Hi all, I have a question about the configuration setting authz.acl in certificate profiles. For example profile https://github.com/dogtagpki/pki/blob/master/base/ca/shared/profiles/ca/c... contains: authz.acl=group="Certificate Manager Agents" The only documentation I can find on this is from the Red Hat Certificate System, where it says: Specifies the authorization constraint. Most commonly, this us used to set the group evaluation ACL. For example, this caCMCUserCert parameter requires that the signer of the CMC request belong to the Certificate Manager Agents group: authz.acl=group="Certificate Manager Agents" In directory-based user certificate renewal, this option is used to ensure that the original requester and the currently-authenticated user are the same. An entity must authenticate (bind or, essentially, log into the system) before authorization can be evaluated. The authorization method specified must be one of the registered authorization instances from CS.cfg. However, I've found that this setting doesn't actually seem to do anything. An agent belonging to any group that has the following permissions can submit a CMC request and it will get accepted and a certificate is issued: "certServer.ee.profile" "certServer.ca.certrequests", "execute" Is this a known issue? Or should it work and am I just using it wrong?