summaryrefslogtreecommitdiffstats
path: root/install/share/vault.update
diff options
context:
space:
mode:
Diffstat (limited to 'install/share/vault.update')
-rw-r--r--install/share/vault.update15
1 files changed, 11 insertions, 4 deletions
diff --git a/install/share/vault.update b/install/share/vault.update
index dcd1e2a15..61a8940b5 100644
--- a/install/share/vault.update
+++ b/install/share/vault.update
@@ -5,20 +5,27 @@ default: cn: kra
dn: cn=vaults,cn=kra,$SUFFIX
default: objectClass: top
-default: objectClass: nsContainer
+default: objectClass: ipaVaultContainer
default: cn: vaults
+default: aci: (target="ldap:///cn=*,cn=users,cn=vaults,cn=kra,$SUFFIX")(version 3.0; acl "Allow users to create private container"; allow (add) userdn = "ldap:///uid=($$attr.cn),cn=users,cn=accounts,$SUFFIX";)
+default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Container owners can manage vaults in the container"; allow(read, search, compare, add, delete) userattr="parent[1].owner#USERDN";)
+default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Indirect container owners can manage vaults in the container"; allow(read, search, compare, add, delete) userattr="parent[1].owner#GROUPDN";)
+default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Vault members can access the vault"; allow(read, search, compare) userattr="member#USERDN";)
+default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Indirect vault members can access the vault"; allow(read, search, compare) userattr="member#GROUPDN";)
+default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Vault owners can manage the vault"; allow(read, search, compare, write) userattr="owner#USERDN";)
+default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Indirect vault owners can manage the vault"; allow(read, search, compare, write) userattr="owner#GROUPDN";)
dn: cn=services,cn=vaults,cn=kra,$SUFFIX
default: objectClass: top
-default: objectClass: nsContainer
+default: objectClass: ipaVaultContainer
default: cn: services
dn: cn=shared,cn=vaults,cn=kra,$SUFFIX
default: objectClass: top
-default: objectClass: nsContainer
+default: objectClass: ipaVaultContainer
default: cn: shared
dn: cn=users,cn=vaults,cn=kra,$SUFFIX
default: objectClass: top
-default: objectClass: nsContainer
+default: objectClass: ipaVaultContainer
default: cn: users
generated by cgit (git 2.34.1) at 2024-05-27 22:27:50 +0000