D.2. Common ACLs

This section covers the default access control configuration that is common for all four subsystem types. These access control rules manage access to basic and common configuration settings, such as logging and adding users and groups.

Important

These ACLs are common in that the same ACLs occur in each subsystem instance's acl.ldif file. These are not shared ACLs in the sense that the configuration files or settings are held in common by all subsystem instances. As with all other instance configuration, these ACLs are maintained independently of other subsystem instances, in the instance-specific acl.ldif file.

D.2.1. certServer.acl.configuration

Controls operations on the ACL configuration. The default configuration is:
allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Key Recovery Authority Agents" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators"

Table D.2. certServer.acl.configuration ACL Summary

| Operations | Description | Allow/Deny Access | Targeted Users/Groups |
| --- | --- | --- | --- |
| read | View ACL resources and list ACL resources, ACL listing evaluators, and ACL evaluator types. | Allow | Administrators, Agents, Auditors |
| modify | Add, delete, and update ACL evaluators. | Allow | Administrators |

D.2.2. certServer.admin.certificate

Controls which users can import a certificate through a Certificate Manager. By default, this operation is allowed to everyone. The default configuration is:
allow (import) user="anybody"

Note

This entry is associated with the CA administration web interface which is used to configure the instance. This ACL is only available during instance configuration and is unavailable after the CA is running.

Table D.3. certServer.admin.certificate ACL Summary

| Operations | Description | Allow/Deny Access | Targeted Users/Groups |
| --- | --- | --- | --- |
| import | Import a CA administrator certificate, and retrieve certificates by serial number. | Allow | Anyone |

D.2.3. certServer.auth.configuration

Controls operations on the authentication configuration.
allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Key Recovery Authority Agents" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators"

Table D.4. certServer.auth.configuration ACL Summary

| Operations | Description | Allow/Deny Access | Targeted Users/Groups |
| --- | --- | --- | --- |
| read | View authentication plug-ins, authentication type, configured authentication manager plug-ins, and authentication instances. List authentication manager plug-ins and authentication manager instances. | Allow | Administrators, Agents, Auditors |
| modify | Add or delete authentication plug-ins and authentication instances. Modify authentication instances. | Allow | Administrators |

D.2.4. certServer.clone.configuration

Controls who can read and modify the configuration information used in cloning. The default setting is:
allow (modify,read) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators"

Table D.5. certServer.clone.configuration ACL Summary

| Operations | Description | Allow/Deny Access | Targeted Users/Groups |
| --- | --- | --- | --- |
| read | View original instance configuration. | Allow | Enterprise Administrators |
| modify | Modify original instance configuration. | Allow | Enterprise Administrators |

D.2.5. certServer.general.configuration

Controls access to the general configuration of the subsystem instance, including who can view and edit the CA's settings.
allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Key Recovery Authority Agents" || group="Online Certificate Status Manager Agents";allow (modify) group="Administrators"

Table D.6. certServer.general.configuration ACL Summary

| Operations | Description | Allow/Deny Access | Targeted Users/Groups |
| --- | --- | --- | --- |
| read | View the operating environment, LDAP configuration, SMTP configuration, server statistics, encryption, token names, subject name of certificates, certificate nicknames, all subsystems loaded by the server, CA certificates, and all certificates for management. | Allow | Administrators, Agents, Auditors |
| modify | Modify the settings for the LDAP database, SMTP, and encryption. Issue import certificates, install certificates, trust and untrust CA certificates, import cross-pair certificates, and delete certificates. Perform server restart and stop operations. Log in all tokens and check token status. Run self-tests on demand. Get certificate information. Process the certificate subject name. Validate the certificate subject name, certificate key length, and certificate extension. | Allow | Administrators |

D.2.6. certServer.log.configuration

Controls access to the log configuration for the Certificate Manager, including changing the log settings.
allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Key Recovery Authority Agents" || group="Online Certificate Status Manager Agents";allow (modify) group="Administrators"

Table D.7. certServer.log.configuration ACL Summary

| Operations | Description | Allow/Deny Access | Targeted Users/Groups |
| --- | --- | --- | --- |
| read | View log plug-in information, log plug-in configuration, and log instance configuration. List log plug-ins and log instances (excluding NTEventLog). | Allow | Administrators, Agents, Auditors |
| modify | Add and delete log plug-ins and log instances. Modify log instances, including log rollover parameters and log level. | Allow | Administrators |

D.2.7. certServer.log.configuration.fileName

Restricts access to change the file name of a log for the instance.
allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Key Recovery Authority Agents" || group="Online Certificate Status Manager Agents";deny (modify) user=anybody

Table D.8. certServer.log.configuration.fileName ACL Summary

| Operations | Description | Allow/Deny Access | Targeted Users/Groups |
| --- | --- | --- | --- |
| read | View the value of the fileName parameter for a log instance. | Allow | Administrators, Agents, Auditors |
| modify | Change the value of the fileName parameter for a log instance. | Deny | Anyone |

D.2.8. certServer.log.content.system

Controls who can view the instance's logs.
allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Key Recovery Authority Agents" || group="Online Certificate Status Manager Agents" || group="Auditors"

Table D.9. certServer.log.content.system ACL Summary

| Operations | Description | Allow/Deny Access | Targeted Users/Groups |
| --- | --- | --- | --- |
| read | View log content. List all logs. | Allow | Administrators, Agents, Auditors |

D.2.9. certServer.log.content.transactions

Controls who can view the instance's transaction logs.
allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Key Recovery Authority Agents" || group="Online Certificate Status Manager Agents" || group="Auditors"

Table D.10. certServer.log.content.transactions ACL Summary

| Operations | Description | Allow/Deny Access | Targeted Users/Groups |
| --- | --- | --- | --- |
| read | View log content. List all logs. | Allow | Administrators, Agents, Auditors |

D.2.10. certServer.log.content.signedAudit

Controls who has access to the signed audit logs. The default setting is:
allow (read) group="Auditors"

Table D.11. certServer.log.content.signedAudit ACL Summary

| Operations | Description | Allow/Deny Access | Targeted Users/Groups |
| --- | --- | --- | --- |
| read | View log content. List logs. | Allow | Auditors |

D.2.11. certServer.registry.configuration

Controls access to the administration registry, the file that is used to register plug-in modules. Currently, this is only used to register certificate profile plug-ins.
allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Key Recovery Authority Agents" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators"

Table D.12. certServer.registry.configuration ACL Summary

| Operations | Description | Allow/Deny Access | Targeted Users/Groups |
| --- | --- | --- | --- |
| read | View the administration registry, supported policy constraints, profile plug-in configuration, and the list of profile plug-ins. | Allow | Administrators, Agents, Auditors |
| modify | Register individual profile implementation plug-ins. | Allow | Administrators |
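
An added example, not part of the original guide: because each instance maintains its own acl.ldif, the Python below parses the rule syntax shown in this section and reports where an instance's rules differ from the defaults listed here. The function names and the DEPLOYED sample are constructed for illustration, and extracting the rule strings from acl.ldif is assumed to happen elsewhere.

```python
import re

CLAUSE = re.compile(r'^(allow|deny)\s*\(([^)]*)\)\s*(.+)$')
# A subject value is either fully quoted or bare (this section shows user=anybody unquoted).
SUBJECT = re.compile(r'^(user|group)\s*=\s*(?:"([^"]+)"|([^"\s]+))$')
EMPTY = {"allow": frozenset(), "deny": frozenset()}

def grants(rule):
    """Parse one rule string into {operation: {"allow": subjects, "deny": subjects}}."""
    table = {}
    for clause in filter(None, (c.strip() for c in rule.split(";"))):
        m = CLAUSE.match(clause)
        if not m:
            raise ValueError(f"unparseable clause: {clause!r}")
        subjects = set()
        for term in m.group(3).split("||"):
            s = SUBJECT.match(term.strip())
            if not s:  # for example, a quote that was never closed
                raise ValueError(f"malformed subject: {term.strip()!r}")
            subjects.add((s.group(1), s.group(2) or s.group(3)))
        for op in (o.strip() for o in m.group(2).split(",")):
            entry = table.setdefault(op, {"allow": set(), "deny": set()})
            entry[m.group(1)] |= subjects
    return table

def drift(baseline, deployed):
    """List (resource, operation, finding) where deployed rules differ from baseline."""
    findings = []
    for name, rule in sorted(baseline.items()):
        # A resource absent from the instance parses as an empty rule,
        # so every baseline grant is reported as removed.
        want, have = grants(rule), grants(deployed.get(name, ""))
        for op in sorted(set(want) | set(have)):
            for effect in ("allow", "deny"):
                w, h = want.get(op, EMPTY)[effect], have.get(op, EMPTY)[effect]
                # Set comparison: the order of groups within a clause does not matter.
                findings += [(name, op, f"added {effect} {k}={v}") for k, v in sorted(h - w)]
                findings += [(name, op, f"removed {effect} {k}={v}") for k, v in sorted(w - h)]
    return findings

# Defaults copied from D.2.7 and D.2.10 above.
BASELINE = {
    "certServer.log.content.signedAudit": 'allow (read) group="Auditors"',
    "certServer.log.configuration.fileName": 'allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Key Recovery Authority Agents" || group="Online Certificate Status Manager Agents";deny (modify) user=anybody',
}
# Constructed sample of a modified instance: readers reordered, two rules loosened.
DEPLOYED = {
    "certServer.log.content.signedAudit": 'allow (read) group="Administrators" || group="Auditors"',
    "certServer.log.configuration.fileName": 'allow (read) group="Auditors" || group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Key Recovery Authority Agents" || group="Online Certificate Status Manager Agents";allow (modify) group="Administrators"',
}
```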