2.2.1.11 Officer and Enrollment Agent Access Rights

Officer and Enrollment Agent access rights structures are used by the server to return the results of a client query; for example, the client's invocation of the GetOfficerRights method (section 3.1.4.2.12) of the ICertAdminD2 interface (sections 3.1.4.2 and 3.2.4.2).

Officer rights and Enrollment Agent rights are security descriptors. Security descriptor structures are defined in [MS-DTYP] section 2.4.6 and can contain SID structures ([MS-DTYP] section 2.4.2). Officer rights and Enrollment Agent rights security descriptors have the following properties:

  1. Each access control entry (ACE) in the discretionary access control list (DACL) MUST have:

    • Either the AceType 0x9 (ACCESS_ALLOWED_CALLBACK_ACE_TYPE for the ACCESS_ALLOWED_CALLBACK_ACE, [MS-DTYP] section 2.4.4.6) or the AceType 0x0A (ACCESS_DENIED_CALLBACK_ACE_TYPE for the ACCESS_DENIED_CALLBACK_ACE, [MS-DTYP] section 2.4.4.7).

    • AccessMask 0x00010000.

  2. The ACE contains additional application data following the SID.

The format for the additional application data is as follows.

      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                            SIDCount                           |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                     Array of SIDs (variable)                  |
     |                              ...                              |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                      TemplateName (variable)                  |
     |                              ...                              |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

SIDCount (4 bytes): A little-endian encoded DWORD that contains the count of the SID structures following it.

Array of SIDs (variable): An array of SID structures marshaled in packet representation ([MS-DTYP] section 2.4.2.2) that identify either (i) principals for whom the officer can approve requests; or (ii) principals on whose behalf the enrollment agent can obtain certificates. For an Officer rights security descriptor, case (i) applies. For an Enrollment Agent rights security descriptor, case (ii) applies.

TemplateName (variable): A null-terminated, little-endian encoded Unicode string that identifies the common name (CN) of the template (as defined in [MS-CRTD]) for which the officer is authorized to approve requests.
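The following is an added example, not part of [MS-CSRA] or any Microsoft code: it marshals and validates one callback ACE of this form (AceType 0x09/0x0A, AccessMask 0x00010000, trustee SID, then SIDCount, the SID array in packet representation and the null-terminated TemplateName). The sample SIDs and the "User" template name are constructed values.

```python
import struct

ACCESS_ALLOWED_CALLBACK_ACE_TYPE = 0x09  # [MS-DTYP] 2.4.4.6
ACCESS_DENIED_CALLBACK_ACE_TYPE = 0x0A   # [MS-DTYP] 2.4.4.7
OFFICER_ACCESS_MASK = 0x00010000         # required AccessMask per this section


def encode_sid(sid):
    """Marshal 'S-R-A-s1-...' into packet representation ([MS-DTYP] 2.4.2.2)."""
    rev, auth, *subs = (int(p) for p in sid.split("-")[1:])
    return (bytes([rev, len(subs)]) + auth.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def parse_sid(buf, off):
    """Unmarshal a packet-representation SID at buf[off:]; return (text, next_off)."""
    rev, count = buf[off], buf[off + 1]
    auth = int.from_bytes(buf[off + 2:off + 8], "big")  # IdentifierAuthority is big-endian
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, auth) + "".join("-%d" % s for s in subs), off + 8 + 4 * count


def build_callback_ace(ace_type, trustee, principals, template):
    """Build an ACCESS_*_CALLBACK_ACE carrying the Officer/Enrollment Agent data."""
    body = struct.pack("<I", OFFICER_ACCESS_MASK) + encode_sid(trustee)
    body += struct.pack("<I", len(principals)) + b"".join(map(encode_sid, principals))
    body += template.encode("utf-16-le") + b"\x00\x00"  # little-endian Unicode, null-terminated
    return struct.pack("<BBH", ace_type, 0, 4 + len(body)) + body  # AceType, AceFlags, AceSize


def parse_callback_ace(ace):
    """Check the ACE against this section's rules and decode the data after the SID."""
    ace_type, _flags, ace_size, mask = struct.unpack_from("<BBHI", ace, 0)
    if ace_type not in (ACCESS_ALLOWED_CALLBACK_ACE_TYPE, ACCESS_DENIED_CALLBACK_ACE_TYPE):
        raise ValueError("AceType 0x%02X is not a callback ACE" % ace_type)
    if mask != OFFICER_ACCESS_MASK or ace_size != len(ace):
        raise ValueError("bad AccessMask 0x%08X or AceSize %d" % (mask, ace_size))
    trustee, off = parse_sid(ace, 8)
    sid_count, off = struct.unpack_from("<I", ace, off)[0], off + 4
    principals = []
    for _ in range(sid_count):
        sid, off = parse_sid(ace, off)
        principals.append(sid)
    end = off  # scan for the 2-byte terminator on a 2-byte boundary, never past AceSize
    while end + 2 <= ace_size and ace[end:end + 2] != b"\x00\x00":
        end += 2
    if end + 2 > ace_size:
        raise ValueError("TemplateName is not null-terminated")
    return {"allowed": ace_type == ACCESS_ALLOWED_CALLBACK_ACE_TYPE, "trustee": trustee,
            "principals": principals, "template": ace[off:end].decode("utf-16-le")}


# Constructed sample: one officer may approve requests from one group for template "User".
SAMPLE_ACE = build_callback_ace(ACCESS_ALLOWED_CALLBACK_ACE_TYPE, "S-1-5-21-1-2-3-1105", ["S-1-5-21-1-2-3-513"], "User")
```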