Chapter 17. User and Group Authorization
This chapter explains how to set up authorization for access to the administrative, agent services, and
end-entities pages.
17.1. About Authorization
Authorization is the process of allowing access to certain tasks associated with the Certificate System.
Access can be limited so that particular users or groups may perform only particular tasks in particular
areas of a subsystem, with different tasks granted to different users and groups.
Users are specific to the subsystem in which they are created. Each subsystem has its own set of
users independent of any other subsystem installed. The users are placed in groups, which can be
predefined or user-created. Privileges are assigned to a group through access control lists (ACLs).
ACLs are associated with areas of the administrative console, agent services interface, and
end-entities page, and each area performs an authorization check before allowing an operation to proceed.
Each ACL contains access control instructions (ACIs) that explicitly allow or deny the operations covered
by that ACL to specified users, groups, or IP addresses.
The ACLs contain a default set of ACIs for the default groups that are created. These ACIs can be
modified to change the privileges of predefined groups or to assign privileges to newly-created groups.
17.1.1. How Authorization Works
Authorization goes through the following process:
1. The user authenticates to the interface using either a Certificate System user ID and password
or a certificate.
2. The server authenticates the user either by matching the user ID and password with the one
stored in the database or by checking the certificate against one stored in the database. With
certificate-based authentication, the server also checks that the certificate is valid and finds the
group membership of the user by associating the DN of the certificate with a user and checking
the user entry. With password-based authentication, the server checks the password against the
user ID and then finds the group membership of the user by associating that user ID with the user
ID contained in the group.
3. When the user tries to perform an operation, the authorization mechanism compares the user ID
of the user, the groups to which the user belongs, and the IP address of the user against the ACLs set
for that user, group, or IP address. If an ACL exists that allows that operation, then the operation
proceeds.
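The three steps above, modelled as an added example (not Certificate System code, and not its real ACL syntax): a constructed user directory, authentication by password or by certificate subject DN, and an ACL evaluator in which ACIs match on user ID, group, or source network. The rule that an explicit deny outranks any allow, and that no matching ACI means denied, is an assumption of the example, not stated on this page.

```python
import hmac
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed user directory: user ID -> password, certificate subject DN, groups.
# Stands in for the database lookup the server performs in step 2.
USERS = {
    "caadmin": {"password": "s3cret", "dn": "CN=caadmin,OU=Admins,O=Example", "groups": {"Administrators"}},
    "agent1":  {"password": "hunter2", "dn": "CN=agent1,OU=Agents,O=Example", "groups": {"Agents"}},
}

@dataclass
class ACI:
    effect: str                      # "allow" or "deny"
    ops: set                         # operations this ACI covers
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    networks: list = field(default_factory=list)   # CIDR strings

    def matches(self, user_id, groups, ip):
        # An ACI applies if any of its user, group, or address criteria hits.
        return (user_id in self.users or bool(groups & self.groups)
                or any(ip_address(ip) in ip_network(n) for n in self.networks))

# Constructed ACLs, one per interface area named in this chapter.
ACLS = {
    "admin": [ACI("allow", {"read", "modify"}, groups={"Administrators"})],
    "agent": [ACI("allow", {"approve", "revoke"}, groups={"Agents"}),
              ACI("deny", {"revoke"}, networks=["203.0.113.0/24"])],  # constructed deny-by-address rule
}

def authenticate(user_id=None, password=None, cert_dn=None):
    """Step 2: return (user_id, groups) on success, None otherwise."""
    if cert_dn is not None:                     # certificate: map subject DN to a user entry
        for uid, entry in USERS.items():
            if entry["dn"] == cert_dn:
                return uid, entry["groups"]
        return None
    entry = USERS.get(user_id)                  # password: constant-time compare against stored value
    if entry and hmac.compare_digest(entry["password"], password or ""):
        return user_id, entry["groups"]
    return None

def authorize(acl_name, principal, operation, ip):
    """Step 3: explicit deny wins, then any matching allow; otherwise denied (assumption)."""
    if principal is None:
        return False
    user_id, groups = principal
    matched = [a for a in ACLS.get(acl_name, []) if operation in a.ops and a.matches(user_id, groups, ip)]
    if any(a.effect == "deny" for a in matched):
        return False
    return any(a.effect == "allow" for a in matched)
```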
17.1.2. Default Groups
A user's privileges are determined by the group membership of the user. The default subsystem
setting allows users to belong to more than one group. The following groups are created by default:
• Administrators. This group is given full access to all of the tasks available in the administrative
interface.
• Agents. This group is given full access to all of the tasks available in the agent services interface.