Hi all,
I have a question about the configuration setting *authz.acl* in
certificate profiles. For example profile
https://github.com/dogtagpki/pki/blob/master/base/ca/shared/profiles/ca/c...
contains:
*authz.acl=group="Certificate Manager Agents"*
The only documentation I can find on this is from the Red Hat Certificate
System, where it says:
Specifies the authorization constraint. Most commonly, this is used to set
the group evaluation ACL. For example, this caCMCUserCert parameter
requires that the signer of the CMC request belong to the Certificate
Manager Agents group:
authz.acl=group="Certificate Manager Agents"
In directory-based user certificate renewal, this option is used to ensure
that the original requester and the currently-authenticated user are the
same.
An entity must authenticate (bind or, essentially, log into the system)
before authorization can be evaluated. The authorization method specified
must be one of the registered authorization instances from CS.cfg.
However, I've found that this setting doesn't actually seem to do anything.
An agent belonging to any group that has the following permissions can
submit a CMC request and it will get accepted and a certificate is issued:
- "certServer.ee.profile"
- "certServer.ca.certrequests", "execute"
Is this a known issue? Or should it work and am I just using it wrong?
Jasper Misset
DevOps Engineer | +31 (0) 6 42 77 15 40 | jasper.misset(a)cleverbase.com
<http://vidua.nl>
Powered by Cleverbase <http://cleverbase.com>
| Maanweg 174 | 2516 AB | Den Haag | +31 (0)70 820 96 80
Cleverbase excludes all liability in connection with the incorrect, incomplete
or late transmission of the information in this e-mail. No rights can be
derived from this message. This message is intended solely for the addressee.
If this message is not intended for you, we request that you notify us
immediately and destroy the contents of the message.
Cleverbase ID B.V. is registered with the Chamber of Commerce under number
67419925 in 's-Gravenhage.
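A small model of what the profile's authz.acl constraint is supposed to enforce, added here as an example and not Dogtag's own authorization code: it reads the authz.acl value from a profile .cfg and evaluates group="..." and user="..." terms joined by || (any) and && (all) against a principal's group membership, so the expected decision for a Certificate Manager Agent versus a member of some other group can be written down and compared with the observed behaviour. The Principal class, the operator handling, the sample profile text and the user and group names are constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed model of a Dogtag user: its uid and the groups it belongs to.
@dataclass
class Principal:
    uid: str
    groups: set = field(default_factory=set)

# One ACL term: group="Some Group" or user="someuid" (assumed syntax).
_TERM = re.compile(r'\s*(group|user)\s*=\s*"([^"]*)"\s*')

def _eval_term(term, principal):
    m = _TERM.fullmatch(term)
    if not m:
        raise ValueError(f"unsupported ACL term: {term!r}")
    kind, value = m.groups()
    return value in principal.groups if kind == "group" else principal.uid == value

def acl_allows(expr, principal):
    """Evaluate an authz.acl expression: terms joined by && must all hold,
    and any &&-clause joined by || is enough (assumed intended semantics)."""
    return any(all(_eval_term(t, principal) for t in clause.split("&&"))
               for clause in expr.split("||"))

def profile_authz(profile_text):
    """Return the authz.acl value of a profile .cfg (key=value lines), or None."""
    for line in profile_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "authz.acl":
            return value.strip()
    return None

def expected_decision(profile_text, principal):
    """Expected outcome: no authz.acl means no extra constraint, otherwise the ACL decides."""
    acl = profile_authz(profile_text)
    return True if acl is None else acl_allows(acl, principal)

# Constructed profile fragment with the same constraint as the caCMCUserCert example.
CA_CMC_USER_CERT = """\
desc=User certificates via CMC (constructed sample)
visible=true
enable=true
authz.acl=group="Certificate Manager Agents"
"""

if __name__ == "__main__":
    agent = Principal("caagent", {"Certificate Manager Agents"})
    other = Principal("auditor1", {"Auditors"})
    print("agent allowed:", expected_decision(CA_CMC_USER_CERT, agent))   # True
    print("non-agent allowed:", expected_decision(CA_CMC_USER_CERT, other))  # False
```

If a request signed by a member of a group other than Certificate Manager Agents is accepted, the CA is not applying the constraint this model predicts, which is the discrepancy the question describes.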