authorMartin Kosek <mkosek@redhat.com>2014-07-04 09:32:08 +0200
committerPetr Viktorin <pviktori@redhat.com>2014-07-04 12:17:04 +0200
commitef83a0c67884274be000f3b4fcc8150e8910bcb7 (patch)
treed95fea530d786010ec2a2acc325c6ab568ebb4ee /ACI.txt
parent52bcf5345c9a920db513ed3fc8c2dc029661ecf2 (diff)
Add Modify Realm Domains permission
The permission is required for DNS Administrators because the realm domains object is updated when a master zone is added. https://fedorahosted.org/freeipa/ticket/4423 Reviewed-By: Petr Spacek <pspacek@redhat.com>
Diffstat (limited to 'ACI.txt')
-rw-r--r--ACI.txt2
1 files changed, 2 insertions, 0 deletions
diff --git a/ACI.txt b/ACI.txt
index 8e73c5c85..bc82d644e 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -154,6 +154,8 @@ dn: cn=System: Modify Group Password Policy,cn=permissions,cn=pbac,dc=ipa,dc=exa
aci: (targetattr = "krbmaxpwdlife || krbminpwdlife || krbpwdfailurecountinterval || krbpwdhistorylength || krbpwdlockoutduration || krbpwdmaxfailure || krbpwdmindiffchars || krbpwdminlength")(targetfilter = "(objectclass=krbpwdpolicy)")(version 3.0;acl "permission:System: Modify Group Password Policy";allow (write) groupdn = "ldap:///cn=System: Modify Group Password Policy,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Read Group Password Policy,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetattr = "cn || cospriority || krbmaxpwdlife || krbminpwdlife || krbpwdfailurecountinterval || krbpwdhistorylength || krbpwdlockoutduration || krbpwdmaxfailure || krbpwdmindiffchars || krbpwdminlength || objectclass")(targetfilter = "(objectclass=krbpwdpolicy)")(version 3.0;acl "permission:System: Read Group Password Policy";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Group Password Policy,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=System: Modify Realm Domains,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetattr = "associateddomain")(targetfilter = "(objectclass=domainrelatedobject)")(version 3.0;acl "permission:System: Modify Realm Domains";allow (write) groupdn = "ldap:///cn=System: Modify Realm Domains,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=System: Read Realm Domains,cn=permissions,cn=pbac,dc=ipa,dc=example
aci: (targetattr = "associateddomain || cn || objectclass")(targetfilter = "(objectclass=domainrelatedobject)")(version 3.0;acl "permission:System: Read Realm Domains";allow (compare,read,search) userdn = "ldap:///all";)
dn: cn=System: Add Roles,cn=permissions,cn=pbac,dc=ipa,dc=example
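Review bot: The added `System: Modify Realm Domains` ACI is bounded only by `targetattr = "associateddomain"` and `targetfilter = "(objectclass=domainrelatedobject)"`, with no `target` clause. The reach of its `allow (write)` therefore depends on which entry the ACI is stored on, and this file does not show that. If it sits higher in the tree than the realm domains entry, members of the permission could rewrite `associateddomain` on any entry carrying that object class. Please confirm the permission is anchored at the realm domains entry, or pin it explicitly with something like `(target = "ldap:///<realm-domains-entry-DN>")` (placeholder DN). The neighbouring `System: Read Realm Domains` ACI has the same shape but grants only `compare,read,search`, so the scope matters more for the new write grant. If ACI.txt is a generated reference dump, the restriction would belong in the permission definition rather than in this file.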