D.6. Token Key Service-Specific ACLs

This section covers the default access control configuration attributes which are set specifically for the Token Key Service (TKS). The TKS ACL configuration also includes all of the common ACLs listed in Section D.2, “Common ACLs”.
There are access control rules set for the TKS's administrative console and for access by other subsystems to the TKS.

D.6.1. certServer.tks.encrypteddata

Controls who can encrypt data.
allow(execute) group="Token Key Service Manager Agents"

Table D.67. certServer.tks.encrypteddata ACL Summary

Operations Description Allow/Deny Access Targeted Users/Groups
Execute Encrypted data stored in the TKS. Allow TKS Agents

D.6.2. certServer.tks.group

Controls access to the internal database for adding users and groups for the TKS instance.
allow (modify,read) group="Administrators"

Table D.68. certServer.tks.group ACL Summary

Operations Description Allow/Deny Access Targeted Users/Groups
modify Create, edit, or delete user and group entries for the instance. Allow Administrators
read View user and group entries for the instance. Allow Administrators

D.6.3. certServer.tks.importTransportCert

Controls who can import the transport certificate used by the TKS to deliver keys.
allow (modify,read) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators"

Table D.69. certServer.tks.importTransportCert ACL Summary

Operations Description Allow/Deny Access Targeted Users/Groups
modify Update the transport certificate. Allow Enterprise Administrators
read Import the transport certificate. Allow Enterprise Administrators

D.6.4. certServer.tks.keysetdata

Controls who can view information about key sets derived and stored by the TKS.
allow (execute) group="Token Key Service Manager Agents"

Table D.70. certServer.tks.keysetdata ACL Summary

Operations Description Allow/Deny Access Targeted Users/Groups
Execute Create diversified key set data. Allow TKS Agents

D.6.5. certServer.tks.registerUser

Defines which group or user can create an agent user for the instance. The default configuration is:
allow (modify,read) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators"

Table D.71. certServer.tks.registerUser ACL Summary

Operations Description Allow/Deny Access Targeted Users/Groups
modify Register a new agent. Allow Enterprise Administrators
read Read existing agent information. Allow Enterprise Administrators

D.6.6. certServer.tks.sessionkey

Controls who can create the session keys used by the TKS instance to connections to the TPS.
allow (execute) group="Token Key Service Manager Agents"

Table D.72. certServer.tks.sessionkey ACL Summary

Operations Description Allow/Deny Access Targeted Users/Groups
Execute Create session keys generated by the TKS. Allow TKS Agents

D.6.7. certServer.tks.randomdata

Controls who can create random data.
allow (execute) group="Token Key Service Manager Agents"

Table D.73. certServer.tks.randomdata ACL Summary

Operations Description Allow/Deny Access Targeted Users/Groups
Execute Generate random data. Allow TKS Agents