Access Control Management

To access certain NPKD features, the user has to pass certificate based authentication and authorization check for that the particular feature.

Client authentication is achieved on JBoss application server level, while authorization is performed on NPKD application level.

The following user roles are available for managing authorization rights:

• Operator: An Operator can search, import, (un)publish, and edit statuses of certificates. The role can also create and edit home Master Lists and Deviation Lists, and configure and run the PKD Scheduler. An Operator can access his or her own Audit Log and the PKD Scheduler's.

• Administrator: In addition to all the Operator access rights, the Administrator role can edit NPKD configurations, including creating and removing other administrators with equal or less access rights. An Administrator can access only his or her own Audit Log and the PKD Scheduler's.

• Super Administrator: A Super Administrator has access to everything, including all Audit Logs.

• Auditor: An Auditor has the right to view everything, including all Audit Logs, but cannot edit anything. An Auditor role can only be added by a Super Administrator.

Warning: NPKD does not store administrators' certificate data beyond the serial number. This means that it is not possible to check whether an administrator's certificate is expired or revoked. An expired certificate, however, will not pass the TLS handshake

Access Control Initialization

NPKD is initially installed without any registered user. This access control state is considered non-initialized and NPKD application cannot be accessed.

To initialize the access control, access the NPKD application using a web browser with an authenticated client certificate. The access control initialization page will be displayed, asking for confirmation of registering the current authenticated client certificate for the first Super Administrator user.

A successful registration of the first Super Administrator user makes the access control initialized and the Super Administrator role can be used to add users.

Note that it is recommended to only use the Super Administrator user for adding the first Administrator and/or Auditor users since the non-super Administrator cannot add or manage Auditor users.

Expired Superadministrators

Please make sure that there is always an administrator in the SUPER_ADMINISTRATOR role. If all superadministrator's certificates are expired, the way to get the initialization page to display again is to manually remove the administrators in the SUPER_ADMINISTRATOR role from the database:

1. Get the new super administrator certificate ready and installed on the web browser
2. On the command line, log into MySQL command front
3. Get the ID of the SUPER_ADMINISTRATOR role
   

   select pK, adminGroupName from AdminGroupData where adminGroupName='SUPER_ADMINISTRATOR';

   SQL
   The ID is what is displayed in the 'pK' column
   
   
4. (Optional) List all the administrators in the SUPER_ADMINISTRATOR role (this is just to make sure that it worked)
   

   select pK, tokenType, AdminGroupData_adminEntities from AdminEntityData where AdminGroupData_adminEntities='<SUPER_ADMINISTRATOR Role ID>';

   SQL
5. Delete all administrator identified by their certificates from the SUPER_ADMINISTRATOR role
   

    delete from AdminEntityData where AdminGroupData_adminEntities ='<SUPER_ADMINISTRATOR Role ID>' and tokenType='CertificateAuthenticationToken';

   SQL
   Your should get a result saying that the query was OK and how many rows were effected (meaning how many rows/administrators were deleted)
   
   
6. (Optional) Check that all administrators are removed by executing the following command. The result should empty
   

   select pK, tokenType, AdminGroupData_adminEntities from AdminEntityData where AdminGroupData_adminEntities='<SUPER_ADMINISTRATOR Role ID>';

   SQL
7. Log out of MySQL command front
8. Go to NPKD GUI in the web browser where you had the new superadiministrator certificate installed and register the new superadmin

List Administrators

To list all registered administrators, click List Users on the left menu. The User List displays the following information:

• Match Value: The value in the administrator's certificate that will be looked up for authorization check. For all administrators, accept the Command Line Interface (functionality not available) administrator, this value is the administrator's certificate serial number.
• Token Type: The kind of token used to identify the administrator. For all administrators, accept the Command  Line Interface (functionality not available) administrator, the token type is CertificateAuthenticationToken.
• Role: The role the user belongs to
• Delete: Deletes the administrator.
• Change Role: Changes the role the user belongs to.

Add an Administrator

To add a new administrator, follow these steps:

1. Click Add User on the left menu.
2. Click Choose and upload the certificate that the Administrator will use to log into NPKD.
   The certificate's details are displayed in the New User's Certificate details section of the page.
3. Select the role that the new Administrator should belong to.
4. Click Add.