Authorization for CMS Users
Netscape Certificate Management System Administrator’s Guide • June 2003

How ACIs are Formed

You change the access for a user, group, or IP address by editing the ACI entries in the ACLs. You can change who is allowed or denied access by adding a user, group, or IP address to the ACIs in an ACL entry. In the ACL interface, each ACI is shown on a line of its own. In this interface window, the ACI has the following syntax:

    allow|deny (operator) user|group|IP=”name”

For example, the following is an ACI that allows Administrators to perform the read operation for the tasks associated with this ACL:

    allow (read) group=”Administrators”

An ACI can have more than one operator. The operators are separated with a comma with no space on either side. For example:

    allow (read,modify) group=”Administrators”

An ACI can have more than one group, user, or IP address by separating them with two pipe symbols (||) with a space on either side. For example:

    allow (read) group=”Administrators” || group=”Auditors”

In the CMS console interface, you create or modify ACIs in an editor that allows you to do this in a graphical environment. You choose from allow or deny in the Allow and Deny field, then you choose one of the operations that are possible for this ACL in the Operations field, and then you list those groups, users, or IP addresses that are being granted or denied this access in the Syntax field.

Allow and Deny

An ACI can either allow an operation for the specified group, user ID, or IP address, or deny the operation for the specified group, user ID, or IP address.

Generally, you do not have to create ACIs to deny access. If a group, user ID, or IP address is not allowed access to an operation—that is, there are no allow ACIs that, when evaluated, would include the user ID, group, or IP address—the group, user ID, or IP address is denied access.

If a user is not allowed access to any of the operations for a resource, then this user is considered denied; they do not specifically need to be denied access. For example, user JohnB is a member of the group Administrators. If an ACL has only the following ACI, JohnB would be denied any access since he does not match any of the allow ACIs:

    Allow (read,modify) group=”Auditors” || user=”BrianC”
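The following is an added example, not code from the guide or from CMS itself: a small Python parser and evaluator for the ACI syntax described above, applying the default-deny rule (no matching allow ACI means access is denied) and checking it against the JohnB case. The guide does not say how a matching deny ACI interacts with a matching allow ACI; this example assumes that a deny wins.

```python
import re
from dataclasses import dataclass

# Grammar from the guide: allow|deny (op[,op...]) kind=”name” [|| kind=”name” ...]
# The PDF renders quotes as ” so both straight and curly quotes are accepted.
ACI_RE = re.compile(r'^(allow|deny)\s*\(([^)]*)\)\s*(.*)$', re.IGNORECASE)
SUBJECT_RE = re.compile(r'^(user|group|ip)\s*=\s*["“”]([^"“”]*)["“”]$', re.IGNORECASE)


@dataclass(frozen=True)
class ACI:
    effect: str             # "allow" or "deny"
    operations: frozenset   # e.g. {"read", "modify"}
    subjects: tuple         # e.g. (("group", "Auditors"), ("user", "BrianC"))


def parse_aci(line):
    """Parse one ACI line; raise ValueError on anything outside the documented syntax."""
    m = ACI_RE.match(line.strip())
    if not m:
        raise ValueError(f"malformed ACI: {line!r}")
    effect, ops, rest = m.groups()
    operations = frozenset(op.strip().lower() for op in ops.split(",") if op.strip())
    subjects = []
    for part in rest.split("||"):          # subjects are separated by " || "
        sm = SUBJECT_RE.match(part.strip())
        if not sm:
            raise ValueError(f"malformed subject: {part.strip()!r}")
        subjects.append((sm.group(1).lower(), sm.group(2)))
    return ACI(effect.lower(), operations, tuple(subjects))


def matches(aci, user, groups, ip):
    """True if the requester is named by any subject of the ACI (user, group or IP)."""
    for kind, name in aci.subjects:
        if (kind == "user" and name == user) or \
           (kind == "group" and name in groups) or \
           (kind == "ip" and name == ip):
            return True
    return False


def is_allowed(acl, operation, user, groups=(), ip=None):
    """Default deny: access needs a matching allow ACI and (assumption) no matching deny ACI."""
    operation = operation.lower()
    allowed = False
    for aci in acl:
        if operation not in aci.operations or not matches(aci, user, groups, ip):
            continue
        if aci.effect == "deny":
            return False
        allowed = True
    return allowed
```

With the ACL from the guide's example, `is_allowed(acl, "read", "JohnB", {"Administrators"})` returns False even though no deny ACI names JohnB, because no allow ACI covers him.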