Hi,
I was looking for an exact ACI syntax example you tried that failed so I 
could help you better.
Did you do something like:
resourceACLS: certServer.ee.request.enrollment:submit:allow (submit) user!="someBody" && group="Agents":All Agents other than someBody may submit an enrollment request
I got the syntax info from the link I gave you.  Let me know if that's 
what you tried.
Christina
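To make the resourceACLS syntax above concrete, here is a small added example (my own model, not Dogtag's code and not anything posted in the thread) that parses a resourceACLS value of the form resource:rights:ace;ace:description and evaluates a user/group pair against it. The two ACL strings are constructed samples; the group name "Agents" simply follows the example above rather than a real default. The order in which deny and allow entries are evaluated is an assumption and is marked as such in the code.

```python
"""Model of the resourceACLS syntax quoted in the thread (added example, not
Dogtag's own code).  Format modelled:

    <resource>:<rights>:<ace>[;<ace>...]:<description>
    <ace> = allow|deny (<right>[,<right>...]) <expression>

Expressions here are user="x" / user!="x" / group="g" / group!="g" terms
joined with && and ||.  ASSUMPTION (not stated on the page): a matching
deny ACE is evaluated before the allow ACEs and wins; verify against the
server's own behaviour before relying on it.
"""
import re
from dataclasses import dataclass


@dataclass
class Ace:
    effect: str        # "allow" or "deny"
    rights: set        # rights this ACE covers, e.g. {"submit"}
    expression: str    # e.g. 'user!="someBody" && group="Agents"'


@dataclass
class Acl:
    resource: str
    rights: set        # rights defined for the resource
    aces: list
    description: str


ACE_RE = re.compile(r'^(allow|deny)\s*\(([^)]*)\)\s*(.*)$')
TERM_RE = re.compile(r'^(user|group)\s*(!=|==|=)\s*"([^"]*)"$')


def parse_resource_acl(line: str) -> Acl:
    """Parse one resourceACLS value (an optional 'resourceACLS:' prefix is accepted)."""
    line = line.strip()
    if line.startswith("resourceACLS:"):
        line = line[len("resourceACLS:"):].strip()
    # maxsplit=3 keeps any ':' inside the trailing description intact
    resource, rights, rules, description = line.split(":", 3)
    aces = []
    for rule in rules.split(";"):
        m = ACE_RE.match(rule.strip())
        if not m:
            raise ValueError(f"bad ACE: {rule!r}")
        effect, ace_rights, expression = m.groups()
        aces.append(Ace(effect, {r.strip() for r in ace_rights.split(",")}, expression.strip()))
    return Acl(resource, {r.strip() for r in rights.split(",")}, aces, description)


def eval_term(term: str, user: str, groups: set) -> bool:
    """Evaluate one user=/user!=/group=/group!= comparison."""
    m = TERM_RE.match(term.strip())
    if not m:
        raise ValueError(f"unsupported term: {term!r}")
    attr, op, value = m.groups()
    matched = (user == value) if attr == "user" else (value in groups)
    return matched if op in ("=", "==") else not matched


def eval_expression(expr: str, user: str, groups: set) -> bool:
    """'||' binds loosest, '&&' tighter; parentheses are not modelled."""
    return any(all(eval_term(t, user, groups) for t in clause.split("&&"))
               for clause in expr.split("||"))


def is_permitted(acl: Acl, right: str, user: str, groups: set) -> bool:
    """Return True if the user (with these group memberships) holds the right."""
    if right not in acl.rights:
        return False
    relevant = [a for a in acl.aces if right in a.rights]
    # ASSUMPTION: deny entries are checked first and win over allow entries.
    if any(eval_expression(a.expression, user, groups) for a in relevant if a.effect == "deny"):
        return False
    return any(eval_expression(a.expression, user, groups) for a in relevant if a.effect == "allow")


# Constructed samples (not real Dogtag defaults; the group name follows the thread's example).
ACL_EXCLUDE = ('certServer.ee.request.enrollment:submit:'
               'allow (submit) user!="someBody" && group="Agents"'
               ':All Agents other than someBody may submit an enrollment request')
ACL_DENY = ('certServer.ee.request.enrollment:submit:'
            'allow (submit) group="Agents";deny (submit) user="someBody"'
            ':Agents may submit, except someBody')


def check(acl_line: str, user: str, groups: set, right: str = "submit") -> bool:
    return is_permitted(parse_resource_acl(acl_line), right, user, groups)


if __name__ == "__main__":
    for line in (ACL_EXCLUDE, ACL_DENY):
        for who, grp in (("someBody", {"Agents"}), ("alice", {"Agents"}), ("alice", {"Auditors"})):
            print(f"{who:8} {sorted(grp)} -> {check(line, who, grp)}")
```

The two samples show the two ways of expressing the same policy: excluding the user inside the single allow expression, or keeping the broad allow and adding a separate deny ACE. The evaluator is a model of the syntax only; when an edited ACL appears to have no effect on a live subsystem, the first thing to confirm is that the running server has actually reloaded the modified resourceACLS value, and the second is which of the two enrollment resources (certServer.ca.request.enrollment or certServer.ee.request.enrollment) the interface being tested is checked against.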
On 04/24/2015 11:14 AM, Ali Khalidi wrote:
 In my test, I've added a user to CM and assigned him Agent group
 permissions.
 now, I want to deny this user enrollment submission, so there are two 
 default and pre-existing ACLs of relevance:
 certServer.ca.request.enrollment and certServer.ee.request.enrollment
 in both I tried the following on the submit right:
 change the submit right from allow to deny -> the user can still 
 submit and enroll a certificate
 change back to allow, then added a deny rule with the username 
 specified -> the user can still submit and enroll a certificate
 these were just experiments to understand how ACLs work.
 my end goal, if possible with Dogtag (and I would appreciate it if you 
 would point me in the right direction), is:
 restrict an agent from submitting and executing an enrollment based on a 
 specific certificate profile.
 having said the latter, the user_origreq looked promising for that 
 matter, but I have no clue how to create a new ACL with it. help is 
 appreciated in the area as well.
 Thanks,
 Ali
 On Fri, Apr 24, 2015 at 7:31 PM, Christina Fu <cfu@redhat.com> wrote:
     On 04/22/2015 02:17 AM, Ali Khalidi wrote:
>     I've tried a simple example of using the ACL to block profile
>     listing and it works. However, I want to disable a CA agent from
>     submitting/approving or executing any enrollment requests. I've
>     gone through all the ACLs, and whenever I encountered a submit
>     right, I flipped it to deny. Despite that, the agent is still able to
>     submit and enroll certificates.
>
     information on access control can be found here:
    
https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/...
     It would help if you give us an acl example that you tried that
     does not work?
>
>     another aspect, I was looking into the user_origreq ACL plugin.
>     can someone provide an example on how this can be used in the
>     context of ACLs?
     The user_origreq is an access evaluator plugin for the
     UserOrigReqAccessEvaluator.  Its primary purpose is for access
     control during renewal.  It checks whether the authenticated
     user and the original request's ownership match.
     Hope this helps.
>
>     thanks,
>
>
>     _______________________________________________
>     Pki-users mailing list
>     Pki-users@redhat.com
>     https://www.redhat.com/mailman/listinfo/pki-users