Index Index for
Section 3
Index Alphabetical
listing for C
Bottom of page Bottom of
page		 

CSSM_CSP_ChangeLoginAcl(3)


NAME

  CSSM_CSP_ChangeLoginAcl - Edit a stored CSP ACL login session (CDSA)


SYNOPSIS

  # include <cdsa/cssm.h>

       CSSM_RETURN CSSMAPI CSSM_CSP_ChangeLoginAcl
       (CSSM_CSP_HANDLE CSPHandle,
       const CSSM_ACCESS_CREDENTIALS *AccessCred,
       const CSSM_ACL_EDIT *AclEdit)


LIBRARY

  Common Security Services Manager library (libcssm.so)


PARAMETERS

  CSPHandle (input)
	  The module handle that identifies the cryptographic service
	  provider to perform this operation

  AccessCred (input)
	  A pointer to the set of one or more credentials used to
	  authenticate and validate the caller's authorization to modify the
	  ACL controlling login sessions with the CSP. Required credentials
	  can include zero or more certificates, zero or more caller names,
	  and one or more samples. Traditionally a caller name has been used
	  to establish the context of a login session. Certificates can be
	  used for the same purpose. If certificates and/or caller names are
	  provided as input, these must be provided as immediate values in
	  this structure.  The samples can be provided as immediate values or
	  can be obtained through a callback function included in the
	  AccessCred structure.

  AclEdit (input)
	  A structure containing information that defines the edit operation.
	  Valid operations include adding, replacing, and deleting entries in
	  an ACL managed by the service provider. The AclEdit parameter can
	  contain information for a new ACL entry and a handle uniquely
	  identifying an existing ACL entry. The information controls the
	  edit operation as follows:

	  ________________________________________________________________
	  Value of AclEdit.EditMode

				       Use of AclEdit.NewEntry and
				       AclEdit.OldEntryHandle
	  ________________________________________________________________

	  CSSM_ACL_EDIT_MODE_ADD

				       Adds a new ACL entry to the set of
				       ACL entries controlling login
				       sessions with the CSP. The new ACL
				       entry is created from the ACL entry
				       prototype contained in NewEntry.
				       OldEntryHandle is ignored for this
				       EditMode.

	  CSSM_ACL_EDIT_MODE_DELETE

				       Deletes the ACL entry identified by
				       OldEntryHandle and associated with
				       login sessions with the CSP.
				       NewEntry is ignored for this
				       EditMode.

	  CSSM_ACL_EDIT_MODE_REPLACE

				       Replaces the ACL entry identified
				       by OldEntryHandle and controlling
				       login sessions with the CSP. The
				       existing ACL is replaced based on
				       the ACL entry prototype contained
				       in the NewEntry.
	  ________________________________________________________________

	  When replacing an existing ACL entry, the caller must replace all
	  items in an ACL entry. The replacement prototype includes:

	    ·  Subject type and value - A CSSM_LIST structure containing a
	       typed subject. The subject identifies the entity authorized by
	       this ACL entry.

	    ·  Delegation flag - A CSSM_BOOL value indicating whether the
	       subject can delegate the permissions recorded in the
	       authorization array.

	    ·  Authorization array - A CSSM_AUTHORIZATIONGROUP structure
	       defining the set of operations for which permission is granted
	       to the subject.

	    ·  Validity period - A CSSM_ACL_VALIDITY_PERIOD structure
	       containing two elements, the start time and the stop time for
	       which the ACL entry is valid.

	    ·  ACL entry tag - A CSSM_STRING containing a user-defined value
	       associated with the ACL entry.


DESCRIPTION

  This function edits the stored ACL controlling login sessions for a
  cryptographic service provider (CSP). The ACL is modified according to the
  edit mode and information provided in AclEdit.

  The caller must have a login session in process and must be authorized to
  modify the target ACL. Caller authentication and authorization to edit the
  ACL is determined based on the caller-provided AccessCred.

  The caller must be authorized to add, delete, or replace the ACL entries
  controlling login to the CSP. When adding or replacing an ACL entry, the
  service provider must reject the creation of duplicate ACL entries.

  When adding a new ACL entry to an ACL, the caller must provide a complete
  ACL entry prototype. All ACL entry items, except the ACL entry Subject,
  must be provided as an immediate value in AclEdit.NewEntry.  The ACL entry
  Subject can be provided as an immediate value, from a verifier with a
  protected data path, from an external authentication or authorization
  service, or through a callback function specified in
  AclEdit.NewEntry.Callback.


RETURN VALUE

  A CSSM_RETURN value indicating success or specifying a particular error
  condition. The value CSSM_OK indicates success. All other values represent
  an error condition.


ERRORS

  Errors are described in the CDSA technical standard.	See CDSA_intro(3).

  None specific to this call.


SEE ALSO

  Books

  Intel CDSA Application Developer's Guide (see CDSA_intro(3))

  Reference Pages

  Functions: CSSM_CSP_GetLoginACL(3) CSSM_CSP_Login(3), CSSM_CSP_Logout(3)

Index Index for
Section 3
Index Alphabetical
listing for C
Top of page Top of
page