
Manage Connector for AD template access control entries


An access control entry controls which Active Directory groups can or cannot enroll certificates for a specific Connector for AD template. When you create or manage groups and permissions in Connector for AD, you must provide the security identifier (SID) of the group object from Active Directory. You can obtain the SID using the following PowerShell command. For information about SIDs, see How security identifiers work in the Microsoft Directory Domain Services documentation.

Get-ADGroup -Identity "my_active_directory_group_name"

The following procedures illustrate how to create and manage Connector for AD template group access control entries.

Console

To manage template group permissions using the console

You can manage groups and permissions for an existing template from the template's details page. For more information, see View connector template details.

Set permissions on which groups can or cannot enroll certificates for the specific template. You provide the security identifier (SID) of the group. Then you set the enroll and auto-enroll permissions for the group. For auto-enrollment, both enroll and auto-enroll must be set to "Allow."

API

To manage template group permissions using the API

Create: CreateTemplateGroupAccessControlEntry action in the AWS Private CA Connector for Active Directory API.

Update: UpdateTemplateGroupAccessControlEntry action in the AWS Private CA Connector for Active Directory API.

Retrieve: GetTemplateGroupAccessControlEntry action in the AWS Private CA Connector for Active Directory API.

List: ListTemplateGroupAccessControlEntries action in the AWS Private CA Connector for Active Directory API.

Delete: DeleteTemplateGroupAccessControlEntry action in the AWS Private CA Connector for Active Directory API.

CLI

To manage template group permissions using the CLI

Create: create-template-group-access-control-entry command in the AWS Private CA Connector for Active Directory section of the AWS CLI.

Update: update-template-group-access-control-entry command in the AWS Private CA Connector for Active Directory section of the AWS CLI.

Retrieve: get-template-group-access-control-entry command in the AWS Private CA Connector for Active Directory section of the AWS CLI.

List: list-template-group-access-control-entries command in the AWS Private CA Connector for Active Directory section of the AWS CLI.

Delete: delete-template-group-access-control-entry command in the AWS Private CA Connector for Active Directory section of the AWS CLI.
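The following is an added example, not AWS's own code. It audits entries in the shape returned by ListTemplateGroupAccessControlEntries for three problems: a group name supplied where a SID is required, auto-enroll set to Allow without enroll (which the rule above says will not auto-enroll), and enroll allowed for a very broad group. The SID pattern, the list of broad groups, the function names and the sample entries are assumptions constructed for illustration.

```python
import re

# Assumed SID shape check: S-<revision>-<authority>-<sub-authorities...>
SID_RE = re.compile(r"^S-\d-(\d+-){1,14}\d+$")

# Well-known broad principals (standard Windows SIDs and domain RIDs).
BROAD_SIDS = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users"}
BROAD_DOMAIN_RIDS = {"513": "Domain Users", "515": "Domain Computers"}

def broad_group(sid):
    """Return the well-known name if the SID is a broad group, else None."""
    if sid in BROAD_SIDS:
        return BROAD_SIDS[sid]
    parts = sid.split("-")
    # Domain SIDs look like S-1-5-21-<a>-<b>-<c>-<RID> (8 dash-separated parts).
    if sid.startswith("S-1-5-21-") and len(parts) == 8:
        return BROAD_DOMAIN_RIDS.get(parts[-1])
    return None

def audit_entries(entries):
    """Return (sid, finding) tuples for entries that need review."""
    findings = []
    for entry in entries:
        sid = entry["GroupSecurityIdentifier"]
        rights = entry.get("AccessRights", {})
        enroll, auto = rights.get("Enroll"), rights.get("AutoEnroll")
        if not SID_RE.match(sid):
            findings.append((sid, "malformed SID"))
            continue
        if auto == "ALLOW" and enroll != "ALLOW":
            findings.append((sid, "auto-enroll without enroll"))
        name = broad_group(sid)
        if name and enroll == "ALLOW":
            findings.append((sid, "enroll allowed for " + name))
    return findings

# Constructed sample entries; the domain identifier is made up.
DOM = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE = [
    {"GroupSecurityIdentifier": DOM + "-1105", "AccessRights": {"Enroll": "ALLOW", "AutoEnroll": "ALLOW"}},
    {"GroupSecurityIdentifier": DOM + "-1106", "AccessRights": {"Enroll": "DENY", "AutoEnroll": "ALLOW"}},
    {"GroupSecurityIdentifier": DOM + "-513", "AccessRights": {"Enroll": "ALLOW", "AutoEnroll": "DENY"}},
    {"GroupSecurityIdentifier": "my_active_directory_group_name", "AccessRights": {"Enroll": "ALLOW", "AutoEnroll": "DENY"}},
]

if __name__ == "__main__":
    for sid, finding in audit_entries(SAMPLE):
        print(sid, "->", finding)
```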


© 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved.