Granular administration ACF2 digital certificates non-authorized user ADMIN rules

Article ID: 271422

Products

ACF2 - z/OS

Issue/Introduction

Setting up granular administration of digital certificates with the CASECAUT class. The user is trying to change an expired certificate from TRUST to NOTRUST status.

What resource rules are required?

Environment

Release : 16.0

Resolution

The standard resource for digital certificate (digicert) manipulation by non-authorized users is as follows: CLASS=CASECAUT, and the resource name to update a certificate profile record is

ACFCMD.DIGTCERT.ALTER SERVICE(UPDATE)

If CERTCNTL is specified in the CONTROL(GSO) OPTS record, the resource is instead in the RDATALIB class (type RDA rules), and for update of the digicert record the resource is

IRR.DIGTCERT.owner.ringname.UPD.ALTER

There is no granularity to the actual parameter being changed (e.g. TRUST/NOTRUST); the ALTER resource covers the whole update.

The RDATALIB resources are validated via RACROUTE REQUEST=FASTAUTH, so violations are not written to the journal by default. To see them in ACFRPTRV you will need TRACE on the user logonid, or change the RDATALIB CLASMAP record to specify LOG instead of NOLOG.

An example of the violation in ACFRPTRV, with CERTCNTL in GSO OPTS, is as follows:

RRDA-IRR                                         TRC  RRDA-IRR                  
XXXXXXXX USER02     AXXLO906 XX28 ACF9CFAT NO-RULE     -     DIRECTRY READ 
23.221 08/09 09.50   USER02  USER02  TEST ID                                    0   0  20   0  16
SAF RESOURCE CLASS RDATALIB                                                     
                                                                                
RESOURCE NAME: IRR.DIGTCERT.USER01.USER01.CERT88.UPD.ALTER                    
                                                                                
LOG STRING:    Certificate Object Security Service  

Without CERTCNTL the validation would be as follows:

RAUT-ACFCMD.DIGTCERT.ALTER                       TRC  RAUT-ACFCMD               
XXXXXXX    USER02    XXXLO906 XX28 ACF9CFAT NO-RULE     -     DIRECTRY UPDT 
23.221 08/09 09.43    USER02  USER02  TEST ID                                      0   0  20   0  16
SAF RESOURCE CLASS CASECAUT                              

RESOURCE NAME: ACFCMD.DIGTCERT.ALTER                                            
                                                                                
LOG STRING:    Certificate Object Security Service
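As an added illustration (not part of the original article), the two rule sets described above written out as ACF commands, one for each configuration, using the resource names taken from the two ACFRPTRV reports. The UID mask, the rule type SAF for CASECAUT, and the CLASMAP record name CLASMAP.RDATALIB are assumptions to be checked against the site's own UID layout and SHOW CLASMAP output; USER02 and the ring name USER01.CERT88 are the values shown in the reports.

```text
ACF
SET RESOURCE(SAF)
COMPILE * STORE
 * Added example, not from the article. Without CERTCNTL the ACF command
 * is checked in CLASS=CASECAUT, which is assumed here to map to rule
 * type SAF (check SHOW CLASMAP). The report shows the check as UPDT,
 * so SERVICE(UPDATE) is what must be allowed. Replace the UID mask with
 * the UID string your site assigns to USER02.
 $KEY(ACFCMD) TYPE(SAF)
 DIGTCERT.ALTER UID(uid-of-USER02) SERVICE(UPDATE) ALLOW

SET RESOURCE(RDA)
COMPILE * STORE
 * With CERTCNTL in GSO OPTS the check moves to CLASS=RDATALIB (type RDA)
 * and the resource is IRR.DIGTCERT.owner.ringname.UPD.ALTER. The report
 * shows this check as READ, so SERVICE(READ) is the access to allow.
 * There is no finer rule for TRUST versus NOTRUST; UPD.ALTER covers both.
 $KEY(IRR) TYPE(RDA)
 DIGTCERT.USER01.USER01.CERT88.UPD.ALTER UID(uid-of-USER02) SERVICE(READ) ALLOW

SET CONTROL(GSO)
CHANGE CLASMAP.RDATALIB LOG
END
```

Each COMPILE block is terminated by the blank line that follows its rule text, and the comment lines (asterisk in column 1) are valid only inside that rule text. The CHANGE at the end is the LOG-instead-of-NOLOG change the article mentions, so that FASTAUTH violations against RDATALIB show up in ACFRPTRV without tracing the logonid; the record name is assumed and must match the CLASMAP record your site defined for RDATALIB. Because both reports show the checks being made against a resident directory (DIRECTRY), the stored rules only take effect after the directories are rebuilt with the operator commands F ACF2,REBUILD(SAF) and F ACF2,REBUILD(RDA).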