Give access rule create/edit CA to caadmin instead of superadmin

atinza
2013-04-09
  • atinza
    2013-04-09

    Hi,

    I have a problem in giving access rules to my CA admin. I have 2 rules to be set:
    1) CA Admin 1 - can only create CSR/create CA. Cannot do anything else.
    2) CA Admin 2 - can only load a CA into the system and activate it.

    My problem is, when I use the CA Administrator rule, it does not allow creating a CA. I already edited it in advanced mode but it seems like it does not have any effect. Please, I really need help with this.

    I changed to use Super Administrator, but I cannot decline other rules in the access mode. It does not have any effect.

    Please please

    Thanks and Regards,
    Nita

  • To create new CAs you need to be superadmin.

    Creating new CAs is usually done very few times, during a key ceremony, where things (usage of superadmin) are under strict control. The CA Admin can then do daily operations on the already created CAs.

    Cheers,
    Tomas


    PrimeKey Solutions offers commercial EJBCA and SignServer support subscriptions and training courses. Please see www.primekey.se or contact info@primekey.se for more information.
    http://www.primekey.se/Services/Support/
    http://www.primekey.se/Services/Training/

  • atinza
    2013-04-09

    Thank you so much for your answer

    Is there any way I can restrict the superadmin rule... for example, superadmin1 can do all, but superadmin2 cannot edit the RA function?

  • Nope, a superadmin is a superadmin.

  • atinza
    2013-04-09

    OK... thank you so much for your reply...

    In my case, there will be several times when we create a CA/intermediate root according to customer and project. Most of the time each project has its own CA/intermediate cert. It seems the superadmin is so powerful, and we try to segregate the tasks according to SOD (segregation of duties). That's why this happens.

    I just want to clarify again:
    1) CA Admin cannot create a CA/intermediate cert. Only Superadmin can.
    2) Superadmin cannot be restricted to certain access rules. It always has all privileges.

    Am I in the right understanding?

    Thanks and Regards,
    Nita

  • Correct.

  • atinza
    2013-04-09

    Thank you so much for your reply ... :)