Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).
Manage Connector for AD template access control entries
An access control entry controls which Active Directory groups can or cannot enroll certificates for a specific Connector for AD template. When you create or manage groups and permissions in Connector for AD, you must provide the security identifier (SID) of the group object from Active Directory. You can obtain the SID using the following PowerShell command. For information about SIDs, see How security identifiers work in the Microsoft Directory Domain Services documentation.
        $ Get-ADGroup -Identity "my_active_directory_group_name"
    
The following procedures illustrate how to create and manage Connector for AD template access control entries.
- Console

  To manage template group permissions using the console

  You can manage groups and permissions for an existing template from the template's details page. For more information, see View connector template details. Set permissions on which groups can or cannot enroll certificates for the specific template. You provide the security identifier (SID) of the group. Then you set the enroll and auto-enroll permissions for the group. For auto-enrollment, both enroll and auto-enroll must be set to "Allow."
- API

  To manage template group permissions using the API

  - Create: CreateTemplateGroupAccessControlEntry action in the Amazon Private CA Connector for Active Directory API.
  - Update: UpdateTemplateGroupAccessControlEntry action in the Amazon Private CA Connector for Active Directory API.
  - Retrieve: GetTemplateGroupAccessControlEntry action in the Amazon Private CA Connector for Active Directory API.
  - List: ListTemplateGroupAccessControlEntries action in the Amazon Private CA Connector for Active Directory API.
  - Delete: DeleteTemplateGroupAccessControlEntry action in the Amazon Private CA Connector for Active Directory API.
- CLI

  To manage template group permissions using the CLI

  - Create: create-template-group-access-control-entry command in the Amazon Private CA Connector for Active Directory section of the Amazon CLI.
  - Update: update-template-group-access-control-entry command in the Amazon Private CA Connector for Active Directory section of the Amazon CLI.
  - Retrieve: get-template-group-access-control-entry command in the Amazon Private CA Connector for Active Directory section of the Amazon CLI.
  - List: list-template-group-access-control-entries command in the Amazon Private CA Connector for Active Directory section of the Amazon CLI.
  - Delete: delete-template-group-access-control-entry command in the Amazon Private CA Connector for Active Directory section of the Amazon CLI.
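The following audit script is an added example, not part of the Amazon documentation. It reviews JSON shaped like the output of list-template-group-access-control-entries, applies the rule above that auto-enrollment needs both permissions set to Allow, and goes one step further by flagging enrollment granted to well-known broad groups. The sample data, the SID pattern, and the response field names are assumptions; check them against the API reference.

```python
import json
import re

# Generic SID string syntax; an assumption, not the service's own validation rule.
SID_RE = re.compile(r"^S-1-\d+(-\d+)+$")
# Well-known Windows principals that cover very large populations.
BROAD_SIDS = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users"}
BROAD_DOMAIN_RIDS = {"513": "Domain Users", "515": "Domain Computers"}

# Constructed sample; field names assumed to match the list call's JSON output.
SAMPLE = json.loads("""
{"AccessControlEntries": [
  {"GroupDisplayName": "PKI-WebServers",
   "GroupSecurityIdentifier": "S-1-5-21-1111111111-2222222222-3333333333-1105",
   "AccessRights": {"Enroll": "ALLOW", "AutoEnroll": "ALLOW"}},
  {"GroupDisplayName": "Domain Users",
   "GroupSecurityIdentifier": "S-1-5-21-1111111111-2222222222-3333333333-513",
   "AccessRights": {"Enroll": "ALLOW", "AutoEnroll": "DENY"}},
  {"GroupDisplayName": "Kiosks",
   "GroupSecurityIdentifier": "S-1-5-21-1111111111-2222222222-3333333333-1120",
   "AccessRights": {"Enroll": "DENY", "AutoEnroll": "ALLOW"}}
]}
""")

def audit_entry(entry):
    """Return a list of findings for one access control entry."""
    findings = []
    sid = entry.get("GroupSecurityIdentifier", "")
    rights = entry.get("AccessRights", {})
    enroll, auto = rights.get("Enroll"), rights.get("AutoEnroll")
    if not SID_RE.match(sid):
        findings.append("SID is not in S-1-... string form")
    # Rule from the page: auto-enrollment needs both rights set to Allow.
    if auto == "ALLOW" and enroll != "ALLOW":
        findings.append("AutoEnroll is ALLOW but Enroll is not")
    if enroll == "ALLOW":
        name = BROAD_SIDS.get(sid)
        if name is None and sid.startswith("S-1-5-21-"):
            # Domain-relative groups are identified by the final RID.
            name = BROAD_DOMAIN_RIDS.get(sid.rsplit("-", 1)[-1])
        if name:
            findings.append(f"enrollment allowed for broad group: {name}")
    return findings

def audit(response):
    """Map each group SID in the response to its findings."""
    return {e.get("GroupSecurityIdentifier", "?"): audit_entry(e)
            for e in response.get("AccessControlEntries", [])}
```

Call `audit()` on the parsed JSON for each template; an empty list means the entry raised no findings.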