B.0 Entry Rights Needed to Perform Tasks

The following list provides the specific entry rights an administrator needs to perform Novell Certificate Server tasks within an eDirectory tree. These are the minimum entry rights needed for each task.

This list should also help an administrator who wants to grant another user the rights to manage part or all of the company's certificate authority and certificate management needs.

Table B-1 Administrator Entry Rights

Each task below is followed by the entry rights needed to perform it.

Install Novell Certificate Server

For the first installation to an eDirectory tree:

  • Supervisor at the [Root] of the tree

For subsequent installations:

  • Supervisor to the W0 object

  • Rights needed to create a Server Certificate object

    If the user doesn't have the rights to create a Server Certificate object, the installation still finishes, but the Server Certificate objects must then be created manually by someone with the appropriate rights, and the applications that use these certificates must be configured manually.

Creating an Organizational CA

  • Supervisor on the Security container

Viewing the Organizational CA's properties and certificates

  • Browse on the Organizational CA's object

Exporting the Organizational CA's certificate(s)

  • Browse on the Organizational CA's object

Issuing a public key certificate

  • Read to the NDSPKI:Private Key on the Organizational CA's object

    However, if the object trying to issue the public key certificate is an NCP server, then the rights needed are:

  • Write to the NDSPKI:Private Key on the Organizational CA's object

Backing up and restoring an Organizational CA

  • Supervisor on the Organizational CA's object

Moving the Organizational CA to a different server

  • Supervisor on the Organizational CA's object

Validating the Organizational CA's Certificates

  • Browse on the Organizational CA's object

Replacing the Organizational CA

  • Supervisor on the Organizational CA's object

Deleting the Organizational CA

  • Delete on the Organizational CA's object

Creating Server Certificate objects

  • Supervisor on the server's container

  • Read to the attribute NDSPKI:Private Key on the Organizational CA's object (only if using the Organizational CA)

    However, if the object trying to issue the public key certificate is an NCP server, then the rights needed are:

  • Supervisor on the server's container

  • Write to the NDSPKI:Private Key on the Organizational CA's object

Importing a public key certificate into a Server Certificate object

  • Write to the attribute NDSPKI:Public Key Certificate on the Server Certificate object

  • Write to the attribute NDSPKI:Certificate Chain on the Server Certificate object

Deleting a Server Certificate object

  • Delete on the Server Certificate object

Exporting a Trusted Root or Public Key Certificate from a Server Certificate object

  • Browse on the Server Certificate object

Viewing the Server Certificate object's properties and certificates

  • Browse on the Server Certificate object

Backing up and restoring a Server Certificate object

  • Supervisor on the Server object that owns the Server Certificate object (to back up)

  • Create on the Server object's container (to restore)

Validating Server Certificates

  • Browse on the Server Certificate object

Revoking Server Certificates

  • Read to the CA Private Key

    or

  • Delete on the Server Certificate object

    or

  • Supervisor on the Host Server (that is, the NCP™ Server object)

Replacing a server certificate's keying material

  • Write to the attribute NDSPKI:Private Key on the Server Certificate object

Creating user certificates

  • Read to the attribute NDSPKI:Private Key on the Organizational CA object

  • Read and Write to the attribute NDSPKI:userCertificateInfo on the User object

  • Read and Write to the attribute SAS:SecretStore on the User object

  • Read and Write to the attribute userCertificate on the User object

    However, if the object trying to issue the public key certificate is an NCP server, then the rights needed are:

  • Write to the NDSPKI:Private Key on the Organizational CA's object

  • Read and Write to the attribute NDSPKI:userCertificateInfo on the User object

  • Read and Write to the attribute SAS:SecretStore on the User object

  • Read and Write to the attribute userCertificate on the User object

Importing a public key certificate into a User object

  • Read and Write to the attribute NDSPKI:userCertificateInfo on the User object

  • Read and Write to the attribute NDSPKI:userCertificate on the User object

Viewing a user certificate's properties

  • Browse on the User object

Exporting a user certificate

  • Browse on the User object

Exporting a user's private key and certificate

  • You must be logged in as the user

Deleting a user certificate and private key

  • Read and Write to NDSPKI:userCertificateInfo

  • Read and Write to userCertificate

Validating User Certificates

  • Browse on the User object

Revoking User Certificates

  • Read to the CA Private Key

    or

  • Delete on the User object

    or

  • Be logged in as the User and have Write to the userCertificate attribute

Creating a Trusted Root Container

  • Create on the Security container

Creating a Trusted Root object

  • Create on the Trusted Root Container in which the Trusted Root object will reside

Viewing a Trusted Root object's properties

  • Browse on the Trusted Root object

Replacing a trusted root certificate

  • Read and Write to NDSPKI:Not After on the Trusted Root object

  • Read and Write to NDSPKI:Not Before on the Trusted Root object

  • Read and Write to NDSPKI:Subject Name on the Trusted Root object

  • Read and Write to NDSPKI:Trusted Root Certificate on the Trusted Root object

Validating a trusted root certificate

  • Browse on the Trusted Root object

Revoking a trusted root certificate

  • Read to the CA Private Key

    or

  • Delete on the Trusted Root object

Deleting a Trusted Root object

  • Delete on the Trusted Root object

Creating a CRL Container

  • Supervisor on the Security container

  • Write to the attribute ndspkiCRLContainerDN on the Organizational CA's object

Deleting a CRL Container

  • Delete on the CRL container

Creating a CRL Configuration object

  • Supervisor on the CRL container

Activating a CRL Configuration object

  • Write to the attribute ndspkiCRLConfigurationDNList on the Organizational CA's object

Viewing and/or Modifying a CRL Configuration object's Properties

Modifying:

  • Supervisor on the CRL Configuration object

    or

  • Write to the attribute being modified on the CRL Configuration object

Viewing:

  • Browse on the CRL Configuration object

Deleting a CRL Configuration object

  • Delete on the CRL Configuration object

Creating a CRL object

  • Supervisor on the CRL Configuration object

Exporting a CRL file

  • Read to the attribute certificateRevocationList

Replacing a CRL file

  • Browse on the CRL object

Viewing a CRL object's properties

  • Browse to the attribute certificateRevocationList

Deleting a CRL object

  • Delete on the CRL Distribution Point

Creating a Security container

  • Create at the root of the eDirectory tree

Creating a SAS service object

  • Supervisor on the object's container

  • Write to the attribute SAS:Service DN on the Server object for which the SAS service object is being created