The following figure shows an overview of the process of creating a new Privileged User by the SAM service.
Figure 16: Overview of the Create_New_Privileged_User operation flow
On receiving the request, the SAM service checks whether the requester is authenticated and identified (based on the processes and configuration presented earlier).
If the authenticity and identity check is successful, the SAM service creates a new Privileged User based on the data it received with the request. More precisely, the SAM service stores the given user information in the form of a user entry in the SAM DB. Otherwise, an error is returned.
A user entry has the following structure: {UserID, Role, Certificates}. The 'UserID' is a UUID. For a privileged user, 'Role' has the value 'PrivilegedUser'. 'Certificates' can contain one or more certificates.
| Field | Content |
| --- | --- |
| Purpose | This operation is invoked by the requestor to create a new privileged user. |
| Interface | SAM Peer Interface (see [IF_SPI]) |
| Method of use | The operation is called by client software according to the SAM peer interface specification (see [IF_SPI]). |

Inputs

| Parameter | Type | Description |
| --- | --- | --- |
| userid | String | UserID of the user to be created |

Output

| Parameter | Type | Description |
| --- | --- | --- |
| | void | A result without error indicates a positive operation |

Error Messages

| Type | Reason |
| --- | --- |
| ContainerParseError | If the input cannot be parsed into a message container |
| MessageParseError | If the input data cannot be parsed into the specified message type |
| UnknownMessageType | The contained message type was not known to the processor |
| UnknownCredentialType | The credential type included was not known to the processor |
| AuthenticationError | The credential could not be validated |
| UnknownUser | The credential could not be associated with a user |
| NotAuthorized | If the acting user is not authorized to perform the current operation |
| NotOperational | A component (e.g., HSM) is not available or not in an operational state |
| UnexpectedError | When an error condition occurs that was not anticipated |
| InvalidInput | When the set of certificates is empty |

Security Audit Log Entry

In case of success, an audit record is created that contains at least the following information:

In case of an error:

The following errors emit regular log messages, but no audit log entries (since no acting user could be inferred):

Otherwise, an audit record is created containing at least the following information:

Table 17: Description of the Create_New_Privileged_User operation
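The flow in Figure 16 and the error table above, modelled as an added example (this is not the specification's or the SAM service's own code). It assumes a request shaped as `{"type", "credential", "payload"}`, an in-memory dict as the SAM DB, opaque tokens looked up in a constructed table as the credential mechanism, a non-privileged role named `User`, and the rule that only an acting user whose Role is `PrivilegedUser` may create another privileged user; all of these are this example's assumptions. Parse, credential and user-lookup errors are raised before an acting user is known and therefore produce only a regular log message, while later errors produce an audit record naming the acting user, as the audit-log section states.

```python
"""Added example, not the specification's code: a minimal model of the SAM
service's Create_New_Privileged_User processing and its error/audit rules.
Names such as SamService, attempt() and the token table are assumptions."""
import logging
import uuid
from dataclasses import dataclass, field

# Error types from the operation's error table; the shared base class is
# this example's addition.
class SamError(Exception): pass
class ContainerParseError(SamError): pass
class MessageParseError(SamError): pass
class UnknownMessageType(SamError): pass
class UnknownCredentialType(SamError): pass
class AuthenticationError(SamError): pass
class UnknownUser(SamError): pass
class NotAuthorized(SamError): pass
class NotOperational(SamError): pass
class InvalidInput(SamError): pass
class UnexpectedError(SamError): pass

@dataclass
class UserEntry:
    """SAM DB user entry {UserID, Role, Certificates}; UserID is a UUID."""
    user_id: str
    role: str
    certificates: list[bytes] = field(default_factory=list)

# Constructed identities (assumed values, not from the specification).
ADMIN_ID = "11111111-1111-4111-8111-111111111111"
PLAIN_ID = "22222222-2222-4222-8222-222222222222"
STALE_ID = "33333333-3333-4333-8333-333333333333"   # token exists, user does not

class SamService:
    def __init__(self) -> None:
        self.db: dict[str, UserEntry] = {
            ADMIN_ID: UserEntry(ADMIN_ID, "PrivilegedUser", [b"admin-cert"]),
            PLAIN_ID: UserEntry(PLAIN_ID, "User", [b"plain-cert"]),  # 'User' role is assumed
        }
        self.tokens = {"tok-admin": ADMIN_ID, "tok-plain": PLAIN_ID, "tok-stale": STALE_ID}
        self.audit_log: list[dict] = []          # audit records (success and audited errors)
        self.log = logging.getLogger("sam")      # regular log for pre-authentication errors
        self.hsm_operational = True

    def _parse(self, request) -> dict:
        """Container parse -> message type -> message parse, in that order."""
        if not isinstance(request, dict) or "type" not in request or "payload" not in request:
            raise ContainerParseError("input is not a message container")
        if request["type"] != "Create_New_Privileged_User":
            raise UnknownMessageType(str(request["type"]))
        payload = request["payload"]
        if not isinstance(payload, dict) or not isinstance(payload.get("userid"), str):
            raise MessageParseError("payload lacks a string 'userid'")
        try:
            payload["userid"] = str(uuid.UUID(payload["userid"]))  # UserID must be a UUID
        except ValueError as err:
            raise MessageParseError("userid is not a UUID") from err
        return request

    def _authenticate(self, credential) -> UserEntry:
        """Authenticate the credential, then identify the acting user."""
        if not isinstance(credential, dict) or credential.get("type") != "token":
            raise UnknownCredentialType(str(credential))
        user_id = self.tokens.get(credential.get("value"))
        if user_id is None:
            raise AuthenticationError("credential could not be validated")
        acting = self.db.get(user_id)
        if acting is None:
            raise UnknownUser(user_id)
        return acting

    def _audit(self, acting: UserEntry, outcome: str, detail: str) -> None:
        self.audit_log.append({"operation": "Create_New_Privileged_User",
                               "acting_user": acting.user_id, "outcome": outcome, "detail": detail})

    def create_new_privileged_user(self, request) -> None:
        acting = None
        try:
            msg = self._parse(request)
            acting = self._authenticate(msg.get("credential"))
            if acting.role != "PrivilegedUser":            # authorization rule (assumed)
                raise NotAuthorized(acting.user_id)
            if not self.hsm_operational:
                raise NotOperational("HSM")
            certs = list(msg["payload"].get("certificates", []))
            if not certs:
                raise InvalidInput("the set of certificates is empty")
            entry = UserEntry(msg["payload"]["userid"], "PrivilegedUser", certs)
            self.db[entry.user_id] = entry                 # store the new user entry
            self._audit(acting, "success", entry.user_id)
        except SamError as err:
            if acting is None:                             # no acting user inferred: log only
                self.log.warning("%s: %s", type(err).__name__, err)
            else:
                self._audit(acting, "error", type(err).__name__)
            raise
        except Exception as err:                           # anything not anticipated
            raise UnexpectedError(str(err)) from err

def attempt(service: SamService, request) -> str:
    """Run the operation and report 'ok' or the raised error type's name."""
    try:
        service.create_new_privileged_user(request)
        return "ok"
    except SamError as err:
        return type(err).__name__

if __name__ == "__main__":
    svc = SamService()
    good = {"type": "Create_New_Privileged_User", "credential": {"type": "token", "value": "tok-admin"},
            "payload": {"userid": "44444444-4444-4444-8444-444444444444", "certificates": [b"cert"]}}
    print(attempt(svc, good), svc.audit_log[-1])
```

Running the module creates one privileged user and prints the resulting audit record; `attempt()` makes the outcome of each request a return value so the error table can be exercised request by request.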