDAP database, SMTP, and encryption. Issue import certificates, install certificates, trust and untrust CA certificates, import cross-pair certificates, and delete certificates. Perform server restart and stop operations. Log in all tokens and check token status. Run self-tests on demand. Get certificate information. Process the certificate subject name. Validate the certificate subject name, certificate key length, and certificate extension. Allow Administrators

D.2.6. certServer.log.configuration

Controls access to the log configuration for the Certificate Manager, including changing the log settings.
allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Key Recovery Authority Agents" || group="Online Certificate Status Manager Agents";allow (modify) group="Administrators"

Table D.7. certServer.log.configuration ACL Summary

Operations Description Allow/Deny Access Targeted Users/Groups
read View log plug-in information, log plug-in configuration, and log instance configuration. List log plug-ins and log instances (excluding NTEventLog). Allow
Administrators
Agents
Auditors
modify Add and delete log plug-ins and log instances. Modify log instances, including log rollover parameters and log level. Allow Administrators

D.2.7. certServer.log.configuration.fileName

Restricts access to change the file name of a log for the instance.
allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Key Recovery Authority Agents" || group="Online Certificate Status Manager Agents";deny (modify) user=anybody

Table D.8. certServer.log.configuration.fileName ACL Summary

Operations Description Allow/Deny Access Targeted Users/Groups
read View the value of the fileName parameter for a log instance. Allow
Administrators
Agents
Auditors
modify Change the value of the fileName parameter for a log instance. Deny Anyone

D.2.8. certServer.log.content.system

Controls who can view the instance's logs.
allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Key Recovery Authority Agents" || group="Online Certificate Status Manager Agents" || group="Auditors"

Table D.9. certServer.log.content.system ACL Summary

Operations Description Allow/Deny Access Targeted Users/Groups
read View log content. List all logs. Allow
Administrators
Agents
Auditors

D.2.9. certServer.log.content.transactions

Controls who can view the instance's transactions logs.
allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Key Recovery Authority Agents" || group="Online Certificate Status Manager Agents" || group="Auditors"

Table D.10. certServer.log.content.transactions ACL Summary

Operations Description Allow/Deny Access Targeted Users/Groups
read View log content. List all logs. Allow
Administrators
Agents
Auditors

D.2.10. certServer.log.content.signedAudit

Controls who has access to the signed audit logs. The default setting is:
allow (read) group="Auditors"

Table D.11. certServer.log.content.signedAudit ACL Summary

Operations Description Allow/Deny Access Targeted Users/Groups
read View log content. List logs. Allow
Auditors

D.2.11. certServer.registry.configuration

Controls access to the administration registry, the file that is used to register plug-in modules. Currently, this is only used to register certificate profile plug-ins.
allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Key Recovery Authority Agents" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators"

Table D.12. certServer.registry.configuration ACL Summary

Operations Description Allow/Deny Access Targeted Users/Groups
read View the administration registry, supported policy constraints, profile plug-in configuration, and the list of profile plug-ins. Allow
Administrators
Agents
Auditors
modify Register individual profile implementation plug-ins. Allow Administrators