CSSM_CSP_ChangeLoginAcl(3)

NAME
CSSM_CSP_ChangeLoginAcl - Edit a stored CSP ACL login session (CDSA)
SYNOPSIS
# include <cdsa/cssm.h>

CSSM_RETURN CSSMAPI CSSM_CSP_ChangeLoginAcl (CSSM_CSP_HANDLE CSPHandle,
    const CSSM_ACCESS_CREDENTIALS *AccessCred,
    const CSSM_ACL_EDIT *AclEdit)
LIBRARY
Common Security Services Manager library (libcssm.so)
PARAMETERS
CSPHandle
    The module handle that identifies the cryptographic service provider to
    perform this operation.
AccessCred
    A pointer to the set of one or more credentials used to authenticate and
    validate the caller's authorization to modify the ACL controlling login
    sessions with the CSP. Required credentials can include zero or more
    certificates, zero or more caller names, and one or more samples.
    Traditionally a caller name has been used to establish the context of a
    login session. Certificates can be used for the same purpose. If
    certificates and/or caller names are provided as input, these must be
    provided as immediate values in this structure. The samples can be
    provided as immediate values or can be obtained through a callback
    function included in the AccessCred structure.
AclEdit
    A structure containing information that defines the edit operation.
    Valid operations include adding, replacing, and deleting entries in an
    ACL managed by the service provider. The AclEdit parameter can contain
    information for a new ACL entry and a handle uniquely identifying an
    existing ACL entry. The information controls the edit operation as
    follows:
─────────────────────────────────────────────────────────────────────────────
Value of AclEdit.EditMode     Use of AclEdit.NewEntry and AclEdit.OldEntryHandle
─────────────────────────────────────────────────────────────────────────────
CSSM_ACL_EDIT_MODE_ADD        Adds a new ACL entry to the set of ACL entries
                              controlling login sessions with the CSP. The new
                              ACL entry is created from the ACL entry prototype
                              contained in NewEntry. OldEntryHandle is ignored
                              for this EditMode.
CSSM_ACL_EDIT_MODE_DELETE     Deletes the ACL entry identified by OldEntryHandle
                              and associated with login sessions with the CSP.
                              NewEntry is ignored for this EditMode.
CSSM_ACL_EDIT_MODE_REPLACE    Replaces the ACL entry identified by OldEntryHandle
                              and controlling login sessions with the CSP. The
                              existing ACL entry is replaced based on the ACL
                              entry prototype contained in NewEntry.
─────────────────────────────────────────────────────────────────────────────
    When replacing an existing ACL entry, the caller must replace all items
    in an ACL entry. The replacement prototype includes:
    Subject type and value
        A CSSM_LIST structure containing a typed subject. The subject
        identifies the entity authorized by this ACL entry.
    Delegation flag
        A CSSM_BOOL value indicating whether the subject can delegate the
        permissions recorded in the authorization array.
    Authorization array
        A CSSM_AUTHORIZATIONGROUP structure defining the set of operations
        for which permission is granted to the subject.
    Validity period
        A CSSM_ACL_VALIDITY_PERIOD structure containing two elements, the
        start time and the stop time for which the ACL entry is valid.
    ACL entry tag
        A CSSM_STRING containing a user-defined value associated with the
        ACL entry.
DESCRIPTION
This function edits the stored ACL controlling login sessions for a
cryptographic service provider (CSP). The ACL is modified according to
the edit mode and information provided in AclEdit.
The caller must have a login session in process and must be authorized
to modify the target ACL. Caller authentication and authorization to
edit the ACL are determined based on the caller-provided AccessCred.
The caller must be authorized to add, delete, or replace the ACL
entries controlling login to the CSP. When adding or replacing an ACL
entry, the service provider must reject the creation of duplicate ACL
entries.
When adding a new ACL entry to an ACL, the caller must provide a
complete ACL entry prototype. All ACL entry items, except the ACL entry
Subject, must be provided as an immediate value in AclEdit.NewEntry.
The ACL entry Subject can be provided as an immediate value, from a
verifier with a protected data path, from an external authentication or
authorization service, or through a callback function specified in
AclEdit.NewEntry.Callback.
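As an added example that is not part of this reference page or of CDSA: a caller-side check that a CSSM_ACL_EDIT carries the fields its EditMode needs, following the EditMode table and the completeness rules above, before it is handed to CSSM_CSP_ChangeLoginAcl(). The type definitions are stand-ins that assume the CDSA field names (Prototype, TypedSubject, Authorization, Callback) so the file compiles without <cdsa/cssm.h>; the result codes and the "handle 0 means no handle" convention are local to the example.

```c
/* Added example, not CDSA code: check that a CSSM_ACL_EDIT is complete for its
 * EditMode before handing it to CSSM_CSP_ChangeLoginAcl(). The type definitions
 * below are stand-ins (assumed to mirror the CDSA field names) so the file
 * builds without <cdsa/cssm.h>; with the real header they would be dropped. */
#include <stddef.h>
#include <stdint.h>

typedef uint32_t CSSM_BOOL;
typedef uintptr_t CSSM_ACL_HANDLE;            /* assumption: 0 means "no handle" */
typedef enum { CSSM_ACL_EDIT_MODE_ADD = 1, CSSM_ACL_EDIT_MODE_DELETE = 2,
               CSSM_ACL_EDIT_MODE_REPLACE = 3 } CSSM_ACL_EDIT_MODE;
typedef struct { void *Head; } CSSM_LIST;     /* typed subject; NULL = no immediate value */
typedef struct { uint32_t NumberOfAuthTags; const uint32_t *AuthTags; } CSSM_AUTHORIZATIONGROUP;
typedef struct {
    CSSM_LIST TypedSubject;                   /* subject type and value */
    CSSM_BOOL Delegate;                       /* delegation flag */
    CSSM_AUTHORIZATIONGROUP Authorization;    /* authorization array */
    char EntryTag[68];                        /* ACL entry tag (CSSM_STRING); validity period omitted */
} CSSM_ACL_ENTRY_PROTOTYPE;
typedef struct { CSSM_ACL_ENTRY_PROTOTYPE Prototype; void *Callback; } CSSM_ACL_ENTRY_INPUT;
typedef struct { CSSM_ACL_EDIT_MODE EditMode; CSSM_ACL_HANDLE OldEntryHandle;
                 CSSM_ACL_ENTRY_INPUT NewEntry; } CSSM_ACL_EDIT;

/* Local result codes; the man page lists no CDSA errors specific to this call. */
enum { ACL_EDIT_OK = 0, ACL_EDIT_BAD_MODE, ACL_EDIT_NO_HANDLE,
       ACL_EDIT_NO_SUBJECT, ACL_EDIT_NO_AUTHORIZATIONS };

/* A prototype is usable when it names a subject (immediate value, or a Callback
 * that will supply one) and grants at least one operation. */
static int prototype_complete(const CSSM_ACL_ENTRY_INPUT *e)
{
    if (e->Prototype.TypedSubject.Head == NULL && e->Callback == NULL)
        return ACL_EDIT_NO_SUBJECT;
    if (e->Prototype.Authorization.NumberOfAuthTags == 0 || e->Prototype.Authorization.AuthTags == NULL)
        return ACL_EDIT_NO_AUTHORIZATIONS;
    return ACL_EDIT_OK;
}

/* The EditMode table: ADD needs NewEntry (OldEntryHandle ignored), DELETE needs
 * OldEntryHandle (NewEntry ignored), REPLACE needs both. */
int check_login_acl_edit(const CSSM_ACL_EDIT *edit)
{
    switch (edit->EditMode) {
    case CSSM_ACL_EDIT_MODE_ADD:     return prototype_complete(&edit->NewEntry);
    case CSSM_ACL_EDIT_MODE_DELETE:  return edit->OldEntryHandle ? ACL_EDIT_OK : ACL_EDIT_NO_HANDLE;
    case CSSM_ACL_EDIT_MODE_REPLACE: return edit->OldEntryHandle ? prototype_complete(&edit->NewEntry)
                                                                 : ACL_EDIT_NO_HANDLE;
    default:                         return ACL_EDIT_BAD_MODE;
    }
}
```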
RETURN VALUE
A CSSM_RETURN value indicating success or specifying a particular error
condition. The value CSSM_OK indicates success. All other values
represent an error condition.
ERRORS
Errors are described in the CDSA technical standard. See
CDSA_intro(3).
None specific to this call.
SEE ALSO
Books
Intel CDSA Application Developer's Guide (see CDSA_intro(3))
Reference Pages
Functions: CSSM_CSP_GetLoginACL(3), CSSM_CSP_Login(3), CSSM_CSP_Logout(3)