CA Group Management

This section describes the management of CA Groups, which provide a mechanism for organizing users and assigning specific permissions related to a particular Certificate Authority.

Key Functionalities

Listing CA Groups

  • Endpoint: /ca/{ca}/groups
  • Description: Displays a paginated list of groups associated with a given Certificate Authority.
  • Details: Each group listing includes information about the users assigned to it.

Creating CA Groups

  • Endpoints:
    • GET /ca/{ca}/groups/create: Displays the form for creating a new CA group.
    • POST /ca/{ca}/groups: Submits data to create a new group.
  • Requirements:
    • name: A unique name for the group within the context of the specific CA.
    • description: An optional description for the group.
    • permissions: An array of strings representing the permissions granted to members of this group.
  • Available Permissions: The system defines a set of available permissions (e.g., issue_certificate, revoke_certificate), which can be retrieved via the CAGroup model's getAvailablePermissions() method.
  • Audit Logging: Records the creation of new CA groups.

Viewing CA Group Details

  • Endpoint: /ca/{ca}/groups/{group}
  • Description: Displays detailed information about a specific CA group, including its assigned users and the associated Certificate Authority.

Updating CA Groups

  • Endpoints:
    • GET /ca/{ca}/groups/{group}/edit: Displays the form for editing an existing CA group.
    • PUT/PATCH /ca/{ca}/groups/{group}: Submits data to update a group.
  • Updatable Fields:
    • name: The group's name (must remain unique within the CA).
    • description
    • permissions
    • is_active: A boolean flag to activate or deactivate the group.
  • Audit Logging: Records updates made to CA groups.

Deleting CA Groups

  • Endpoint: DELETE /ca/{ca}/groups/{group}
  • Description: Permanently deletes a CA group.
  • Precondition: All users must be detached from the group before it can be deleted.
  • Audit Logging: Records the deletion of CA groups.

Assigning Users to CA Groups

  • Endpoint: POST /ca/{ca}/groups/{group}/assign-user
  • Description: Assigns an existing user to a specific CA group.
  • Requirements:
    • user_id: The ID of the user to assign.
  • Validation: Prevents assigning a user who is already a member of the group.
  • Metadata: Records assigned_by (the user who performed the assignment) and an assigned_at timestamp.
  • Audit Logging: Records user assignment events.

Removing Users from CA Groups

  • Endpoint: DELETE /ca/{ca}/groups/{group}/remove-user/{user}
  • Description: Removes a user from a specific CA group.
  • Audit Logging: Records user removal events.

Inferred Specifications

  • Group Scope: CA groups are tightly coupled to a single Certificate Authority, meaning a group belongs to one and only one CA.
  • Unique Naming: Group names must be unique within the scope of a parent CA to avoid conflicts.
  • Permission Model: Permissions are defined as a set of strings, allowing for granular control over actions users can perform within the context of a CA.
  • User-Group Relationship: A many-to-many relationship exists between users and CA groups, enabling a user to be part of multiple groups across different CAs, and a group to contain multiple users.
  • Auditability: All significant actions related to CA group management and user assignments are logged, providing a clear audit trail for security and compliance.
  • Group Status: Groups can be activated or deactivated, allowing for temporary suspension of group permissions without deletion.
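To make the scoping rules above concrete, the following is an added Python illustration (not the project's own code) of the invariants this page describes: permissions validated against the available set, group names unique per CA, no duplicate assignments, detach-before-delete, and effective permissions computed only from active groups of the requested CA. The AVAILABLE_PERMISSIONS set, the in-memory store and all sample identifiers are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed from the permission names quoted on the page; the real system
# would obtain this set from CAGroup's getAvailablePermissions().
AVAILABLE_PERMISSIONS = {"issue_certificate", "revoke_certificate"}


@dataclass
class CAGroup:
    ca: str                      # a group belongs to exactly one CA
    name: str                    # unique within that CA
    permissions: set
    is_active: bool = True       # deactivation suspends permissions without deletion
    members: set = field(default_factory=set)


class CAGroupStore:
    """In-memory stand-in for the CA group endpoints, enforcing the page's rules."""

    def __init__(self):
        self.groups = {}         # (ca, name) -> CAGroup
        self.audit = []          # every significant action is recorded here

    def create(self, ca, name, permissions):
        unknown = set(permissions) - AVAILABLE_PERMISSIONS
        if unknown:
            raise ValueError(f"unknown permissions: {sorted(unknown)}")
        if (ca, name) in self.groups:
            raise ValueError(f"group {name!r} already exists in CA {ca!r}")
        self.groups[(ca, name)] = CAGroup(ca, name, set(permissions))
        self.audit.append(("group.created", ca, name))
        return self.groups[(ca, name)]

    def assign_user(self, ca, name, user_id, assigned_by):
        group = self.groups[(ca, name)]
        if user_id in group.members:
            raise ValueError("user is already a member of this group")
        group.members.add(user_id)
        self.audit.append(("user.assigned", ca, name, user_id, assigned_by))

    def delete(self, ca, name):
        if self.groups[(ca, name)].members:
            raise ValueError("detach all users before deleting the group")
        del self.groups[(ca, name)]
        self.audit.append(("group.deleted", ca, name))

    def effective_permissions(self, ca, user_id):
        """Union of permissions from the user's active groups in this CA only."""
        return set().union(*(g.permissions for g in self.groups.values()
                             if g.ca == ca and g.is_active and user_id in g.members))
```

Membership in a group of another CA, or in a deactivated group, contributes nothing to effective_permissions, which is the check an authorization layer would run before honouring an issue or revoke request.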
