About Authorization

326 Netscape Certificate Management System Administrator’s Guide • February 2003

authorization check before allowing an operation to be performed in that area.

Access Control Instructions (ACIs) are created in each of the ACLs that specifically allow or deny one or more of the possible operations for that ACL to specified users, groups, or IP addresses.

The ACLs contain a default set of ACIs for the default groups that are created. You can change those ACIs to change the privileges of those predefined groups, or create groups of your own and assign privileges to a new group by adding or modifying ACIs for the new group in the ACLs.

How Authorization Works

The following is the process that defines authorization:

1. Users authenticate to the interface they are trying to access, using either their CMS user ID and password or a certificate.

2. The server authenticates them either by matching their user ID and password with the one stored in the database, or by checking their certificate against one stored in the database. With certificate-based authentication, the server also checks that the certificate is valid, and finds the group membership of the user by associating the DN of the certificate with a user and determining the user’s group membership. With password-based authentication, the server checks the password against the user ID, and then finds the group membership of the user by associating that user ID with the user ID contained in the group.

3. When the user tries to perform an operation, the authorization mechanism checks that the user ID of the user, the group to which the user belongs, or the IP address of the user is allowed to perform that operation. It does this by checking the ACLs for this process to determine whether an ACI exists that allows this operation to be performed by this user, group, or IP address.

Default Groups

A user’s privileges are determined by the group membership of the user.
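
A minimal model of the check in step 3 of the authorization process above, added here as an illustration; it is not CMS code and does not use CMS's ACI syntax. The resource name, group names, and the policy that an unmatched request is refused and a matching deny overrides an allow are assumptions of this example.

```python
# Added example: toy ACL/ACI evaluation. All names and sample data are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class ACI:
    effect: str            # "allow" or "deny"
    operations: frozenset  # operations this instruction covers
    kind: str              # "user", "group" or "ip"
    value: str             # user ID, group name, or address/CIDR

@dataclass(frozen=True)
class Subject:
    user_id: str
    groups: frozenset      # resolved during authentication (step 2)
    ip: str

def matches(aci, subject):
    """True if the ACI names this subject by user ID, group or IP address."""
    if aci.kind == "user":
        return aci.value == subject.user_id
    if aci.kind == "group":
        return aci.value in subject.groups
    if aci.kind == "ip":
        return ip_address(subject.ip) in ip_network(aci.value)
    return False

def authorize(acls, resource, operation, subject):
    """Assumed policy: no ACL or no matching ACI means refusal; deny beats allow."""
    acl = acls.get(resource)
    if acl is None:
        return False
    hits = [a.effect for a in acl
            if operation in a.operations and matches(a, subject)]
    return "allow" in hits and "deny" not in hits

# Constructed ACL for a hypothetical resource "ca.certs".
ACLS = {
    "ca.certs": [
        ACI("allow", frozenset({"read", "revoke"}), "group", "agents"),
        ACI("allow", frozenset({"read"}), "group", "auditors"),
        ACI("deny", frozenset({"revoke"}), "ip", "203.0.113.0/24"),
    ],
}

# A user in two groups receives the union of what both groups are allowed.
alice = Subject("alice", frozenset({"agents", "auditors"}), "198.51.100.7")
bob = Subject("bob", frozenset({"auditors"}), "198.51.100.8")
carol = Subject("carol", frozenset({"agents"}), "203.0.113.9")
```

Here `carol` is in a group that may revoke, but the IP-based deny ACI matches her address, so only her read request succeeds.
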
When you install the subsystem, you are given the choice of whether to allow membership of users in more than one group. The default setting allows users to belong to more than one group. If you changed this setting in the install wizard, users are not allowed to belong to more than one group.

The following groups are created by default: