[Pki-users] confused about access control list

Christina Fu cfu at redhat.com
Wed Apr 29 16:59:41 UTC 2015


Hi,
I was looking for the exact aci syntax example you tried that failed, so I 
could better help you.
Did you do something like:
resourceACLS: certServer.ee.request.enrollment:submit:allow (submit) 
user!="someBody" && group="Agents":All Agents other than someBody may 
submit an enrollment request

I got the syntax info from the link I gave you.  Let me know if that's 
what you tried.

Christina

On 04/24/2015 11:14 AM, Ali Khalidi wrote:
> In my test, I've added a user to CM and assigned him Agent group 
> permissions.
> now, I want to deny this user enrollment submission, so there are two 
> default and pre-existing ACLs of relevance:
> certServer.ca.request.enrollment and certServer.ee.request.enrollment
> in both I tried the following on the submit right:
> change the submit right from allow to deny -> the user can still 
> submit and enroll a certificate
> change back to allow, then added a deny rule with the username 
> specified -> the user can still submit and enroll a certificate
>
> these were just experiments to understand how ACLs work.
>
> my end goal, if possible with dogtag, and I would appreciate if you 
> point me to the right direction is:
> restrict an agent to submit and execute an enrollment based on a 
> specific certificate profile.
>
> having said the latter, the user_origreq looked promising for that 
> matter, but I have no clue how to create a new ACL with it. help is 
> appreciated in the area as well.
>
>
> Thanks,
>
> Ali
> On Fri, Apr 24, 2015 at 7:31 PM, Christina Fu <cfu at redhat.com 
> <mailto:cfu at redhat.com>> wrote:
>
>
>     On 04/22/2015 02:17 AM, Ali Khalidi wrote:
>>     I've tried a simple example of using the ACL to block profile
>>     listing and it works. however, I want to disable a CA agent from
>>     submitting/approving or executing any enrollment requests. I
>>     went through all the ACLs, and whenever I encountered a submit
>>     right, I flipped it to deny. despite that, the agent is still able to
>>     submit and enroll certificates.
>>
>     information on access control can be found here:
>     https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Authorization_for_CRTS_Users.html
>
>     It would help if you give us an acl example that you tried that
>     does not work?
>
>>
>>     another aspect, I was looking into the user_orgreq ACL plugin.
>>     can someone provide an example of how this can be used in the
>>     context of ACLs?
>
>     The user_origreq is an access evaluator plugin for the
>     UserOrigReqAccessEvaluator.  Its primary purpose is for access
>     control during renewal.  It checks that the authenticated
>     user and the original request ownership match.
>
>     Hope this helps.
>
>>
>>     thanks,
>>
>>
>>     _______________________________________________
>>     Pki-users mailing list
>>     Pki-users at redhat.com  <mailto:Pki-users at redhat.com>
>>     https://www.redhat.com/mailman/listinfo/pki-users
>
>
>
>
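To make the resourceACLS syntax quoted above concrete, here is an added example (not part of the thread, and not Dogtag's own code) that parses ACL lines of the form `resource:rights:entries:description` and evaluates whether a given user may exercise a right. The ACL strings are constructed from the example in the reply; the evaluation order (deny entries checked before allow entries, and "no matching allow" meaning deny) and the operator precedence (`||` loosest, `&&` tighter, no parentheses) are assumptions about the server's behaviour, not something the thread confirms.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Set

# Constructed sample, copied from the syntax quoted in the reply above.
SAMPLE_ACL = ('resourceACLS: certServer.ee.request.enrollment:submit:'
              'allow (submit) user!="someBody" && group="Agents":'
              'All Agents other than someBody may submit an enrollment request')

# Constructed sample of the "allow the group, then deny one user" variant the
# original poster describes trying (group name and entry order are assumptions).
SAMPLE_DENY = ('resourceACLS: certServer.ca.request.enrollment:submit:'
               'allow (submit) group="Certificate Manager Agents";'
               'deny (submit) user="someBody":'
               'Agents except someBody may submit an enrollment request')


@dataclass(frozen=True)
class Principal:
    uid: str
    groups: FrozenSet[str]


@dataclass
class AclEntry:
    effect: str        # "allow" or "deny"
    rights: Set[str]   # rights this entry covers, e.g. {"submit"}
    expression: str    # e.g. user!="someBody" && group="Agents"


@dataclass
class Acl:
    resource: str
    rights: Set[str]
    entries: List[AclEntry]
    description: str


def split_unquoted(text, sep, maxsplit=-1):
    """Split on a single-character separator, ignoring it inside double quotes."""
    parts, buf, in_quote = [], [], False
    for ch in text:
        if ch == '"':
            in_quote = not in_quote
        if ch == sep and not in_quote and (maxsplit < 0 or len(parts) < maxsplit):
            parts.append(''.join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append(''.join(buf))
    return parts


ENTRY_RE = re.compile(r'^(allow|deny)\s*\(([^)]*)\)\s*(.*)$', re.S)
ATOM_RE = re.compile(r'^\s*(user|group)\s*(!=|=)\s*"([^"]*)"\s*$')


def parse_acl(line):
    """Parse one resourceACLS line into an Acl (entries are ';'-separated)."""
    if line.startswith('resourceACLS:'):
        line = line[len('resourceACLS:'):]
    fields = split_unquoted(line.strip(), ':', 3)
    if len(fields) != 4:
        raise ValueError('expected resource:rights:entries:description')
    resource, rights, entries, description = fields
    parsed = []
    for raw in split_unquoted(entries, ';'):
        m = ENTRY_RE.match(raw.strip())
        if not m:
            raise ValueError('bad ACL entry: %r' % raw)
        entry_rights = {r.strip() for r in m.group(2).split(',') if r.strip()}
        parsed.append(AclEntry(m.group(1), entry_rights, m.group(3).strip()))
    return Acl(resource.strip(), {r.strip() for r in rights.split(',')},
               parsed, description.strip())


def split_ops(expr, op):
    # Split on a two-character operator only when an even number of quotes follows,
    # i.e. when the operator is outside a quoted value.
    return re.split(re.escape(op) + r'(?=(?:[^"]*"[^"]*")*[^"]*$)', expr)


def eval_atom(atom, p):
    m = ATOM_RE.match(atom)
    if not m:
        raise ValueError('unsupported expression atom: %r' % atom)
    attr, op, value = m.groups()
    matched = (p.uid == value) if attr == 'user' else (value in p.groups)
    return matched if op == '=' else not matched


def eval_expression(expr, p):
    # Assumed precedence: '||' binds loosest, '&&' tighter; no parentheses.
    return any(all(eval_atom(a, p) for a in split_ops(term, '&&'))
               for term in split_ops(expr, '||'))


def is_allowed(acl, p, right):
    """Assumed order: any matching deny wins; otherwise a matching allow is needed."""
    if right not in acl.rights:
        return False
    for e in acl.entries:
        if e.effect == 'deny' and right in e.rights and eval_expression(e.expression, p):
            return False
    for e in acl.entries:
        if e.effect == 'allow' and right in e.rights and eval_expression(e.expression, p):
            return True
    return False


if __name__ == '__main__':
    acl = parse_acl(SAMPLE_ACL)
    for who in (Principal('alice', frozenset({'Agents'})),
                Principal('someBody', frozenset({'Agents'}))):
        print(who.uid, 'submit ->', is_allowed(acl, who, 'submit'))
```

When experimenting as the original poster did, the useful check is to feed the exact line taken from the server's configuration into `parse_acl` and confirm that the entry list contains the deny entry you expect; a deny that is silently parsed into the description field (because of an unquoted `:` or a missing `;`) will never be evaluated.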
