Configuring the Certificate Manager110 Netscape Certificate Management System Administrator’s Guide • February 2003Configuring the Certificate ManagerThis section lists the areas that you can configure for the Certificate Manager, givesa description of that area, and points you to specific information on configuringthat set of features.Adding UsersOnce the Certificate Manager is installed, you need to add users and assign them tothe administrator, agent, or auditor roles. If you selected the option to have theadministrator created during installation also act as an agent, then theadministrator is your first agent. If you did not, you need to create an agent userwho can access the agent services interface. See Chapter 8, “Authorization” fordetails on adding users and assigning them to groups.Configuring AuthorizationEach subsystem has a set of predefined roles that are assigned a default set ofprivileges. You create users in the CMS database and then assign them to a groupto give them the privileges of that group. The privileges assigned to a group arecontrolled by Access Control Instructions (ACIs) placed in Access Control Lists(ACLs). ACLs define points that need specific authorization. Generally, eachdefines a distinct set of functionality for the server. ACIs define what operationscan or cannot be performed by a user, group, or IP address for that particular ACL.You can change the default ACIs set up in the ACLs to change the privileges of auser, group, or IP address. You can also create new groups and assign privileges tothose groups by adding ACI entries for that group in the ACLs. For completedetails about creating users, assigning users to groups, creating groups, andchanging ACIs and ACLs, see Chapter 8, “Authorization.”Default ACL ConfigurationThe configuration set up for the Certificate Manager gives the following privilegesto members of the following groups:• Members of the Administrator group can perform any operations in theadministrative interface including viewing configuration settings, changingconfiguration settings, adding or deleting plug-ins, creating or deletinginstances or plug-ins, and viewing all logs except for the signed audit log—ifyou have the signed audit feature set up. Administrators do not have access tothe agent services interface or any task performed there.
