1 <acl>
2   <!-- Wildcard definition area                             -->
3   <!--                                                      -->
4   <!-- First we define how wildcards have to be interpreted. -->
5   <!-- This is necessary to build a very fast ACL.          -->
6   <!-- Internally we extend every wildcard to single entry  -->
7   <!-- in the ACL. This allows us to implement the ACL as   -->
8   <!-- a very fast three dimensional hash.                  -->
10   <!-- we map the server_id (dbi) to a human readable value -->
11   <server>
12     <!-- offline system if server 1 really exists -->
13     <id>0</id>
14     <name>CA</name>
15   </server>
17   <!-- FIXME: perhaps we should define roles somewhere else.
        Note that only Anonymous, User, RA Operator and CA Operator get a
        workflow_permissions block further down. "Web Server" and "Sub CA"
        are declared here but receive nothing beyond the wildcard
        Service::/API:: permissions, which presumably means they can neither
        create nor read any workflow - confirm that is intended before
        relying on these two roles. -->
18   <role>User</role>
19   <role>RA Operator</role>
20   <role>CA Operator</role>
21   <role>Web Server</role>
22   <role>Sub CA</role>
24   <!-- Permissions                                                -->
25   <!--                                                            -->
26   <!-- This is the real ACL area. Here we define the              -->
27   <!--     permissions. A permission consists of four things:     -->
28   <!--     1. server                                              -->
29   <!--     2. activity                                           -->
30   <!--     3. affected_role                                       -->
31   <!--     4. auth_role                                           -->
32   <!--                                                            -->
33   <!--     The server is simply the human readable name of a      -->
34   <!--     server or the wildcard '*'. The activity is the        -->
35   <!--     correct name of the workflow activity. The             -->
36   <!--     affected_role is like the name says the affected role. -->
37   <!--     If the CA itself is affected then the value is the     -->
38   <!--     empty string. The auth_role is the role of the logged-in  -->
39   <!--     user. This role is determined from the session.           -->
41   <!-- the CA and RA Operator are both allowed everything here. Their
42        permissions only differ at the workflow level (see the
43        workflow_permissions blocks below), and RA Operator approvals are
44        usually only taken into account for certificate requests -->
45   <permission>
46     <server>*</server>
47     <activity>*</activity>
48     <affected_role>*</affected_role>
49     <auth_role>CA Operator</auth_role>
50   </permission>
51   <permission>
52     <server>*</server>
53     <activity>*</activity>
54     <affected_role>*</affected_role>
55     <auth_role>RA Operator</auth_role>
56   </permission>
57   <!-- everybody can do all service calls. Note that auth_role '*' also
        covers the anonymous (empty) role, so this entry and the API::*
        entry below are the broadest grants to unauthenticated callers in
        this file; narrow them if any Service:: or API:: activity is not
        meant to be reachable without a login. -->
58   <permission>
59     <server>*</server>
60     <activity>Service::*</activity>
61     <affected_role>*</affected_role>
62     <auth_role>*</auth_role>
63   </permission>
64   <!-- same for the API -->
65   <permission>
66     <server>*</server>
67     <activity>API::*</activity>
68     <affected_role>*</affected_role>
69     <auth_role>*</auth_role>
70   </permission>
72   <!-- everybody may store, retrieve and change passwords; the workflow ACL
73        below checks that only the owner can get to the workflow (except for
74        the CA Operator, who reads every PASSWORD_SAFE workflow and, unlike
        User and RA Operator, without the encrypted_.* context filter). The
        Anonymous role has no PASSWORD_SAFE workflow permissions below, so
        these activity grants should only be reachable by User, RA Operator
        and CA Operator. -->
75   <permission>
76      <server>*</server>
77      <activity>Workflow::store_password</activity>
78      <affected_role>*</affected_role>
79      <auth_role>*</auth_role>
80   </permission>
82   <permission>
83      <server>*</server>
84      <activity>Workflow::retrieve_password</activity>
85      <affected_role>*</affected_role>
86      <auth_role>*</auth_role>
87   </permission>
89   <permission>
90      <server>*</server>
91      <activity>Workflow::change_password</activity>
92      <affected_role>*</affected_role>
93      <auth_role>*</auth_role>
94   </permission>
96   <permission>
97      <server>*</server>
98      <activity>Workflow::persist_csr</activity>
99      <affected_role>*</affected_role>
100      <auth_role>*</auth_role>
101   </permission>
102   <!-- Workflow permissions: who can create and read which workflows? -->
103   <workflow_permissions role="Anonymous"> <!-- aka the empty ('') role -->
104       <server name="*">
