Authorization for Certificate System Users
401
17.6. Authorization for Certificate System Users
Authorization is the mechanism that checks whether a user is allowed to perform an operation.
Authorization points are defined in certain groups of operations that require an authorization check.
17.6.1. Access Control Lists (ACLs)
Access control lists (ACLs) are the mechanisms that specify the authorization to server operations. An ACL exists for each set of operations where an authorization check occurs. Additional operations can be added to an ACL.
17.6.2. Access Control Instructions (ACIs)
The ACL contains access control instructions (ACIs) which specifically allow or deny operations, such as read or modify. The ACI also contains an evaluator expression. The default implementation of ACLs specifies users, groups, and IP addresses as possible evaluator types. Each ACI in an ACL specifies whether access is allowed or denied, which specific operation is being allowed or denied, and which users, groups, or IP addresses are being allowed or denied to perform the operation.
17.6.3. Changing Privileges
The privileges of Certificate System users are changed by changing the access control lists (ACLs) that are associated with the group in which the user is a member, with the users themselves, or with the IP address of the user. New groups are assigned access control by adding that group to the access control lists. For example, a new group for administrators who are only authorized to view logs, LogAdmins, can be added to the ACLs relevant to logs to allow read or modify access to this group. If this group is not added to any other ACLs, members of this group only have access to the logs.
17.6.4. How ACIs Are Formed
The access for a user, group, or IP address is changed by editing the ACI entries in the ACLs. In the ACL interface, each ACI is shown on a line of its own. In this interface window, the ACI has the following syntax:
allow|deny (operator) user|group|IP="name"
For example, the following is an ACI that allows administrators to perform read operations:
allow (read) group="Administrators"
An ACI can have more than one operator. The operators are separated with a comma with no space on either side. For example:
allow (read,modify) group="Administrators"
An ACI can have more than one group, user, or IP address by separating them with two pipe symbols (||) with a space on either side. For example:
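The following is an added example, not code from the Certificate System product or from this guide. It parses ACI lines in the syntax described above (one ACI per line, comma-separated operators with no spaces, subjects separated by " || ") and evaluates whether a given user is allowed to perform an operation. The sample ACL, the group names other than Administrators and LogAdmins, the user and IP values, and the evaluation order are all constructed assumptions: the guide does not state how a matching deny ACI and a matching allow ACI are reconciled, so this example applies deny-by-default with deny overriding allow and says so in the code.

```python
import re
from dataclasses import dataclass

# Constructed sample ACL in the line-per-ACI syntax described in the text.
# Group, user and IP values are assumptions for illustration only.
SAMPLE_ACL = """\
allow (read) group="Administrators"
allow (read,modify) group="LogAdmins" || user="auditor1"
deny (modify) IP="192.0.2.77"
"""

# allow|deny (operator[,operator...]) subject [ || subject ...]
ACI_RE = re.compile(r'^(allow|deny)\s+\(([^)]*)\)\s+(.+)$')
# each subject is user="name", group="name" or IP="name"
SUBJECT_RE = re.compile(r'^(user|group|IP)="([^"]*)"$')


@dataclass(frozen=True)
class Aci:
    effect: str            # "allow" or "deny"
    operations: frozenset  # e.g. frozenset({"read", "modify"})
    subjects: tuple        # ((kind, name), ...) with kind in user/group/IP


def parse_aci(line: str) -> Aci:
    """Parse one ACI line; raise ValueError on anything outside the documented syntax."""
    m = ACI_RE.match(line.strip())
    if not m:
        raise ValueError(f"malformed ACI: {line!r}")
    effect, ops, subject_text = m.groups()
    # Operators are comma-separated with no space on either side of the comma.
    if " " in ops or not ops:
        raise ValueError(f"operators must be comma-separated without spaces: {ops!r}")
    operations = frozenset(ops.split(","))
    if "" in operations:
        raise ValueError(f"empty operator in: {ops!r}")
    # Subjects are separated by two pipe symbols with a space on either side.
    subjects = []
    for part in subject_text.split(" || "):
        sm = SUBJECT_RE.match(part)
        if not sm:
            raise ValueError(f"malformed subject: {part!r}")
        subjects.append((sm.group(1), sm.group(2)))
    return Aci(effect, operations, tuple(subjects))


def is_valid_aci(line: str) -> bool:
    """True if the line parses under the documented syntax."""
    try:
        parse_aci(line)
        return True
    except ValueError:
        return False


def parse_acl(text: str) -> list:
    """Parse an ACL given as one ACI per line, skipping blank lines."""
    return [parse_aci(ln) for ln in text.splitlines() if ln.strip()]


def _matches(aci: Aci, user: str, groups, ip) -> bool:
    # Assumption: user, group and IP evaluators are exact string matches.
    for kind, name in aci.subjects:
        if kind == "user" and name == user:
            return True
        if kind == "group" and name in groups:
            return True
        if kind == "IP" and ip is not None and name == ip:
            return True
    return False


def is_allowed(acl, operation: str, user: str, groups=(), ip=None) -> bool:
    """Deny by default; a matching deny ACI wins over any matching allow ACI.

    The precedence rule is an assumption made for this example; the guide
    only describes the ACI syntax, not how conflicting ACIs are reconciled.
    """
    allowed = False
    for aci in acl:
        if operation not in aci.operations or not _matches(aci, user, groups, ip):
            continue
        if aci.effect == "deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    print(is_allowed(acl, "read", "alice", groups=("Administrators",)))   # True
    print(is_allowed(acl, "modify", "alice", groups=("Administrators",)))  # False
    print(is_allowed(acl, "modify", "auditor1", ip="192.0.2.77"))          # False
```

The parser rejects "allow (read, modify) ..." because the guide requires no space around the comma; a lenient parser that silently accepted it would mask a configuration typo that changes which ACIs apply. When checking a real deployment, confirm the product's own precedence between allow and deny rather than assuming the deny-overrides rule used here.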