Access control mechanisms in the QR-CERT system are responsible for identifying (recognizing) the user and confirming the user's identity (for an authorized user, that is, one who has an account on the system), and for determining the role within which the user will interact with the system. Identification and authentication of the user are carried out using mechanisms by which a user directly or indirectly proves that he/she is who he/she claims to be. The access control system determines the user role based on group membership or on explicitly specified attributes describing the role. The following roles are implemented in the QR-CERT system:
Initiating Administrator (InitAdmin) – The role allows creating the Administrator account, which is used for further system configuration. The main window of the operator application for the Initiating Administrator role enables only the management of Administrator accounts.
Main Auditor (MainAuditor) – The role allows exporting security records, activity records and network activity logs to files. It also enables viewing the contents of the VSPACE (virtual space) objects, system user accounts and HSM module objects.
Administrator – The role has permissions to:
Auditor – The role allows exporting security records, activity records and network activity logs to files. It also enables displaying the contents of the VSPACE virtual space objects, system operator accounts and HSM module objects.
Administrator VSPACE – The role can install, configure and manage the system executing the certification centre functionality, create and manage user accounts, configure profiles and audit parameters, and generate module keys.
Auditor VSPACE – The role can browse and manage event logs (including the security events log).
VSPACE Operator – The role can approve requests for certificates and requests for revocation or suspension of the certificate.
The QR-CERT system distinguishes 4 levels of permissions. At each level, you can create accounts with permissions to the lower-level accounts. Apart from accounts, users from different levels can also create other objects in the system.
At the first level of permissions there may be only two accounts:
Both accounts are created during the system instance creation (they cannot be created from the operator’s application).
The Initiating Administrator can create the Administrator account, which is used for further configuration of the system. The Main Auditor can view security events and objects from the entire QR-CERT system installation.
At the second level of permissions, the created Administrator accounts are used to build the operating structures of the system: creating virtual spaces, creating administrator accounts for these spaces, and assigning HSMs to individual spaces. The Administrator can also create the Auditor account, which has access to the system operation and security reports, objects, accounts and HSMs.
The third level of permissions occurs at the level of virtual spaces. Within these spaces, VSPACE Administrators can configure target CA systems: create CAs, configure certificate and CRL issuing policies, define X.509 profiles, and create accounts for VSPACE Operators and VSPACE Auditors.
The fourth level of permissions is for VSPACE Operators, who carry out the standard work related to the operation of the system: handling requests for certification, issuing certificates to subscribers, manually generating CRLs, editing tokens, etc.
Figure: Hierarchy of permission levels
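The hierarchy described above can be checked against an account inventory. The following is an added example, not QR-CERT code: the record layout, the function name and the creation matrix are assumptions derived from a strict reading of the four levels, and the sample accounts are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Creation rights as read from the four permission levels (an interpretation
# of the text above, not QR-CERT's actual permission tables).
MAY_CREATE = {
    "InitAdmin": {"Administrator"},
    "Administrator": {"Auditor", "VSPACE Administrator"},
    "VSPACE Administrator": {"VSPACE Operator", "VSPACE Auditor"},
}
INSTANCE_ONLY = {"InitAdmin", "MainAuditor"}  # exist only from instance creation

@dataclass(frozen=True)
class Account:  # hypothetical inventory record
    name: str
    role: str
    created_by: Optional[str]     # None = created together with the system instance
    vspace: Optional[str] = None  # virtual space, for third- and fourth-level roles

def audit_accounts(accounts):
    """Return (account name, finding) pairs for records that break the hierarchy."""
    by_name = {a.name: a for a in accounts}
    findings = []
    for a in accounts:
        if a.role in INSTANCE_ONLY:
            if a.created_by is not None:
                findings.append((a.name, "first-level account created after instance creation"))
            continue
        creator = by_name.get(a.created_by)
        if creator is None:
            findings.append((a.name, "creator unknown"))
        elif a.role not in MAY_CREATE.get(creator.role, set()):
            findings.append((a.name, f"{creator.role} may not create {a.role}"))
        elif creator.role == "VSPACE Administrator" and a.vspace != creator.vspace:
            findings.append((a.name, "created outside the creator's virtual space"))
    return findings

# Constructed sample inventory: the first six records follow the hierarchy.
SAMPLE = [
    Account("init", "InitAdmin", None),
    Account("mainaud", "MainAuditor", None),
    Account("adm1", "Administrator", "init"),
    Account("aud1", "Auditor", "adm1"),
    Account("vsadm-a", "VSPACE Administrator", "adm1", "A"),
    Account("op-a", "VSPACE Operator", "vsadm-a", "A"),
    Account("op-b", "VSPACE Operator", "vsadm-a", "B"),  # operator placed in another space
    Account("adm2", "Administrator", "adm1"),            # same-level creation
    Account("mainaud2", "MainAuditor", "init"),          # first-level account added later
]

if __name__ == "__main__":
    for name, finding in audit_accounts(SAMPLE):
        print(f"{name}: {finding}")
```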
List of specific permissions
All the permissions used in the system are listed below.
Permissions for the Subscriber
Creating accounts for new customers
Permissions for the registration of the CA/RA requests
Registration of the request for a certificate
Permissions for handling requests
Handling requests for issuing subscriber’s certificate
Permissions regarding subscriber’s certificates
Revoking subscribers’ certificates
Permissions regarding CA certificates
Searching and browsing data on CA certificates
Permissions regarding tokens
Personalization of tokens
Permissions for CRL
Searching and browsing CRLs data
Permissions for documents
Registration of documents
Searching for and exporting subscribers’ private keys
Permissions for cards warehouse
Importing data to tokens warehouse
Downloading customer data from external systems
Views in CAO
View – registration of requests
Token issue requests
Registration of requests for central issuing of a card by an operator
Issuing a certificate based on PKCS#10 request