105           <!-- the anonymous user can create and read CSR and CRR workflows
106                as well as SCEP on all servers -->
107           <create>
108               <type>I18N_OPENXPKI_WF_TYPE_CERTIFICATE_SIGNING_REQUEST</type>
109           </create>
110           <create>
111               <type>I18N_OPENXPKI_WF_TYPE_CERTIFICATE_REVOCATION_REQUEST</type>
112           </create>
113           <create>
114               <type>I18N_OPENXPKI_WF_TYPE_SCEP_REQUEST</type>
115           </create>
116           <read> <!-- read also means list and execute activity (if the ACL
                         condition holds). creator and the context_filter show/hide
                         values are written as patterns (.*, encrypted_.*), so they
                         are presumably regular expressions - check whether they are
                         anchored before relying on a bare name like cert_profile -->
117               <creator>$self</creator>
118               <type>I18N_OPENXPKI_WF_TYPE_CERTIFICATE_SIGNING_REQUEST</type>
119               <context_filter>
120                   <show>.*</show>
121                   <hide>approvals</hide>
122               </context_filter>
123           </read>
124           <read>
125               <creator>$self</creator>
126               <type>I18N_OPENXPKI_WF_TYPE_CERTIFICATE_REVOCATION_REQUEST</type>
127           </read>
128           <read>
129               <creator>$self</creator>
130               <type>I18N_OPENXPKI_WF_TYPE_SCEP_REQUEST</type>
131               <context_filter>
132                   <show>.*</show>
133                   <hide>approvals</hide>
134               </context_filter>
135           </read>
136           <!-- needed for SCEP to look up the profile of an existing
137                certificate which is to be renewed. This is the only
                   any-creator (.*) read granted to the anonymous role, so keep
                   the show list limited to cert_profile. Note that the User
                   role below has no equivalent entry: it only reads issuance
                   workflows it created itself. -->
138           <read>
139               <creator>.*</creator>
140               <type>I18N_OPENXPKI_WF_TYPE_CERTIFICATE_ISSUANCE</type>
141               <context_filter>
142                   <show>cert_profile</show>
143               </context_filter>
144           </read>
145       </server>
146   </workflow_permissions>
147   <workflow_permissions role="User">
148       <!-- someone with a 'User' role can create everything the anonymous
149            user can, plus smartcard personalization and password safe
               workflows. Reads differ from Anonymous in one place: a User only
               reads CERTIFICATE_ISSUANCE workflows it created itself (without a
               context filter), whereas Anonymous reads the cert_profile of any
               issuance workflow. -->
150       <server name="*">
151           <!-- a User can create and read CSR, CRR and SCEP workflows on all
152                servers, as well as smartcard personalization and password safe -->
153           <create>
154               <type>I18N_OPENXPKI_WF_TYPE_CERTIFICATE_SIGNING_REQUEST</type>
155           </create>
156           <create>
157               <type>I18N_OPENXPKI_WF_TYPE_CERTIFICATE_REVOCATION_REQUEST</type>
158           </create>
159           <create>
160               <type>I18N_OPENXPKI_WF_TYPE_SCEP_REQUEST</type>
161           </create>
162           <create>
163               <type>I18N_OPENXPKI_WF_TYPE_SMARTCARD_PERSONALIZATION</type>
164           </create>
165           <create>
166               <type>I18N_OPENXPKI_WF_TYPE_PASSWORD_SAFE</type>
167           </create>
168           <read> <!-- read also means list and execute activity (if the ACL condition holds) -->
169               <creator>$self</creator>
170               <type>I18N_OPENXPKI_WF_TYPE_CERTIFICATE_SIGNING_REQUEST</type>
171               <context_filter>
172                   <show>.*</show>
173                   <hide>approvals</hide>
174               </context_filter>
175           </read>
176           <read>
177               <creator>$self</creator>
178               <type>I18N_OPENXPKI_WF_TYPE_CERTIFICATE_REVOCATION_REQUEST</type>
179           </read>
180           <read>
181               <creator>$self</creator>
182               <type>I18N_OPENXPKI_WF_TYPE_PASSWORD_SAFE</type>
183               <context_filter>
184                   <show>.*</show>
185                   <hide>encrypted_.*</hide>
186               </context_filter>
187           </read>
188           <read>
189               <creator>$self</creator>
190               <type>I18N_OPENXPKI_WF_TYPE_SCEP_REQUEST</type>
191               <context_filter>
192                   <show>.*</show>
193                   <hide>approvals</hide>
194               </context_filter>
195           </read>
196           <read>
197               <creator>$self</creator>
198               <type>I18N_OPENXPKI_WF_TYPE_SMARTCARD_PERSONALIZATION</type>
199               <context_filter>
200                   <show>.*</show>
201                   <hide>approvals</hide>
202               </context_filter>
