Advanced Access Rules
The meaning of each advanced access rule is explained in the tables below.
Each rule can be set to accept or deny, with an optional recursive flag. The rule set should be viewed as a tree structure, similar to a filesystem, where the recursive flag indicates that the rule also applies to all of its subrules.
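The tree evaluation described above, as an added example (not part of the original page and not the product's own code): a small Python evaluator for accept/deny rules with a recursive flag. The `Rule` class, the function names, the sample role and the conflict handling (default deny, deny overrides accept) are assumptions of this example; the page does not state how conflicting rules are resolved.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    path: str        # e.g. "/ra_functionality/view_end_entity"
    accept: bool     # True = accept, False = deny
    recursive: bool  # True = also applies to every subrule


def _parts(path):
    return [p for p in path.split("/") if p]


def applies(rule, resource):
    """A rule applies to its own node, and to descendants only if recursive."""
    r, q = _parts(rule.path), _parts(resource)
    if r == q:
        return True
    # Compare whole path segments so "/ca" never matches "/ca_functionality".
    return rule.recursive and len(r) < len(q) and q[:len(r)] == r


def is_authorized(rules, resource):
    """Assumed semantics (not stated on the page): default deny, and any
    applicable deny rule overrides applicable accept rules."""
    hits = [rule for rule in rules if applies(rule, resource)]
    return bool(hits) and all(rule.accept for rule in hits)


def effective_access(rules, resources):
    """Review helper: the decision this rule set yields for each resource."""
    return {res: is_authorized(rules, res) for res in resources}


# Constructed role: RA operator with everything under /ra_functionality
# except key recovery, plus the log pages but not the per-module entries.
RA_OPERATOR = [
    Rule("/ra_functionality", True, True),
    Rule("/ra_functionality/keyrecovery", False, False),
    Rule("/log_functionality/view_log", True, False),
    Rule("/ca", True, True),
]

if __name__ == "__main__":
    probes = ["/ra_functionality/revoke_end_entity", "/ra_functionality/keyrecovery",
              "/log_functionality/view_log/ca_entries", "/ca_functionality/create_crl"]
    for res, ok in effective_access(RA_OPERATOR, probes).items():
        print("ACCEPT" if ok else "DENY  ", res)
```

Running `effective_access` over every rule path in the tables below gives a quick review of what a role can actually reach, including rights it inherits only through a recursive flag.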
Role Based Access Rules:
| Access Rule | Resource |
| /public_web_user | Access to public web |
| /administrator | Access to administration pages |
| /super_administrator | Overall access, can edit CAs and Publishers |
Regular Access Rules:
| Access Rule | Resource |
| /ca_functionality | No Usage |
| /ca_functionality/approve_caaction | A rule that gives access to actions not related to end entity profiles, like approving CA editing and creation (not implemented yet). An administrator must have either this rule or ‘/ra_functionality/approve_end_entity’ in order to access the ‘Approve Actions’ web pages. |
| /ca_functionality/basic_functions | Access to basic functions page |
| /ca_functionality/create_crl | Possible to create CRL |
| /ca_functionality/edit_certificate_profiles | Access to edit certificate profile pages |
| /ca_functionality/create_certificate | User is authorized to create certificate |
| /ca_functionality/store_certificate | User is authorized to store certificate |
| /ca_functionality/view_certificate | Able to view certificates |
| /ra_functionality | No Usage |
| /ra_functionality/approve_end_entity | A rule that, along with the corresponding end entity profile rule, gives access to end entity profile related actions, like adding and editing end entities. The administrator must also have the ‘approve_end_entity’ rule for at least one of the ‘/endentityprofilerules/’ profiles in order to approve any actions. |
| /ra_functionality/edit_end_entity_profiles | Access to edit end entity profile pages |
| /ra_functionality/create_end_entity | Access to add end entity page |
| /ra_functionality/delete_end_entity | Delete button appears in list end entity page |
| /ra_functionality/edit_end_entity | Access to edit end entity page |
| /ra_functionality/revoke_end_entity | Revoke button appears in list end entity page |
| /ra_functionality/view_end_entity | Access to view end entity page |
| /ra_functionality/view_end_entity_history | Access to view history page |
| /ra_functionality/keyrecovery | Access to keyrecovery functions |
| /log_functionality | No Usage |
| /log_functionality/edit_log_configuration | Access to log configuration pages |
| /log_functionality/view_log | Access to view log pages |
| /log_functionality/view_log/adminweb_entries | Possible to view events sent from admin web module |
| /log_functionality/view_log/ca_entries | Possible to view events sent from ca module |
| /log_functionality/view_log/log_entries | Possible to view events sent from log module |
| /log_functionality/view_log/publicweb_entries | Possible to view events sent from publicweb module |
| /log_functionality/view_log/ra_entries | Possible to view events sent from ra module |
| /log_functionality/view_log/hardtoken_entries | Possible to view events sent from hardtoken module |
| /log_functionality/view_log/keyrecovery_entries | Possible to view events sent from keyrecovery module |
| /log_functionality/view_log/authorization_entries (new) | Possible to view events sent from authorization module |
| /hardtoken_functionality | No Usage |
| /hardtoken_functionality/issue_hardtokens | Administrator has rights to issue hard tokens. |
| /hardtoken_functionality/issue_hardtokens_administrator | Administrator has rights to issue hard tokens with administrator privileges. (Old, not used anymore) |
| /hardtoken_functionality/edit_hardtoken_issuers | Access to edit Hard Token Issuers page. |
| /hardtoken_functionality/edit_hardtoken_profiles | Access to edit Hard Token Profiles page. |
| /system_functionality | No Usage |
| /system_functionality/edit_administrator_privileges | Access to the administrator privileges pages. |
End Entity Profile Access Rules:
| Access Rule | Resource |
| /endentityprofilerules | None |
| /endentityprofilerules/<End Entity Profile Name>/approve_end_entity | See rule /ra_functionality/approve_end_entity |
| /endentityprofilerules/<End Entity Profile Name>/create_end_entity | Administrator has rights to create users with this profile |
| /endentityprofilerules/<End Entity Profile Name>/delete_end_entity | Administrator has rights to remove users with this profile |
| /endentityprofilerules/<End Entity Profile Name>/edit_end_entity | Administrator has rights to edit users with this profile |
| /endentityprofilerules/<End Entity Profile Name>/revoke_end_entity | Administrator has rights to revoke users with this profile |
| /endentityprofilerules/<End Entity Profile Name>/view_end_entity | Administrator has rights to view users with this profile |
| /endentityprofilerules/<End Entity Profile Name>/view_end_entity_history | Administrator has rights to view history of users with this profile |
CA Access Rules:
| Access Rule | Resource |
| /ca | No Usage |
| /ca/<CA Name> | The administrator has rights to administrate this CA |
page revision: 1, last edited: 20 Mar 2008 13:53





