From: Michael S. <mi...@st...> - 2014-10-17 10:30:49

Hi!

What access rules do I have to define to allow an admin with cert issued by Sub-CA-1 with EE profile#1 to approve requests sent in for Sub-CA-2 with EE profile#2 (acting as RA admin)?

It seems I have correctly created the right admin role RA admin. But allowing only access to Sub-CA-2 and EE profile#2 does not work:

    12:21:40,077 INFO [org.ejbca.core.ejb.approval.ApprovalSessionBean] (http--0.0.0.0-8443-2) Error sending approval notification with id 1319887432.: org.cesecore.authorization.AuthorizationDeniedException: Administrator not authorized to CA -312685585 that existing user mstroeder was created with. Admin: UID=mstroeder,SN=1234567,OU=PKI RA Admin,O=OrgName.

If I allow access to Sub-CA-1 *and* EE profile#1 (the admin account was created with) everything works. But that's *not* what I want!

Fiddling with view rights on Sub-CA-1 in the advanced access rules did not work either.

BTW: Tested with 6.2.0 and SVN revision 20006

Ciao, Michael.