4 files changed, 6 insertions, 6 deletions
diff --git a/pki/base/common/src/com/netscape/cms/servlet/connector/GenerateKeyPairServlet.java b/pki/base/common/src/com/netscape/cms/servlet/connector/GenerateKeyPairServlet.java
index 34004767e..e1e24d0e8 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/connector/GenerateKeyPairServlet.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/connector/GenerateKeyPairServlet.java
@@ -242,7 +242,7 @@ public class GenerateKeyPairServlet extends CMSServlet {
 try {
 authzToken = authorize(mAclMethod, authToken,
- mAuthzResourceName, "read");
+ mAuthzResourceName, "execute");
 } catch (Exception e) { }
diff --git a/pki/base/common/src/com/netscape/cms/servlet/connector/TokenKeyRecoveryServlet.java b/pki/base/common/src/com/netscape/cms/servlet/connector/TokenKeyRecoveryServlet.java
index 1a3c2ed1c..504972d95 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/connector/TokenKeyRecoveryServlet.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/connector/TokenKeyRecoveryServlet.java
@@ -284,7 +284,7 @@ public class TokenKeyRecoveryServlet extends CMSServlet {
 try {
 authzToken = authorize(mAclMethod, authToken,
- mAuthzResourceName, "read");
+ mAuthzResourceName, "submit");
 } catch (Exception e) { }
diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/GetTransportCert.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/GetTransportCert.java
index 841d777fd..21e64086e 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/GetTransportCert.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/GetTransportCert.java
@@ -108,7 +108,7 @@ public class GetTransportCert extends CMSServlet {
 AuthzToken authzToken = null;
 try {
 authzToken = authorize(mAclMethod, authToken, mAuthzResourceName,
- "modify");
+ "read");
 CMS.debug("GetTransportCert authorization successful.");
 } catch (EAuthzAccessDenied e) {
 log(ILogger.LL_FAILURE,
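Review bot: The new operation string on the `+` line is the only thing keeping this servlet in agreement with the `certServer.kra.GenerateKeyPair:execute` entry in acl.ldif, and a mismatch is invisible at runtime because the `catch (Exception e) { }` arm directly below discards whatever `authorize` throws, including `EAuthzAccessDenied`. GetTransportCert in this same commit catches `EAuthzAccessDenied` explicitly and logs it at `ILogger.LL_FAILURE`; the two connector servlets should do the same so an access denial leaves an audit record rather than only a null `authzToken`, e.g. `} catch (EAuthzAccessDenied e) {` followed by `log(ILogger.LL_FAILURE, <denial message — constructed placeholder>);` placed ahead of the generic arm. The same applies to the TokenKeyRecoveryServlet hunk, whose new operation is `submit`. How the null token is handled afterwards is outside the hunk, and the enclosing method both starts and ends outside it.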
diff --git a/pki/base/kra/shared/conf/acl.ldif b/pki/base/kra/shared/conf/acl.ldif index 5ff1c6598..861381330 100644 --- a/pki/base/kra/shared/conf/acl.ldif +++ b/pki/base/kra/shared/conf/acl.ldif 
@@ -26,8 +26,8 @@ resourceACLS: certServer.kra.systemstatus:read:allow (read) group="Data Recovery
 resourceACLS: certServer.kra.certificate.transport:read:allow (read) user="anybody":Anybody is allowed to read transport certificate
 resourceACLS: certServer.kra.request.status:read:allow (read) group="Data Recovery Manager Agents":Only data recovery manager agents retrieve the remote key recovery approval status
 resourceACLS: certServer.kra.group:read,modify:allow (modify,read) group="Administrators":Only administrators are allowed to read and modify groups
-resourceACLS: certServer.kra.GenerateKeyPair:submit,read:allow (read,submit) group="Data Recovery Manager Agents":Only Data Recovery Manager Agents are allowed to submit requests
-resourceACLS: certServer.kra.TokenKeyRecovery:submit,read:allow (read,submit) group="Data Recovery Manager Agents":Only Data Recovery Manager Agents are allowed to submit requests
+resourceACLS: certServer.kra.GenerateKeyPair:execute:allow (execute) group="Data Recovery Manager Agents":Only Data Recovery Manager Agents are allowed to execute requests
+resourceACLS: certServer.kra.TokenKeyRecovery:submit:allow (submit) group="Data Recovery Manager Agents":Only Data Recovery Manager Agents are allowed to submit requests
 resourceACLS: certServer.kra.registerUser:read,modify:allow (modify,read) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators":Only Enterprise Administrators are allowed to register a new agent
-resourceACLS: certServer.kra.getTransportCert:read,modify:allow (modify,read) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators":Only Enterprise Administrators are allowed to retrieve the transport cert
+resourceACLS: 
certServer.kra.getTransportCert:read:allow (read) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators":Only Enterprise Administrators are allowed to retrieve the transport cert
 resourceACLS: certServer.clone.configuration:read,modify:allow (modify,read) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators":Only Enterprise Administrators are allowed to clone the configuration. |
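Review bot: The rewritten GenerateKeyPair and TokenKeyRecovery entries drop `read` from both the granted operation list and the declared `(…)` operation set, so any code that still authorizes against these resource names with `read` is denied from this change on; the two connector servlets in this commit are updated, but other callers cannot be seen from this diff and should be confirmed before merging. Because the operation names here are matched only by string against the servlet literals, a `#` comment above these two entries naming the servlet each protects would make that coupling visible to the next editor, e.g. `# operation names must match the authorize() call in GenerateKeyPairServlet / TokenKeyRecoveryServlet`. The getTransportCert entry is narrowed to `read` consistently with the GetTransportCert change in this commit.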