authorPetr Viktorin <pviktori@redhat.com>2014-05-30 14:03:13 +0200
committerPetr Viktorin <pviktori@redhat.com>2014-06-02 13:04:59 +0200
commit93ad23912e3bb73fc3e54d2b6734748a55fc933a (patch)
tree837d2dfa0865393a3835f18dcb37b7cad6d09f8c /install/updates/20-aci.update
parent63a2147ac2bca82c710a6ffd025d4dbd8f1b3449 (diff)
Add read permissions for automember tasks
Permission to read all tasks is given to high-level admins. Managed permission for automember tasks is given to automember task admins. "targetattr=*" is used because tasks are extensibleObject with attributes that aren't in the schema. Part of the work for: https://fedorahosted.org/freeipa/ticket/3566 Reviewed-By: Martin Kosek <mkosek@redhat.com>
Diffstat (limited to 'install/updates/20-aci.update')
-rw-r--r--install/updates/20-aci.update3
1 files changed, 3 insertions, 0 deletions
diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
index 34cba4cc8..6af800111 100644
--- a/install/updates/20-aci.update
+++ b/install/updates/20-aci.update
@@ -47,6 +47,9 @@ add:aci:'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLi
# Read-only
add:aci:'(targetattr="ipaUniqueId || memberOf || enrolledBy || krbExtraData || krbPrincipalName || krbCanonicalName || krbPasswordExpiration || krbLastPwdChange || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount")(version 3.0; acl "Admin read-only attributes"; allow (read, search, compare) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)'
+dn: cn=tasks,cn=config
+add:aci:'(targetattr="*")(version 3.0; acl "Admin can read all tasks"; allow (read, compare, search) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)'
+
# Removal of obsolete ACIs
dn: cn=config
# Replaced by 'System: Read Replication Agreements'
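Review bot: The new ACI on `cn=tasks,cn=config` uses `targetattr="*"` with no `target` or `targetfilter`, and nothing in the file says why; the justification (task entries are extensibleObject with attributes outside the schema) exists only in the commit message. As written, the rule would apply to every entry under that DN, including task types added later, so whatever parameters a task entry stores become readable by the admins group. That looks intended given the ACI name, but it should be stated next to the rule so a later ACI audit does not have to dig through history. I would add a comment above the `dn:` line such as `# Tasks are extensibleObject with non-schema attributes, so targetattr="*" is required; read-only, admins group only`. The managed permission for automember tasks mentioned in the description is not part of this file's diff, so it cannot be checked here.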