Authorization For Certificate System Users; Access Control Lists (Acls); Access Control Instructions (Acis); Changing Privileges - Red Hat CERTIFICATE SYSTEM 7.3 - ADMINISTRATION Administration Manual

17.6. Authorization for Certificate System Users
Authorization is the mechanism that checks whether a user is allowed to perform an operation.
Authorization points are defined for certain groups of operations that require an authorization check
before they proceed.

17.6.1. Access Control Lists (ACLs)

Access control lists (ACLs) are the mechanisms that specify authorization for server operations. An
ACL exists for each set of operations where an authorization check occurs. Additional operations can
be added to an ACL.

17.6.2. Access Control Instructions (ACIs)

The ACL contains access control instructions (ACIs), which specifically allow or deny operations such
as read or modify. Each ACI also contains an evaluator expression; the default ACL implementation
supports users, groups, and IP addresses as evaluator types. Each ACI in an ACL therefore specifies
whether access is allowed or denied, which operations are allowed or denied, and which users, groups,
or IP addresses are allowed or denied to perform them.

17.6.3. Changing Privileges

The privileges of Certificate System users are changed by editing the access control lists (ACLs)
that apply to a group the user belongs to, to the user directly, or to the user's IP address. A new
group is given access by adding it to the relevant ACLs. For example, a new group for administrators
who are only authorized to view logs, LogAdmins, can be added to the ACLs for log operations to allow
read or modify access to that group. If the group is not added to any other ACLs, its members only
have access to the logs.

17.6.4. How ACIs Are Formed

The access for a user, group, or IP address is changed by editing the ACI entries in the ACLs. In
the ACL interface, each ACI is shown on a line of its own. In this interface window, the ACI has the
following syntax:
allow|deny (operator) user|group|IP="name"
For example, the following is an ACI that allows administrators to perform read operations:
allow (read) group="Administrators"
An ACI can have more than one operator. The operators are separated with a comma with no space
on either side. For example:
allow (read,modify) group="Administrators"
An ACI can have more than one group, user, or IP address by separating them with two pipe symbols
(||) with a space on either side. For example:
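The ACI syntax above, as an added example that is not part of this manual or of Certificate System's own code: a small Python parser for ACI lines, plus an evaluator that decides whether a given principal (user ID, group memberships, client IP) may perform an operation, using the LogAdmins scenario from 17.6.3 as the sample ACL. Two things are assumptions rather than statements of the manual: that each `||`-separated element is a single user=, group= or IP= term, and that a matching deny ACI takes precedence over any allow with deny as the default (the manual does not state the evaluation policy). The ACL contents, user names and IP addresses are constructed for the example.

```python
"""Parser and evaluator for the ACI line syntax of section 17.6.4.

Added example, not code from Red Hat Certificate System. Grammar taken from
the manual:  allow|deny (op[,op...]) user|group|IP="name" [ || ... ]
Assumption: each " || "-separated element is one user=/group=/IP= term.
Assumption: a matching deny wins over any allow, and no matching allow means
the request is refused (the manual does not state the evaluation policy).
"""
import re
from dataclasses import dataclass

ACI_RE = re.compile(r'^(?P<effect>allow|deny)\s*\((?P<ops>[^)]*)\)\s*(?P<evals>.+)$')
EVAL_RE = re.compile(r'^(?P<kind>user|group|IP)="(?P<name>[^"]+)"$')


@dataclass(frozen=True)
class ACI:
    effect: str            # "allow" or "deny"
    operations: frozenset  # e.g. {"read", "modify"}
    evaluators: tuple      # ((kind, name), ...), one per " || " element


@dataclass(frozen=True)
class Principal:
    uid: str
    groups: frozenset
    ip: str


def parse_aci(line: str) -> ACI:
    """Parse one ACI line exactly as the ACL interface formats it."""
    m = ACI_RE.match(line.strip())
    if not m:
        raise ValueError(f"malformed ACI: {line!r}")
    ops = m.group("ops")
    # The manual requires operators to be comma-separated with no spaces.
    if not ops or " " in ops:
        raise ValueError(f"operators must be comma-separated with no spaces: {ops!r}")
    evaluators = []
    # Multiple evaluators are separated by two pipes with a space on either side.
    for term in m.group("evals").split(" || "):
        em = EVAL_RE.match(term)
        if not em:
            raise ValueError(f"malformed evaluator term: {term!r}")
        evaluators.append((em.group("kind"), em.group("name")))
    return ACI(m.group("effect"), frozenset(ops.split(",")), tuple(evaluators))


def aci_matches(aci: ACI, who: Principal) -> bool:
    """True if any evaluator term names this principal by uid, group or IP."""
    for kind, name in aci.evaluators:
        if kind == "user" and name == who.uid:
            return True
        if kind == "group" and name in who.groups:
            return True
        if kind == "IP" and name == who.ip:
            return True
    return False


def is_authorized(acl, who: Principal, operation: str) -> bool:
    """Assumed policy: an explicit deny beats allow; the default is deny."""
    allowed = False
    for aci in acl:
        if operation not in aci.operations or not aci_matches(aci, who):
            continue
        if aci.effect == "deny":
            return False
        allowed = True
    return allowed


# Constructed ACL for the log operations, mirroring the LogAdmins scenario in
# 17.6.3 plus one deny ACI; the IP address and user "contractor1" are made up.
LOG_ACL = [parse_aci(line) for line in (
    'allow (read,modify) group="Administrators"',
    'allow (read) group="LogAdmins" || IP="192.0.2.10"',
    'deny (modify) user="contractor1"',
)]

if __name__ == "__main__":
    log_admin = Principal("alice", frozenset({"LogAdmins"}), "198.51.100.7")
    contractor = Principal("contractor1", frozenset({"Administrators"}), "198.51.100.8")
    print(is_authorized(LOG_ACL, log_admin, "read"))      # True
    print(is_authorized(LOG_ACL, log_admin, "modify"))    # False
    print(is_authorized(LOG_ACL, contractor, "modify"))   # False: user-level deny wins
```

The parser rejects the two formatting mistakes the manual warns against, a space after the comma in the operator list and evaluators not separated by exactly ` || `, so a mistyped ACI fails loudly instead of silently granting or withholding access.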