17.6. Authorization for Certificate System Users
Authorization is the mechanism that checks whether a user is allowed to perform an operation.
Authorization points are defined in certain groups of operations that require an authorization check.
17.6.1. Access Control Lists (ACLs)
Access control lists (ACLs) are the mechanisms that specify the authorization to server operations. An ACL exists for each set of operations where an authorization check occurs. Additional operations can be added to an ACL.
17.6.2. Access Control Instructions (ACIs)
The ACL contains access control instructions (ACIs), which specifically allow or deny operations such as read or modify. The ACI also contains an evaluator expression. The default implementation of ACLs specifies users, groups, and IP addresses as possible evaluator types. Each ACI in an ACL specifies whether access is allowed or denied, which specific operator is being allowed or denied, and which users, groups, or IP addresses are being allowed or denied to perform the operation.
17.6.3. Changing Privileges
The privileges of Certificate System users are changed by changing the access control lists (ACLs) associated with the group in which the user is a member, with the users themselves, or with the IP address of the user. New groups are assigned access control by adding that group to the access control lists. For example, a new group for administrators who are only authorized to view logs, LogAdmins, can be added to the ACLs relevant to logs to allow read or modify access to this group. If this group is not added to any other ACLs, members of this group only have access to the logs.
17.6.4. How ACIs Are Formed
The access for a user, group, or IP address is changed by editing the ACI entries in the ACLs. In
the ACL interface, each ACI is shown on a line of its own. In this interface window, the ACI has the
following syntax:
allow|deny (operator) user|group|IP="name"
For example, the following is an ACI that allows administrators to perform read operations:
allow (read) group="Administrators"
An ACI can have more than one operator. The operators are separated with a comma with no space
on either side. For example:
allow (read,modify) group="Administrators"
An ACI can have more than one group, user, or IP address by separating them with two pipe symbols (||) with a space on either side. For example:
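As an added illustration, not Certificate System's own code, the following Python parser and evaluator implements the ACI syntax described above (allow|deny, comma-separated operators with no spaces, evaluators joined by " || "). The LOG_ACL lines, the principal identities and the rule that a matching deny overrides a matching allow are constructed assumptions, not taken from the guide.

```python
import re
from dataclasses import dataclass

# allow|deny (operator[,operator...]) evaluator="name"[ || evaluator="name" ...]
ACI_RE = re.compile(r'^(allow|deny)\s+\(([^)]*)\)\s+(.+)$')
EVAL_RE = re.compile(r'^(user|group|IP)="([^"]*)"$')

@dataclass(frozen=True)
class ACI:
    effect: str            # "allow" or "deny"
    operators: frozenset   # e.g. {"read", "modify"}
    evaluators: frozenset  # e.g. {("group", "Administrators")}

def parse_aci(line: str) -> ACI:
    """Parse one ACI line, rejecting the spacing mistakes the syntax forbids."""
    m = ACI_RE.match(line.strip())
    if not m:
        raise ValueError(f"malformed ACI: {line!r}")
    effect, ops, evals = m.groups()
    operators = frozenset(ops.split(","))  # commas, no space on either side
    if not all(operators) or any(" " in op for op in operators):
        raise ValueError(f"malformed operator list: {ops!r}")
    evaluators = set()
    for ev in evals.split(" || "):  # two pipes with a space on either side
        em = EVAL_RE.match(ev)
        if not em:
            raise ValueError(f"malformed evaluator: {ev!r}")
        evaluators.add((em.group(1), em.group(2)))
    return ACI(effect, operators, frozenset(evaluators))

def is_allowed(acl, operator, user, groups, ip):
    """Evaluate an ACL (list of ACI lines) for one principal and operation."""
    identity = {("user", user), ("IP", ip)} | {("group", g) for g in groups}
    matched = [a for a in map(parse_aci, acl)
               if operator in a.operators and a.evaluators & identity]
    # Assumption (not stated in the guide): a matching deny overrides any
    # matching allow, and with no matching ACI the operation is denied.
    if any(a.effect == "deny" for a in matched):
        return False
    return any(a.effect == "allow" for a in matched)

# Constructed ACL for a log resource, modelled on the LogAdmins example above.
LOG_ACL = [
    'allow (read,modify) group="Administrators"',
    'allow (read) group="LogAdmins" || user="auditor"',
    'deny (modify) IP="192.0.2.10"',
]
```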