System Configuration groups
Configuration groups are created or modified by submitting a config groups request to the system. Only members of the groups listed in the system bootstrap setting initialWriterGroups can submit such a request.
Different groups in the system configuration
Access to the system's functionality is controlled by Azure AD groups in four categories: CA (PKI), product, client registration, and escrow registration. Each configuration item below holds a list of Azure AD group IDs (the group object ID, a GUID).
| Config item | Description |
|---|---|
| productReaderGroups | Azure AD group IDs of groups authorized for reading operations for product endpoints. See API specification for product. |
| productWriterGroups | Azure AD group IDs of groups authorized for write operations for product endpoints. See API specification for product. |
| productListReaderGroups | Azure AD group IDs of groups authorized for reading operations for product list endpoint. See API specification for product. |
| productApprovalGroups | Azure AD group IDs of groups authorized for approving operations for products. See API specification for product. |
| caReaderGroups | Azure AD group IDs of groups authorized for reading operations for CA endpoints. See API specification for PKI. |
| caWriterGroups | Azure AD group IDs of groups authorized for write operations for CA endpoints. See API specification for PKI. |
| caApprovalGroups | Not used currently. The reference client still prompts for it and sends it as ca_approval_groups. |
| revocationWriterGroups | Azure AD group IDs of groups authorized for write operations on CA endpoints related to revocation. See API specification for PKI. |
| revocationApprovalGroups | Azure AD group IDs of groups authorized to approve revocations. See API specification for PKI. |
| registerClientGroups | Azure AD group IDs of groups authorized to register clients. See API specification for registrations.clients. |
| registerClientApprovalGroups | Azure AD group IDs of groups authorized to approve client registrations. See API specification for registrations.clients. |
| registerEscrowGroups | Azure AD group IDs of groups authorized to register escrow endpoints. See API specification for registrations.escrows. |
| registerEscrowApprovalGroups | Azure AD group IDs of groups authorized to approve escrow registrations. See API specification for registrations.escrows. |
Once the request has been submitted it is in state ApprovalRequired and must be approved by the relevant approver before anything changes. Only members of the groups listed in the system bootstrap setting initialApproverGroups can approve such a request, so submitting and approving are two separate steps performed by different principals; in the example below the requester authenticates with $TOKEN and the approver with $APPTOKEN.
Example usage with the reference client package: initialize group configuration
Note that the configuration set here is for demonstration purposes only.
Adding a request for group configuration:
```console
(venv) $ ./signing-tool.py -c -t $TOKEN -a https://app.laavat.io/<CustomerName>/api/v1 group add
Creating Product Writer group
Add group id which is allowed to create products: b716abb1-2e3b-47a9-bca5-a3669faa50a6
Do you want add another group(Y/N): n
Creating Product reader group
Add group id which is allowed to read product details: b716abb1-2e3b-47a9-bca5-a3669faa50a6
Do you want add another group(Y/N): y
Add group id which is allowed to read product details: f65a3ea9-60db-47a4-9ad8-c6915735ec5f
Do you want add another group(Y/N): n
Creating Productlist reader group
Add group id which is allowed to read products: b716abb1-2e3b-47a9-bca5-a3669faa50a6
Do you want add another group(Y/N): n
Creating Product approver group
Add group id which is allowed to approve products: f65a3ea9-60db-47a4-9ad8-c6915735ec5f
Do you want add another group(Y/N): n
Creating CA Reader Group
Add group id which is allowed to read CA data (leave empty for no group): b716abb1-2e3b-47a9-bca5-a3669faa50a6
Do you want add another group(Y/N): y
Add group id which is allowed to read CA data (leave empty for no group): f65a3ea9-60db-47a4-9ad8-c6915735ec5f
Do you want add another group(Y/N): n
Creating CA Writer Group
Add group id which is allowed to write CA data (leave empty for no group): b716abb1-2e3b-47a9-bca5-a3669faa50a6
Do you want add another group(Y/N): n
Creating CA Approver Group
Add group id which is allowed to approve CA items (leave empty for no group): f65a3ea9-60db-47a4-9ad8-c6915735ec5f
Do you want add another group(Y/N): n
Creating Register Client Group
Add group id which is allowed to Register clients (leave empty for no group): f65a3ea9-60db-47a4-9ad8-c6915735ec5f
Do you want add another group(Y/N): y
Add group id which is allowed to Register clients (leave empty for no group): b716abb1-2e3b-47a9-bca5-a3669faa50a6
Do you want add another group(Y/N): n
Creating Register Client Approver Group
Add group id which is allowed to Approve Client Registrations (leave empty for no group): f65a3ea9-60db-47a4-9ad8-c6915735ec5f
Do you want add another group(Y/N): n
Creating Register Escrow Group
Add group id which is allowed to Register Escrows (leave empty for no group): b716abb1-2e3b-47a9-bca5-a3669faa50a6
Do you want add another group(Y/N): y
Add group id which is allowed to Register Escrows (leave empty for no group): f65a3ea9-60db-47a4-9ad8-c6915735ec5f
Do you want add another group(Y/N): n
Creating Register Escrow Approver Group
Add group id which is allowed to Approve Registered Escrows (leave empty for no group): f65a3ea9-60db-47a4-9ad8-c6915735ec5f
Do you want add another group(Y/N): n
Creating Revocation Group
Add group id which is allowed to create revocation requests (leave empty for no group): f65a3ea9-60db-47a4-9ad8-c6915735ec5f
Do you want add another group(Y/N): n
Creating Revocation Approver Group
Add group id which is allowed to Approve Revocation requests (leave empty for no group): f65a3ea9-60db-47a4-9ad8-c6915735ec5f
Do you want add another group(Y/N): n
Groups:
{
  "ca_approval_groups": [
    "f65a3ea9-60db-47a4-9ad8-c6915735ec5f"
  ],
  "ca_reader_groups": [
    "b716abb1-2e3b-47a9-bca5-a3669faa50a6",
    "f65a3ea9-60db-47a4-9ad8-c6915735ec5f"
  ],
  "ca_writer_groups": [
    "b716abb1-2e3b-47a9-bca5-a3669faa50a6"
  ],
  "id": null,
  "product_approval_groups": [
    "f65a3ea9-60db-47a4-9ad8-c6915735ec5f"
  ],
  "product_list_reader_groups": [
    "b716abb1-2e3b-47a9-bca5-a3669faa50a6"
  ],
  "product_reader_groups": [
    "b716abb1-2e3b-47a9-bca5-a3669faa50a6",
    "f65a3ea9-60db-47a4-9ad8-c6915735ec5f"
  ],
  "product_writer_groups": [
    "b716abb1-2e3b-47a9-bca5-a3669faa50a6"
  ],
  "register_client_approval_groups": [
    "f65a3ea9-60db-47a4-9ad8-c6915735ec5f"
  ],
  "register_client_groups": [
    "f65a3ea9-60db-47a4-9ad8-c6915735ec5f",
    "b716abb1-2e3b-47a9-bca5-a3669faa50a6"
  ],
  "register_escrow_approval_groups": [
    "f65a3ea9-60db-47a4-9ad8-c6915735ec5f"
  ],
  "register_escrow_groups": [
    "b716abb1-2e3b-47a9-bca5-a3669faa50a6",
    "f65a3ea9-60db-47a4-9ad8-c6915735ec5f"
  ],
  "revocation_writer_groups": [
    "f65a3ea9-60db-47a4-9ad8-c6915735ec5f"
  ],
  "revocation_approval_groups": [
    "f65a3ea9-60db-47a4-9ad8-c6915735ec5f"
  ],
  "state": null
}
Is groups ok(Y/N): y
{
  "ca_approval_groups": [
    "f65a3ea9-60db-47a4-9ad8-c6915735ec5f"
  ],
  "ca_reader_groups": [
    "b716abb1-2e3b-47a9-bca5-a3669faa50a6",
    "f65a3ea9-60db-47a4-9ad8-c6915735ec5f"
  ],
  "ca_writer_groups": [
    "b716abb1-2e3b-47a9-bca5-a3669faa50a6"
  ],
  "id": "f83866e6-e882-438c-be9a-ecbbb9088423",
  "product_approval_groups": [
    "f65a3ea9-60db-47a4-9ad8-c6915735ec5f"
  ],
  "product_list_reader_groups": [
    "b716abb1-2e3b-47a9-bca5-a3669faa50a6"
  ],
  "product_reader_groups": [
    "b716abb1-2e3b-47a9-bca5-a3669faa50a6",
    "f65a3ea9-60db-47a4-9ad8-c6915735ec5f"
  ],
  "product_writer_groups": [
    "b716abb1-2e3b-47a9-bca5-a3669faa50a6"
  ],
  "register_client_approval_groups": [
    "f65a3ea9-60db-47a4-9ad8-c6915735ec5f"
  ],
  "register_client_groups": [
    "f65a3ea9-60db-47a4-9ad8-c6915735ec5f",
    "b716abb1-2e3b-47a9-bca5-a3669faa50a6"
  ],
  "register_escrow_approval_groups": [
    "f65a3ea9-60db-47a4-9ad8-c6915735ec5f"
  ],
  "register_escrow_groups": [
    "b716abb1-2e3b-47a9-bca5-a3669faa50a6",
    "f65a3ea9-60db-47a4-9ad8-c6915735ec5f"
  ],
  "revocation_writer_groups": [
    "f65a3ea9-60db-47a4-9ad8-c6915735ec5f"
  ],
  "revocation_approval_groups": [
    "f65a3ea9-60db-47a4-9ad8-c6915735ec5f"
  ],
  "state": 2
}
Group add request sent. Request ID: f83866e6-e882-438c-be9a-ecbbb9088423, state: ApprovalRequired
```
Approving the request:
```console
(venv) $ ./signing-tool.py -c -t $APPTOKEN -a https://app.laavat.io/<CustomerName>/api/v1 group approve -I f83866e6-e882-438c-be9a-ecbbb9088423
{'ca_approval_groups': ['f65a3ea9-60db-47a4-9ad8-c6915735ec5f'],
 'ca_reader_groups': ['b716abb1-2e3b-47a9-bca5-a3669faa50a6',
                      'f65a3ea9-60db-47a4-9ad8-c6915735ec5f'],
 'ca_writer_groups': ['b716abb1-2e3b-47a9-bca5-a3669faa50a6'],
 'id': 'f83866e6-e882-438c-be9a-ecbbb9088423',
 'product_approval_groups': ['f65a3ea9-60db-47a4-9ad8-c6915735ec5f'],
 'product_list_reader_groups': ['b716abb1-2e3b-47a9-bca5-a3669faa50a6'],
 'product_reader_groups': ['b716abb1-2e3b-47a9-bca5-a3669faa50a6',
                           'f65a3ea9-60db-47a4-9ad8-c6915735ec5f'],
 'product_writer_groups': ['b716abb1-2e3b-47a9-bca5-a3669faa50a6'],
 'register_client_approval_groups': ['f65a3ea9-60db-47a4-9ad8-c6915735ec5f'],
 'register_client_groups': ['f65a3ea9-60db-47a4-9ad8-c6915735ec5f',
                            'b716abb1-2e3b-47a9-bca5-a3669faa50a6'],
 'register_escrow_approval_groups': ['f65a3ea9-60db-47a4-9ad8-c6915735ec5f'],
 'register_escrow_groups': ['b716abb1-2e3b-47a9-bca5-a3669faa50a6',
                            'f65a3ea9-60db-47a4-9ad8-c6915735ec5f'],
 'revocation_writer_groups': ['f65a3ea9-60db-47a4-9ad8-c6915735ec5f'],
 'revocation_approval_groups': ['f65a3ea9-60db-47a4-9ad8-c6915735ec5f'],
 'state': 2}
Do you want approve this (Y/N): y
(venv) $
```
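A check worth running before a request like the one above is submitted, as an added example that is not part of the reference client (signing-tool.py) or of the service API: lint the group lists for malformed IDs, duplicates, empty approval lists and, above all, the same Azure AD group being allowed to both raise and approve a change in one category. The field names are the snake_case keys the reference client prints; the writer/approver pairing, the checks themselves and the exemption for ca_approval_groups (documented above as not used) are this example's own assumptions, and nothing here claims the service enforces them. The sample configuration is a constructed copy of the demonstration values from the transcript; run on it, the lint flags the revocation, client-registration and escrow-registration categories, where f65a3ea9-60db-47a4-9ad8-c6915735ec5f sits on both the requesting and the approving side.

```python
"""Pre-submission lint for a system configuration groups request.

Added example for this page, not part of the reference client (signing-tool.py)
or the service API. Field names are the snake_case keys the reference client
prints; the writer/approver pairing and the checks are this example's own
recommendations, not rules the service is documented to enforce.
"""
import json
import uuid

GROUP_FIELDS = (
    "product_reader_groups", "product_writer_groups",
    "product_list_reader_groups", "product_approval_groups",
    "ca_reader_groups", "ca_writer_groups", "ca_approval_groups",
    "revocation_writer_groups", "revocation_approval_groups",
    "register_client_groups", "register_client_approval_groups",
    "register_escrow_groups", "register_escrow_approval_groups",
)

# (requesting list, approving list). One Azure AD group present in both means
# the same people can raise and approve a change in that category. Assumed
# pairing; confirm it against the API specification for each endpoint family.
SOD_PAIRS = (
    ("product_writer_groups", "product_approval_groups"),
    ("ca_writer_groups", "ca_approval_groups"),
    ("revocation_writer_groups", "revocation_approval_groups"),
    ("register_client_groups", "register_client_approval_groups"),
    ("register_escrow_groups", "register_escrow_approval_groups"),
)

# caApprovalGroups is documented as not used currently, so an empty list
# there is not reported as a missing approver (assumption of this example).
UNUSED_APPROVAL_FIELDS = {"ca_approval_groups"}


def is_guid(value):
    """Azure AD group object IDs are GUIDs; accept only the canonical
    lower/upper-case hyphenated form so braces, urn: prefixes and typos fail."""
    if not isinstance(value, str):
        return False
    try:
        return str(uuid.UUID(value)) == value.lower()
    except ValueError:
        return False


def lint_group_config(cfg):
    """Return (check, field, detail) findings for a group configuration dict;
    an empty list means nothing was flagged."""
    findings = []
    for field in GROUP_FIELDS:
        ids = cfg.get(field)
        if not isinstance(ids, list):
            findings.append(("missing", field, "not present or not a list"))
            continue
        for gid in ids:
            if not is_guid(gid):
                findings.append(("bad_guid", field, repr(gid)))
        if len({repr(g) for g in ids}) != len(ids):
            findings.append(("duplicate", field, "same group ID listed twice"))
    for writer, approver in SOD_PAIRS:
        writers = set(cfg.get(writer) or [])
        approvers = set(cfg.get(approver) or [])
        if writers and not approvers and approver not in UNUSED_APPROVAL_FIELDS:
            findings.append(("no_approver", approver,
                             f"{writer} is set but no group can approve"))
        overlap = writers & approvers
        if overlap:
            findings.append(("sod", writer,
                             f"also in {approver}: {sorted(overlap)}"))
    return findings


def build_request_body(cfg):
    """Serialise in the shape the reference client shows before submission;
    id and state are left null because the service assigns them."""
    body = {field: list(cfg.get(field) or []) for field in GROUP_FIELDS}
    body.update(id=None, state=None)
    return json.dumps(body, indent=2, sort_keys=True)


# Constructed copy of the demonstration values from the transcript above.
B = "b716abb1-2e3b-47a9-bca5-a3669faa50a6"
F = "f65a3ea9-60db-47a4-9ad8-c6915735ec5f"
DEMO_GROUPS = {
    "product_reader_groups": [B, F], "product_writer_groups": [B],
    "product_list_reader_groups": [B], "product_approval_groups": [F],
    "ca_reader_groups": [B, F], "ca_writer_groups": [B],
    "ca_approval_groups": [F],
    "revocation_writer_groups": [F], "revocation_approval_groups": [F],
    "register_client_groups": [F, B], "register_client_approval_groups": [F],
    "register_escrow_groups": [B, F], "register_escrow_approval_groups": [F],
}

if __name__ == "__main__":
    for check, field, detail in lint_group_config(DEMO_GROUPS):
        print(f"{check:<12} {field}: {detail}")
    print(build_request_body(DEMO_GROUPS))
```

The separation-of-duties check is the one to keep even if the rest is dropped: a configuration request is itself approved by initialApproverGroups, but once applied, the per-category approval lists decide who can wave through product changes, revocations and registrations, and a group that appears in both the writer and the approval list of a category has no second pair of eyes on its own changes.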