Chapter 17. User and Group Authorization
allow (read) group="Administrators" || group="Auditors"
The administrative console can create or modify ACIs. The interface sets whether to allow or deny the
operation in the Allow and Deny field, sets which operations are possible in the Operations field, and
then lists the groups, users, or IP addresses being granted or denied access in the Syntax field.
17.6.4.1. Allow and Deny
An ACI can either allow or deny an operation for the specified group, user ID, or IP address. Generally,
ACIs do not need to be created to deny access. If no allow ACI includes a user ID, group, or
IP address, that group, user ID, or IP address is denied access.
If a user is not allowed access to any of the operations for a resource, then this user is considered
denied; he does not specifically need to be denied access. For example, user JohnB is a member
of the Administrators group. If an ACL has only the following ACI, JohnB would be denied any
access since he does not match any of the allow ACIs:
Allow (read,modify) group="Auditors" || user="BrianC"
There usually is not a need to include a deny statement. Some situations can arise, however, when
it is useful to specify one. For example, JohnB, a member of the Administrators group, has just
been fired. It may be necessary to deny access specifically to JohnB if the user cannot be deleted
immediately. Another situation is that a user, BrianC, is an administrator, but he should not have
the ability to change some resource. Since the Administrators group must access this resource,
BrianC can be specifically denied access by creating an ACI that denies this user access.
17.6.4.2. Allowable Rights
The allowed rights are the operations which the ACI is controlling, either by allowing or denying
permission to perform the operation. The actions that can be set for an ACL vary depending on the
ACL and subsystem. Two common operations that can be defined are read and modify.
17.6.4.3. Syntax
The syntax field of the ACI editor sets the evaluator for the expression. The evaluator can specify
group, name, and IP address. These are specified along with the name of the entity set as equals (=)
or does not equal (!=).
17.6.4.3.1. Group Syntax
The syntax to include a group in the ACL is group="groupname". The syntax to exclude a group is
group!="groupname", which allows any group except for the group named. For example:
group="Administrators"
group!="Auditors"
It is also possible to use regular expressions to specify the group, such as using wildcard characters
like an asterisk (*). For example:
group="* Managers"
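As an added illustration, not code from Certificate System itself, the following Python evaluator applies the ACI form shown in this section: allow or deny, an operation list, and group, user, or ip terms joined with ||, each using = or !=. It assumes default deny, that a matching deny ACI overrides any allow ACI, that group!= holds when none of the user's groups match, and that wildcards in group names follow shell-style globbing.

```python
import re
from fnmatch import fnmatchcase

# ACI shape from this section: allow|deny (op,op) group="X" || user="Y" || ip="Z"
ACI_RE = re.compile(r'^\s*(allow|deny)\s*\(([^)]*)\)\s*(.*)$', re.IGNORECASE)
TERM_RE = re.compile(r'^\s*(group|user|ip)\s*(!?=)\s*"([^"]*)"\s*$')


def parse_aci(text):
    """Return (effect, set of operations, list of (evaluator, negated, pattern))."""
    m = ACI_RE.match(text)
    if not m:
        raise ValueError("bad ACI: " + text)
    effect, ops, expr = m.group(1).lower(), m.group(2), m.group(3)
    terms = []
    for part in expr.split("||"):          # only the || operator shown on the page
        t = TERM_RE.match(part)
        if not t:
            raise ValueError("bad ACI term: " + part)
        terms.append((t.group(1), t.group(2) == "!=", t.group(3)))
    return effect, {o.strip() for o in ops.split(",") if o.strip()}, terms


def term_matches(term, user, groups, ip):
    evaluator, negated, pattern = term
    if evaluator == "group":
        # group patterns may carry wildcards, e.g. "* Managers" (assumed glob semantics)
        hit = any(fnmatchcase(g, pattern) for g in groups)
    elif evaluator == "user":
        hit = user == pattern
    else:
        hit = ip == pattern
    # "!=" is satisfied when the user matches nothing the pattern names (assumption)
    return not hit if negated else hit


def is_permitted(acl, op, user, groups=(), ip=None):
    """Default deny; a matching deny ACI wins over any allow ACI (assumed precedence)."""
    allowed = False
    for line in acl:
        effect, ops, terms = parse_aci(line)
        if op not in ops or not any(term_matches(t, user, groups, ip) for t in terms):
            continue
        if effect == "deny":
            return False
        allowed = True
    return allowed
```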