how does one prevent certs from being shown to certain users? #609

Closed
jeremyguarini opened this issue Dec 16, 2016 · 4 comments

Comments

@jeremyguarini

Hi,

I have a fresh install with two users. One user has admin and operator roles while the second user has no roles. Now if I create a cert with the first user and assign the admin role to it, the second user can still see/view it. Is my understanding of roles incorrect? I thought that by assigning roles to certs it would show/hide it to the logged-in user.

thanks

@kevgliss
Contributor

Roles are membership based. For example you have two users: Alice and Bob.

Alice is an admin and has the admin role associated with her account. The admin role has special permissions that allow her to see and do just about anything within Lemur.

Bob is just an operator; by default he can't actually do anything. If we want Bob to be able to issue certificates from a given authority, we assign the operator role to that authority. Now Bob can see and use that authority. For any certificate he creates from that authority, he can view the certificate and private key information as the creator of that certificate.

However, if a third user, Charlie (another operator), tries to view the private key of the certificate Bob just created, he will not be allowed. He will, however, be able to view the public key of the certificate Bob created. Public keys are not considered private as they have to be available for PKI to function.

@jeremyguarini
Author

So I understand that. Is there a way to not show certs to Charlie when he is not part of any roles assigned to them?

thanks

@kevgliss
Contributor

Charlie will not be able to view private key material but will still be able to view all public material. There is currently no way to restrict Charlie from viewing the public parts of a certificate. There is, however, #22, which would give you a view where a user would only see the certificates they own specifically.

@jeremyguarini
Author

#22 sounds like what I want. I will track that request.

thanks
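
The access rules described in this thread, modeled as an added example (this is not Lemur's code and was not posted by any participant). All class and function names are hypothetical; the rules encoded are only those stated in the comments above, and `owned_view` is an assumption about the owner-only listing that #22 would provide.

```python
from dataclasses import dataclass

ADMIN = "admin"  # role name used in the thread


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset = frozenset()


@dataclass(frozen=True)
class Authority:
    name: str
    roles: frozenset = frozenset()  # roles allowed to issue from this authority


@dataclass(frozen=True)
class Certificate:
    name: str
    creator: str
    body: str         # public part of the certificate
    private_key: str  # sensitive key material


def can_use_authority(user, authority):
    """Membership check: admin, or the user holds a role assigned to the authority."""
    return ADMIN in user.roles or bool(user.roles & authority.roles)


def can_view_private_key(user, cert):
    """Per the thread: only an admin or the certificate's creator reads the key."""
    return ADMIN in user.roles or cert.creator == user.name


def serialize_for(user, cert):
    """Public fields go to every user; the key is included only when authorized."""
    out = {"name": cert.name, "creator": cert.creator, "body": cert.body}
    if can_view_private_key(user, cert):
        out["private_key"] = cert.private_key
    return out


def owned_view(user, certs):
    """Owner-only listing (assumed shape of #22): other users' certs are omitted."""
    return [serialize_for(user, c) for c in certs if c.creator == user.name]
```

The redaction happens in the serializer rather than in the listing query, which is why Charlie still receives the public fields of Bob's certificate in the default view.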
