-rw-r--r-- | API.txt | 9 | ||||
-rw-r--r-- | install/share/delegation.ldif | 449 | ||||
-rw-r--r-- | install/share/dns.ldif | 20 | ||||
-rw-r--r-- | install/share/replica-acis.ldif | 8 | ||||
-rw-r--r-- | ipalib/plugins/permission.py | 36 | ||||
-rw-r--r-- | tests/test_xmlrpc/test_permission_plugin.py | 20 | ||||
-rw-r--r-- | tests/test_xmlrpc/test_privilege_plugin.py | 4 |
7 files changed, 239 insertions, 307 deletions
@@ -1586,9 +1586,8 @@ output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), 'User-friendly
 output: Output('result', <type 'bool'>, 'True means the operation was successful')
 output: Output('value', <type 'unicode'>, "The primary_key value of the entry, e.g. 'jdoe' for a user")
 command: permission_add
-args: 1,13,3
+args: 1,12,3
 arg: Str('cn', attribute=True, cli_name='name', label=Gettext('Permission name', domain='ipa', localedir=None), multivalue=False, normalizer=<lambda>, primary_key=True, required=True)
-option: Str('description', attribute=True, cli_name='desc', label=Gettext('Description', domain='ipa', localedir=None), multivalue=False, required=True)
 option: List('permissions', attribute=True, cli_name='permissions', label=Gettext('Permissions', domain='ipa', localedir=None), multivalue=True, required=True)
 option: List('attrs', alwaysask=True, attribute=True, autofill=False, cli_name='attrs', flags=('ask_create', 'ask_update'), label=Gettext('Attributes', domain='ipa', localedir=None), multivalue=True, normalizer=<lambda>, query=True, required=False)
 option: StrEnum('type', alwaysask=True, attribute=True, autofill=False, cli_name='type', flags=('ask_create', 'ask_update'), label=Gettext('Type', domain='ipa', localedir=None), multivalue=False, query=True, required=False, values=(u'user', u'group', u'host', u'service', u'hostgroup', u'netgroup', u'dns'))
@@ -1622,10 +1621,9 @@ output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), 'User-friendly
 output: Output('result', <type 'dict'>, 'list of deletions that failed')
 output: Output('value', <type 'unicode'>, "The primary_key value of the entry, e.g. 'jdoe' for a user")
 command: permission_find
-args: 1,14,4
+args: 1,13,4
 arg: Str('criteria?')
 option: Str('cn', attribute=True, autofill=False, cli_name='name', label=Gettext('Permission name', domain='ipa', localedir=None), multivalue=False, normalizer=<lambda>, primary_key=True, query=True, required=False)
-option: Str('description', attribute=True, autofill=False, cli_name='desc', label=Gettext('Description', domain='ipa', localedir=None), multivalue=False, query=True, required=False)
 option: List('permissions', attribute=True, autofill=False, cli_name='permissions', label=Gettext('Permissions', domain='ipa', localedir=None), multivalue=True, query=True, required=False)
 option: List('attrs', attribute=True, autofill=False, cli_name='attrs', flags=('ask_create', 'ask_update'), label=Gettext('Attributes', domain='ipa', localedir=None), multivalue=True, normalizer=<lambda>, query=True, required=False)
 option: StrEnum('type', attribute=True, autofill=False, cli_name='type', flags=('ask_create', 'ask_update'), label=Gettext('Type', domain='ipa', localedir=None), multivalue=False, query=True, required=False, values=(u'user', u'group', u'host', u'service', u'hostgroup', u'netgroup', u'dns'))
@@ -1643,9 +1641,8 @@ output: ListOfEntries('result', (<type 'list'>, <type 'tuple'>), Gettext('A list
 output: Output('count', <type 'int'>, 'Number of entries returned')
 output: Output('truncated', <type 'bool'>, 'True if not all results were returned')
 command: permission_mod
-args: 1,15,3
+args: 1,14,3
 arg: Str('cn', attribute=True, cli_name='name', label=Gettext('Permission name', domain='ipa', localedir=None), multivalue=False, normalizer=<lambda>, primary_key=True, query=True, required=True)
-option: Str('description', attribute=True, autofill=False, cli_name='desc', label=Gettext('Description', domain='ipa', localedir=None), multivalue=False, required=False)
 option: List('permissions', attribute=True, autofill=False, cli_name='permissions', label=Gettext('Permissions', domain='ipa', localedir=None), multivalue=True, required=False)
 option: List('attrs', alwaysask=True, attribute=True, autofill=False, cli_name='attrs', flags=('ask_create', 'ask_update'), label=Gettext('Attributes', domain='ipa', localedir=None), multivalue=True, normalizer=<lambda>, query=True, required=False)
 option: StrEnum('type', alwaysask=True, attribute=True, autofill=False, cli_name='type', flags=('ask_create', 'ask_update'), label=Gettext('Type', domain='ipa', localedir=None), multivalue=False, query=True, required=False, values=(u'user', u'group', u'host', u'service', u'hostgroup', u'netgroup', u'dns'))
diff --git a/install/share/delegation.ldif b/install/share/delegation.ldif
index df8cb1072..e154f6b00 100644
--- a/install/share/delegation.ldif
+++ b/install/share/delegation.ldif
@@ -40,93 +40,93 @@ description: Helpdesk
 ############################################
 # Add the default privileges
 ############################################
-dn: cn=useradmin,cn=privileges,cn=pbac,$SUFFIX
+dn: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
 objectClass: nestedgroup
-cn: useradmin
+cn: User Administrators
 description: User Administrators
 
-dn: cn=groupadmin,cn=privileges,cn=pbac,$SUFFIX
+dn: cn=Group Administrators,cn=privileges,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
 objectClass: nestedgroup
-cn: groupadmin
+cn: Group Administrators
 description: Group Administrators
 
-dn: cn=hostadmin,cn=privileges,cn=pbac,$SUFFIX
+dn: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
 objectClass: nestedgroup
-cn: hostadmin
+cn: Host Administrators
 description: Host Administrators
 
-dn: cn=hostgroupadmin,cn=privileges,cn=pbac,$SUFFIX
+dn: cn=Host Group Administrators,cn=privileges,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
 objectClass: nestedgroup
-cn: hostgroupadmin
+cn: Host Group Administrators
 description: Host Group Administrators
 
-dn: cn=delegationadmin,cn=privileges,cn=pbac,$SUFFIX
+dn: cn=Delegation Administrator,cn=privileges,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
 objectClass: nestedgroup
-cn: delegationadmin
+cn: Delegation Administrator
 description: Role administration
 
-dn: cn=serviceadmin,cn=privileges,cn=pbac,$SUFFIX
+dn: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
 objectClass: nestedgroup
-cn: serviceadmin
+cn: Service Administrators
 description: Service Administrators
 
-dn: cn=automountadmin,cn=privileges,cn=pbac,$SUFFIX
+dn: cn=Automount Administrators,cn=privileges,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
 objectClass: nestedgroup
-cn: automountadmin
+cn: Automount Administrators
 description: Automount Administrators
 
-dn: cn=netgroupadmin,cn=privileges,cn=pbac,$SUFFIX
+dn: cn=Netgroups Administrators,cn=privileges,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
 objectClass: nestedgroup
-cn: netgroupadmin
+cn: Netgroups Administrators
 description: Netgroups Administrators
 
-dn: cn=certadmin,cn=privileges,cn=pbac,$SUFFIX
+dn: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
 objectClass: nestedgroup
-cn: certadmin
+cn: Certificate Administrators
 description: Certificate Administrators
 
-dn: cn=replicaadmin,cn=privileges,cn=pbac,$SUFFIX
+dn: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
 objectClass: nestedgroup
-cn: replicaadmin
+cn: Replication Administrators
 description: Replication Administrators
 member: cn=admins,cn=groups,cn=accounts,$SUFFIX
 
-dn: cn=enrollhost,cn=privileges,cn=pbac,$SUFFIX
+dn: cn=Host Enrollment,cn=privileges,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: groupofnames
 objectClass: nestedgroup
-cn: enrollhost
+cn: Host Enrollment
 description: Host Enrollment
 
 dn: cn=entitlementadmin,cn=privileges,cn=pbac,$SUFFIX
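Review bot: The new privilege cn values are inconsistent in number: `cn=Delegation Administrator` is singular while every other privilege in this hunk is plural (`User Administrators`, `Host Administrators`, …), and `Netgroups Administrators` pluralises the managed object where `Host Group Administrators` does not. Because these cn values are now the DNs that permission entries reference via `member:` and that roles are nested into, fixing the spelling later means a DN rename that has to be propagated to every referrer, so settling on `Delegation Administrators` and `Netgroup Administrators` here is cheaper. The diffstat lists no update file for this rename, so an existing deployment would presumably keep the old `cn=useradmin`-style privilege DNs and their memberships unless the upgrade path re-applies this ldif — worth confirming before this ships.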
@@ -143,343 +143,304 @@ description: Entitlement Administrators # User administration -dn: cn=addusers,cn=permissions,cn=pbac,$SUFFIX +dn: cn=Add Users,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: addusers -description: Add Users -member: cn=useradmin,cn=privileges,cn=pbac,$SUFFIX +cn: Add Users +member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX -dn: cn=change_password,cn=permissions,cn=pbac,$SUFFIX +dn: cn=Change a user password,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: change_password -description: Change a user password -member: cn=useradmin,cn=privileges,cn=pbac,$SUFFIX +cn: Change a user password +member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX -dn: cn=add_user_to_default_group,cn=permissions,cn=pbac,$SUFFIX +dn: cn=Add user to default group,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: add_user_to_default_group -description: Add user to default group -member: cn=useradmin,cn=privileges,cn=pbac,$SUFFIX +cn: Add user to default group +member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX -dn: cn=unlock_user,cn=permissions,cn=pbac,$SUFFIX +dn: cn=Unlock user accounts,cn=permissions,cn=pbac,$SUFFIX changetype: add objectclass: top objectclass: groupofnames -cn: unlock_user -description: Unlock user accounts -member: cn=useradmin,cn=privileges,cn=pbac,$SUFFIX +cn: Unlock user accounts +member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX member: cn=admins,cn=groups,cn=accounts,$SUFFIX -dn: cn=removeusers,cn=permissions,cn=pbac,$SUFFIX +dn: cn=Remove Users,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: removeusers -description: Remove Users -member: cn=useradmin,cn=privileges,cn=pbac,$SUFFIX +cn: Remove Users +member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX -dn: cn=modifyusers,cn=permissions,cn=pbac,$SUFFIX +dn: 
cn=Modify Users,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: modifyusers -description: Modify Users -member: cn=useradmin,cn=privileges,cn=pbac,$SUFFIX +cn: Modify Users +member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX # Group administration -dn: cn=addgroups,cn=permissions,cn=pbac,$SUFFIX +dn: cn=Add Groups,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: addgroups -description: Add Groups -member: cn=groupadmin,cn=privileges,cn=pbac,$SUFFIX +cn: Add Groups +member: cn=Group Administrators,cn=privileges,cn=pbac,$SUFFIX -dn: cn=removegroups,cn=permissions,cn=pbac,$SUFFIX +dn: cn=Remove Groups,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: removegroups -description: Remove Groups -member: cn=groupadmin,cn=privileges,cn=pbac,$SUFFIX +cn: Remove Groups +member: cn=Group Administrators,cn=privileges,cn=pbac,$SUFFIX -dn: cn=modifygroups,cn=permissions,cn=pbac,$SUFFIX +dn: cn=Modify Groups,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: modifygroups -description: Modify Groups -member: cn=groupadmin,cn=privileges,cn=pbac,$SUFFIX +cn: Modify Groups +member: cn=Group Administrators,cn=privileges,cn=pbac,$SUFFIX -dn: cn=modifygroupmembership,cn=permissions,cn=pbac,$SUFFIX +dn: cn=Modify Group membership,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: modifygroupmembership -description: Modify Group membership -member: cn=groupadmin,cn=privileges,cn=pbac,$SUFFIX +cn: Modify Group membership +member: cn=Group Administrators,cn=privileges,cn=pbac,$SUFFIX # Host administration -dn: cn=addhosts,cn=permissions,cn=pbac,$SUFFIX +dn: cn=Add Hosts,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: addhosts -description: Add Hosts -member: cn=hostadmin,cn=privileges,cn=pbac,$SUFFIX +cn: Add 
Hosts +member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX -dn: cn=removehosts,cn=permissions,cn=pbac,$SUFFIX +dn: cn=Remove Hosts,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: removehosts -description: Remove Hosts -member: cn=hostadmin,cn=privileges,cn=pbac,$SUFFIX +cn: Remove Hosts +member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX -dn: cn=modifyhosts,cn=permissions,cn=pbac,$SUFFIX +dn: cn=Modify Hosts,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: modifyhosts -description: Modify Hosts -member: cn=hostadmin,cn=privileges,cn=pbac,$SUFFIX +cn: Modify Hosts +member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX # Hostgroup administration -dn: cn=addhostgroups,cn=permissions,cn=pbac,$SUFFIX +dn: cn=Add Hostgroups,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: addhostgroups -description: Add Hostgroups -member: cn=hostgroupadmin,cn=privileges,cn=pbac,$SUFFIX +cn: Add Hostgroups +member: cn=Host Group Administrators,cn=privileges,cn=pbac,$SUFFIX -dn: cn=removehostgroups,cn=permissions,cn=pbac,$SUFFIX +dn: cn=Remove Hostgroups,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: removehostgroups -description: Remove Hostgroups -member: cn=hostgroupadmin,cn=privileges,cn=pbac,$SUFFIX +cn: Remove Hostgroups +member: cn=Host Group Administrators,cn=privileges,cn=pbac,$SUFFIX -dn: cn=modifyhostgroups,cn=permissions,cn=pbac,$SUFFIX +dn: cn=Modify Hostgroups,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: modifyhostgroups -description: Modify Hostgroups -member: cn=hostgroupadmin,cn=privileges,cn=pbac,$SUFFIX +cn: Modify Hostgroups +member: cn=Host Group Administrators,cn=privileges,cn=pbac,$SUFFIX -dn: cn=modifyhostgroupmembership,cn=permissions,cn=pbac,$SUFFIX +dn: cn=Modify Hostgroup 
membership,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: modifyhostgroupmembership -description: Modify Hostgroup membership -member: cn=hostgroupadmin,cn=privileges,cn=pbac,$SUFFIX +cn: Modify Hostgroup membership +member: cn=Host Group Administrators,cn=privileges,cn=pbac,$SUFFIX # Service administration -dn: cn=addservices,cn=permissions,cn=pbac,$SUFFIX +dn: cn=Add Services,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: addservices -description: Add Services -member: cn=serviceadmin,cn=privileges,cn=pbac,$SUFFIX +cn: Add Services +member: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX -dn: cn=removeservices,cn=permissions,cn=pbac,$SUFFIX +dn: cn=Remove Services,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: removeservices -description: Remove Services -member: cn=serviceadmin,cn=privileges,cn=pbac,$SUFFIX +cn: Remove Services +member: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX -dn: cn=modifyservices,cn=permissions,cn=pbac,$SUFFIX +dn: cn=Modify Services,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: modifyservices -description: Modify Services -member: cn=serviceadmin,cn=privileges,cn=pbac,$SUFFIX +cn: Modify Services +member: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX # Delegation administration -dn: cn=addroles,cn=permissions,cn=pbac,$SUFFIX +dn: cn=Add Roles,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: addroles -description: Add Roles -member: cn=delegationadmin,cn=privileges,cn=pbac,$SUFFIX +cn: Add Roles +member: cn=Delegation Administrator,cn=privileges,cn=pbac,$SUFFIX -dn: cn=removeroles,cn=permissions,cn=pbac,$SUFFIX +dn: cn=Remove Roles,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: removeroles -description: Remove Roles -member: 
cn=delegationadmin,cn=privileges,cn=pbac,$SUFFIX +cn: Remove Roles +member: cn=Delegation Administrator,cn=privileges,cn=pbac,$SUFFIX -dn: cn=modifyroles,cn=permissions,cn=pbac,$SUFFIX +dn: cn=Modify Roles,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: modifyroles -description: Modify Roles -member: cn=delegationadmin,cn=privileges,cn=pbac,$SUFFIX +cn: Modify Roles +member: cn=Delegation Administrator,cn=privileges,cn=pbac,$SUFFIX -dn: cn=modifyrolemembership,cn=permissions,cn=pbac,$SUFFIX +dn: cn=Modify Role membership,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: modifyrolemembership -description: Modify Role Group membership -member: cn=delegationadmin,cn=privileges,cn=pbac,$SUFFIX +cn: Modify Role membership +member: cn=Delegation Administrator,cn=privileges,cn=pbac,$SUFFIX -dn: cn=modifyprivilegemembership,cn=permissions,cn=pbac,$SUFFIX +dn: cn=Modify privilege membership,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: modifyprivilegemembership -description: Modify privilege membership -member: cn=delegationadmin,cn=privileges,cn=pbac,$SUFFIX +cn: Modify privilege membership +member: cn=Delegation Administrator,cn=privileges,cn=pbac,$SUFFIX # Automount administration -dn: cn=addautomountmaps,cn=permissions,cn=pbac,$SUFFIX +dn: cn=Add Automount maps,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: addautomountmaps -description: Add Automount maps -member: cn=automountadmin,cn=privileges,cn=pbac,$SUFFIX +cn: Add Automount maps +member: cn=Automount Administrators,cn=privileges,cn=pbac,$SUFFIX -dn: cn=removeautomountmaps,cn=permissions,cn=pbac,$SUFFIX +dn: cn=Remove Automount maps,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: removeautomountmaps -description: Remove Automount maps -member: 
cn=automountadmin,cn=privileges,cn=pbac,$SUFFIX +cn: Remove Automount maps +member: cn=Automount Administrators,cn=privileges,cn=pbac,$SUFFIX -dn: cn=addautomountkeys,cn=permissions,cn=pbac,$SUFFIX +dn: cn=Add Automount keys,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: addautomountkeys -description: Add Automount keys -member: cn=automountadmin,cn=privileges,cn=pbac,$SUFFIX +cn: Add Automount keys +member: cn=Automount Administrators,cn=privileges,cn=pbac,$SUFFIX -dn: cn=removeautomountkeys,cn=permissions,cn=pbac,$SUFFIX +dn: cn=Remove Automount keys,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: removeautomountkeys -description: Remove Automount keys -member: cn=automountadmin,cn=privileges,cn=pbac,$SUFFIX +cn: Remove Automount keys +member: cn=Automount Administrators,cn=privileges,cn=pbac,$SUFFIX # Netgroup administration -dn: cn=addnetgroups,cn=permissions,cn=pbac,$SUFFIX +dn: cn=Add netgroups,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: addnetgroups -description: Add netgroups -member: cn=netgroupadmin,cn=privileges,cn=pbac,$SUFFIX +cn: Add netgroups +member: cn=Netgroups Administrators,cn=privileges,cn=pbac,$SUFFIX -dn: cn=removenetgroups,cn=permissions,cn=pbac,$SUFFIX +dn: cn=Remove netgroups,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: removenetgroups -description: Remove netgroups -member: cn=netgroupadmin,cn=privileges,cn=pbac,$SUFFIX +cn: Remove netgroups +member: cn=Netgroups Administrators,cn=privileges,cn=pbac,$SUFFIX -dn: cn=modifynetgroups,cn=permissions,cn=pbac,$SUFFIX +dn: cn=Modify netgroups,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: modifynetgroups -description: Modify netgroups -member: cn=netgroupadmin,cn=privileges,cn=pbac,$SUFFIX +cn: Modify netgroups +member: cn=Netgroups 
Administrators,cn=privileges,cn=pbac,$SUFFIX -dn: cn=modifynetgroupmembership,cn=permissions,cn=pbac,$SUFFIX +dn: cn=Modify netgroup membership,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: modifynetgroupmembership -description: Modify netgroup membership -member: cn=netgroupadmin,cn=privileges,cn=pbac,$SUFFIX +cn: Modify netgroup membership +member: cn=Netgroups Administrators,cn=privileges,cn=pbac,$SUFFIX # Keytab access -dn: cn=manage_host_keytab,cn=permissions,cn=pbac,$SUFFIX +dn: cn=Manage host keytab,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: manage_host_keytab -description: Manage host keytab -member: cn=hostadmin,cn=privileges,cn=pbac,$SUFFIX -member: cn=enrollhost,cn=privileges,cn=pbac,$SUFFIX +cn: Manage host keytab +member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX +member: cn=Host Enrollment,cn=privileges,cn=pbac,$SUFFIX -dn: cn=manage_service_keytab,cn=permissions,cn=pbac,$SUFFIX +dn: cn=Manage service keytab,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: manage_service_keytab -description: Manage service keytab -member: cn=serviceadmin,cn=privileges,cn=pbac,$SUFFIX -member: cn=admins,cn=privileges,cn=pbac,$SUFFIX +cn: Manage service keytab +member: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX +member: cn=admins,cn=groups,cn=accounts,$SUFFIX # DNS administration # The permission and aci for this is in install/updates/dns.ldif -dn: cn=enroll_host,cn=permissions,cn=pbac,$SUFFIX +dn: cn=Enroll a host,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: enroll_host -description: Enroll a host -member: cn=hostadmin,cn=privileges,cn=pbac,$SUFFIX -member: cn=enrollhost,cn=privileges,cn=pbac,$SUFFIX +cn: Enroll a host +member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX +member: cn=Host Enrollment,cn=privileges,cn=pbac,$SUFFIX # Replica 
administration -dn: cn=addreplica,cn=permissions,cn=pbac,$SUFFIX +dn: cn=Add Replication Agreements,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: addreplica -description: Add Replication Agreements -member: cn=replicaadmin,cn=privileges,cn=pbac,$SUFFIX +cn: Add Replication Agreements +member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX -dn: cn=modifyreplica,cn=permissions,cn=pbac,$SUFFIX +dn: cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: modifyreplica -description: Modify Replication Agreements -member: cn=replicaadmin,cn=privileges,cn=pbac,$SUFFIX +cn: Modify Replication Agreements +member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX -dn: cn=removereplica,cn=permissions,cn=pbac,$SUFFIX +dn: cn=Remove Replication Agreements,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: removereplica -description: Remove Replication Agreements -member: cn=replicaadmin,cn=privileges,cn=pbac,$SUFFIX +cn: Remove Replication Agreements +member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX # Entitlement management 
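Review bot: The `Manage service keytab` entry changes its second member from `cn=admins,cn=privileges,cn=pbac,$SUFFIX` to `cn=admins,cn=groups,cn=accounts,$SUFFIX`, which is a rights change rather than a rename: the old DN matches none of the privileges visible in this diff, so the permission was effectively held only via `Service Administrators`, whereas the new line grants it to the admins group directly. That is very likely the intended fix, but a change in who can write service keytabs deserves a sentence in the commit message instead of being buried among the cn renames. Separately, `Enroll a host` still sits under the `# DNS administration` heading whose comment says its aci lives in install/updates/dns.ldif; a `# Host enrollment` heading above that entry would stop readers from associating it with DNS.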
@@ -516,52 +477,52 @@ member: cn=entitlementadmin,cn=privileges,cn=pbac,$SUFFIX dn: $SUFFIX changetype: modify add: aci -aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:addusers";allow (add) groupdn = "ldap:///cn=addusers,cn=permissions,cn=pbac,$SUFFIX";) -aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:change_password";allow (write) groupdn = "ldap:///cn=change_password,cn=permissions,cn=pbac,$SUFFIX";) -aci: (targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=unlock_user,cn=permissions,cn=pbac,$SUFFIX";) -aci: (targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:add_user_to_default_group";allow (write) groupdn = "ldap:///cn=add_user_to_default_group,cn=permissions,cn=pbac,$SUFFIX";) -aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:removeusers";allow (delete) groupdn = "ldap:///cn=removeusers,cn=permissions,cn=pbac,$SUFFIX";) -aci: (targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:modifyusers";allow (write) groupdn = "ldap:///cn=modifyusers,cn=permissions,cn=pbac,$SUFFIX";) +aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add 
Users,cn=permissions,cn=pbac,$SUFFIX";) +aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,$SUFFIX";) +aci: (targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,$SUFFIX";) +aci: (targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,$SUFFIX";) +aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,$SUFFIX";) +aci: (targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,$SUFFIX";) # Group administration dn: $SUFFIX changetype: modify add: aci -aci: (target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:addgroups";allow (add) groupdn = "ldap:///cn=addgroups,cn=permissions,cn=pbac,$SUFFIX";) -aci: (targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl 
"permission:modifygroupmembership";allow (write) groupdn = "ldap:///cn=modifygroupmembership,cn=permissions,cn=pbac,$SUFFIX";) -aci: (target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:removegroups";allow (delete) groupdn = "ldap:///cn=removegroups,cn=permissions,cn=pbac,$SUFFIX";) +aci: (target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,$SUFFIX";) +aci: (targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,$SUFFIX";) +aci: (target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,$SUFFIX";) # We need objectclass and gidnumber in modify so a non-posix group can be # promoted. We need mqpManagedBy and ipaUniqueId so a group can be detached. 
-aci: (targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:modifygroups";allow (write) groupdn = "ldap:///cn=modifygroups,cn=permissions,cn=pbac,$SUFFIX";) +aci: (targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,$SUFFIX";) # Host administration dn: $SUFFIX changetype: modify add: aci -aci: (target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:addhosts";allow (add) groupdn = "ldap:///cn=addhosts,cn=permissions,cn=pbac,$SUFFIX";) -aci: (target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:removehosts";allow (delete) groupdn = "ldap:///cn=removehosts,cn=permissions,cn=pbac,$SUFFIX";) -aci: (targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:modifyhosts";allow (write) groupdn = "ldap:///cn=modifyhosts,cn=permissions,cn=pbac,$SUFFIX";) +aci: (target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,$SUFFIX";) +aci: (target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,$SUFFIX";) +aci: (targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,$SUFFIX";) # Hostgroup administration dn: $SUFFIX changetype: modify add: aci 
-aci: (target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:addhostgroups";allow (add) groupdn = "ldap:///cn=addhostgroups,cn=permissions,cn=pbac,$SUFFIX";) -aci: (target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:removehostgroups";allow (delete) groupdn = "ldap:///cn=removehostgroups,cn=permissions,cn=pbac,$SUFFIX";) -aci: (targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0; acl "permission:modifyhostgroups";allow (write) groupdn = "ldap:///cn=modifyhostgroups,cn=permissions,cn=pbac,$SUFFIX";) -aci: (targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:modifyhostgroupmembership";allow (write) groupdn = "ldap:///cn=modifyhostgroupmembership,cn=permissions,cn=pbac,$SUFFIX";) +aci: (target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,$SUFFIX";) +aci: (target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,$SUFFIX";) +aci: (targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,$SUFFIX";) +aci: (targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,$SUFFIX";) # Service administration dn: $SUFFIX changetype: modify add: aci -aci: (target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "permission:addservices";allow (add) groupdn = 
"ldap:///cn=addservices,cn=permissions,cn=pbac,$SUFFIX";) -aci: (target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "permission:removeservices";allow (delete) groupdn = "ldap:///cn=removeservices,cn=permissions,cn=pbac,$SUFFIX";) -aci: (targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "permission:modifyservices";allow (write) groupdn = "ldap:///cn=modifyservices,cn=permissions,cn=pbac,$SUFFIX";) +aci: (target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,$SUFFIX";) +aci: (target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,$SUFFIX";) +aci: (targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,$SUFFIX";) # Delegation administration 
@@ -573,45 +534,45 @@ aci: (targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(ve dn: $SUFFIX changetype: modify add: aci -aci: (target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0;acl "permission:addroles";allow (add) groupdn = "ldap:///cn=addroles,cn=permissions,cn=pbac,$SUFFIX";) -aci: (target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0;acl "permission:removeroles";allow (delete) groupdn = "ldap:///cn=removeroles,cn=permissions,cn=pbac,$SUFFIX";) -aci: (targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0; acl "permission:modifyroles";allow (write) groupdn = "ldap:///cn=modifyroles,cn=permissions,cn=pbac,$SUFFIX";) -aci: (targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0;acl "permission:modifyrolemembership";allow (write) groupdn = "ldap:///cn=modifyrolemembership,cn=permissions,cn=pbac,$SUFFIX";) -aci: (targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,$SUFFIX")(version 3.0;acl "permission:modifyprivilegemembership";allow (write) groupdn = "ldap:///cn=modifyprivilegemembership,cn=permissions,cn=pbac,$SUFFIX";) +aci: (target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,$SUFFIX";) +aci: (target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,$SUFFIX";) +aci: (targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,$SUFFIX";) +aci: (targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,$SUFFIX";) 
+aci: (targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,$SUFFIX")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,$SUFFIX";) # Automount administration dn: $SUFFIX changetype: modify add: aci -aci: (target = "ldap:///automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:addautomountmaps";allow (add) groupdn = "ldap:///cn=addautomountmaps,cn=permissions,cn=pbac,$SUFFIX";) -aci: (target = "ldap:///automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:removeautomountmaps";allow (delete) groupdn = "ldap:///cn=removeautomountmaps,cn=permissions,cn=pbac,$SUFFIX";) -aci: (target = "ldap:///automountkey=*,automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:addautomountkeys";allow (add) groupdn = "ldap:///cn=addautomountkeys,cn=permissions,cn=pbac,$SUFFIX";) -aci: (target = "ldap:///automountkey=*,automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:removeautomountkeys";allow (delete) groupdn = "ldap:///cn=removeautomountkeys,cn=permissions,cn=pbac,$SUFFIX";) +aci: (target = "ldap:///automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount maps,cn=permissions,cn=pbac,$SUFFIX";) +aci: (target = "ldap:///automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,$SUFFIX";) +aci: (target = "ldap:///automountkey=*,automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,$SUFFIX";) +aci: (target = "ldap:///automountkey=*,automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount 
keys,cn=permissions,cn=pbac,$SUFFIX";) # Netgroup administration dn: $SUFFIX changetype: modify add: aci -aci: (target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "permission:addnetgroups";allow (add) groupdn = "ldap:///cn=addnetgroups,cn=permissions,cn=pbac,$SUFFIX";) -aci: (target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "permission:removenetgroups";allow (delete) groupdn = "ldap:///cn=removenetgroups,cn=permissions,cn=pbac,$SUFFIX";) -aci: (targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0; acl "permission:modifynetgroups";allow (write) groupdn = "ldap:///cn=modifynetgroups,cn=permissions,cn=pbac,$SUFFIX";) -aci: (targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "permission:modifynetgroupmembership";allow (write) groupdn = "ldap:///cn=modifynetgroupmembership,cn=permissions,cn=pbac,$SUFFIX";) +aci: (target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,$SUFFIX";) +aci: (target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove netgroups,cn=permissions,cn=pbac,$SUFFIX";) +aci: (targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,$SUFFIX";) +aci: (targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,$SUFFIX";) # Host keytab admin dn: $SUFFIX changetype: modify add: aci -aci: (targetattr = "krbprincipalkey || krblastpwdchange")(target 
= "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:manage_host_keytab";allow (write) groupdn = "ldap:///cn=manage_host_keytab,cn=permissions,cn=pbac,$SUFFIX";) +aci: (targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,$SUFFIX";) # Service keytab admin dn: $SUFFIX changetype: modify add: aci -aci: (targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "permission:manage_service_keytab";allow (write) groupdn = "ldap:///cn=manage_service_keytab,cn=permissions,cn=pbac,$SUFFIX";) +aci: (targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,$SUFFIX";) # Add the ACI needed to do host enrollment. When this occurs we # set the krbPrincipalName, add krbPrincipalAux to objectClass and @@ -620,7 +581,7 @@ aci: (targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbp dn: $SUFFIX changetype: modify add: aci -aci: (targetattr = "enrolledby || objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:enroll_host";allow (write) groupdn = "ldap:///cn=enroll_host,cn=permissions,cn=pbac,$SUFFIX";) +aci: (targetattr = "enrolledby || objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,$SUFFIX";) # Entitlement administration 
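Review bot: The renamed groupdn targets in these ACIs (for example `cn=Modify Role membership,cn=permissions,cn=pbac,$SUFFIX`) only exist on servers installed from the new delegation.ldif; nothing in this diff renames the existing lower-case entries (`cn=modifyrolemembership,cn=permissions,cn=pbac,$SUFFIX`) on an already-installed server, and an ACI whose groupdn resolves to no entry grants the right to nobody. If an upgrade step lives outside this change, a comment at the top of the file pointing to it would help a reader; otherwise the old permission and privilege entries need to be renamed before these ACIs are applied. The same point applies to hunk @@ -620 here, the certificate hunks @@ -654 through @@ -754, the dns.ldif hunk @@ -38 and the replica-acis.ldif hunk @@ -3.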
@@ -654,18 +615,17 @@ objectClass: top objectClass: nsContainer cn: retrieve certificate -dn: cn=retrieve_certs,cn=permissions,cn=pbac,$SUFFIX +dn: cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: retrieve_certs -description: Retrieve Certificates from the CA -member: cn=certadmin,cn=privileges,cn=pbac,$SUFFIX +cn: Retrieve Certificates from the CA +member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX dn: $SUFFIX changetype: modify add: aci -aci: (targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:retrieve_certs" ; allow (write) groupdn = "ldap:///cn=retrieve_certs,cn=permissions,cn=pbac,$SUFFIX";) +aci: (targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,$SUFFIX";) # Request Certificate virtual op dn: cn=request certificate,cn=virtual operations,cn=etc,$SUFFIX 
@@ -674,18 +634,17 @@ objectClass: top objectClass: nsContainer cn: request certificate -dn: cn=request_certs,cn=permissions,cn=pbac,$SUFFIX +dn: cn=Request Certificate,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: request_certs -description: Request Certificates from the CA -member: cn=certadmin,cn=privileges,cn=pbac,$SUFFIX +cn: Request Certificate +member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX dn: $SUFFIX changetype: modify add: aci -aci: (targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:request_certs" ; allow (write) groupdn = "ldap:///cn=request_certs,cn=permissions,cn=pbac,$SUFFIX";) +aci: (targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,$SUFFIX";) # Request Certificate from different host virtual op dn: cn=request certificate different host,cn=virtual operations,cn=etc,$SUFFIX 
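Review bot: The new cn `Request Certificate` breaks the pattern the neighbouring hunks follow, where the removed `description:` value becomes the new cn verbatim (`Retrieve Certificates from the CA`, `Request Certificates from a different host`, `Get Certificates status from the CA`); the description removed in this hunk was `Request Certificates from the CA`. Since the cn is now both the DN and the user-visible permission name, `dn: cn=Request Certificates from the CA,cn=permissions,cn=pbac,$SUFFIX` with the matching `cn:`, `acl` and `groupdn` strings would keep the naming consistent.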
@@ -694,18 +653,17 @@ objectClass: top objectClass: nsContainer cn: request certificate different host -dn: cn=request_cert_different_host,cn=permissions,cn=pbac,$SUFFIX +dn: cn=Request Certificates from a different host,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: request_cert_different_host -description: Request Certificates from a different host -member: cn=certadmin,cn=privileges,cn=pbac,$SUFFIX +cn: Request Certificates from a different host +member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX dn: $SUFFIX changetype: modify add: aci -aci: (targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:request_cert_different_host" ; allow (write) groupdn = "ldap:///cn=request_cert_different_host,cn=permissions,cn=pbac,$SUFFIX";) +aci: (targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,$SUFFIX";) # Certificate Status virtual op dn: cn=certificate status,cn=virtual operations,cn=etc,$SUFFIX 
@@ -714,18 +672,17 @@ objectClass: top objectClass: nsContainer cn: certificate status -dn: cn=certificate_status,cn=permissions,cn=pbac,$SUFFIX +dn: cn=Get Certificates status from the CA,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: certificate_status -description: Get Certificates status from the CA -member: cn=certadmin,cn=privileges,cn=pbac,$SUFFIX +cn: Get Certificates status from the CA +member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX dn: $SUFFIX changetype: modify add: aci -aci: (targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:certificate_status" ; allow (write) groupdn = "ldap:///cn=certificate_status,cn=permissions,cn=pbac,$SUFFIX";) +aci: (targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,$SUFFIX";) # Revoke Certificate virtual op dn: cn=revoke certificate,cn=virtual operations,cn=etc,$SUFFIX 
@@ -734,18 +691,17 @@ objectClass: top objectClass: nsContainer cn: revoke certificate -dn: cn=revoke_certificate,cn=permissions,cn=pbac,$SUFFIX +dn: cn=Revoke Certificate,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: revoke_certificate -description: Revoke Certificate -member: cn=certadmin,cn=privileges,cn=pbac,$SUFFIX +cn: Revoke Certificate +member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX dn: $SUFFIX changetype: modify add: aci -aci: (targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:revoke_certificate"; allow (write) groupdn = "ldap:///cn=revoke_certificate,cn=permissions,cn=pbac,$SUFFIX";) +aci: (targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,$SUFFIX";) # Certificate Remove Hold virtual op dn: cn=certificate remove hold,cn=virtual operations,cn=etc,$SUFFIX 
@@ -754,15 +710,14 @@ objectClass: top objectClass: nsContainer cn: certificate remove hold -dn: cn=certificate_remove_hold,cn=permissions,cn=pbac,$SUFFIX +dn: cn=Certificate Remove Hold,cn=permissions,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames -cn: certificate_remove_hold -description: Certificate Remove Hold -member: cn=certadmin,cn=privileges,cn=pbac,$SUFFIX +cn: Certificate Remove Hold +member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX dn: $SUFFIX changetype: modify add: aci -aci: (targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:certificate_remove_hold"; allow (write) groupdn = "ldap:///cn=certificate_remove_hold,cn=permissions,cn=pbac,$SUFFIX";) +aci: (targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,$SUFFIX";) diff --git a/install/share/dns.ldif b/install/share/dns.ldif index 2bebd8271..dc7922218 100644 --- a/install/share/dns.ldif +++ b/install/share/dns.ldif @@ -10,8 +10,8 @@ objectClass: groupofnames objectClass: top cn: add dns entries description: Add DNS entries -member: cn=dnsadmin,cn=privileges,cn=pbac,$SUFFIX -member: cn=dnsserver,cn=privileges,cn=pbac,$SUFFIX +member: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX +member: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX dn: cn=remove dns entries,cn=permissions,cn=pbac,$SUFFIX changetype: add 
@@ -19,8 +19,8 @@ objectClass: groupofnames objectClass: top cn: remove dns entries description: Remove DNS entries -member: cn=dnsadmin,cn=privileges,cn=pbac,$SUFFIX -member: cn=dnsserver,cn=privileges,cn=pbac,$SUFFIX +member: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX +member: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX dn: cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX changetype: add @@ -28,8 +28,8 @@ objectClass: groupofnames objectClass: top cn: update dns entries description: Update DNS entries -member: cn=dnsadmin,cn=privileges,cn=pbac,$SUFFIX -member: cn=dnsserver,cn=privileges,cn=pbac,$SUFFIX +member: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX +member: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX dn: $SUFFIX changetype: modify 
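Review bot: The permission entries in this file keep their `description:` attribute (`description: Add DNS entries` in this hunk's context), while the certificate permissions in delegation.ldif drop theirs and permission.py hunk @@ -80 removes `description` from `default_attributes`, so these descriptions are presumably still stored but no longer returned by the plugin by default. Either drop the `description:` lines here for consistency with delegation.ldif, or keep `'description'` in `default_attributes` so entries that still carry it display it. The same applies to hunks @@ -19 and @@ -28 of this file.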
@@ -38,18 +38,18 @@ aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Add DNS ent aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Remove DNS entries";allow (delete) groupdn = "ldap:///cn=remove dns entries,cn=permissions,cn=pbac,$SUFFIX";) aci: (targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Update DNS entries";allow (write) groupdn = "ldap:///cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX";) -dn: cn=dnsadmin,cn=privileges,cn=pbac,$SUFFIX +dn: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames objectClass: nestedgroup -cn: dnsadmin +cn: DNS Administrators description: DNS Administrators -dn: cn=dnsserver,cn=privileges,cn=pbac,$SUFFIX +dn: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX changetype: add objectClass: top objectClass: groupofnames objectClass: nestedgroup -cn: dnsserver +cn: DNS Servers description: DNS Servers diff --git a/install/share/replica-acis.ldif b/install/share/replica-acis.ldif index 49d6b75c9..a2f4cc22b 100644 --- a/install/share/replica-acis.ldif +++ b/install/share/replica-acis.ldif 
@@ -3,19 +3,19 @@ dn: cn="$SUFFIX",cn=mapping tree,cn=config changetype: modify add: aci -aci: (targetattr=*)(version 3.0;acl "permission:addreplica";allow (add) groupdn = "ldap:///cn=addreplica,cn=permissions,cn=pbac,$SUFFIX";) +aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";allow (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";) dn: cn="$SUFFIX",cn=mapping tree,cn=config changetype: modify add: aci -aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "permission:modifyreplica"; allow (read, write, search) groupdn = "ldap:///cn=modifyreplica,cn=permissions,cn=pbac,$SUFFIX";) +aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";) dn: cn="$SUFFIX",cn=mapping tree,cn=config changetype: modify add: aci -aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:removereplica";allow (delete) groupdn = "ldap:///cn=removereplica,cn=permissions,cn=pbac,$SUFFIX";) +aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Remove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";) dn: cn=tasks,cn=config changetype: modify add: aci -aci: (targetattr=*)(version 3.0; acl "Run tasks after replica re-initialization"; allow (add) groupdn = "ldap:///cn=modifyreplica,cn=permissions,cn=pbac,$SUFFIX";) +aci: (targetattr=*)(version 
3.0; acl "Run tasks after replica re-initialization"; allow (add) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";) diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py index 0c76ec5a9..b11efdab0 100644 --- a/ipalib/plugins/permission.py +++ b/ipalib/plugins/permission.py @@ -33,9 +33,8 @@ A permission may not be members of other permissions. A permission is made up of a number of different parts: 1. The name of the permission. -2. The description of the permission. -3. The target of the permission. -4. The permissions granted by the permission. +2. The target of the permission. +3. The permissions granted by the permission. The permissions define what operations are allowed and are one or more of: 1. write - write one or more attributes 
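Review bot: The renamed `permission:Add Replication Agreements` ACI still carries `(targetattr=*)` with no `targetfilter`, so unlike its modify and remove siblings in this hunk, which are limited to the replication objectclasses, it lets members of the permission add any entry beneath `cn="$SUFFIX",cn=mapping tree,cn=config`. That breadth predates this commit, but since the line is being rewritten anyway, scoping it with the same objectclass-based `targetfilter` the modify ACI uses, or a comment stating why add must stay unrestricted, would make the intent explicit.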
@@ -44,24 +43,29 @@ The permissions define what operations are allowed and are one or more of: 4. delete - delete an existing entry 5. all - all permissions are granted +Read permission is granted for most attributes by default so the read +permission is not expected to be used very often. + Note the distinction between attributes and entries. The permissions are independent, so being able to add a user does not mean that the user will be editabe. There are a number of allowed targets: 1. type: a type of object (user, group, etc). -2. memberof: a memberof a group or hostgroup +2. memberof: a member of a group or hostgroup 3. filter: an LDAP filter -4. subtree: an LDAP filter specifying part of the LDAP DIT -5. targetgroup +4. subtree: an LDAP filter specifying part of the LDAP DIT. This is a + super-set of the type option. +5. targetgroup: grant access to modify a specific group (such as granting + the rights to manage group membership) EXAMPLES: Add a permission that grants the creation of users: - ipa permission-add --desc="Add a User" --type=user --permissions=add adduser + ipa permission-add --type=user --permissions=add "Add Users" Add a permission that grants the ability to manage group membership: - ipa permission-add --desc='Manage group members' --attrs=member --permissions=write --type=group manage_group_members + ipa permission-add --attrs=member --permissions=write --type=group "Manage Group Members" """ import copy @@ -80,7 +84,7 @@ class permission(LDAPObject): object_name = 'permission' object_name_plural = 'permissions' object_class = ['groupofnames'] - default_attributes = ['cn', 'description', 'member', 'memberof', + default_attributes = ['cn', 'member', 'memberof', 'memberindirect', ] aci_attributes = ['group', 'permissions', 'attrs', 'type', @@ -88,7 +92,6 @@ class permission(LDAPObject): ] attribute_members = { 'member': ['privilege'], -# 'memberindirect': ['user', 'group', 'role'], } rdnattr='cn' 
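Review bot: The new item `4. subtree: an LDAP filter specifying part of the LDAP DIT. This is a super-set of the type option.` still describes a subtree as a filter, while item 3 already is the filter target and, as far as the ACIs in this diff show, a subtree is expressed as an LDAP URL in `target = "ldap:///..."`; `4. subtree: an LDAP subtree (DN) specifying part of the LDAP DIT.` would avoid the confusion. While this docstring is being edited, the context line `will be editabe` could become `will be editable`.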
@@ -101,11 +104,6 @@ class permission(LDAPObject): primary_key=True, normalizer=lambda value: value.lower(), ), - Str('description', - cli_name='desc', - label=_('Description'), - doc=_('Permission description'), - ), List('permissions', cli_name='permissions', label=_('Permissions'), @@ -165,7 +163,6 @@ class permission_add(LDAPCreate): def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): # Test the ACI before going any further opts = copy.copy(options) - del opts['description'] opts['test'] = True opts['permission'] = keys[-1] opts['aciprefix'] = ACI_PREFIX @@ -177,7 +174,7 @@ class permission_add(LDAPCreate): # Clear the aci attributes out of the permission entry for o in options: try: - if o not in ['description', 'objectclass']: + if o not in ['objectclass']: del entry_attrs[o] except: pass @@ -186,7 +183,6 @@ class permission_add(LDAPCreate): def post_callback(self, ldap, dn, entry_attrs, *keys, **options): # Now actually add the aci. opts = copy.copy(options) - del opts['description'] opts['test'] = False opts['permission'] = keys[-1] opts['aciprefix'] = ACI_PREFIX @@ -263,7 +259,7 @@ class permission_mod(LDAPUpdate): pass # permission may be renamed, continue opts = copy.copy(options) - for o in ['all', 'raw', 'rights', 'description', 'rename']: + for o in ['all', 'raw', 'rights', 'rename']: if o in opts: del opts[o] setattr(context, 'aciupdate', False) @@ -389,7 +385,7 @@ class permission_show(LDAPRetrieve): if attr in aci: entry_attrs[attr] = aci[attr] except errors.NotFound: - self.debug('ACI not found for %s' % entry_attrs['description'][0]) + self.debug('ACI not found for %s' % entry_attrs['cn'][0]) return dn api.register(permission_show) diff --git a/tests/test_xmlrpc/test_permission_plugin.py b/tests/test_xmlrpc/test_permission_plugin.py index 15f9c2708..be5d2befb 100644 --- a/tests/test_xmlrpc/test_permission_plugin.py +++ b/tests/test_xmlrpc/test_permission_plugin.py 
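Review bot: The changed membership test in hunk @@ -177 reads more naturally as a comparison now that the list has a single element, `if o != 'objectclass':`. The surrounding bare `except: pass` (context lines of the same hunk) catches more than the KeyError that `del entry_attrs[o]` can raise, so a mistyped option name or an unexpected entry_attrs type is silently ignored; `except KeyError: pass` keeps the best-effort behaviour without hiding other errors. The enclosing pre_callback starts and ends outside this hunk.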
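Review bot: In hunk @@ -389 the NotFound for the ACI is only recorded with `self.debug('ACI not found for %s' % entry_attrs['cn'][0])` and the entry is then returned without its ACI-derived attributes, so a permission whose ACI is missing (for instance after a rename like the ones in this commit) is indistinguishable in the command output from one that grants no rights. Logging this above debug level would at least make the inconsistency visible in the server log; the enclosing permission_show method starts outside this hunk.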
@@ -68,7 +68,7 @@ class test_permission(Declarative): dict( desc='Try to update non-existent %r' % permission1, - command=('permission_mod', [permission1], dict(description=u'Foo')), + command=('permission_mod', [permission1], dict(permissions=u'all')), expected=errors.NotFound(reason='no such entry'), ), @@ -96,7 +96,6 @@ class test_permission(Declarative): desc='Create %r' % permission1, command=( 'permission_add', [permission1], dict( - description=u'Test desc 1', type=u'user', permissions=u'write', ) @@ -107,7 +106,6 @@ class test_permission(Declarative): result=dict( dn=permission1_dn, cn=[permission1], - description=[u'Test desc 1'], objectclass=objectclasses.permission, type=u'user', permissions=[u'write'], @@ -120,7 +118,6 @@ class test_permission(Declarative): desc='Try to create duplicate %r' % permission1, command=( 'permission_add', [permission1], dict( - description=u'Test desc 1', type=u'user', permissions=u'write', ), @@ -178,7 +175,6 @@ class test_permission(Declarative): result={ 'dn': permission1_dn, 'cn': [permission1], - 'description': [u'Test desc 1'], 'member_privilege': [privilege1], 'type': u'user', 'permissions': [u'write'], @@ -198,7 +194,6 @@ class test_permission(Declarative): { 'dn': permission1_dn, 'cn': [permission1], - 'description': [u'Test desc 1'], 'member_privilege': [privilege1], 'type': u'user', 'permissions': [u'write'], @@ -219,7 +214,6 @@ class test_permission(Declarative): { 'dn': permission1_dn, 'cn': [permission1], - 'description': [u'Test desc 1'], 'member_privilege': [privilege1], 'type': u'user', 'permissions': [u'write'], @@ -233,7 +227,6 @@ class test_permission(Declarative): desc='Create %r' % permission2, command=( 'permission_add', [permission2], dict( - description=u'Test desc 2', type=u'user', permissions=u'write', ) 
@@ -244,7 +237,6 @@ class test_permission(Declarative): result=dict( dn=permission2_dn, cn=[permission2], - description=[u'Test desc 2'], objectclass=objectclasses.permission, type=u'user', permissions=[u'write'], @@ -264,7 +256,6 @@ class test_permission(Declarative): { 'dn': permission1_dn, 'cn': [permission1], - 'description': [u'Test desc 1'], 'member_privilege': [privilege1], 'type': u'user', 'permissions': [u'write'], @@ -272,7 +263,6 @@ class test_permission(Declarative): { 'dn': permission2_dn, 'cn': [permission2], - 'description': [u'Test desc 2'], 'type': u'user', 'permissions': [u'write'], }, @@ -303,7 +293,7 @@ class test_permission(Declarative): dict( desc='Update %r' % permission1, command=( - 'permission_mod', [permission1], dict(description=u'New desc 1') + 'permission_mod', [permission1], dict(permissions=u'read') ), expected=dict( value=permission1, @@ -311,10 +301,9 @@ class test_permission(Declarative): result=dict( dn=permission1_dn, cn=[permission1], - description=[u'New desc 1'], member_privilege=[privilege1], type=u'user', - permissions=[u'write'], + permissions=[u'read'], ), ), ), @@ -329,10 +318,9 @@ class test_permission(Declarative): result={ 'dn': permission1_dn, 'cn': [permission1], - 'description': [u'New desc 1'], 'member_privilege': [privilege1], 'type': u'user', - 'permissions': [u'write'], + 'permissions': [u'read'], }, ), ), diff --git a/tests/test_xmlrpc/test_privilege_plugin.py b/tests/test_xmlrpc/test_privilege_plugin.py index 5b0bcc618..4c7556b8f 100644 --- a/tests/test_xmlrpc/test_privilege_plugin.py +++ b/tests/test_xmlrpc/test_privilege_plugin.py @@ -89,7 +89,6 @@ class test_privilege(Declarative): desc='Create %r' % permission1, command=( 'permission_add', [permission1], dict( - description=u'Test desc 1', type=u'user', permissions=u'add, delete', ) 
@@ -100,7 +99,6 @@ class test_privilege(Declarative): result=dict( dn=permission1_dn, cn=[permission1], - description=[u'Test desc 1'], objectclass=objectclasses.permission, type=u'user', permissions=[u'add', u'delete'], @@ -207,7 +205,6 @@ class test_privilege(Declarative): desc='Create %r' % permission2, command=( 'permission_add', [permission2], dict( - description=u'Test desc 2', type=u'user', permissions=u'write', ) @@ -218,7 +215,6 @@ class test_privilege(Declarative): result=dict( dn=permission2_dn, cn=[permission2], - description=[u'Test desc 2'], objectclass=objectclasses.permission, type=u'user', permissions=[u'write'], |