Configuring a Registration Manager
Chapter 4 Registration Manager

Configuring Authorization

Each subsystem has a set of predefined roles that are assigned a default set of privileges. You create users in the CMS database and then assign them to a group to give them the privileges of that group. The privileges assigned to a group are controlled by Access Control Instructions (ACIs) placed in Access Control Lists (ACLs). ACLs define points that need specific authorization. Generally, each defines a distinct set of functionality for the server. ACIs define what operations can or cannot be performed by a user, group, or IP address for that particular ACL.

You can change the default ACIs set up in the ACLs to change the privileges of a user, group, or IP address. You can also create new groups and assign privileges to those groups by adding ACI entries for that group in the ACLs. For complete details about creating users, assigning users to groups, creating groups, and changing ACIs and ACLs, see Chapter 8, “Authorization.”

Default ACL Configuration

The configuration set up for the Certificate Manager gives the following privileges to members of the following groups:

• Members of the Administrator group can perform any operations in the administrative interface including viewing configuration settings, changing configuration settings, adding or deleting plug-ins, creating or deleting instances or plug-ins, and viewing all logs except for the signed audit log, if you have the signed audit feature set up. Administrators do not have access to the agent services interface or any task performed there.
• Members of the Auditor group can view the signed audit log, and can view configuration settings, but cannot perform any other operations on configuration settings and do not have access to the agent services interface.
• Members of the Registration Manager Agent group can view configuration settings in the administrative interface, but cannot perform any other operations on the configuration settings. They can perform all operations for all tasks associated with the agent services interface. They are allowed to communicate with the RA via the agent services port.
• Members of the Trusted Manager group are allowed to communicate with the Certificate Manager.
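
Because a user receives the privileges of every group they are assigned to, membership in two default groups can recombine privileges that the defaults keep apart. The following check is an added example, not part of the CMS documentation or product: it audits a user-to-group roster against the default privileges listed above. The privilege labels, the separated pairs, and the sample roster are constructed for illustration and are not ACI syntax; it assumes the default ACIs are unchanged.

```python
# Added example: privilege labels below are constructed, not CMS identifiers.
DEFAULT_PRIVILEGES = {
    "Administrator": {"config:view", "config:modify", "logs:view"},
    "Auditor": {"config:view", "signed_audit_log:view"},
    "Registration Manager Agent": {"config:view", "agent_services:all"},
    "Trusted Manager": {"certificate_manager:communicate"},
}

# Privilege pairs that no single default group holds together (assumption:
# the separation in the default configuration is intentional).
SEPARATED_PAIRS = [
    ("config:modify", "signed_audit_log:view"),
    ("config:modify", "agent_services:all"),
    ("signed_audit_log:view", "agent_services:all"),
]


def effective_privileges(groups):
    """Union of the default privileges of every known group in `groups`."""
    privileges = set()
    for group in groups:
        privileges |= DEFAULT_PRIVILEGES.get(group, set())
    return privileges


def audit_roster(roster):
    """Return (findings, unreviewed) for a {user: [group, ...]} roster."""
    findings, unreviewed = {}, {}
    for user, groups in roster.items():
        held = effective_privileges(groups)
        pairs = [p for p in SEPARATED_PAIRS if set(p) <= held]
        if pairs:
            findings[user] = pairs  # user combines separated privileges
        # Custom groups get their privileges from ACIs this model cannot see.
        custom = [g for g in groups if g not in DEFAULT_PRIVILEGES]
        if custom:
            unreviewed[user] = custom
    return findings, unreviewed


# Constructed sample roster.
SAMPLE_ROSTER = {
    "alice": ["Administrator"],
    "bob": ["Administrator", "Auditor"],
    "carol": ["Registration Manager Agent", "Custom Ops"],
}
```

Users reported under `unreviewed` belong to groups created after installation, so their ACI entries have to be read directly before their privileges can be judged.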