In my test, I've added a user to CM and assigned him Agent group permissions. Now I want to deny this user enrollment submission, so there are two default and pre-existing ACLs of relevance: certServer.ca.request.enrollment and certServer.ee.request.enrollment.

In both I tried the following with the submit right:
- change the submit right from allow to deny -> the user can still submit and enroll a certificate
- change back to allow, then add a deny rule with the username specified -> the user can still submit and enroll a certificate

These were just experiments to understand how ACLs work.

My end goal, if possible with Dogtag (and I would appreciate it if you point me in the right direction), is: restrict an agent to submitting and executing an enrollment based on a specific certificate profile.

Having said that, user_origreq looked promising for that matter, but I have no clue how to create a new ACL with it. Help is appreciated in that area as well.
Thanks,
Ali
On Fri, Apr 24, 2015 at 7:31 PM, Christina Fu <cfu@redhat.com> wrote:
> On 04/22/2015 02:17 AM, Ali Khalidi wrote:
>
>> I've tried a simple example of using the ACL to block profile listing and it works. However, I want to disable a CA agent from submitting/approving or executing any enrollment requests. I've gone through all the ACLs, and whenever I encountered a submit right, I flipped it to deny. Despite that, the agent is still able to submit and enroll certificates.
>
> Information on access control can be found here:
> https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Authorization_for_CRTS_Users.html
>
> It would help if you give us an ACL example that you tried that does not work.
>
>> Another aspect: I was looking into the user_origreq ACL plugin. Can someone provide an example of how this can be used in the context of ACLs?
>
> The user_origreq is an access evaluator plugin for the UserOrigReqAccessEvaluator. Its primary purpose is for access control during renewal. It checks to see that the authenticated user and the original request ownership match.
>
> Hope this helps.
>
> thanks,
>
> _______________________________________________
> Pki-users mailing list
> Pki-users@redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
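[Added example; this is not from the thread and not Dogtag's own code.] The thread talks about flipping "submit" between allow and deny and adding a user-specific deny rule, but never shows what a Dogtag ACL entry looks like. The Python below models the resource-ACL string format that Dogtag/RHCS stores in CS.cfg under authz.instance.DirAclAuthz.resourceACLS.* (<resource>:<rights>:<aci>[;<aci>...]:<description>, each ACI being allow|deny (rights) expression) and evaluates a principal against it. The two resource names are the ones from the thread; the rights, expressions, descriptions, the "agent1"/"agent2" accounts and the deny-before-allow evaluation order (modelled on authz.evaluateOrder=deny,allow) are my assumptions for illustration, not copied from a real CS.cfg or verified against the Dogtag source.

```python
"""Model of Dogtag / RHCS ACL resource strings (added example, not Dogtag code).

Format as stored in CS.cfg under authz.instance.DirAclAuthz.resourceACLS.*:
    <resource>:<rights>:<aci>[;<aci>...]:<description>
    <aci>        := allow|deny (<right>[,<right>...]) <expression>
    <expression> := <attr>="<value>" terms joined by || and &&; '!=' negates
Assumptions (mine): deny entries are evaluated before allow entries, a right
with no matching allow is denied, and user="anybody" matches any authenticated user.
"""
import re

EVALUATE_ORDER = ("deny", "allow")  # assumption: models authz.evaluateOrder=deny,allow

ACI_RE = re.compile(r'^(allow|deny)\s*\(([^)]*)\)\s*(.*)$')
TERM_RE = re.compile(r'^(user|group)\s*(!?=)\s*"([^"]*)"$')


def parse_acl(text):
    """Parse one resourceACLS value into resource, rights, ACI entries, description."""
    parts = text.split(":", 3)
    if len(parts) < 3:
        raise ValueError("expected <resource>:<rights>:<acis>[:<description>]")
    resource, rights, acis = parts[0].strip(), parts[1], parts[2]
    description = parts[3].strip() if len(parts) == 4 else ""
    entries = []
    for aci in acis.split(";"):
        aci = aci.strip()
        if not aci:
            continue
        m = ACI_RE.match(aci)
        if not m:
            raise ValueError("bad ACI entry: %r" % aci)
        entries.append({
            "effect": m.group(1),
            "rights": {r.strip() for r in m.group(2).split(",") if r.strip()},
            "expr": m.group(3).strip(),
        })
    return {
        "resource": resource,
        "rights": {r.strip() for r in rights.split(",") if r.strip()},
        "entries": entries,
        "description": description,
    }


def term_matches(term, principal):
    """Evaluate one user="..." or group="..." term against a principal dict."""
    m = TERM_RE.match(term.strip())
    if not m:
        raise ValueError("unsupported term: %r" % term)
    attr, op, value = m.groups()
    if attr == "user":
        hit = value == "anybody" or principal["user"] == value  # "anybody": assumption
    else:
        hit = value in principal["groups"]
    return hit if op == "=" else not hit


def expr_matches(expr, principal):
    """'||' binds looser than '&&': the expression is a disjunction of conjunctions."""
    return any(
        all(term_matches(t, principal) for t in conj.split("&&"))
        for conj in expr.split("||")
    )


def check(acl, principal, right):
    """True if principal holds `right` on this ACL under EVALUATE_ORDER."""
    if right not in acl["rights"]:
        return False  # a right the resource does not define is never granted
    matched = {"allow": False, "deny": False}
    for entry in acl["entries"]:
        if right in entry["rights"] and expr_matches(entry["expr"], principal):
            matched[entry["effect"]] = True
    for effect in EVALUATE_ORDER:
        if matched[effect]:
            return effect == "allow"
    return False  # nothing matched: default deny


# Constructed sample ACLs: resource names from the thread, everything else illustrative.
CA_ENROLL = ('certServer.ca.request.enrollment:submit,read,execute:'
             'allow (submit,read,execute) group="Certificate Manager Agents":'
             'Certificate Manager Agents may create and execute enrollment requests')
EE_ENROLL = ('certServer.ee.request.enrollment:submit,read:'
             'allow (submit,read) user="anybody":'
             'Anybody may submit an enrollment request')
# Same resource with a user-specific deny ACI appended ("agent1" is a hypothetical account).
EE_ENROLL_DENY_AGENT1 = ('certServer.ee.request.enrollment:submit,read:'
                         'allow (submit,read) user="anybody";deny (submit) user="agent1":'
                         'Anybody except agent1 may submit an enrollment request')
SAMPLES = {"ca": CA_ENROLL, "ee-default": EE_ENROLL, "ee-deny-agent1": EE_ENROLL_DENY_AGENT1}

AGENT1 = {"user": "agent1", "groups": {"Certificate Manager Agents"}}
AGENT2 = {"user": "agent2", "groups": {"Certificate Manager Agents"}}


def demo():
    """Submit decision for every (sample ACL, principal) pair, keyed '<label>/<user>'."""
    return {label + "/" + who["user"]: check(parse_acl(text), who, "submit")
            for label, text in SAMPLES.items() for who in (AGENT1, AGENT2)}


if __name__ == "__main__":
    for key, allowed in demo().items():
        print("%-28s submit -> %s" % (key, "allow" if allowed else "deny"))
```

Two things the model makes visible. First, the two resources grant "submit" through different expressions (a group match on the ca.* resource, user="anybody" on the ee.* resource), so a deny added to one resource changes nothing for a check performed against the other; a user-specific deny has to sit on the resource that the code path actually consults. Second, with deny evaluated before allow, the extra ACI deny (submit) user="agent1" overrides the broad allow for that one account while leaving agent2 untouched; under the opposite evaluation order the same entry would be shadowed by the allow, which is why it is worth confirming the evaluation order on the instance before relying on per-user denies.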