authorThierry Bordaz <tbordaz@redhat.com>2015-05-08 10:41:44 +0200
committerMartin Kosek <mkosek@redhat.com>2015-05-18 09:37:21 +0200
commit51937cc571ec8ea5e782b8dcd45f0ec5fe0f310b (patch)
tree814d8c84a4e54d817164208858425c3db42f15a0 /install/updates
parentc9e1ad0dbc28c6c5b0e7381144a969f6b77d504d (diff)
User life cycle: Stage user Administrators permission/priviledge
Creation of stage user administrator https://fedorahosted.org/freeipa/ticket/3813 Reviewed-By: David Kupka <dkupka@redhat.com>
Diffstat (limited to 'install/updates')
-rw-r--r--install/updates/30-provisioning.update1
-rw-r--r--install/updates/45-roles.update3
2 files changed, 4 insertions, 0 deletions
diff --git a/install/updates/30-provisioning.update b/install/updates/30-provisioning.update
index f1666ff3a..b8ec80e00 100644
--- a/install/updates/30-provisioning.update
+++ b/install/updates/30-provisioning.update
@@ -26,6 +26,7 @@ dn: cn=staged users,cn=accounts,cn=provisioning,$SUFFIX
add:aci: (targetattr="userPassword || krbPrincipalKey")(version 3.0; acl "Search existence of password and kerberos keys"; allow(read, search) userdn = "ldap:///uid=admin,cn=users,cn=accounts,$SUFFIX";)
# This is used for the admin to reset the delete users credential
+# No one is allowed to add entry in Delete container
dn: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX
add:aci: (targetattr="userPassword || krbPrincipalKey || krbPasswordExpiration || krbLastPwdChange")(version 3.0; acl "Admins allowed to reset password and kerberos keys"; allow(read, search, write) userdn = "ldap:///uid=admin,cn=users,cn=accounts,$SUFFIX";)
add:aci: (targetattr = "*")(version 3.0; acl "No one can add entry in Delete container"; deny (add) userdn = "ldap:///all";)
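Review bot: The new comment on the `+` line sits above the `dn:` line and so reads as describing the whole entry, while the first ACI on that entry grants admin read/search/write on credential attributes and only the second ACI is the deny it refers to; a reader skimming the file cannot tell which directive the comment belongs to. Consider making it explicit, e.g. `# Second ACI below: LDAP add into the Delete container is denied for every bound user (the Directory Manager is not subject to ACIs)`, and keep it adjacent to the existing `# This is used for the admin ...` comment as the file does now, since I cannot confirm from this hunk whether the updater accepts comment lines inside an entry. The wording "No one" also overstates the control slightly: the ACI denies only the `add` right, so entries presumably still enter the container by other means (a rename, if that is how preserved users arrive here) — worth stating if that is the intent.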
diff --git a/install/updates/45-roles.update b/install/updates/45-roles.update
index 3442c7bf8..eb50e2b9c 100644
--- a/install/updates/45-roles.update
+++ b/install/updates/45-roles.update
@@ -28,6 +28,9 @@ add: member: cn=User Administrator,cn=roles,cn=accounts,$SUFFIX
dn: cn=Group Administrators,cn=privileges,cn=pbac,$SUFFIX
add: member: cn=User Administrator,cn=roles,cn=accounts,$SUFFIX
+dn: cn=Stage User Administrators,cn=privileges,cn=pbac,$SUFFIX
+add: member: cn=User Administrator,cn=roles,cn=accounts,$SUFFIX
+
dn: cn=IT Specialist,cn=roles,cn=accounts,$SUFFIX
default:objectClass: groupofnames
default:objectClass: nestedgroup
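Review bot: The added `add: member:` directive targets `cn=Stage User Administrators,cn=privileges,cn=pbac,$SUFFIX`, but nothing in this file creates that privilege entry, unlike the role entries further down which carry `default:objectClass:` lines; the hunk therefore depends on the privilege being created earlier in the update sequence (in a file not shown in this diffstat, which is limited to install/updates). If the updater creates a bare entry when the target does not exist, a missing or later-ordered definition would leave an entry with only a `member` attribute and no objectClass, which is a hard-to-spot upgrade failure. A one-line comment above the new `dn:` naming where the privilege is defined, e.g. `# Privilege entry is created in <UPDATE-FILE-PLACEHOLDER>; this only grants it to the User Administrator role`, would document the ordering assumption. Note also that this membership extends every existing User Administrator's rights to staged users, which is what the commit title intends but is worth calling out in the comment for operators reviewing role scope.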