From: Michael S. <mi...@st...> - 2014-11-11 08:52:58
Michael Ströder wrote:
> (using 6.2)
>
> I'd like to delegate control (approval, revocation, etc.) for some specific EE
> profiles of sub CAs to groups of RA admins.

I have it somewhat working with detailed access rights for EE profiles "EEP_Admin" and "EEP_Server" (see details below). Mainly "EEP_Admin/view_end_entity ACCEPT" is the solution.

Is this the officially supported way to do it?

BTW: Why does it take two minutes to list the access rights for a single role?

Ciao, Michael.

# /opt/ejbca/bin/ejbca.sh roles listrules ROLE_ServerApprovers
No database integrity protection available in this version of EJBCA.
/administrator ACCEPT
/ca/CA_Test-Server-CA-1-2014-10 ACCEPT
/ca/CA_Test-Admin-CA-1-2014-10 ACCEPT
/ca_functionality/create_certificate ACCEPT
/ca_functionality/store_certificate ACCEPT
/ca_functionality/view_certificate ACCEPT
/endentityprofilesrules/EEP_Server/approve_end_entity ACCEPT
/endentityprofilesrules/EEP_Server/create_end_entity ACCEPT
/endentityprofilesrules/EEP_Server/delete_end_entity DECLINE
/endentityprofilesrules/EEP_Server/edit_end_entity ACCEPT
/endentityprofilesrules/EEP_Server/revoke_end_entity ACCEPT
/endentityprofilesrules/EEP_Server/view_end_entity ACCEPT
/endentityprofilesrules/EEP_Server/view_end_entity_history ACCEPT
/endentityprofilesrules/EEP_Admin/approve_end_entity DECLINE
/endentityprofilesrules/EEP_Admin/create_end_entity DECLINE
/endentityprofilesrules/EEP_Admin/delete_end_entity DECLINE
/endentityprofilesrules/EEP_Admin/edit_end_entity DECLINE
/endentityprofilesrules/EEP_Admin/revoke_end_entity DECLINE
/endentityprofilesrules/EEP_Admin/view_end_entity ACCEPT
/endentityprofilesrules/EEP_Admin/view_end_entity_history DECLINE
/ra_functionality/approve_end_entity ACCEPT
/ra_functionality/create_end_entity ACCEPT
/ra_functionality/edit_end_entity ACCEPT
/ra_functionality/revoke_end_entity ACCEPT
/ra_functionality/view_end_entity ACCEPT
/ra_functionality/view_end_entity_history ACCEPT
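
Added example, not part of the original message and not EJBCA code: a small audit helper that turns a pasted `roles listrules` dump into a per-profile list of usable operations and flags grants a reviewer did not intend. The function names are hypothetical, the sample is a subset of the rules listed above, and the rule that an operation needs ACCEPT on both the profile rule and the matching /ra_functionality rule is an assumption.

```python
from collections import defaultdict

# Constructed sample: a subset of the rule listing in the message above.
SAMPLE = """\
No database integrity protection available in this version of EJBCA.
/administrator ACCEPT
/ca/CA_Test-Server-CA-1-2014-10 ACCEPT
/endentityprofilesrules/EEP_Server/approve_end_entity ACCEPT
/endentityprofilesrules/EEP_Server/delete_end_entity DECLINE
/endentityprofilesrules/EEP_Server/revoke_end_entity ACCEPT
/endentityprofilesrules/EEP_Admin/approve_end_entity DECLINE
/endentityprofilesrules/EEP_Admin/view_end_entity ACCEPT
/ra_functionality/approve_end_entity ACCEPT
/ra_functionality/revoke_end_entity ACCEPT
/ra_functionality/view_end_entity ACCEPT
"""

def parse_rules(text):
    """Return {resource: state}; banner lines and anything malformed are skipped."""
    rules = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0].startswith("/") and parts[1] in ("ACCEPT", "DECLINE"):
            rules[parts[0]] = parts[1]
    return rules

def profile_matrix(rules):
    """Map each EE profile to the operations usable under the assumed semantics."""
    prefix = "/endentityprofilesrules/"
    allowed = defaultdict(set)
    for resource, state in rules.items():
        if not resource.startswith(prefix):
            continue
        profile, _, op = resource[len(prefix):].partition("/")
        allowed[profile]  # keep fully declined profiles visible in the result
        # Assumption: both the profile rule and the RA-level rule must be ACCEPT.
        if state == "ACCEPT" and rules.get("/ra_functionality/" + op) == "ACCEPT":
            allowed[profile].add(op)
    return {p: sorted(ops) for p, ops in allowed.items()}

def unexpected_grants(matrix, expected):
    """Return operations granted per profile beyond the reviewer's expected set."""
    extra = {}
    for profile, ops in matrix.items():
        diff = sorted(set(ops) - set(expected.get(profile, ())))
        if diff:
            extra[profile] = diff
    return extra

if __name__ == "__main__":
    for profile, ops in sorted(profile_matrix(parse_rules(SAMPLE)).items()):
        print(profile, ops)
```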