203           </read>
204           <read>
205               <creator>$self</creator>
206               <type>I18N_OPENXPKI_WF_TYPE_CERTIFICATE_ISSUANCE</type>
207           </read>
208       </server>
209   </workflow_permissions>
210   <workflow_permissions role="RA Operator">
211       <server name="*">
212           <create>
213               <type>I18N_OPENXPKI_WF_TYPE_CERTIFICATE_SIGNING_REQUEST</type>
214           </create>
215           <create>
216               <type>I18N_OPENXPKI_WF_TYPE_CERTIFICATE_REVOCATION_REQUEST</type>
217           </create>
218           <create>
219               <type>I18N_OPENXPKI_WF_TYPE_PASSWORD_SAFE</type>
220           </create>
221           <read> 
222               <creator>.*</creator>
223               <type>I18N_OPENXPKI_WF_TYPE_CERTIFICATE_SIGNING_REQUEST</type>
224               <context_filter>
225                   <show>.*</show>
226                   <!-- this is a policy decision: you may want to show the
227                   registration officers who else has approved - or not, so as
228                   not to bias their judgement. Note that the CA Operator entry
                      below carries no such filter and sees the approvals. -->
229                   <hide>approvals</hide>
230               </context_filter>
231           </read>
232           <read>
233               <creator>.*</creator>
234               <type>I18N_OPENXPKI_WF_TYPE_CERTIFICATE_REVOCATION_REQUEST</type>
235           </read>
236           <read>
237               <creator>.*</creator>
238               <type>I18N_OPENXPKI_WF_TYPE_SCEP_REQUEST</type>
239               <context_filter>
240                   <show>.*</show>
241                   <hide>approvals</hide>
242               </context_filter>
243           </read>
244           <read>
245               <creator>.*</creator>
246               <type>I18N_OPENXPKI_WF_TYPE_SMARTCARD_PERSONALIZATION</type>
247           </read>
248           <read>
249               <creator>.*</creator>
250               <type>I18N_OPENXPKI_WF_TYPE_CRL_ISSUANCE</type>
251           </read>
252           <read>
253               <creator>.*</creator>
254               <type>I18N_OPENXPKI_WF_TYPE_CERTIFICATE_ISSUANCE</type>
255           </read>
256           <read>
257               <creator>.*</creator>
258               <type>I18N_OPENXPKI_WF_TYPE_PASSWORD_SAFE</type>
259               <context_filter>
260                   <show>.*</show>
261                   <hide>encrypted_.*</hide>
262               </context_filter>
263           </read>
264       </server>
265   </workflow_permissions>
266   <workflow_permissions role="CA Operator">
267       <!-- the CA operator can do everything the RA Operator can, plus
268            creating CRL and certificate issuance workflows. Unlike the RA
               Operator, none of the CA Operator reads carry a context_filter:
               CSR/SCEP approvals and the encrypted_.* entries of every
               PASSWORD_SAFE workflow are visible to this role. Confirm this is
               intended, since it makes the CA Operator the one role that can
               see other users' stored password material. -->
269       <server name="*">
270           <create>
271               <type>I18N_OPENXPKI_WF_TYPE_CERTIFICATE_SIGNING_REQUEST</type>
272           </create>
273           <create>
274               <type>I18N_OPENXPKI_WF_TYPE_CERTIFICATE_REVOCATION_REQUEST</type>
275           </create>
276           <create>
277               <type>I18N_OPENXPKI_WF_TYPE_CRL_ISSUANCE</type>
278           </create>
279           <create>
280               <type>I18N_OPENXPKI_WF_TYPE_CERTIFICATE_ISSUANCE</type>
281           </create>
282           <create>
283               <type>I18N_OPENXPKI_WF_TYPE_PASSWORD_SAFE</type>
284           </create>
285           <read> 
286               <creator>.*</creator>
287               <type>I18N_OPENXPKI_WF_TYPE_CERTIFICATE_SIGNING_REQUEST</type>
288           </read>
289           <read>
290               <creator>.*</creator>
291               <type>I18N_OPENXPKI_WF_TYPE_CERTIFICATE_REVOCATION_REQUEST</type>
292           </read>
293           <read>
294               <creator>.*</creator>
295               <type>I18N_OPENXPKI_WF_TYPE_SCEP_REQUEST</type>
296           </read>
297           <read>
298               <creator>.*</creator>
299               <type>I18N_OPENXPKI_WF_TYPE_SMARTCARD_PERSONALIZATION</type>
300           </read>
301           <read>
302               <creator>.*</creator>
303               <type>I18N_OPENXPKI_WF_TYPE_CRL_ISSUANCE</type>
304           </read>
305           <read>
306               <creator>.*</creator>
307               <type>I18N_OPENXPKI_WF_TYPE_CERTIFICATE_ISSUANCE</type>
308           </read>
309           <read>
310               <creator>.*</creator>
311               <type>I18N_OPENXPKI_WF_TYPE_PASSWORD_SAFE</type>
312           </read>
313       </server>
314   </workflow_permissions>
315   <!-- TODO - create role that can only create cert issuance workflow and
316        has the necessary ACL rights to do the issuance and escalate to that
317        role in the CSR workflow forking step. Similarly for LDAP publication
318   -->
319 </acl>