Re: [Ejbca-develop] Delegation with Administrator Roles

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

On 2014-11-11 09:52, Michael Ströder wrote:
> Michael Ströder wrote:
>> (using 6.2)
>>
>> I'd like to delegated control (approval, revocation, etc.) for some specific EE
>> profiles of sub CAs to groups of RA admins.
>
> I have it somewhat working with detailed access rights for EE profiles
> "EEP_Admin" and "EEP_Server" (see details below). Mainly
> "EEP_Admin/view_end_entity ACCEPT" is the solution.
>
> Is this the officially supported way to do it?
>
> BTW:
> Why does it take two minutes to list the access rights for a single role?

Hmm, not for me...goes in a jiffy...

>
> Ciao, Michael.
>
> # /opt/ejbca/bin/ejbca.sh roles listrules ROLE_ServerApprovers
> No database integrity protection available in this version of EJBCA.
> /administrator ACCEPT
> /ca/CA_Test-Server-CA-1-2014-10 ACCEPT
> /ca/CA_Test-Admin-CA-1-2014-10 ACCEPT
> /ca_functionality/create_certificate ACCEPT
> /ca_functionality/store_certificate ACCEPT
> /ca_functionality/view_certificate ACCEPT
> /endentityprofilesrules/EEP_Server/approve_end_entity ACCEPT
> /endentityprofilesrules/EEP_Server/create_end_entity ACCEPT
> /endentityprofilesrules/EEP_Server/delete_end_entity DECLINE
> /endentityprofilesrules/EEP_Server/edit_end_entity ACCEPT
> /endentityprofilesrules/EEP_Server/revoke_end_entity ACCEPT
> /endentityprofilesrules/EEP_Server/view_end_entity ACCEPT
> /endentityprofilesrules/EEP_Server/view_end_entity_history ACCEPT
> /endentityprofilesrules/EEP_Admin/approve_end_entity DECLINE
> /endentityprofilesrules/EEP_Admin/create_end_entity DECLINE
> /endentityprofilesrules/EEP_Admin/delete_end_entity DECLINE
> /endentityprofilesrules/EEP_Admin/edit_end_entity DECLINE
> /endentityprofilesrules/EEP_Admin/revoke_end_entity DECLINE
> /endentityprofilesrules/EEP_Admin/view_end_entity ACCEPT
> /endentityprofilesrules/EEP_Admin/view_end_entity_history DECLINE
> /ra_functionality/approve_end_entity ACCEPT
> /ra_functionality/create_end_entity ACCEPT
> /ra_functionality/edit_end_entity ACCEPT
> /ra_functionality/revoke_end_entity ACCEPT
> /ra_functionality/view_end_entity ACCEPT
> /ra_functionality/view_end_entity_history ACCEPT
>
>
>
> ------------------------------------------------------------------------------
> Comprehensive Server Monitoring with Site24x7.
> Monitor 10 servers for $9/Month.
> Get alerted through email, SMS, voice calls or mobile push notifications.
> Take corrective actions from your mobile device.
> http://pubads.g.doubleclick.net/gampad/clk?id=154624111&iu=/4140/ostg.clktrk
>
>
>
> _______________________________________________
> Ejbca-develop mailing list
> Ejb...@li...
> https://lists.sourceforge.net/lists/listinfo/ejbca-develop
>