Manage Connector for AD template access control entries - Amazon Private Certificate Authority
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Manage Connector for AD template access control entries

An access control entry grants controls which Active Directory groups can or cannot enroll certificates for a specific Connector for AD template. When you can create or manage groups and permissions in Connector for AD, you must provide the Security identifier (SID) of the group object from Active Directory. You can obtain the SID using the following PowerShell command. For information about SIDs, see How security identifiers work in the Microsoft Directory Domain Services documentation.

$ Get-ADGroup -Identity "my_active_directory_group_name"

The following procedures illustrate how to create and manage Connector for AD template access group entries.

Console

To manage template group permissions using the console

You can manage groups and permissions for an existing template can be managed from a template's details page. For more information, see View connector template details.

Set permissions on which groups can or cannot enroll certificates for the specific template. You provide the security identifier (SID) of the group. Then you set the enroll and auto-enroll permissions for the group. For auto-enrollment, both enroll and auto-enroll must be set to "Allow."

API

To manage template group permissions using the API

Create: CreateTemplateGroupAccessControlEntry action in the Amazon Private CA Connector for Active Directory API.

Update: UpdateTemplateGroupAccessControlEntry action in the Amazon Private CA Connector for Active Directory API.

Retrieve: GetTemplateGroupAccessControlEntry action in the Amazon Private CA Connector for Active Directory API.

List: ListTemplateGroupAccessControlEntries action in the Amazon Private CA Connector for Active Directory API.

Delete: DeleteTemplateGroupAccessControlEntry action in the Amazon Private CA Connector for Active Directory API.

CLI

To manage template group permissions using the CLI

Create: create-template-group-access-control-entry command in the Amazon Private CA Connector for Active Directory section of the Amazon CLI.

Update: update-template-group-access-control-entry command in the Amazon Private CA Connector for Active Directory section of the Amazon CLI.

Retrieve: get-template-group-access-control-entry command in the Amazon Private CA Connector for Active Directory section of the Amazon CLI.

List: list-template-group-access-control-entries command in the Amazon Private CA Connector for Active Directory section of the Amazon CLI.

Delete: delete-template-group-access-control-entries command in the Amazon Private CA Connector for Active Directory section of the Amazon CLI.