CSSM_CSP_ChangeLoginAcl(3)

NAME
CSSM_CSP_ChangeLoginAcl - Edit a stored CSP ACL login session (CDSA)
SYNOPSIS
# include <cdsa/cssm.h>

CSSM_RETURN CSSMAPI CSSM_CSP_ChangeLoginAcl (CSSM_CSP_HANDLE CSPHandle,
    const CSSM_ACCESS_CREDENTIALS *AccessCred,
    const CSSM_ACL_EDIT *AclEdit)

LIBRARY
Common Security Services Manager library (libcssm.so)
PARAMETERS
CSPHandle (input)
    The module handle that identifies the cryptographic service
    provider to perform this operation.
AccessCred (input)
    A pointer to the set of one or more credentials used to
    authenticate and validate the caller's authorization to modify
    the ACL controlling login sessions with the CSP. Required
    credentials can include zero or more certificates, zero or more
    caller names, and one or more samples. Traditionally a caller
    name has been used to establish the context of a login session.
    Certificates can be used for the same purpose. If certificates
    and/or caller names are provided as input, these must be
    provided as immediate values in this structure. The samples can
    be provided as immediate values or can be obtained through a
    callback function included in the AccessCred structure.
AclEdit (input)
    A structure containing information that defines the edit
    operation. Valid operations include adding, replacing, and
    deleting entries in an ACL managed by the service provider. The
    AclEdit parameter can contain information for a new ACL entry
    and a handle uniquely identifying an existing ACL entry. The
    information controls the edit operation as follows:
    -----------------------------------------------------------------
    Value of AclEdit.EditMode    Use of AclEdit.NewEntry and
                                 AclEdit.OldEntryHandle
    -----------------------------------------------------------------
    CSSM_ACL_EDIT_MODE_ADD       Adds a new ACL entry to the set of
                                 ACL entries controlling login
                                 sessions with the CSP. The new ACL
                                 entry is created from the ACL entry
                                 prototype contained in NewEntry.
                                 OldEntryHandle is ignored for this
                                 EditMode.
    CSSM_ACL_EDIT_MODE_DELETE    Deletes the ACL entry identified by
                                 OldEntryHandle and associated with
                                 login sessions with the CSP.
                                 NewEntry is ignored for this
                                 EditMode.
    CSSM_ACL_EDIT_MODE_REPLACE   Replaces the ACL entry identified
                                 by OldEntryHandle and controlling
                                 login sessions with the CSP. The
                                 existing ACL is replaced based on
                                 the ACL entry prototype contained
                                 in NewEntry.
    -----------------------------------------------------------------
    When replacing an existing ACL entry, the caller must replace
    all items in an ACL entry. The replacement prototype includes:
        Subject type and value - A CSSM_LIST structure containing
            a typed subject. The subject identifies the entity
            authorized by this ACL entry.
        Delegation flag - A CSSM_BOOL value indicating whether the
            subject can delegate the permissions recorded in the
            authorization array.
        Authorization array - A CSSM_AUTHORIZATIONGROUP structure
            defining the set of operations for which permission is
            granted to the subject.
        Validity period - A CSSM_ACL_VALIDITY_PERIOD structure
            containing two elements, the start time and the stop
            time for which the ACL entry is valid.
        ACL entry tag - A CSSM_STRING containing a user-defined
            value associated with the ACL entry.
DESCRIPTION
This function edits the stored ACL controlling login sessions
for a cryptographic service provider (CSP). The ACL is modified
according to the edit mode and information provided in AclEdit.
The caller must have a login session in process and must be
authorized to modify the target ACL. Caller authentication and
authorization to edit the ACL are determined based on the
caller-provided AccessCred.
The caller must be authorized to add, delete, or replace
the ACL entries controlling login to the CSP. When adding
or replacing an ACL entry, the service provider must
reject the creation of duplicate ACL entries.
When adding a new ACL entry to an ACL, the caller must
provide a complete ACL entry prototype. All ACL entry
items, except the ACL entry Subject, must be provided as
an immediate value in AclEdit.NewEntry. The ACL entry
Subject can be provided as an immediate value, from a verifier
with a protected data path, from an external authentication
or authorization service, or through a callback
function specified in AclEdit.NewEntry.Callback.
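As an added example (not code from this reference page or from any CDSA implementation), the following C program turns the EditMode table and the completeness rules above into a caller-side check that runs before CSSM_CSP_ChangeLoginAcl is invoked. The CDSA types are redeclared locally as stand-ins so the file compiles without the SDK; their field names follow the CDSA 2.0 header as I recall it, while the numeric constant values, the ACL_EDIT_* result codes, the helper names (acl_edit_precheck, make_add_edit, sample_entry_input and so on), the treatment of handle 0 as "no handle", and the "alice" subject are all assumptions constructed for the example.

```c
/* Added example, not from the CDSA reference page: a caller-side pre-check of a
 * CSSM_ACL_EDIT before it is passed to CSSM_CSP_ChangeLoginAcl().  The type
 * definitions below are local stand-ins so the file compiles without the CDSA
 * SDK; in real code delete them and #include <cdsa/cssm.h> instead.  Field
 * names follow the CDSA 2.0 header; the numeric constant values and the
 * ACL_EDIT_ERR_* codes are placeholders chosen here, not the standard's codes. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t  CSSM_RETURN;
typedef uint32_t  CSSM_BOOL;
typedef uintptr_t CSSM_ACL_HANDLE;            /* assumption: 0 means "no handle" */
typedef uint32_t  CSSM_ACL_EDIT_MODE;
typedef int32_t   CSSM_ACL_AUTHORIZATION_TAG;
typedef char      CSSM_STRING[68];
typedef struct { uint32_t Length; uint8_t *Data; } CSSM_DATA;

enum { CSSM_OK = 0 };
enum { CSSM_ACL_EDIT_MODE_ADD = 1, CSSM_ACL_EDIT_MODE_DELETE = 2,
       CSSM_ACL_EDIT_MODE_REPLACE = 3 };                 /* placeholder values */
enum { CSSM_ACL_AUTHORIZATION_LOGIN = 0x100 };            /* placeholder value  */

typedef struct cssm_list_element CSSM_LIST_ELEMENT;
typedef struct { uint32_t ListType; CSSM_LIST_ELEMENT *Head, *Tail; } CSSM_LIST;
struct cssm_list_element {
    CSSM_LIST_ELEMENT *NextElement; uint32_t WordID; uint32_t ElementType;
    union { CSSM_LIST Sublist; CSSM_DATA Word; } Element;
};
typedef struct { uint32_t NumberOfAuthTags;
                 CSSM_ACL_AUTHORIZATION_TAG *AuthTags; } CSSM_AUTHORIZATIONGROUP;
typedef struct { CSSM_DATA StartDate, EndDate; } CSSM_ACL_VALIDITY_PERIOD;
typedef struct {                               /* the five items of an entry prototype */
    CSSM_LIST                TypedSubject;     /* subject type and value */
    CSSM_BOOL                Delegate;         /* delegation flag        */
    CSSM_AUTHORIZATIONGROUP  Authorization;    /* authorization array    */
    CSSM_ACL_VALIDITY_PERIOD TimeRange;        /* validity period        */
    CSSM_STRING              EntryTag;         /* user-defined tag       */
} CSSM_ACL_ENTRY_PROTOTYPE;
typedef CSSM_RETURN (*CSSM_ACL_SUBJECT_CALLBACK)(const CSSM_LIST *, CSSM_LIST *, void *);
typedef struct { CSSM_ACL_ENTRY_PROTOTYPE Prototype; CSSM_ACL_SUBJECT_CALLBACK Callback;
                 void *CallerContext; } CSSM_ACL_ENTRY_INPUT;
typedef struct { CSSM_ACL_EDIT_MODE EditMode; CSSM_ACL_HANDLE OldEntryHandle;
                 const CSSM_ACL_ENTRY_INPUT *NewEntry; } CSSM_ACL_EDIT;

enum { ACL_EDIT_OK = CSSM_OK, ACL_EDIT_ERR_NULL_EDIT, ACL_EDIT_ERR_BAD_MODE,
       ACL_EDIT_ERR_MISSING_NEW_ENTRY, ACL_EDIT_ERR_MISSING_OLD_HANDLE,
       ACL_EDIT_ERR_INCOMPLETE_PROTOTYPE };

/* "Complete" as the page defines it: every item is immediate except the subject,
 * which may instead be supplied through NewEntry->Callback; and at least one
 * authorization tag must be present. */
static int prototype_complete(const CSSM_ACL_ENTRY_INPUT *e)
{
    int subject_ok = e->Prototype.TypedSubject.Head != NULL || e->Callback != NULL;
    int auth_ok = e->Prototype.Authorization.NumberOfAuthTags > 0 &&
                  e->Prototype.Authorization.AuthTags != NULL;
    return subject_ok && auth_ok;
}

/* Applies the EditMode table: which of NewEntry / OldEntryHandle each mode needs. */
int acl_edit_precheck(const CSSM_ACL_EDIT *edit)
{
    if (edit == NULL) return ACL_EDIT_ERR_NULL_EDIT;
    switch (edit->EditMode) {
    case CSSM_ACL_EDIT_MODE_ADD:             /* NewEntry used, OldEntryHandle ignored */
        if (edit->NewEntry == NULL) return ACL_EDIT_ERR_MISSING_NEW_ENTRY;
        return prototype_complete(edit->NewEntry) ? ACL_EDIT_OK : ACL_EDIT_ERR_INCOMPLETE_PROTOTYPE;
    case CSSM_ACL_EDIT_MODE_DELETE:          /* OldEntryHandle used, NewEntry ignored */
        return edit->OldEntryHandle != 0 ? ACL_EDIT_OK : ACL_EDIT_ERR_MISSING_OLD_HANDLE;
    case CSSM_ACL_EDIT_MODE_REPLACE:         /* both used; every item of the entry is replaced */
        if (edit->OldEntryHandle == 0) return ACL_EDIT_ERR_MISSING_OLD_HANDLE;
        if (edit->NewEntry == NULL) return ACL_EDIT_ERR_MISSING_NEW_ENTRY;
        return prototype_complete(edit->NewEntry) ? ACL_EDIT_OK : ACL_EDIT_ERR_INCOMPLETE_PROTOTYPE;
    default:
        return ACL_EDIT_ERR_BAD_MODE;
    }
}

CSSM_ACL_EDIT make_add_edit(const CSSM_ACL_ENTRY_INPUT *entry)
{ CSSM_ACL_EDIT e = { CSSM_ACL_EDIT_MODE_ADD, 0, entry }; return e; }
CSSM_ACL_EDIT make_delete_edit(CSSM_ACL_HANDLE old)
{ CSSM_ACL_EDIT e = { CSSM_ACL_EDIT_MODE_DELETE, old, NULL }; return e; }
CSSM_ACL_EDIT make_replace_edit(CSSM_ACL_HANDLE old, const CSSM_ACL_ENTRY_INPUT *entry)
{ CSSM_ACL_EDIT e = { CSSM_ACL_EDIT_MODE_REPLACE, old, entry }; return e; }
int precheck_edit(CSSM_ACL_EDIT edit) { return acl_edit_precheck(&edit); }

/* Constructed sample: grants LOGIN to caller name "alice" (simplified subject encoding). */
const CSSM_ACL_ENTRY_INPUT *sample_entry_input(void)
{
    static uint8_t name[] = "alice";
    static CSSM_LIST_ELEMENT subject = { NULL, 0, 0, { .Word = { sizeof name - 1, name } } };
    static CSSM_ACL_AUTHORIZATION_TAG tags[] = { CSSM_ACL_AUTHORIZATION_LOGIN };
    static CSSM_ACL_ENTRY_INPUT in;
    memset(&in, 0, sizeof in);
    in.Prototype.TypedSubject.Head = in.Prototype.TypedSubject.Tail = &subject;
    in.Prototype.Delegate = 0;                              /* no delegation */
    in.Prototype.Authorization.NumberOfAuthTags = 1;
    in.Prototype.Authorization.AuthTags = tags;
    strncpy(in.Prototype.EntryTag, "login-alice", sizeof in.Prototype.EntryTag - 1);
    return &in;
}

/* Constructed sample of an incomplete prototype: no subject and no callback. */
const CSSM_ACL_ENTRY_INPUT *incomplete_entry_input(void)
{
    static CSSM_ACL_ENTRY_INPUT in;
    memset(&in, 0, sizeof in);
    return &in;
}

int main(void)
{
    printf("add:     %d\n", precheck_edit(make_add_edit(sample_entry_input())));  /* 0 */
    printf("delete:  %d\n", precheck_edit(make_delete_edit(0)));                  /* 4 */
    printf("replace: %d\n", precheck_edit(make_replace_edit(7, NULL)));           /* 3 */
    return 0;
}
```

The check is deliberately local: the service provider is what ultimately decides, and it will reject duplicates and entries it considers incomplete, but a malformed CSSM_ACL_EDIT caught before the call is easier to attribute than a generic error return. In real use, remove the stand-in definitions, include <cdsa/cssm.h>, and pass the address of the checked edit as AclEdit alongside the CSPHandle and AccessCred of an existing login session.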
RETURN VALUE
A CSSM_RETURN value indicating success or specifying a particular
error condition. The value CSSM_OK indicates success. All other
values represent an error condition. Errors are described in the
CDSA technical standard. See CDSA_intro(3).

ERRORS
None specific to this call.
SEE ALSO
Books
    Intel CDSA Application Developer's Guide (see CDSA_intro(3))
Reference Pages
    Functions: CSSM_CSP_GetLoginACL(3), CSSM_CSP_Login(3),
    CSSM_CSP_Logout(3)