1.3.3.4 Permissions on Templates

A template object in Active Directory has an ACL, as does every object in Active Directory. A customer can set those ACLs so that users (or groups of users) have read permission only on the templates for the certificates (and therefore the certificate requests) that are meant to be available to those users. In addition, the CA enforces a second permission, enroll, which is associated with a template object: the CA honors a certificate request from a given user only if that user has enroll permission on the template that corresponds to that request.
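The two permissions described above can be inspected directly, because each template is an ordinary AD object under CN=Certificate Templates in the Configuration partition and Enroll/AutoEnroll are extended rights in its ACL. The following PowerShell is an added example and is not part of the specification or of any Microsoft tool: it enumerates which principals hold Enroll or AutoEnroll on each template and flags grants to broad groups. It assumes the ActiveDirectory module is installed, that the caller can read the Configuration naming context, and that the AD: drive is available; the extended-right GUIDs are the schema-defined ones, while the watch-list of broad principal names is a constructed list to adjust to local policy.

```powershell
# Added example, not part of the specification: enumerate who holds the Enroll and
# AutoEnroll extended rights on each certificate template in the forest, which is the
# permission the CA checks before honoring a request for that template.
# Assumptions: the ActiveDirectory module is installed, the caller can read the
# Configuration naming context, and the AD: PSDrive exists (it is created on import).
Import-Module ActiveDirectory

# Schema-defined extended-right GUIDs (controlAccessRight objects in the Configuration NC).
$EnrollRight     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$AutoEnrollRight = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment

# Constructed watch-list: an Enroll grant to one of these principals is usually worth a review.
$BroadPrincipals = @('NT AUTHORITY\Authenticated Users', 'Everyone', 'BUILTIN\Users')

function Get-TemplateEnrollPermissions {
    [CmdletBinding()]
    param()

    $configNC    = (Get-ADRootDSE).configurationNamingContext
    $templatesDN = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    $extended    = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $genericAll  = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

    Get-ADObject -SearchBase $templatesDN -SearchScope OneLevel `
                 -Filter 'objectClass -eq "pKICertificateTemplate"' |
    ForEach-Object {
        $template = $_
        # Each template's ACL is the security descriptor of its own AD object.
        $acl = Get-Acl -Path "AD:\$($template.DistinguishedName)"

        foreach ($ace in $acl.Access) {
            $rights = $ace.ActiveDirectoryRights

            # Three ways an ACE can convey Enroll: GenericAll, the specific extended right,
            # or an ExtendedRight ACE whose ObjectType is empty (= every extended right).
            $viaGenericAll = (($rights -band $genericAll) -eq $genericAll)
            $viaExtended   = (($rights -band $extended) -ne 0) -and
                             ($ace.ObjectType -in @($EnrollRight, $AutoEnrollRight, [guid]::Empty))
            if (-not ($viaGenericAll -or $viaExtended)) { continue }

            $which = switch ($ace.ObjectType) {
                $EnrollRight     { 'Enroll' }
                $AutoEnrollRight { 'AutoEnroll' }
                default          { 'Enroll+AutoEnroll (GenericAll or all extended rights)' }
            }

            [pscustomobject]@{
                Template  = $template.Name
                Principal = $ace.IdentityReference.Value
                Right     = $which
                Type      = $ace.AccessControlType          # Allow or Deny; a Deny ACE wins
                Inherited = $ace.IsInherited
                Broad     = ($ace.IdentityReference.Value -in $BroadPrincipals)
            }
        }
    }
}

# Usage: list every Allow grant of Enroll/AutoEnroll to a broad principal.
Get-TemplateEnrollPermissions |
    Where-Object { $_.Type -eq 'Allow' -and $_.Broad } |
    Sort-Object Template, Principal |
    Format-Table -AutoSize
```

The read permission the text mentions is not checked here: a principal that cannot read a template object simply will not see it in the Get-ADObject result when the script runs as that principal, whereas the CA's enroll check is what decides whether a request for a visible template is honored, so the audit focuses on that right. Deny ACEs are reported alongside Allow ACEs because a Deny entry overrides an Allow for the same principal.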

If a non-Microsoft implementation of the CA wants to avoid using templates but still wants this kind of access control, then it needs to implement that access control in some other manner.