[Pki-users] confused about access control list
Christina Fu
cfu at redhat.com
Wed Apr 29 16:59:41 UTC 2015
Hi,
I was looking for the exact aci syntax example you tried that failed so I
could help you better.
Did you do something like:
resourceACLS: certServer.ee.request.enrollment:submit:allow (submit)
user!="someBody" && group="Agents":All Agents other than someBody may
submit an enrollment request
I got the syntax info from the link I gave you. Let me know if that's
what you tried.
Christina
On 04/24/2015 11:14 AM, Ali Khalidi wrote:
> In my test, I've added a user to CM and assigned him Agent group
> permissions.
> Now, I want to deny this user enrollment submission, so there are two
> default and pre-existing ACLs of relevance:
> certServer.ca.request.enrollment and certServer.ee.request.enrollment
> In both I tried the following on the submit right:
> change the submit right from allow to deny -> the user can still
> submit and enroll a certificate
> change back to allow, then added a deny rule with the username
> specified -> the user can still submit and enroll a certificate
>
> these were just experiments to understand how ACLs work.
>
> my end goal, if possible with dogtag, and I would appreciate if you
> point me to the right direction is:
> restrict an agent to submit and execute an enrollment based on a
> specific certificate profile.
>
> Having said the latter, the user_origreq looked promising for that
> matter, but I have no clue how to create a new ACL with it. Help is
> appreciated in this area as well.
>
>
> Thanks,
>
> Ali
>
> On Fri, Apr 24, 2015 at 7:31 PM, Christina Fu <cfu at redhat.com
> <mailto:cfu at redhat.com>> wrote:
>
>
> On 04/22/2015 02:17 AM, Ali Khalidi wrote:
>> I've tried a simple example of using the ACL to block profile
>> listing and it works. However, I want to disable a CA agent from
>> submitting/approving or executing any enrollment requests. I've
>> gone through all the ACLs, and whenever I encountered a submit
>> right, I flipped it to deny. Despite that, the agent is still able to
>> submit and enroll certificates.
>>
> information on access control can be found here:
> https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Authorization_for_CRTS_Users.html
>
> It would help if you could give us an acl example that you tried that
> does not work.
>
>>
>> Another aspect: I was looking into the user_origreq ACL plugin.
>> Can someone provide an example of how this can be used in the
>> context of ACLs?
>
> The user_origreq is an access evaluator plugin for the
> UserOrigReqAccessEvaluator. Its primary purpose is for access
> control during renewal. It checks to see that the authenticated
> user and the original request ownership match.
>
> Hope this helps.
>
>>
>> thanks,
>>
>>
>> _______________________________________________
>> Pki-users mailing list
>> Pki-users at redhat.com <mailto:Pki-users at redhat.com>
>> https://www.redhat.com/mailman/listinfo/pki-users
>
>
>
>
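To make the resourceACLS syntax in Christina's message concrete, below is an added example (written for this archive page, not code from Dogtag, Red Hat, or either participant) that parses an ACL entry of the form `resource:rights:allow|deny (rights) expression:description` and evaluates it for a given user and group set. It handles `user=`, `user!=`, `group=` and `group!=` clauses joined with `&&` and `||`, plus several ACI clauses separated by `;`. The evaluation order it uses (deny ACIs consulted first, then allow ACIs, deny when nothing matches) and the user and group names are assumptions for the illustration; the second ACL string is constructed to mirror the "deny rule with the username" experiment described in the quoted reply.

```python
"""Parse and evaluate Dogtag/RHCS-style resourceACLS entries (illustrative).

Grammar handled (as shown in the thread):
    resourceACLS: <resource>:<rights>:<allow|deny> (<rights>) <expr>:<description>
Several ACI clauses may be joined with ';'. <expr> combines
user="..." / user!="..." / group="..." / group!="..." with && and ||.
Evaluation order below (deny first, then allow, default deny) is an assumption.
"""
import re
from dataclasses import dataclass

ACI_RE = re.compile(r'^\s*(allow|deny)\s*\(([^)]*)\)\s*(.*?)\s*$')
CLAUSE_RE = re.compile(r'^\s*(user|group)\s*(!=|=)\s*"([^"]*)"\s*$')


@dataclass
class Aci:
    effect: str        # "allow" or "deny"
    rights: frozenset  # rights this ACI clause applies to
    expr: str          # e.g. user!="someBody" && group="Agents"


@dataclass
class ResourceAcl:
    resource: str
    rights: frozenset
    acis: list
    description: str


def parse_resource_acl(line):
    """Split one resourceACLS line into its resource, rights, ACI clauses and description."""
    line = line.strip()
    if line.startswith("resourceACLS:"):
        line = line[len("resourceACLS:"):].strip()
    resource, rights, rest = line.split(":", 2)
    # The human-readable description follows the last ':'; ACI text precedes it.
    aci_text, _, description = rest.rpartition(":")
    acis = []
    for part in aci_text.split(";"):
        m = ACI_RE.match(part)
        if not m:
            raise ValueError(f"malformed ACI clause: {part!r}")
        effect, aci_rights, expr = m.groups()
        acis.append(Aci(effect, frozenset(r.strip() for r in aci_rights.split(",") if r.strip()), expr))
    return ResourceAcl(resource.strip(),
                       frozenset(r.strip() for r in rights.split(",") if r.strip()),
                       acis, description.strip())


def eval_clause(clause, user, groups):
    """Evaluate a single user=/user!=/group=/group!= comparison."""
    m = CLAUSE_RE.match(clause)
    if not m:
        raise ValueError(f"malformed clause: {clause!r}")
    attr, op, value = m.groups()
    matched = (user == value) if attr == "user" else (value in groups)
    return matched if op == "=" else not matched


def eval_expr(expr, user, groups):
    """'||' binds loosest and '&&' tighter; the documented syntax has no parentheses."""
    return any(all(eval_clause(c, user, groups) for c in conj.split("&&"))
               for conj in expr.split("||"))


def check_permission(acl, user, groups, right):
    """Return True if `user` (member of `groups`) may exercise `right` on acl.resource."""
    if right not in acl.rights:
        return False
    applicable = [a for a in acl.acis if right in a.rights]
    # Assumption: any matching deny wins, then any matching allow grants; otherwise deny.
    if any(a.effect == "deny" and eval_expr(a.expr, user, groups) for a in applicable):
        return False
    if any(a.effect == "allow" and eval_expr(a.expr, user, groups) for a in applicable):
        return True
    return False


# The ACL quoted in the message above, joined onto one line.
EXAMPLE_ACL = ('resourceACLS: certServer.ee.request.enrollment:submit:allow (submit) '
               'user!="someBody" && group="Agents":All Agents other than someBody may '
               'submit an enrollment request')

# Constructed alternative: an explicit deny clause for the user plus a general allow.
DENY_RULE_ACL = ('resourceACLS: certServer.ee.request.enrollment:submit:deny (submit) '
                 'user="someBody";allow (submit) group="Agents":Agents except someBody '
                 'may submit an enrollment request')

if __name__ == "__main__":
    for text in (EXAMPLE_ACL, DENY_RULE_ACL):
        acl = parse_resource_acl(text)
        print(acl.resource, sorted(acl.rights), acl.description)
        for user, groups in (("someBody", {"Agents"}), ("alice", {"Agents"}), ("bob", set())):
            print(f"  {user:9s} submit -> {check_permission(acl, user, groups, 'submit')}")
```

Both ACL strings yield the same decisions for the three sample principals, which is the point of the example: whether the exclusion is written as a `user!=` condition on the allow clause or as a separate `deny` clause, the named user is refused while other members of `Agents` are still allowed to submit.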