z/OS Cryptographic Services PKI Services Guide and Reference


Protecting administrative functions

SA23-2286-00

PKI Services administrators must have SAF user IDs on the host system. When PKI Services is called for administrative functions, the unit of work is tagged with the identity of the authenticated administrator.

At a minimum, all PKI Services administrators require READ or UPDATE access to the profile IRR.RPKISERV.PKIADMIN[.ca_domain] in the FACILITY class. Table 1 shows how the level of access to this profile controls authorization to general administrative functions.
Table 1. FACILITY class access needed for administrative functions

Resource                            Access   Purpose
IRR.RPKISERV.PKIADMIN[.ca_domain]   READ     For list and query operations
                                    UPDATE   To act on certificate requests, preregistration requests, and issued certificates

In addition, you can use profiles in the PKISERV class to restrict PKI Services administrator access to specific operations. For information, see Using the PKISERV class to control access to administrative functions. By default this additional capability is not enabled. The AdminGranularControl keyword in the pkiserv.conf configuration file controls whether it is enabled.

Example: To grant user ID ADMID authority to administer the PKI Services CUSTOMER domain, and to grant that same user the ability to query information on PKI Services certificates issued using the '1-Year PKI SSL Browser Certificate' template, issue the following RACF® TSO commands:
RDEFINE  FACILITY (IRR.RPKISERV.PKIADMIN.CUSTOMER) UACC(NONE)
PERMIT   IRR.RPKISERV.PKIADMIN.CUSTOMER CLASS(FACILITY) ACCESS(UPDATE) ID(ADMID)
RDEFINE  PKISERV CUSTOMER.QUERYCERTS.1YBSSL UACC(NONE)
PERMIT   CUSTOMER.QUERYCERTS.1YBSSL ACCESS(READ) CLASS(PKISERV) ID(ADMID)
SETROPTS RACLIST (FACILITY) REFRESH
SETROPTS CLASSACT(PKISERV)  RACLIST(PKISERV)
SETROPTS RACLIST (PKISERV)  REFRESH
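To make the two-layer check concrete, here is an added Python model (not IBM's or RACF's code) of how the Table 1 FACILITY access levels and the optional PKISERV layer combine for the ADMID example above. The in-memory profile data, the QUERYREQS and REVOKE operation names, and the rule that a missing profile grants nothing are assumptions of the model; the real decision is made by RACF on the host.

```python
from dataclasses import dataclass

# RACF access levels, lowest authority first, for comparing granted vs. required.
ACCESS_ORDER = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]

# Operations that Table 1 treats as list/query (READ suffices). Only QUERYCERTS
# appears on the page; QUERYREQS is an assumed name used by this model.
LIST_QUERY_OPS = {"QUERYCERTS", "QUERYREQS"}


def meets(granted: str, required: str) -> bool:
    """True if the granted RACF access level is at least the required one."""
    return ACCESS_ORDER.index(granted) >= ACCESS_ORDER.index(required)


@dataclass
class RacfDb:
    """Stand-in for RACF profiles: class -> profile -> {userid: access}.
    Every profile is treated as UACC(NONE) and a missing profile grants
    nothing; both are simplifications of this model, not RACF behaviour."""
    profiles: dict

    def access(self, cls: str, profile: str, userid: str) -> str:
        return self.profiles.get(cls, {}).get(profile, {}).get(userid, "NONE")


def facility_profile(ca_domain):
    """IRR.RPKISERV.PKIADMIN with the optional .ca_domain suffix."""
    return "IRR.RPKISERV.PKIADMIN" + (f".{ca_domain}" if ca_domain else "")


def admin_allowed(db, userid, operation, ca_domain=None, template=None,
                  granular=False):
    """Layer 1 (Table 1): READ on the FACILITY profile for list/query
    operations, UPDATE for operations that act on requests or certificates.
    Layer 2 (only when AdminGranularControl is enabled): READ on the PKISERV
    profile ca_domain.operation.template, the pattern of the page's
    CUSTOMER.QUERYCERTS.1YBSSL example."""
    required = "READ" if operation in LIST_QUERY_OPS else "UPDATE"
    if not meets(db.access("FACILITY", facility_profile(ca_domain), userid),
                 required):
        return False
    if granular:
        fine_grained = f"{ca_domain}.{operation}.{template}"
        return meets(db.access("PKISERV", fine_grained, userid), "READ")
    return True


# Constructed profile data mirroring the RDEFINE/PERMIT commands on this page.
DB = RacfDb({
    "FACILITY": {"IRR.RPKISERV.PKIADMIN.CUSTOMER": {"ADMID": "UPDATE"}},
    "PKISERV": {"CUSTOMER.QUERYCERTS.1YBSSL": {"ADMID": "READ"}},
})
```

With granular control off, ADMID's UPDATE access covers every operation in the CUSTOMER domain; with it on, ADMID can only query certificates issued from the 1YBSSL template, because that is the only PKISERV profile permitted.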





Copyright IBM Corporation 1990, 2014