-rw-r--r--ACI.txt4
-rw-r--r--install/share/delegation.ldif8
-rw-r--r--ipalib/plugins/stageuser.py17
3 files changed, 25 insertions, 4 deletions
diff --git a/ACI.txt b/ACI.txt
index 534689c4b..bf5398929 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -213,7 +213,9 @@ aci: (targetattr = "createtimestamp || entryusn || ipakrbauthzdata || ipakrbprin
dn: cn=services,cn=accounts,dc=ipa,dc=example
aci: (targetfilter = "(objectclass=ipaservice)")(version 3.0;acl "permission:System: Remove Services";allow (delete) groupdn = "ldap:///cn=System: Remove Services,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example
-aci: (targetattr = "*")(target = "ldap:///uid=*,cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=*)")(version 3.0;acl "permission:System: Add delete modify Stage Users by administrators";allow (add,delete,write) groupdn = "ldap:///cn=System: Add delete modify Stage Users by administrators,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+aci: (targetattr = "*")(target = "ldap:///uid=*,cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=*)")(version 3.0;acl "permission:System: Add Stage Users by Provisioning and Administrators";allow (add) groupdn = "ldap:///cn=System: Add Stage Users by Provisioning and Administrators,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example
+aci: (targetattr = "*")(target = "ldap:///uid=*,cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=*)")(version 3.0;acl "permission:System: Delete modify Stage Users by administrators";allow (delete,write) groupdn = "ldap:///cn=System: Delete modify Stage Users by administrators,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: dc=ipa,dc=example
aci: (target_to = "ldap:///cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(target_from = "ldap:///cn=users,cn=accounts,dc=ipa,dc=example")(targetfilter = "(objectclass=nsContainer)")(version 3.0;acl "permission:System: Preserve an active user to a delete Users";allow (moddn) groupdn = "ldap:///cn=System: Preserve an active user to a delete Users,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: dc=ipa,dc=example
diff --git a/install/share/delegation.ldif b/install/share/delegation.ldif
index 76e726fb9..bacd9e68a 100644
--- a/install/share/delegation.ldif
+++ b/install/share/delegation.ldif
@@ -137,6 +137,14 @@ objectClass: nestedgroup
cn: Stage User Administrators
description: Stage User Administrators
+dn: cn=Stage User Provisioning,cn=privileges,cn=pbac,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+objectClass: nestedgroup
+cn: Stage User Provisioning
+description: Stage User Provisioning
+
############################################
# Default permissions.
############################################
diff --git a/ipalib/plugins/stageuser.py b/ipalib/plugins/stageuser.py
index c4d9bb687..c8c92f41b 100644
--- a/ipalib/plugins/stageuser.py
+++ b/ipalib/plugins/stageuser.py
@@ -115,6 +115,17 @@ class stageuser(baseuser):
#
# Stage container
#
+ # Stage user provisioning and Stage user Administrators,
+ # allowed to create stage users
+ 'System: Add Stage Users by Provisioning and Administrators': {
+ 'ipapermlocation': DN(baseuser.stage_container_dn, api.env.basedn),
+ 'ipapermbindruletype': 'permission',
+ 'ipapermtarget': DN('uid=*', baseuser.stage_container_dn, api.env.basedn),
+ 'ipapermtargetfilter': {'(objectclass=*)'},
+ 'ipapermright': {'add'},
+ 'ipapermdefaultattr': {'*'},
+ 'default_privileges': {'Stage User Administrators', 'Stage User Provisioning'},
+ },
# Stage user administrators allowed to read kerberos/password
# when the user is activated (to copy them in the active entry)
'System: Read Stage User kerberos principal key and password': {
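Review bot: The new 'System: Add Stage Users by Provisioning and Administrators' entry grants `add` with `'ipapermdefaultattr': {'*'}` and `'ipapermtargetfilter': {'(objectclass=*)'}`, so a holder of the Stage User Provisioning privilege can populate a new stage entry with any attribute and any object class, not only the user attributes a provisioning system has to supply. If activation copies the staged entry into the active tree, as the comment on the next entry about copying kerberos/password suggests, values pre-seeded by provisioning carry over; if a narrower provisioning role is intended, list the attributes explicitly in ipapermdefaultattr or tighten the target filter. Either way the decision deserves a line in the comment at the top of the entry, e.g. `# Provisioning may set any attribute of the new stage entry; content is reviewed at activation`. The enclosing managed_permissions dict and class stageuser begin before the hunk.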
@@ -128,14 +139,14 @@ class stageuser(baseuser):
},
'default_privileges': {'Stage User Administrators'},
},
- # Stage user administrator allowed to create/delete stage users and
+ # Stage user administrator allowed to delete stage users and
# to update them
- 'System: Add delete modify Stage Users by administrators': {
+ 'System: Delete modify Stage Users by administrators': {
'ipapermlocation': DN(baseuser.stage_container_dn, api.env.basedn),
'ipapermbindruletype': 'permission',
'ipapermtarget': DN('uid=*', baseuser.stage_container_dn, api.env.basedn),
'ipapermtargetfilter': {'(objectclass=*)'},
- 'ipapermright': {'add','delete','write'},
+ 'ipapermright': {'delete','write'},
'ipapermdefaultattr': {'*'},
'default_privileges': {'Stage User Administrators'},
},
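Review bot: Renaming the managed permission from 'System: Add delete modify Stage Users by administrators' to 'System: Delete modify Stage Users by administrators' does not by itself retire the old permission on already-installed servers: unless the managed-permission updater deletes permissions that no longer appear in this dict, an upgraded deployment keeps the old entry, which still grants add, delete and write to Stage User Administrators, next to the new narrower one. If the managed-permission framework used in this file has a key for naming permissions an entry replaces, it should be set on the renamed entry; otherwise an update step should remove the old permission explicitly. It is worth verifying on an upgraded test instance that only the two new stage-user permissions remain under cn=permissions,cn=pbac. The managed_permissions dict and class stageuser begin before the hunk.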