3.1.1.7 Permissions
The CA SHOULD store the following sets of permissions. Certificate Services Remote Administration Protocol server implementations that also implement the Windows Client Certificate Enrollment Protocol or the ICertPassage Remote Protocol use the same configuration data element, defined here, for those implementations:
Config_Permissions_CA_Security: A list, shared from the Config_Permissions_CA_Security list defined in [MS-WCCE] section 3.2.1.1.4.
Config_Permissions_Officer_Rights: A list, shared from the Config_Permissions_Officer_Rights list defined in [MS-WCCE] section 3.2.1.1.4.
Config_Permissions_Enrollment_Agent_Rights: A list, shared from the Config_Permissions_Enrollment_Agent_Rights list defined in [MS-WCCE] section 3.2.1.1.4.
The permissions are used to enforce that the caller has particular permissions for any method specified in section 3.1.4.
On Windows, the CA defines six permissions: Enroll, Read, Officer, Administrator, Operator, and Auditor.<9>
For CA security (GetCASecurity, SetCASecurity, and GetMyRoles), the Microsoft CA assigns permissions to principals (identified by the access control entry (ACE)) in the following manner.
|
Permission |
Access Mask Bit value |
|---|---|
|
Read |
0x00000100 |
|
Enroll |
0x00000200 |
|
Officer |
0x00000002 |
|
Administrator |
0x00000001 |
|
Auditor |
0x00000004 |
|
Operator |
0x00000008 |
If a principal has Enroll, Officer, or Administrator permission, Read permission is implied and does not need to be explicitly set.
For the CA Operator role that is defined in [CIMC-PP], a principal must have Read permission (implicit or explicit) and must also have the SeBackupPrivilege, as specified in [MS-LSAD] section 3.1.1.2.1.
For the CA Auditor role that is defined in [CIMC-PP], a principal must have Read permission (implicit or explicit) and must also have the SeSecurityPrivilege, as specified in [MS-LSAD] section 3.1.1.2.1.
The following table specifies the method name and the list of permissions required by the caller. With the exception of where mentioned, the caller only needs to possess at least one of these access permissions for the call to be allowed by the CA.
|
Method name |
Permissions required |
|---|---|
|
ICertRequestD::Request |
Enroll |
|
ICertRequestD:GetCACert |
Enroll |
|
ICertRequestD2::Request2 |
Enroll |
|
ICertRequestD2::GetCAProperty |
Enroll |
|
ICertRequestD2::GetCAPropertyInfo |
Enroll |
|
ICertAdminD::GetCRL |
Administrator, Officer, Read |
|
ICertAdminD2::GetCAProperty |
Administrator, Officer, Read |
|
ICertAdminD2::GetCAPropertyInfo |
Administrator, Officer, Read |
|
ICertAdminD::GetViewDefaultColumnSet |
Administrator, Officer, Read |
|
ICertAdminD::EnumAttributesOrExtensions |
Administrator, Officer, Read |
|
ICertAdminD::OpenView |
Administrator, Officer, Read |
|
ICertAdminD::IsValidCertificate |
Administrator, Officer, Read |
|
ICertAdminD::GetServerState |
None required |
|
ICertAdminD2::GetCASecurity |
Administrator, Officer, Read |
|
ICertAdminD2::GetAuditFilter |
Administrator, Officer, Read |
|
ICertAdminD2::GetOfficerRights |
Administrator, Officer, Read |
|
ICertAdminD2::GetConfigEntry |
Administrator, Officer, Read |
|
ICertAdminD2::EnumViewColumnTable |
Administrator, Officer, Read |
|
ICertAdminD2::GetMyRoles |
Administrator, Officer, Read |
|
ICertAdminD2::GetArchivedKey |
Officer |
|
ICertAdminD::SetExtension |
Officer |
|
ICertAdminD::SetAttributes |
Officer |
|
ICertAdminD::DenyRequest |
Officer |
|
ICertAdminD::ReSubmitRequest |
Officer |
|
ICertAdminD::RevokeCertificate |
Officer |
|
ICertAdminD::ImportCertificate |
Officer |
|
ICertAdmin:D2:ImportKey |
Officer |
|
ICertAdminD2::PublishCRLs |
Administrator |
|
ICertAdminD::ServerControl |
Administrator, Operator |
|
ICertAdminD::Ping |
Administrator |
|
ICertAdminD::Ping2 |
Administrator |
|
ICertAdminD2::SetCASecurity |
Administrator |
|
ICertAdminD2::SetCAProperty |
Administrator |
|
ICertAdminD2::SetAuditFilter |
Administrator, Auditor (either of these is checked based on a CA setting that denotes the permissions to check for SetAuditFilter) |
|
ICertAdminD2::SetOfficerRights |
Administrator |
|
ICertAdminD2::SetConfigEntry |
Administrator |
|
ICertAdminD2::DeleteRow |
Both Administrator and Officer must be present. |
|
ICertAdminD::PublishCRL |
Administrator |
|
ICertAdminD::BackupPrepare |
Operator |
|
ICertAdminD::BackupEnd |
Operator |
|
ICertAdminD::RestoreGetDatabaseLocations |
Operator |
|
ICertAdminD::BackupGetAttachedInformation |
Operator |
|
ICertAdminD::BackupGetBackupLogs |
Operator |
|
ICertAdminD::BackupGetDynamicFiles |
Operator |
|
ICertAdminD::BackupOpenFile |
Operator |
|
ICertAdminD::BackupReadFile |
Operator |
|
ICertAdminD::BackupCloseFile |
Operator |
|
ICertAdminD::BackupTruncateLogs |
Operator |
The CA SHOULD enforce Officer rights for any of the following methods:
ICertAdminD2::GetArchivedKey
ICertAdminD::SetExtension
ICertAdminD::SetAttributes
ICertAdminD::DenyRequest
ICertAdminD::ReSubmitRequest
ICertAdminD::RevokeCertificate
The CA SHOULD enforce the Enrollment Agent rights for ICertRequestD::Request