Thanks Oliver,
I have adjusted the 'certificate_signing_request_v2' workflow like so:

    CHECK_POLICY_VIOLATION:
        autorun: 1
        action:
          #- global_noop > PENDING ? !has_policy_violation
          - global_noop > APPROVED ? !has_policy_violation
          - global_noop2 > PENDING_POLICY_VIOLATION ? has_policy_violation

Certificates are now being generated without the approval stage, and
this configuration should still send the signing request for approval if
there is a policy violation and an exemption is requested, if I am reading
it correctly?
It is OK in this particular trust chain for authenticated users to be
able to generate certificates without approval, and anonymous user
logins have been disabled to support that.
best regards,
Pekka
On 15/11/2023 21:24, Oliver Welter wrote:
Hello Pekka,
as the referenced post is really old it is no longer applicable, there
is no approval count setting in the current CSR workflow.
I hope you are aware what it means that a user can approve its own
stuff - if you really think it is a good idea you can just remove the
"acl_can_approve" condition at the end of the respective lines in the
workflow config file
(workflow/def/certificate_signing_request_v2.yaml) so the steps become
available to ANY user that can access the workflow (check the ACL
section at the end and remove the Anonymous user!).
If you also want to get rid of the extra approval step, you can change
the workflow graph to directly go into "APPROVED" instead of PENDING
by replacing the respective target definitions.
HTH
Oliver
On 14.11.23 13:17, Pekka Länsiaho wrote:
Hello,
I'm trying to configure automatic approvals for webui signing
requests. I understand there are two ways to accomplish this: either
set approval count requirement to zero or skip pending state in
workflow (https://sourceforge.net/p/openxpki/mailman/message/25878730/).
However I have not found how to set the policy for webui requests and
the referenced message is from 2010, workflows are no longer XML and
I'd wager the v2 structure is also overhauled compared to time of
writing so I am at a loss of how to go about this besides making
users RA Operators and allowing them to approve their own requests.
Any help would be appreciated.
Best regards,
Pekka
_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users
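
Added illustration, not part of the thread and not OpenXPKI code: a small lint for a workflow file that reports the approval shortcuts discussed above (an edge into APPROVED from an autorun state, an edge into APPROVED without acl_can_approve, and an Anonymous entry in the acl section). The sample file, the hypothetical_approve action, the acl layout and the line-based parsing are assumptions made for the example.

```python
import re

# Constructed sample; PENDING, hypothetical_approve and the acl layout are assumptions.
SAMPLE = """\
state:
    CHECK_POLICY_VIOLATION:
        autorun: 1
        action:
          #- global_noop > PENDING ? !has_policy_violation
          - global_noop > APPROVED ? !has_policy_violation
          - global_noop2 > PENDING_POLICY_VIOLATION ? has_policy_violation
    PENDING:
        action:
          - hypothetical_approve > APPROVED
acl:
    Anonymous:
        creator: self
    User:
"""

EDGE = re.compile(r"^\s*-\s*[^>]+?\s*>\s*(?P<target>\w+)\s*(?:\?\s*(?P<cond>.*))?$")
STATE = re.compile(r"^\s+(?P<name>[A-Z][A-Z0-9_]*):\s*$")

def audit(text):
    """Return (kind, name) findings for approval paths that skip a human approver."""
    section, state, autorun, edges, roles, role_indent = None, None, set(), [], [], None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank, or commented out like the old PENDING edge
        indent = len(line) - len(line.lstrip())
        if indent == 0:  # top-level key such as "state:" or "acl:"
            section = line.split(":")[0]
        elif section == "acl":
            role_indent = role_indent or indent
            if indent == role_indent:  # role names sit one level below "acl:"
                roles.append(line.strip().rstrip(":"))
        elif section == "state":
            if m := STATE.match(line):
                state = m["name"]
            elif re.match(r"^\s+autorun:\s*1\s*$", line):
                autorun.add(state)
            elif m := EDGE.match(line):
                edges.append((state, m["target"], (m["cond"] or "").split()))
    findings = []
    for state, target, conds in edges:
        if target == "APPROVED" and (state in autorun or "acl_can_approve" not in conds):
            findings.append(("auto-approve" if state in autorun else "ungated-approve", state))
    findings += [("anonymous-acl", r) for r in roles if r == "Anonymous"]
    return findings
```

An "auto-approve" finding is expected for the configuration in this thread; the other two kinds mark places where the same file would let any workflow user, or an unauthenticated one, reach APPROVED.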