On 04/22/2015 02:17 AM, Ali Khalidi wrote:
> I've tried a simple example of using the ACL to block profile listing and it works. However, I want to disable a CA agent from submitting/approving or executing any enrollment requests. I've gone through all the ACLs, and whenever I encountered a submit right, I flipped it to deny. Despite that, the agent is still able to submit and enroll certificates.

Information on access control can be found here:
https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Authorization_for_CRTS_Users.html

It would help if you give us an ACL example that you tried that does not work.


> Another aspect: I was looking into the user_orgreq ACL plugin. Can someone provide an example of how this can be used in the context of ACLs?

The user_origreq is an access evaluator plugin for the UserOrigReqAccessEvaluator. Its primary purpose is for access control during renewal. It checks to see that the authenticated user and the original request ownership match.

Hope this helps.


thanks,

