Access Rules

EJBCA Access Rules inherit the state from their parent rule by default, unless individually specified. Each access rule consists of the states Allow, Deny and Inherit.

In the following example, the rules /ca_functionality/, /ca_functionality/approve_caaction/ and /ca_functionality/activate_ca/ are interpreted as Allow and /ca_functionality/create_crl/ as Deny (as individually specified):

/ca_functionality/                    ALLOW
/ca_functionality/approve_caaction/   INHERIT
/ca_functionality/activate_ca/        INHERIT
/ca_functionality/create_crl/         DENY

Note that in order to use add, edit, and delete operations, corresponding /view access is also required. Setting /view rules to Deny (or to inherit deny) will prevent the component from being displayed in the Admin GUI.

For information on all access rules required to call the Web Service API (EjbcaWS), refer to the Accessrules Required when Using the Web Service API section of Web Service Interface. For an overview of deprecated rules, see Deprecated Access Rules.

Internally, EJBCA stores rules related to specific objects using the object ID (and is thus unaffected by name changes of the objects).

The access rules are listed in the following tables using the name of the objects, as presented in the Admin GUI:

Role Based Access Rules

/

Root Access. All sub rules will inherit from root. Default set to Deny.

WARNING: Setting root to Allow will allow all sub rules unless they are specified individually. Except for creating new CAs, no individual operations require root access.

/administrator/

Requires Allow to access Admin Web functionality and resources in the Web Service API (EjbcaWS), except for isAuthorized, existsHardToken, isApproved which only need a valid, trusted certificate.

Regular Access Rules

/ca_functionality/

Allows all sub rules of /ca_functionality/. No individual CA operations require this to be set to Allow. Note that this does not include all items listed under CA Functions in the Admin GUI.

/ca_functionality/approve_caaction/

Required to approve or reject requested approvals relating to the CA, such as CA Service activation.

/ca_functionality/activate_ca/

Required to activate the CA service. To activate the Crypto Token used by the CA, access to /cryptotoken/activate/%token name%/ is also required.

/ca_functionality/create_certificate/

Required to issue certificates and approve certificate requests.

/ca_functionality/create_crl/

Required to create a new Certificate Revocation List (CRL).

/ca_functionality/edit_approval_profiles/

Required to add or edit Approval Profiles.

/ca_functionality/edit_ca/

Grants access to edit a CA from the Admin GUI and CLI. Note that the CA Id, name and subject DN cannot be edited.

/ca_functionality/edit_certificate_profiles/

Required to edit Certificate Profiles. Additionally, these operations require the CA to be set as available.

/ca_functionality/edit_publisher/

Required to add or edit Publishers.

/ca_functionality/edit_validator/

Required to add or edit Validators.

/ca_functionality/renew_ca/

Required to allow renewal of the CA certificate. (This does not affect access to renew end entity certificates.) Additional access to crypto tokens may also be required, depending on the configuration.

/ca_functionality/view_approval_profiles/

Required to view and access existing Approval Profiles.

/ca_functionality/view_ca/

Required to view and access CA Activation, CA Structure & CRL and Certificate Authorities. Access to this rule is required even if /ca/%ca name%/ is allowed.

/ca_functionality/view_certificate/

Required to view end entity certificates.

/ca_functionality/view_certificate_profiles/

Required to view and access Certificate Profiles.

/ca_functionality/view_publisher/

Required to view and access Publishers.

/ca_functionality/view_validator/

Required to view and access Validators.

/hardtoken_functionality/

Allows all sub rules of /hardtoken_functionality/.

/hardtoken_functionality/edit_hardtoken_issuers/

Required to view, add and edit Hard Token Issuers. Administrators with access to this rule should also be granted access to /hardtoken_functionality/issue_hardtokens/.

/hardtoken_functionality/edit_hardtoken_profiles/

Required to view, add and edit Hard Token Profiles.

/hardtoken_functionality/issue_hardtoken_administrators/

Required to issue administrator Hard Tokens.

/hardtoken_functionality/issue_hardtokens/

Required to issue Hard Tokens.

/ra_functionality/

Allows access to all RA functions listed under /ra_functionality/. Note that no individual RA operations require this to be set to Allow.

/ra_functionality/approve_end_entity/

Required to search for, and approve, end entity related requests, such as Add / Edit end entity and revoke / recover certificate.

/ra_functionality/create_end_entity/

Required to create end entities. To enroll certificates via the RA GUI, access to /ra_functionality/delete_end_entity/ is also required.

/ra_functionality/delete_end_entity/

Required to delete end entities.

/ra_functionality/edit_end_entity/

Required to edit end entities.

/ra_functionality/edit_end_entity_profiles/

Required to edit End Entity Profiles.

/ra_functionality/edit_user_data_sources/

Required to view and edit User Data Sources.

/ra_functionality/keyrecovery/

Required to perform a key recovery. Note that this rule does not regulate the possibility to activate key recovery for End Entity Profiles and end entities.

/ra_functionality/revoke_end_entity/

Required to revoke end entities.

/ra_functionality/view_approvals/

Required to view pending approvals. Note that this rule is not required for administrators that have created the approval request(s) in question.

/ra_functionality/view_end_entity/

Required to view end entities.

/ra_functionality/view_end_entity_history/

Required to view End Entity History.

/ra_functionality/view_end_entity_profiles/

Required to view End Entity Profiles.

/ra_functionality/view_hardtoken/

Required to view Hard Tokens. Note that this rule does not apply to Hard Token Issuers or Hard Token Profiles.

/ra_functionality/view_hardtoken/puk_data/

Required to access PUK data from Hard Tokens, for example the smart card PUK code.

/services/edit/

Required to add or edit System Services.

/services/view/

Required to view System Services.

/system_functionality/

Allows access to all sub rules of /system_functionality/. Note that this does not include all functions listed under System Functions in the Admin GUI.

/system_functionality/edit_administrator_privileges/

Required to add or edit administrator Roles and their access rules (as described in this documentation). This function also allows adding or editing members of roles. To access these operations, access to /system_functionality/view_administrator_privileges/ is also required.

/system_functionality/edit_available_custom_certificate_extensions/

Required to add or edit custom certificate extensions. In order to access these operations, access to /system_functionality/view_available_custom_certificate_extensions/, /system_functionality/edit_systemconfiguration/ and /system_functionality/view_systemconfiguration/ is also required. Note that this rule only relates to the system setting of custom extensions, and does not regulate the possibility to view or edit extensions of actual certificates.

/system_functionality/edit_available_extended_key_usages/

Required to add or edit extended key usages. In order to edit extended key usages, access to /system_functionality/view_available_extended_key_usages/, /system_functionality/edit_systemconfiguration/ and /system_functionality/view_systemconfiguration/ is also required.

/system_functionality/edit_systemconfiguration/

Required to edit system configuration, including Basic configuration, CMP configuration, SCEP configuration, Administrator preferences, Extended key usage, Custom RA Styles, and Certificate transparency logs. Note that this does not include all settings listed under System Configuration in the Admin GUI.

/system_functionality/view_administrator_privileges/

Required to view settings related to administrator privileges, such as administrator Roles, administrator Role Members and access rules.

/system_functionality/view_available_custom_certificate_extensions/

Required to view custom certificate extensions. Note that this rule only relates to the system setting of custom extensions, and does not regulate the possibility to view extensions of actual certificates.

/system_functionality/view_available_extended_key_usages/

Required to view extended key usages.

/system_functionality/view_systemconfiguration/

Required to view system configuration, including CMP configuration, SCEP configuration, Administrator preferences, and Certificate transparency logs. Note that this does not include all settings listed under System Configuration in the Admin GUI.

CA Access Rules

/ca/

Regulates access to all Certificate Authorities. The state of this access rule determines visibility of, and ability to edit, any entities, certificates, profiles or settings belonging to the CA. In order to create a new CA, this rule must be set to Allow and access to /cryptotoken/use/ is also required.

/ca/%ca name%/

Regulates access to a specific CA, where %ca name% is the name of the CA. All available CAs should be listed as sub rules to /ca/.

Validator Access Rules

/validator/

Regulates access to all Validators. The state of this access rule determines visibility of, and ability to edit, these Validators.

/validator/%validator name%/

Regulates access to a specific Validator, where %validator name% is the name of the Validator. All available Validators should be listed as sub rules to /validator/.

End Entity Profile Access Rules

The End Entity Profile access rules work in conjunction with the rules under /ra_functionality/.

For example, to view an end entity belonging to a specific End Entity Profile "SomeProfile", access to both /ra_functionality/view_end_entity/ and /endentityprofilesrules/SomeProfile/view_end_entity/ is required.
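The inheritance walk shown in the example table at the top of the page, together with the combined /ra_functionality/ plus /endentityprofilesrules/ check just described, as an added Python model (not EJBCA's own code): a rule resolves to the nearest ancestor that is explicitly Allow or Deny, the root defaults to Deny, and an operation is authorized only when every rule it needs resolves to Allow. The role dictionary below is constructed for this example.

```python
from enum import Enum


class State(Enum):
    ALLOW = "ALLOW"
    DENY = "DENY"
    INHERIT = "INHERIT"


def normalize(rule: str) -> str:
    """EJBCA-style rule paths start and end with '/'; '/' alone is root."""
    rule = "/" + rule.strip("/")
    return rule if rule == "/" else rule + "/"


def resolve(rules: dict, resource: str) -> State:
    """Walk from the resource up towards the root and return the first
    explicit ALLOW or DENY. Unset rules behave as INHERIT, and the root
    itself defaults to DENY, as the page describes."""
    path = normalize(resource)
    while True:
        state = rules.get(path, State.INHERIT)
        if state is not State.INHERIT:
            return state
        if path == "/":
            return State.DENY
        # Drop the last path component: "/a/b/" -> "/a/"
        path = path[: path.rstrip("/").rfind("/") + 1]


def is_authorized(rules: dict, *resources: str) -> bool:
    """An operation that needs several rules is allowed only if all resolve to ALLOW."""
    return all(resolve(rules, r) is State.ALLOW for r in resources)


def can_view_end_entity(rules: dict, profile: str) -> bool:
    """The page's example: the generic RA rule and the profile-specific rule are both needed."""
    return is_authorized(
        rules,
        "/ra_functionality/view_end_entity/",
        f"/endentityprofilesrules/{profile}/view_end_entity/",
    )


# Constructed role modelled on the example table at the top of the page,
# extended with the two rules the "SomeProfile" example needs.
EXAMPLE_ROLE = {
    "/ca_functionality/": State.ALLOW,
    "/ca_functionality/approve_caaction/": State.INHERIT,
    "/ca_functionality/activate_ca/": State.INHERIT,
    "/ca_functionality/create_crl/": State.DENY,
    "/ra_functionality/view_end_entity/": State.ALLOW,
    "/endentityprofilesrules/SomeProfile/": State.ALLOW,
}
```

Resolving a rule that is not in the dictionary at all (for example /ca_functionality/create_certificate/) walks up to /ca_functionality/ and yields Allow, which is why a role with root set to Allow grants everything that is not individually denied.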

/endentityprofilesrules/

Allows access to all sub rules of /endentityprofilesrules/ for all available End Entity Profiles.

/endentityprofilesrules/%profile name%/

Allows access to all sub rules of a specific End Entity Profile.

/endentityprofilesrules/%profile name%/approve_end_entity/

Required to search for, and approve, end entity requests belonging to the End Entity Profile.

/endentityprofilesrules/%profile name%/create_end_entity/

Required to create end entities belonging to the End Entity Profile. Note that /endentityprofilesrules/%profile name%/edit_end_entity/ is not required for this operation.

/endentityprofilesrules/%profile name%/delete_end_entity/

Required to delete end entities belonging to the End Entity Profile. Note that access to /endentityprofilesrules/%profile name%/view_end_entity/ is also required.

/endentityprofilesrules/%profile name%/edit_end_entity/

Required to edit end entities belonging to the End Entity Profile. Note that access to /endentityprofilesrules/%profile name%/view_end_entity/ is also required.

/endentityprofilesrules/%profile name%/keyrecovery/

Required to perform a key recovery on end entities belonging to the End Entity Profile. Note that this rule does not regulate the possibility to activate key recovery for End Entity Profiles or end entities, or the possibility to create a new key store.

/endentityprofilesrules/%profile name%/revoke_end_entity/

Required to revoke end entities belonging to the End Entity Profile. Note that access to /endentityprofilesrules/%profile name%/view_end_entity/ is also required.

/endentityprofilesrules/%profile name%/view_end_entity/

Required to view an end entity belonging to the End Entity Profile.

/endentityprofilesrules/%profile name%/view_end_entity_history/

Required to view the history of an end entity belonging to the End Entity Profile.

/endentityprofilesrules/%profile name%/view_hardtoken/

Required to view Hard Tokens of an end entity belonging to the End Entity Profile. Note that this does not apply to Hard Token Issuers or Hard Token Profiles.

/endentityprofilesrules/%profile name%/view_hardtoken/puk_data/

Required to access PUK data from Hard Tokens, for example the smart card PUK code.

Crypto Token Access Rules

/cryptotoken/

Allows all sub rules of /cryptotoken/. Applies to all tokens.

/cryptotoken/activate/

Required to activate any deactivated Crypto Token.

/cryptotoken/activate/%token name%/

Required to activate a specific Crypto Token.

/cryptotoken/deactivate/

Required to deactivate any activated Crypto Token.

/cryptotoken/deactivate/%token name%/

Required to deactivate a specific Crypto Token.

/cryptotoken/delete/

Required to delete Crypto Tokens.

/cryptotoken/keys/generate/

Required to generate a key pair in any Crypto Token.

/cryptotoken/keys/generate/%token name%/

Required to generate a key pair in a specific Crypto Token.

/cryptotoken/keys/remove/

Required to remove key pairs from any Crypto Token.

/cryptotoken/keys/remove/%token name%/

Required to remove key pairs from a specific Crypto Token.

/cryptotoken/keys/test/

Required to use the test action for any key pair belonging to any Crypto Token.

/cryptotoken/keys/test/%token name%/

Required to use the test action for any key pair belonging to a specific Crypto Token.

/cryptotoken/modify/

Required to create and edit Crypto Tokens. This includes generating key pairs.

/cryptotoken/use/

Allows usage of all Crypto Tokens, for example when creating a new CA. Denying this rule will prohibit the role from creating new Certificate Authorities.

/cryptotoken/use/%token name%/

Required to use a specific Crypto Token, for example while creating a new CA.

/cryptotoken/view/

Required to view any Crypto Token.

/cryptotoken/view/%token name%/

Required to view a specific Crypto Token.

User Data Source Access Rules

/userdatasourcesrules/

Allows all sub rules of /userdatasourcesrules/.

/userdatasourcesrules/%data source name%/fetch_userdata/

Required to fetch data from the connected User Data Source.

/userdatasourcesrules/%data source name%/remove_userdata/

Required to remove data from the connected User Data Source.

Internal Keybinding Rules

/internalkeybinding/

Allows full access to internal key bindings.

/internalkeybinding/delete/

Required to delete internal key bindings.

/internalkeybinding/modify/

Required to edit and/or modify internal key bindings.

/internalkeybinding/view/

Required to view internal key bindings.

Peer Management Rules

/peer/

Allows all sub rules of /peer/.

/peer/manage/

Required to manage and initialize peer sync tasks as well as to send peer messages.

/peer/modify/

Required to modify peer systems. This includes adding, editing and allowing incoming connections. Outgoing connections are allowed by default but can be denied.

/peer/view/

Required to view peer systems.

/peerincoming/

Required to allow incoming peer connections, for example publishing from a connecting CA or API invocations from a connecting RA.

Peer RA Protocol Rules

The following access rules are used to restrict access to certain protocols for an external EJBCA instance (using Peer connectors). The rules are intended for, and will only apply to, Peer connector roles (i.e. roles that also allow /ra_master/invoke_api/). The rules cannot be used to control access for individual users or user groups.

/protocol/

Allows all protocols for the Peer Connector certificate that is a member of the administrator group.

/protocol/acme/

Required to allow the ACME protocol for the external instance.

/protocol/cmp/

Required to allow the CMP protocol for the external instance.

/protocol/est/

Required to allow the EST protocol for the external instance.

/protocol/rest/

Required to allow the RESTful Certificate Management protocol for the external instance.

/protocol/scep/

Required to allow the SCEP protocol for the external instance.

/protocol/web_services/

Required to allow SOAP Web Services for the external instance.

Audit Log Rules

/secureaudit/

Allows all sub rules of /secureaudit/.

/secureaudit/auditor/select/

Required to view the Security Event Audit Log.

Peer RA Rules

/ra_master/invoke_api/

Required by the RA system in order to invoke the RA API. Configured on the CA instance.

/ra_slave/manage/

Required by a remote host to manage the local EJBCA instance as an RA. Configured on the RA instance.

Peer Publisher Rules

/peerpublish/

Allows all sub rules of /peerpublish/. To publish CRLs and certificates through peer connectors, access to the CA in question (/ca/%ca name%/) and to /peerincoming/ is also required (from the connecting system). The same requirements apply to certificate data synchronization.

/peerpublish/readcert/

Required to read published certificates.

/peerpublish/writecert/

Required to publish certificates.

/peerpublish/writecrl/

Required to publish Certificate Revocation Lists (CRLs).

Deprecated Access Rules

The following access rules have been removed from EJBCA as they were either redundant or no longer had any effect due to system changes.

/public_web_user/

Removed in EJBCA 6.8.0. Access rules for Public Web users can be set through Administrator Roles using the match value PublicAccessAuthenticationToken.

/ca_functionality/basic_functions/

Removed in EJBCA 6.8.0.

/ca_functionality/basic_functions/activate_ca/

Migrated to /ca_functionality/activate_ca/ in EJBCA 6.8.0.

/secureaudit/auditor/export/

No longer visible as of EJBCA 6.8.0.

/secureaudit/auditor/verify/

No longer visible as of EJBCA 6.8.0.

/secureaudit/log/

No longer visible as of EJBCA 6.8.0.

/secureaudit/log_custom_events/

No longer visible as of EJBCA 6.8.0.

/secureaudit/management/manage/

No longer visible as of EJBCA 6.8.0.