7.0 Entry Rights Needed to Perform Tasks

This list gives the specific entry rights an administrator needs to perform Novell® Certificate Server tasks within an eDirectory® tree. These are the minimum rights needed. Where a task lists Read or Write to a named attribute, that is an attribute right on the object rather than an entry right. Note that Read to the attribute NDSPKI:Private Key on the Organizational CA's object is what allows a trustee to issue and to revoke certificates, so it should be granted as carefully as Supervisor on the CA.

This list should also help an administrator who wants to grant another user the rights to manage part or all of the company's certificate authority and certificate management needs.

Tasks

Entry Rights Needed

Install Novell Certificate Server

For the first installation to an eDirectory® tree:

  • Supervisor at the [Root] of the tree

For subsequent installations:

  • Supervisor to the W0 object
  • Rights needed to create a Server Certificate object

    If the user does not have the rights to create a Server Certificate object, the installation finishes, but the Server Certificate objects will need to be created manually by someone with the appropriate rights, and applications that use these certificates will need to be configured manually.

Creating an Organizational CA

  • Supervisor on the Security container

Viewing the Organizational CA's properties and certificates

  • Browse on the Organizational CA's object

Exporting the Organizational CA's certificate(s)

  • Browse on the Organizational CA's object

Issuing a public key certificate

  • Read to the attribute NDSPKI:Private Key on the Organizational CA's object

    Exception: If the object trying to issue the public key certificate is an NCP server, then the rights needed are:

  • Write to the attribute NDSPKI:Private Key on the Organizational CA's object

Backing up and restoring an Organizational CA

  • Supervisor on the Organizational CA's object

Moving the Organizational CA to a different server

  • Supervisor on the Organizational CA's object

Validating the Organizational CA's certificates

  • Browse on the Organizational CA's object

Replacing the Organizational CA

  • Supervisor on the Organizational CA's object

Deleting the Organizational CA

  • Delete on the Organizational CA's object

Creating Server Certificate objects

  • Supervisor on the server's container
  • Read to the attribute NDSPKI:Private Key on the Organizational CA's object (only if using the Organizational CA)

    Exception: If the object trying to issue the public key certificate is an NCP server, then the rights needed are:

  • Supervisor on the server's container
  • Write to the attribute NDSPKI:Private Key on the Organizational CA's object

Importing a public key certificate into a Server Certificate object

  • Write to the attribute NDSPKI:Public Key Certificate on the Server Certificate object
  • Write to the attribute NDSPKI:Certificate Chain on the Server Certificate object

Deleting a Server Certificate object

  • Delete on the Server Certificate object

Exporting a Trusted Root or Public Key Certificate from a Server Certificate object

  • Browse on the Server Certificate object

Viewing the Server Certificate object's properties and certificates

  • Browse on the Server Certificate object

Backing up and restoring a Server Certificate object

  • Supervisor on the server object that owns the Server Certificate object, to back up
  • Create on the server object's container, to restore

Validating Server Certificates

  • Browse on the Server Certificate object

Revoking Server Certificates

  • Read to the CA's private key (NDSPKI:Private Key on the Organizational CA's object), or Delete on the Server Certificate object, or Supervisor on the host server (i.e. the NCP Server object)

Replacing a server certificate's keying material

  • Write to the attribute NDSPKI:Private Key on the Server Certificate object

Creating user certificates

  • Read to the attribute NDSPKI:Private Key on the Organizational CA's object
  • Read and Write to the attribute NDSPKI:userCertificateInfo on the User object
  • Read and Write to the attribute SAS:SecretStore on the User object
  • Read and Write to the attribute userCertificate on the User object

    Exception: If the object trying to issue the public key certificate is an NCP server, then the rights needed are:

  • Write to the attribute NDSPKI:Private Key on the Organizational CA's object
  • Read and Write to the attribute NDSPKI:userCertificateInfo on the User object
  • Read and Write to the attribute SAS:SecretStore on the User object
  • Read and Write to the attribute userCertificate on the User object

Importing a public key certificate into a User object

  • Read and Write to the attribute NDSPKI:userCertificateInfo on the User object
  • Read and Write to the attribute NDSPKI:userCertificate on the User object

Viewing a user certificate's properties

  • Browse on the User object

Exporting a user certificate

  • Browse on the User object

Exporting a user's private key and certificate

  • You must be logged in as the user.

Deleting a user certificate and private key

  • Read and Write to the attribute NDSPKI:userCertificateInfo on the User object
  • Read and Write to the attribute userCertificate on the User object

Validating User Certificates

  • Browse on the User object

Revoking User Certificates

  • Read to the CA's private key (NDSPKI:Private Key on the Organizational CA's object), or Delete on the User object, or be logged in as the user and hold Write to the attribute userCertificate

Creating a Trusted Root Container

  • Create on the Security container

Creating a Trusted Root object

  • Create on the Trusted Root Container in which the Trusted Root object will reside

Viewing a Trusted Root object's properties

  • Browse on the Trusted Root object

Replacing a trusted root certificate

  • Read and Write to the attribute NDSPKI:Not After on the Trusted Root object
  • Read and Write to the attribute NDSPKI:Not Before on the Trusted Root object
  • Read and Write to the attribute NDSPKI:Subject Name on the Trusted Root object
  • Read and Write to the attribute NDSPKI:Trusted Root Certificate on the Trusted Root object

Validating a trusted root certificate

  • Browse on the Trusted Root object

Revoking a trusted root certificate

  • Read to the CA's private key (NDSPKI:Private Key on the Organizational CA's object), or Delete on the Trusted Root object

Deleting a Trusted Root object

  • Delete on the Trusted Root object

Creating a CRL Container

  • Supervisor on the Security container
  • Write to the attribute ndspkiCRLContainerDN on the Organizational CA's object

Deleting a CRL Container

  • Delete on the CRL container

Creating a CRL Configuration object

  • Supervisor on the CRL container

Activating a CRL Configuration object

  • Write to the attribute ndspkiCRLConfigurationDNList on the Organizational CA's object

Viewing and/or modifying a CRL Configuration object's properties

Modifying:

  • Supervisor on the CRL Configuration object, or
  • Write to the attribute being modified on the CRL Configuration object

Viewing:

  • Browse on the CRL Configuration object

Deleting a CRL Configuration object

  • Delete on the CRL Configuration object

Creating a CRL object

  • Supervisor on the CRL Configuration object

Exporting a CRL file

  • Read to the attribute certificateRevocationList on the CRL object

Replacing a CRL file

  • Browse on the CRL object

Viewing a CRL object's properties

  • Browse to the attribute certificateRevocationList on the CRL object

Deleting a CRL object

  • Delete on the CRL Distribution Point object

Creating a Security container

  • Create at the root of the eDirectory tree

Creating a SAS service object

  • Supervisor on the object's container
  • Write to the attribute SAS:Service DN on the server object for which the SAS service object is being created
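The table above lists rights by name; on the wire, eDirectory stores each trustee assignment as one value of the multi-valued ACL attribute in the form Privileges#Scope#Trustee#ProtectedAttribute. The following Python is an added example, not part of the Novell documentation, showing how to turn the "Creating user certificates" row into ACL values (and the LDIF to apply them), and how to audit an Organizational CA object's ACL for every trustee who, per the "Issuing" and "Revoking" rows, can sign or revoke certificates. It assumes the eDirectory ACL value syntax and privilege bit values shown in the code (verify them against your eDirectory version); the DNs such as cn=Organizational CA,cn=Security and o=acme, and the sample ACL values, are constructed for illustration.

```python
"""Encode and audit eDirectory ACL values for Certificate Server tasks.

ACL value syntax assumed here:  Privileges#Scope#Trustee#ProtectedAttribute
  Privileges        bit mask (tables below, as documented for eDirectory ACLs)
  Scope             "entry" or "subtree"
  Trustee           a DN, "[Public]" or "[Root]"
  ProtectedAttribute an attribute name, "[Entry Rights]" or "[All Attributes Rights]"
"""
from dataclasses import dataclass

ENTRY = "[Entry Rights]"
ALL_ATTRS = "[All Attributes Rights]"
ENTRY_BITS = {"Browse": 1, "Create": 2, "Delete": 4, "Rename": 8, "Supervisor": 16}
ATTR_BITS = {"Compare": 1, "Read": 2, "Write": 4, "Self": 8, "Supervisor": 32}
CA_PRIVATE_KEY = "NDSPKI:Private Key"


@dataclass(frozen=True)
class Acl:
    privileges: int
    scope: str
    trustee: str
    attribute: str


def parse_acl(value: str) -> Acl:
    """Parse one ACL value as returned by an LDAP search for the ACL attribute."""
    privs, scope, trustee, attribute = value.split("#", 3)
    if scope not in ("entry", "subtree"):
        raise ValueError(f"unexpected scope in ACL value {value!r}")
    return Acl(int(privs), scope, trustee, attribute)


def acl_value(rights, trustee: str, attribute: str, scope: str = "entry") -> str:
    """Encode named rights as one ACL value, e.g. Read+Write -> '6#entry#<dn>#<attr>'."""
    bits = ENTRY_BITS if attribute == ENTRY else ATTR_BITS
    mask = 0
    for name in rights:
        mask |= bits[name]
    return f"{mask}#{scope}#{trustee}#{attribute}"


def user_cert_grants(trustee: str, ca_dn: str, user_dn: str):
    """(object DN, ACL value) pairs for the 'Creating user certificates' row."""
    rw = ("Read", "Write")
    return [
        (ca_dn, acl_value(("Read",), trustee, CA_PRIVATE_KEY)),
        (user_dn, acl_value(rw, trustee, "NDSPKI:userCertificateInfo")),
        (user_dn, acl_value(rw, trustee, "SAS:SecretStore")),
        (user_dn, acl_value(rw, trustee, "userCertificate")),
    ]


def to_ldif(grants) -> str:
    """Render the grants as LDIF change records for ldapmodify."""
    return "\n".join(f"dn: {dn}\nchangetype: modify\nadd: ACL\nACL: {v}\n" for dn, v in grants)


def effective_mask(acls, trustee: str, attribute: str) -> int:
    """OR together the explicit grants one trustee holds on one attribute of one object.

    Supervisor on [Entry Rights] and grants on [All Attributes Rights] also cover
    every attribute. Inheritance from parent containers, inherited rights filters,
    group membership and security equivalence are NOT evaluated: this reviews the
    explicit ACL values on the object, it is not a full effective-rights calculation.
    """
    mask = 0
    for a in acls:
        if a.trustee != trustee:
            continue
        if a.attribute == attribute:
            mask |= a.privileges
        elif attribute != ENTRY and a.attribute == ALL_ATTRS:
            mask |= a.privileges
        elif attribute != ENTRY and a.attribute == ENTRY and a.privileges & ENTRY_BITS["Supervisor"]:
            mask |= ATTR_BITS["Supervisor"]
    return mask


def has_rights(acls, trustee: str, attribute: str, needed) -> bool:
    """True if the trustee holds every named right (or Supervisor) on the attribute."""
    bits = ENTRY_BITS if attribute == ENTRY else ATTR_BITS
    mask = effective_mask(acls, trustee, attribute)
    return bool(mask & bits["Supervisor"]) or all(mask & bits[n] for n in needed)


def who_can_issue(acls):
    """Trustees with Read, Write or Supervisor on NDSPKI:Private Key of the CA object.

    Per the table, Read (users) or Write (NCP servers) is enough to issue, and Read
    also suffices to revoke, so every name returned is effectively a CA operator."""
    wanted = ATTR_BITS["Read"] | ATTR_BITS["Write"] | ATTR_BITS["Supervisor"]
    return sorted({a.trustee for a in acls if effective_mask(acls, a.trustee, CA_PRIVATE_KEY) & wanted})


# Constructed sample: ACL values as they might be read from an Organizational CA
# object. All DNs are invented for this example.
SAMPLE_CA_ACLS = [parse_acl(v) for v in (
    "16#entry#cn=admin,o=acme#[Entry Rights]",
    "1#subtree#[Public]#[Entry Rights]",
    "2#entry#cn=pki-helpdesk,ou=it,o=acme#NDSPKI:Private Key",
    "6#entry#cn=srv1,ou=servers,o=acme#NDSPKI:Private Key",
    "2#entry#cn=auditor,ou=it,o=acme#ndspkiCRLConfigurationDNList",
)]

if __name__ == "__main__":
    print(to_ldif(user_cert_grants("cn=pki-helpdesk,ou=it,o=acme",
                                   "cn=Organizational CA,cn=Security",
                                   "cn=jdoe,ou=users,o=acme")))
    print("Can issue/revoke from the CA:", who_can_issue(SAMPLE_CA_ACLS))
```

To audit a live tree, export the CA object's ACL values with an LDAP search for the ACL attribute on cn=Organizational CA,cn=Security, feed each value to parse_acl, and review the who_can_issue output; the helpdesk account in the sample shows up because Read to NDSPKI:Private Key alone is enough to sign. The LDIF from to_ldif can be applied with ldapmodify, and has_rights can then confirm the trustee holds exactly the rights the table calls for and no more.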