Authorization for CMS Users
348
Netscape Certificate Management System Administrator’s Guide • February 2003
How ACIs are Formed
You change the access for a user, group, or IP address by editing the ACI entries in
the ACLs. You can change who is allowed or denied access by adding a user,
group, or IP address to the ACIs in an ACL entry. In the ACL interface, each ACI is
shown on a line of its own. In this interface window, the ACI has the following
syntax:
allow|deny (operator) user|group|IP="name"
For example, the following is an ACI that allows Administrators to perform the
read operation for the tasks associated with this ACL:
allow (read) group="Administrators"
An ACI can have more than one operator. The operators are separated with a
comma with no space on either side. For example:
allow (read,modify) group="Administrators"
An ACI can have more than one group, user, or IP address by separating them with
two pipe symbols (||) with a space on either side. For example:
allow (read) group="Administrators" || group="Auditors"
In the CMS console interface, you create or modify ACIs in an editor that allows
you to do this in a graphical environment. You choose from allow or deny in the
Allow and Deny field, then you choose one of the operations that are possible for
this ACL in the Operations field, and then you list those groups, users, or IP
addresses that are being granted or denied this access in the Syntax field.
Allow and Deny
An ACI can either allow an operation for the specified group, user ID, or IP
address, or deny the operation for the specified group, user ID, or IP address.
Generally, you do not have to create ACIs to deny access. If a group, user ID, or IP
address is not allowed access to an operation—that is, there are no allow ACIs that,
when evaluated, would include the user ID, group, or IP address—the group, user
ID, or IP address is denied access.
If a user is not allowed access to any of the operations for a resource, then this user
is considered denied; they do not specifically need to be denied access. For
example, user JohnB is a member of the group Administrators. If an ACL has only
the following ACI, JohnB would be denied any access since he does not match any
of the allow ACIs:
Allow (read,modify) group="Auditors" || user="BrianC"
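The following is an added example, not code from CMS, that parses the ACI syntax described above and evaluates it with the default-deny rule, reproducing the JohnB case. It assumes straight ASCII quotes around names and assumes that a matching deny ACI takes precedence over a matching allow ACI, which the guide does not state.

```python
import re

# Hypothetical parser/evaluator for the ACI syntax on this page (not CMS code).
ACI_RE = re.compile(r'^(allow|deny)\s*\(([^)]*)\)\s*(.*)$', re.IGNORECASE)
TERM_RE = re.compile(r'^(user|group|IP)="([^"]*)"$', re.IGNORECASE)

def parse_aci(line):
    """Parse 'allow|deny (op,op) kind="name" || kind="name"' into a dict."""
    m = ACI_RE.match(line.strip())
    if not m:
        raise ValueError("malformed ACI: %r" % line)
    verb, ops, rest = m.groups()
    # Operators are comma-separated; subjects are separated by '||'.
    operations = [op.strip() for op in ops.split(",") if op.strip()]
    subjects = []
    for term in re.split(r'\s*\|\|\s*', rest.strip()):
        t = TERM_RE.match(term)
        if not t:
            raise ValueError("malformed subject: %r" % term)
        subjects.append((t.group(1).lower(), t.group(2)))
    return {"verb": verb.lower(), "operations": operations, "subjects": subjects}

def subject_matches(subject, user, groups, ip):
    """True if a single user=/group=/IP= term applies to this requester."""
    kind, name = subject
    if kind == "user":
        return name == user
    if kind == "group":
        return name in groups
    return name == ip  # kind == "ip"

def is_allowed(acl_lines, operation, user, groups=(), ip=None):
    """Default deny: access only if an allow ACI matches and no deny ACI does.
    Deny-over-allow precedence is an assumption of this example."""
    acis = [parse_aci(line) for line in acl_lines]
    def matched(a):
        return operation in a["operations"] and any(
            subject_matches(s, user, groups, ip) for s in a["subjects"])
    if any(a["verb"] == "deny" and matched(a) for a in acis):
        return False
    return any(a["verb"] == "allow" and matched(a) for a in acis)

# Constructed ACL reproducing the JohnB example from the text.
SAMPLE_ACL = ['Allow (read,modify) group="Auditors" || user="BrianC"']

if __name__ == "__main__":
    print(is_allowed(SAMPLE_ACL, "read", "JohnB", groups=["Administrators"]))
    print(is_allowed(SAMPLE_ACL, "modify", "BrianC"))
```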