summaryrefslogtreecommitdiffstats
path: root/base/ca
diff options
context:
space:
mode:
Diffstat (limited to 'base/ca')
-rw-r--r--base/ca/shared/conf/acl.ldif2
-rw-r--r--base/ca/shared/webapps/ca/WEB-INF/web.xml24
2 files changed, 25 insertions, 1 deletions
diff --git a/base/ca/shared/conf/acl.ldif b/base/ca/shared/conf/acl.ldif
index 732179216..d5385e8e2 100644
--- a/base/ca/shared/conf/acl.ldif
+++ b/base/ca/shared/conf/acl.ldif
@@ -6,7 +6,7 @@ resourceACLS: certServer.general.configuration:read,modify,delete:allow (read) g
resourceACLS: certServer.policy.configuration:read,modify:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Auditors";allow (modify) group="Administrators":Administrators, agents and auditors are allowed to read policy configuration but only administrators allowed to modify
resourceACLS: certServer.acl.configuration:read,modify:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Auditors";allow (modify) group="Administrators":Administrators, agents and auditors are allowed to read ACL configuration but only administrators allowed to modify
resourceACLS: certServer.log.configuration:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents";allow (modify) group="Administrators":Administrators, Agents, and auditors are allowed to read the log configuration but only administrators are allowed to modify
-resourceACLS: certServer.securitydomain.domainxml:read,modify:allow (read) user="anybody";allow (modify) group="Subsystem Group":Anybody is allowed to read domain.xml but only Subsystem group is allowed to modify the domain.xml
+resourceACLS: certServer.securitydomain.domainxml:read,modify:allow (read) user="anybody";allow (modify) group="Subsystem Group" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise RA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators":Anybody is allowed to read domain.xml but only Subsystem group and Enterprise Administrators are allowed to modify the domain.xml
resourceACLS: certServer.log.configuration.fileName:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" ;deny (modify) user=anybody:Nobody is allowed to modify a fileName parameter
#resourceACLS: certServer.log.configuration.signedAudit.expirationTime:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents";deny (modify) user=anybody:Nobody is allowed to modify an expirationTime parameter.
resourceACLS: certServer.log.content.signedAudit:read:allow (read) group="Auditors":Only auditor is allowed to read the signed audit log
diff --git a/base/ca/shared/webapps/ca/WEB-INF/web.xml b/base/ca/shared/webapps/ca/WEB-INF/web.xml
index b922b3d98..7528c310d 100644
--- a/base/ca/shared/webapps/ca/WEB-INF/web.xml
+++ b/base/ca/shared/webapps/ca/WEB-INF/web.xml
@@ -192,6 +192,25 @@
</servlet>
<servlet>
+ <servlet-name> caUpdateDomainXML-admin </servlet-name>
+ <servlet-class> com.netscape.cms.servlet.csadmin.UpdateDomainXML </servlet-class>
+ <init-param><param-name> GetClientCert </param-name>
+ <param-value> false </param-value> </init-param>
+ <init-param><param-name> authority </param-name>
+ <param-value> ca </param-value> </init-param>
+ <init-param><param-name> ID </param-name>
+ <param-value> caUpdateDomainXML </param-value> </init-param>
+ <init-param><param-name> interface </param-name>
+ <param-value> admin </param-value> </init-param>
+ <init-param><param-name> AuthMgr </param-name>
+ <param-value> TokenAuth </param-value> </init-param>
+ <init-param><param-name> AuthzMgr </param-name>
+ <param-value> BasicAclAuthz </param-value> </init-param>
+ <init-param><param-name> resourceID </param-name>
+ <param-value> certServer.securitydomain.domainxml </param-value> </init-param>
+ </servlet>
+
+ <servlet>
<servlet-name> caUpdateNumberRange </servlet-name>
<servlet-class> com.netscape.cms.servlet.csadmin.UpdateNumberRange </servlet-class>
<init-param><param-name> GetClientCert </param-name>
@@ -1882,6 +1901,11 @@
<url-pattern> /agent/ca/updateDomainXML </url-pattern>
</servlet-mapping>
+ <servlet-mapping>
+ <servlet-name> caUpdateDomainXML-admin </servlet-name>
+ <url-pattern> /admin/ca/updateDomainXML </url-pattern>
+ </servlet-mapping>
+
<servlet-mapping>
<servlet-name> caUpdateNumberRange </servlet-name>
<url-pattern> /admin/ca/updateNumberRange </url-pattern>
generated by cgit (git 2.34.1) at 2024-05-05 08:21:38 +0000