D.4. Key Recovery Authority-Specific ACLs
D.4.1. certServer.job.configuration
allow (read) group="Administrators" || group="Key Recovery Authority Agents" || group="Auditors";allow (modify) group="Administrators"
Table D.43. certServer.job.configuration ACL Summary
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
read | View basic job settings, job instance settings, and job plug-in settings. List job plug-ins and job instances. | Allow | Administrators, KRA Agents, Auditors |
modify | Add and delete job plug-ins and job instances. Modify job plug-ins and job instances. | Allow | Administrators |
D.4.2. certServer.kra.certificate.transport
allow (read) user="anybody"
Table D.44. certServer.kra.certificate.transport ACL Summary
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
read | View the transport certificate for the KRA instance. | Allow | Anyone |
D.4.3. certServer.kra.configuration
allow (read) group="Administrators" || group="Auditors" || group="Key Recovery Authority Agents" || allow (modify) group="Administrators"
Table D.45. certServer.kra.configuration ACL Summary
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
read | Read the number of required recovery agent approvals. | Allow | Administrators, Auditors, KRA Agents |
modify | Change the number of required recovery agent approvals. | Allow | Administrators |
D.4.4. certServer.kra.connector
allow (submit) group="Trusted Managers"
Table D.46. certServer.kra.connector ACL Summary
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
submit | Submit a new key archival request (for non-TMS only). | Allow | Trusted Managers |
D.4.5. certServer.kra.GenerateKeyPair
allow (execute) group="Key Recovery Authority Agents"
Table D.47. certServer.kra.GenerateKeyPair ACL Summary
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
execute | Execute server-side key generation (TMS only). | Allow | KRA Agents |
D.4.6. certServer.kra.getTransportCert
allow (download) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators"
Table D.48. certServer.kra.getTransportCert ACL Summary
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
download | Retrieve KRA transport certificate. | Allow | Enterprise Administrators |
D.4.7. certServer.kra.group
allow (modify,read) group="Administrators"
Table D.49. certServer.kra.group ACL Summary
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
modify | Create, edit, or delete user and group entries for the instance. | Allow | Administrators |
read | View user and group entries for the instance. | Allow | Administrators |
D.4.8. certServer.kra.key
allow (read,recover,download) group="Key Recovery Authority Agents"
Table D.50. certServer.kra.key ACL Summary
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
read | Display public information about key archival record. | Allow | KRA Agents |
recover | Retrieve key information from the database to perform a recovery operation. | Allow | KRA Agents |
download | Download key information through the agent services pages. | Allow | KRA Agents |
D.4.9. certServer.kra.keys
allow (list) group="Key Recovery Authority Agents"
Table D.51. certServer.kra.keys ACL Summary
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
list | Search for and list a range of archived keys. | Allow | KRA Agents |
D.4.10. certServer.kra.registerUser
allow (modify,read) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators"
Table D.52. certServer.kra.registerUser ACL Summary
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
modify | Register a new user. | Allow | Enterprise Administrators |
read | Read existing user info. | Allow | Enterprise Administrators |
D.4.11. certServer.kra.request
allow (read) group="Key Recovery Authority Agents"
Table D.53. certServer.kra.request ACL Summary
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
read | View a key archival or recovery request. | Allow | KRA Agents |
D.4.12. certServer.kra.request.status
allow (read) group="Key Recovery Authority Agents"
Table D.54. certServer.kra.request.status ACL Summary
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
read | Retrieve the status of a key recovery request in the agent services pages. | Allow | KRA Agents |
D.4.13. certServer.kra.requests
allow (list) group="Key Recovery Authority Agents"
Table D.55. certServer.kra.requests ACL Summary
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
list | Retrieve details on a range of key archival and recovery requests. | Allow | KRA Agents |
D.4.14. certServer.kra.systemstatus
allow (read) group="Key Recovery Authority Agents"
Table D.56. certServer.kra.systemstatus ACL Summary
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
read | View statistics. | Allow | KRA Agents |
D.4.15. certServer.kra.TokenKeyRecovery
allow (submit) group="Key Recovery Authority Agents"
Table D.57. certServer.kra.TokenKeyRecovery ACL Summary
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
submit | Submit or initiate key recovery requests for a token recovery. | Allow | KRA Agents |
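
The rule strings in this section share one visible syntax, so a deployed ACL can be checked mechanically against these documented defaults. The following is an added example, not part of the original documentation or the product's code: it assumes the grammar inferred from the strings above (rules separated by `;`, principals joined by `||`), reports any term that does not fit it, as happens with the D.4.3 string as printed, and lists grants that a deployed rule adds beyond the default. The function names and the `KRA_KEY_DEPLOYED` sample are hypothetical.

```python
import re

# Grammar inferred from the rule strings on this page (an assumption, not the
# product's parser): rules are separated by ";" and each rule reads
#   <allow|deny> (<op>[,<op>...]) <principal> [|| <principal> ...]
RULE = re.compile(r'^(allow|deny)\s*\(([^)]*)\)\s*(.+)$')
PRINCIPAL = re.compile(r'^(group|user)="([^"]+)"$')

# Rule strings copied from D.4.1, D.4.3 and D.4.8 above.
JOB_CONFIG = ('allow (read) group="Administrators" || group="Key Recovery Authority Agents"'
              ' || group="Auditors";allow (modify) group="Administrators"')
KRA_CONFIG = ('allow (read) group="Administrators" || group="Auditors" || '
              'group="Key Recovery Authority Agents" || allow (modify) group="Administrators"')
KRA_KEY = 'allow (read,recover,download) group="Key Recovery Authority Agents"'
# Constructed sample of a modified deployment, not taken from any real system.
KRA_KEY_DEPLOYED = KRA_KEY + ' || group="Administrators"'

def parse_acl(acl):
    """Return (grants, problems); grants maps op -> {(action, kind, name)}."""
    grants, problems = {}, []
    for rule in filter(None, (r.strip() for r in acl.split(';'))):
        m = RULE.match(rule)
        if not m:
            problems.append(f'unparseable rule: {rule!r}')
            continue
        action, ops, expr = m.groups()
        for term in (t.strip() for t in expr.split('||')):
            p = PRINCIPAL.match(term)
            if not p:
                # e.g. an "allow (...)" clause joined with "||" instead of ";"
                problems.append(f'bad principal term: {term!r}')
                continue
            for op in (o.strip() for o in ops.split(',')):
                grants.setdefault(op, set()).add((action, p.group(1), p.group(2)))
    return grants, problems

def allowed_groups(acl, op):
    """Sorted group names that an allow rule grants the given operation."""
    grants, _ = parse_acl(acl)
    return sorted(n for a, k, n in grants.get(op, ()) if a == 'allow' and k == 'group')

def drift(default, deployed):
    """Grants present in the deployed ACL but absent from the documented default."""
    base, _ = parse_acl(default)
    live, _ = parse_acl(deployed)
    return {(op, g) for op, gs in live.items() for g in gs - base.get(op, set())}
```

Under this grammar the D.4.3 string yields one problem entry and no parsed `modify` grant, while the constructed deployment shows three added grants on `certServer.kra.key`.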