000019728 - How to forbid administrators from deleting certificates

Document created by RSA Customer Support Employee on Jun 16, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000019728
Applies To: Keon Certificate Authority 6.0
Issue: How to forbid administrators from deleting certificates
How to control which administrators can delete a certificate
Forbidding administrators from executing certain operations
Resolution: One or more ACLs can be created to limit the operations an administrator can execute. The following procedure is for advanced users and demonstrates how to forbid an administrator from deleting certificates:

1. In the KCA Administration Console, click on "System Configuration"
2. In the left pane, click on "Create ACL"
3. In the Description, enter the name of the page you want to protect. In our example, this is /ca/cert-ops/cert-delete.xuda.
4. Select a "Virtual Host" (for example, <hostname>:444 would be the KCA Administration server) or ANY "Virtual Host"
5. Click the "Save ACL" button
6. For our example, create the following rule:
        a) In the rules pane (bottom part of the window), select "None" for "Access Granted by this Rule"
        b) "Source" must be "Client"
        c) Select an appropriate "Attribute", for example, "Common Name"
        d) For "Comparison" select "is"
        e) In the "Value" field, enter the name of the administrator that should not be allowed to access the page (i.e. the delete certificate page)
7. Click "Commit Rule Changes" to save the rule.

When the administrator listed in the rule tries to delete a certificate, they will receive the following error message:

"Forbidden"
"You don't have permission to access /ca/cert-ops/cert-delete.xuda on this server."
Legacy Article ID: a11703
