Partager via


3.1.1.7 Permissions

The CA SHOULD store the following sets of permissions. Certificate Services Remote Administration Protocol server implementations that also implement the Windows Client Certificate Enrollment Protocol or the ICertPassage Remote Protocol use the same configuration data element, defined here, for those implementations:

Config_Permissions_CA_Security: A list, shared from the Config_Permissions_CA_Security list defined in [MS-WCCE] section 3.2.1.1.4.

Config_Permissions_Officer_Rights: A list, shared from the Config_Permissions_Officer_Rights list defined in [MS-WCCE] section 3.2.1.1.4.

Config_Permissions_Enrollment_Agent_Rights: A list, shared from the Config_Permissions_Enrollment_Agent_Rights list defined in [MS-WCCE] section 3.2.1.1.4.

The permissions are used to enforce that the caller has particular permissions for any method specified in section 3.1.4.

On Windows, the CA defines six permissions: Enroll, Read, Officer, Administrator, Operator, and Auditor.<9>

For CA security (GetCASecurity, SetCASecurity, and GetMyRoles), the Microsoft CA assigns permissions to principals (identified by the access control entry (ACE)) in the following manner.

Permission

Access Mask Bit value

Read

0x00000100

Enroll

0x00000200

Officer

0x00000002

Administrator

0x00000001

Auditor

0x00000004

Operator

0x00000008

If a principal has Enroll, Officer, or Administrator permission, Read permission is implied and does not need to be explicitly set.

For the CA Operator role that is defined in [CIMC-PP], a principal must have Read permission (implicit or explicit) and must also have the SeBackupPrivilege, as specified in [MS-LSAD] section 3.1.1.2.1.

For the CA Auditor role that is defined in [CIMC-PP], a principal must have Read permission (implicit or explicit) and must also have the SeSecurityPrivilege, as specified in [MS-LSAD] section 3.1.1.2.1.

The following table specifies the method name and the list of permissions required by the caller. With the exception of where mentioned, the caller only needs to possess at least one of these access permissions for the call to be allowed by the CA.

Method name

Permissions required

ICertRequestD::Request

Enroll

ICertRequestD:GetCACert

Enroll

ICertRequestD2::Request2

Enroll

ICertRequestD2::GetCAProperty

Enroll

ICertRequestD2::GetCAPropertyInfo

Enroll

ICertAdminD::GetCRL

Administrator, Officer, Read

ICertAdminD2::GetCAProperty

Administrator, Officer, Read

ICertAdminD2::GetCAPropertyInfo

Administrator, Officer, Read

ICertAdminD::GetViewDefaultColumnSet

Administrator, Officer, Read

ICertAdminD::EnumAttributesOrExtensions

Administrator, Officer, Read

ICertAdminD::OpenView

Administrator, Officer, Read

ICertAdminD::IsValidCertificate

Administrator, Officer, Read

ICertAdminD::GetServerState

None required

ICertAdminD2::GetCASecurity

Administrator, Officer, Read

ICertAdminD2::GetAuditFilter

Administrator, Officer, Read

ICertAdminD2::GetOfficerRights

Administrator, Officer, Read

ICertAdminD2::GetConfigEntry

Administrator, Officer, Read

ICertAdminD2::EnumViewColumnTable

Administrator, Officer, Read

ICertAdminD2::GetMyRoles

Administrator, Officer, Read

ICertAdminD2::GetArchivedKey

Officer

ICertAdminD::SetExtension

Officer

ICertAdminD::SetAttributes

Officer

ICertAdminD::DenyRequest

Officer

ICertAdminD::ReSubmitRequest

Officer

ICertAdminD::RevokeCertificate

Officer

ICertAdminD::ImportCertificate

Officer

ICertAdmin:D2:ImportKey

Officer

ICertAdminD2::PublishCRLs

Administrator

ICertAdminD::ServerControl

Administrator, Operator

ICertAdminD::Ping

Administrator

ICertAdminD::Ping2

Administrator

ICertAdminD2::SetCASecurity

Administrator

ICertAdminD2::SetCAProperty

Administrator

ICertAdminD2::SetAuditFilter

Administrator, Auditor (either of these is checked based on a CA setting that denotes the permissions to check for SetAuditFilter)

ICertAdminD2::SetOfficerRights

Administrator

ICertAdminD2::SetConfigEntry

Administrator

ICertAdminD2::DeleteRow

Both Administrator and Officer must be present.

ICertAdminD::PublishCRL

Administrator

ICertAdminD::BackupPrepare

Operator

ICertAdminD::BackupEnd

Operator

ICertAdminD::RestoreGetDatabaseLocations

Operator

ICertAdminD::BackupGetAttachedInformation

Operator

ICertAdminD::BackupGetBackupLogs

Operator

ICertAdminD::BackupGetDynamicFiles

Operator

ICertAdminD::BackupOpenFile

Operator

ICertAdminD::BackupReadFile

Operator

ICertAdminD::BackupCloseFile

Operator

ICertAdminD::BackupTruncateLogs

Operator

The CA SHOULD enforce Officer rights for any of the following methods:

  • ICertAdminD2::GetArchivedKey

  • ICertAdminD::SetExtension

  • ICertAdminD::SetAttributes

  • ICertAdminD::DenyRequest

  • ICertAdminD::ReSubmitRequest

  • ICertAdminD::RevokeCertificate

The CA SHOULD enforce the Enrollment Agent rights for ICertRequestD::Request