Diffstat (limited to 'install/share')
-rw-r--r--install/share/delegation.ldif449
-rw-r--r--install/share/dns.ldif20
-rw-r--r--install/share/replica-acis.ldif8
3 files changed, 216 insertions, 261 deletions
diff --git a/install/share/delegation.ldif b/install/share/delegation.ldif
index df8cb1072..e154f6b00 100644
--- a/install/share/delegation.ldif
+++ b/install/share/delegation.ldif
@@ -40,93 +40,93 @@ description: Helpdesk
############################################
# Add the default privileges
############################################
-dn: cn=useradmin,cn=privileges,cn=pbac,$SUFFIX
+dn: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
-cn: useradmin
+cn: User Administrators
description: User Administrators
-dn: cn=groupadmin,cn=privileges,cn=pbac,$SUFFIX
+dn: cn=Group Administrators,cn=privileges,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
-cn: groupadmin
+cn: Group Administrators
description: Group Administrators
-dn: cn=hostadmin,cn=privileges,cn=pbac,$SUFFIX
+dn: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
-cn: hostadmin
+cn: Host Administrators
description: Host Administrators
-dn: cn=hostgroupadmin,cn=privileges,cn=pbac,$SUFFIX
+dn: cn=Host Group Administrators,cn=privileges,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
-cn: hostgroupadmin
+cn: Host Group Administrators
description: Host Group Administrators
-dn: cn=delegationadmin,cn=privileges,cn=pbac,$SUFFIX
+dn: cn=Delegation Administrator,cn=privileges,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
-cn: delegationadmin
+cn: Delegation Administrator
description: Role administration
-dn: cn=serviceadmin,cn=privileges,cn=pbac,$SUFFIX
+dn: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
-cn: serviceadmin
+cn: Service Administrators
description: Service Administrators
-dn: cn=automountadmin,cn=privileges,cn=pbac,$SUFFIX
+dn: cn=Automount Administrators,cn=privileges,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
-cn: automountadmin
+cn: Automount Administrators
description: Automount Administrators
-dn: cn=netgroupadmin,cn=privileges,cn=pbac,$SUFFIX
+dn: cn=Netgroups Administrators,cn=privileges,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
-cn: netgroupadmin
+cn: Netgroups Administrators
description: Netgroups Administrators
-dn: cn=certadmin,cn=privileges,cn=pbac,$SUFFIX
+dn: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
-cn: certadmin
+cn: Certificate Administrators
description: Certificate Administrators
-dn: cn=replicaadmin,cn=privileges,cn=pbac,$SUFFIX
+dn: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
-cn: replicaadmin
+cn: Replication Administrators
description: Replication Administrators
member: cn=admins,cn=groups,cn=accounts,$SUFFIX
-dn: cn=enrollhost,cn=privileges,cn=pbac,$SUFFIX
+dn: cn=Host Enrollment,cn=privileges,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
-cn: enrollhost
+cn: Host Enrollment
description: Host Enrollment
dn: cn=entitlementadmin,cn=privileges,cn=pbac,$SUFFIX
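Review bot: `cn=Delegation Administrator` is singular while every other privilege renamed in this hunk is plural, and `cn=entitlementadmin` on the hunk's last line keeps the old short form. These cn values are now the identifiers that `member:` values and ACI `groupdn` URLs have to match, so an inconsistent name is easy to get wrong elsewhere, and a DN that matches no entry most likely grants nothing without reporting an error. I would use `cn: Delegation Administrators` (with the matching `dn:` and `member:` lines) and either rename the entitlement privilege in the same pass or add a comment saying why it is left. These are `changetype: add` entries in the install template, so existing deployments presumably keep the old DNs; whether an update file migrates them is not visible in this hunk.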
@@ -143,343 +143,304 @@ description: Entitlement Administrators
# User administration
-dn: cn=addusers,cn=permissions,cn=pbac,$SUFFIX
+dn: cn=Add Users,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
-cn: addusers
-description: Add Users
-member: cn=useradmin,cn=privileges,cn=pbac,$SUFFIX
+cn: Add Users
+member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
-dn: cn=change_password,cn=permissions,cn=pbac,$SUFFIX
+dn: cn=Change a user password,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
-cn: change_password
-description: Change a user password
-member: cn=useradmin,cn=privileges,cn=pbac,$SUFFIX
+cn: Change a user password
+member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
-dn: cn=add_user_to_default_group,cn=permissions,cn=pbac,$SUFFIX
+dn: cn=Add user to default group,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
-cn: add_user_to_default_group
-description: Add user to default group
-member: cn=useradmin,cn=privileges,cn=pbac,$SUFFIX
+cn: Add user to default group
+member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
-dn: cn=unlock_user,cn=permissions,cn=pbac,$SUFFIX
+dn: cn=Unlock user accounts,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectclass: top
objectclass: groupofnames
-cn: unlock_user
-description: Unlock user accounts
-member: cn=useradmin,cn=privileges,cn=pbac,$SUFFIX
+cn: Unlock user accounts
+member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
member: cn=admins,cn=groups,cn=accounts,$SUFFIX
-dn: cn=removeusers,cn=permissions,cn=pbac,$SUFFIX
+dn: cn=Remove Users,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
-cn: removeusers
-description: Remove Users
-member: cn=useradmin,cn=privileges,cn=pbac,$SUFFIX
+cn: Remove Users
+member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
-dn: cn=modifyusers,cn=permissions,cn=pbac,$SUFFIX
+dn: cn=Modify Users,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
-cn: modifyusers
-description: Modify Users
-member: cn=useradmin,cn=privileges,cn=pbac,$SUFFIX
+cn: Modify Users
+member: cn=User Administrators,cn=privileges,cn=pbac,$SUFFIX
# Group administration
-dn: cn=addgroups,cn=permissions,cn=pbac,$SUFFIX
+dn: cn=Add Groups,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
-cn: addgroups
-description: Add Groups
-member: cn=groupadmin,cn=privileges,cn=pbac,$SUFFIX
+cn: Add Groups
+member: cn=Group Administrators,cn=privileges,cn=pbac,$SUFFIX
-dn: cn=removegroups,cn=permissions,cn=pbac,$SUFFIX
+dn: cn=Remove Groups,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
-cn: removegroups
-description: Remove Groups
-member: cn=groupadmin,cn=privileges,cn=pbac,$SUFFIX
+cn: Remove Groups
+member: cn=Group Administrators,cn=privileges,cn=pbac,$SUFFIX
-dn: cn=modifygroups,cn=permissions,cn=pbac,$SUFFIX
+dn: cn=Modify Groups,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
-cn: modifygroups
-description: Modify Groups
-member: cn=groupadmin,cn=privileges,cn=pbac,$SUFFIX
+cn: Modify Groups
+member: cn=Group Administrators,cn=privileges,cn=pbac,$SUFFIX
-dn: cn=modifygroupmembership,cn=permissions,cn=pbac,$SUFFIX
+dn: cn=Modify Group membership,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
-cn: modifygroupmembership
-description: Modify Group membership
-member: cn=groupadmin,cn=privileges,cn=pbac,$SUFFIX
+cn: Modify Group membership
+member: cn=Group Administrators,cn=privileges,cn=pbac,$SUFFIX
# Host administration
-dn: cn=addhosts,cn=permissions,cn=pbac,$SUFFIX
+dn: cn=Add Hosts,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
-cn: addhosts
-description: Add Hosts
-member: cn=hostadmin,cn=privileges,cn=pbac,$SUFFIX
+cn: Add Hosts
+member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
-dn: cn=removehosts,cn=permissions,cn=pbac,$SUFFIX
+dn: cn=Remove Hosts,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
-cn: removehosts
-description: Remove Hosts
-member: cn=hostadmin,cn=privileges,cn=pbac,$SUFFIX
+cn: Remove Hosts
+member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
-dn: cn=modifyhosts,cn=permissions,cn=pbac,$SUFFIX
+dn: cn=Modify Hosts,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
-cn: modifyhosts
-description: Modify Hosts
-member: cn=hostadmin,cn=privileges,cn=pbac,$SUFFIX
+cn: Modify Hosts
+member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
# Hostgroup administration
-dn: cn=addhostgroups,cn=permissions,cn=pbac,$SUFFIX
+dn: cn=Add Hostgroups,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
-cn: addhostgroups
-description: Add Hostgroups
-member: cn=hostgroupadmin,cn=privileges,cn=pbac,$SUFFIX
+cn: Add Hostgroups
+member: cn=Host Group Administrators,cn=privileges,cn=pbac,$SUFFIX
-dn: cn=removehostgroups,cn=permissions,cn=pbac,$SUFFIX
+dn: cn=Remove Hostgroups,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
-cn: removehostgroups
-description: Remove Hostgroups
-member: cn=hostgroupadmin,cn=privileges,cn=pbac,$SUFFIX
+cn: Remove Hostgroups
+member: cn=Host Group Administrators,cn=privileges,cn=pbac,$SUFFIX
-dn: cn=modifyhostgroups,cn=permissions,cn=pbac,$SUFFIX
+dn: cn=Modify Hostgroups,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
-cn: modifyhostgroups
-description: Modify Hostgroups
-member: cn=hostgroupadmin,cn=privileges,cn=pbac,$SUFFIX
+cn: Modify Hostgroups
+member: cn=Host Group Administrators,cn=privileges,cn=pbac,$SUFFIX
-dn: cn=modifyhostgroupmembership,cn=permissions,cn=pbac,$SUFFIX
+dn: cn=Modify Hostgroup membership,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
-cn: modifyhostgroupmembership
-description: Modify Hostgroup membership
-member: cn=hostgroupadmin,cn=privileges,cn=pbac,$SUFFIX
+cn: Modify Hostgroup membership
+member: cn=Host Group Administrators,cn=privileges,cn=pbac,$SUFFIX
# Service administration
-dn: cn=addservices,cn=permissions,cn=pbac,$SUFFIX
+dn: cn=Add Services,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
-cn: addservices
-description: Add Services
-member: cn=serviceadmin,cn=privileges,cn=pbac,$SUFFIX
+cn: Add Services
+member: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX
-dn: cn=removeservices,cn=permissions,cn=pbac,$SUFFIX
+dn: cn=Remove Services,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
-cn: removeservices
-description: Remove Services
-member: cn=serviceadmin,cn=privileges,cn=pbac,$SUFFIX
+cn: Remove Services
+member: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX
-dn: cn=modifyservices,cn=permissions,cn=pbac,$SUFFIX
+dn: cn=Modify Services,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
-cn: modifyservices
-description: Modify Services
-member: cn=serviceadmin,cn=privileges,cn=pbac,$SUFFIX
+cn: Modify Services
+member: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX
# Delegation administration
-dn: cn=addroles,cn=permissions,cn=pbac,$SUFFIX
+dn: cn=Add Roles,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
-cn: addroles
-description: Add Roles
-member: cn=delegationadmin,cn=privileges,cn=pbac,$SUFFIX
+cn: Add Roles
+member: cn=Delegation Administrator,cn=privileges,cn=pbac,$SUFFIX
-dn: cn=removeroles,cn=permissions,cn=pbac,$SUFFIX
+dn: cn=Remove Roles,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
-cn: removeroles
-description: Remove Roles
-member: cn=delegationadmin,cn=privileges,cn=pbac,$SUFFIX
+cn: Remove Roles
+member: cn=Delegation Administrator,cn=privileges,cn=pbac,$SUFFIX
-dn: cn=modifyroles,cn=permissions,cn=pbac,$SUFFIX
+dn: cn=Modify Roles,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
-cn: modifyroles
-description: Modify Roles
-member: cn=delegationadmin,cn=privileges,cn=pbac,$SUFFIX
+cn: Modify Roles
+member: cn=Delegation Administrator,cn=privileges,cn=pbac,$SUFFIX
-dn: cn=modifyrolemembership,cn=permissions,cn=pbac,$SUFFIX
+dn: cn=Modify Role membership,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
-cn: modifyrolemembership
-description: Modify Role Group membership
-member: cn=delegationadmin,cn=privileges,cn=pbac,$SUFFIX
+cn: Modify Role membership
+member: cn=Delegation Administrator,cn=privileges,cn=pbac,$SUFFIX
-dn: cn=modifyprivilegemembership,cn=permissions,cn=pbac,$SUFFIX
+dn: cn=Modify privilege membership,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
-cn: modifyprivilegemembership
-description: Modify privilege membership
-member: cn=delegationadmin,cn=privileges,cn=pbac,$SUFFIX
+cn: Modify privilege membership
+member: cn=Delegation Administrator,cn=privileges,cn=pbac,$SUFFIX
# Automount administration
-dn: cn=addautomountmaps,cn=permissions,cn=pbac,$SUFFIX
+dn: cn=Add Automount maps,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
-cn: addautomountmaps
-description: Add Automount maps
-member: cn=automountadmin,cn=privileges,cn=pbac,$SUFFIX
+cn: Add Automount maps
+member: cn=Automount Administrators,cn=privileges,cn=pbac,$SUFFIX
-dn: cn=removeautomountmaps,cn=permissions,cn=pbac,$SUFFIX
+dn: cn=Remove Automount maps,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
-cn: removeautomountmaps
-description: Remove Automount maps
-member: cn=automountadmin,cn=privileges,cn=pbac,$SUFFIX
+cn: Remove Automount maps
+member: cn=Automount Administrators,cn=privileges,cn=pbac,$SUFFIX
-dn: cn=addautomountkeys,cn=permissions,cn=pbac,$SUFFIX
+dn: cn=Add Automount keys,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
-cn: addautomountkeys
-description: Add Automount keys
-member: cn=automountadmin,cn=privileges,cn=pbac,$SUFFIX
+cn: Add Automount keys
+member: cn=Automount Administrators,cn=privileges,cn=pbac,$SUFFIX
-dn: cn=removeautomountkeys,cn=permissions,cn=pbac,$SUFFIX
+dn: cn=Remove Automount keys,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
-cn: removeautomountkeys
-description: Remove Automount keys
-member: cn=automountadmin,cn=privileges,cn=pbac,$SUFFIX
+cn: Remove Automount keys
+member: cn=Automount Administrators,cn=privileges,cn=pbac,$SUFFIX
# Netgroup administration
-dn: cn=addnetgroups,cn=permissions,cn=pbac,$SUFFIX
+dn: cn=Add netgroups,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
-cn: addnetgroups
-description: Add netgroups
-member: cn=netgroupadmin,cn=privileges,cn=pbac,$SUFFIX
+cn: Add netgroups
+member: cn=Netgroups Administrators,cn=privileges,cn=pbac,$SUFFIX
-dn: cn=removenetgroups,cn=permissions,cn=pbac,$SUFFIX
+dn: cn=Remove netgroups,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
-cn: removenetgroups
-description: Remove netgroups
-member: cn=netgroupadmin,cn=privileges,cn=pbac,$SUFFIX
+cn: Remove netgroups
+member: cn=Netgroups Administrators,cn=privileges,cn=pbac,$SUFFIX
-dn: cn=modifynetgroups,cn=permissions,cn=pbac,$SUFFIX
+dn: cn=Modify netgroups,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
-cn: modifynetgroups
-description: Modify netgroups
-member: cn=netgroupadmin,cn=privileges,cn=pbac,$SUFFIX
+cn: Modify netgroups
+member: cn=Netgroups Administrators,cn=privileges,cn=pbac,$SUFFIX
-dn: cn=modifynetgroupmembership,cn=permissions,cn=pbac,$SUFFIX
+dn: cn=Modify netgroup membership,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
-cn: modifynetgroupmembership
-description: Modify netgroup membership
-member: cn=netgroupadmin,cn=privileges,cn=pbac,$SUFFIX
+cn: Modify netgroup membership
+member: cn=Netgroups Administrators,cn=privileges,cn=pbac,$SUFFIX
# Keytab access
-dn: cn=manage_host_keytab,cn=permissions,cn=pbac,$SUFFIX
+dn: cn=Manage host keytab,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
-cn: manage_host_keytab
-description: Manage host keytab
-member: cn=hostadmin,cn=privileges,cn=pbac,$SUFFIX
-member: cn=enrollhost,cn=privileges,cn=pbac,$SUFFIX
+cn: Manage host keytab
+member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
+member: cn=Host Enrollment,cn=privileges,cn=pbac,$SUFFIX
-dn: cn=manage_service_keytab,cn=permissions,cn=pbac,$SUFFIX
+dn: cn=Manage service keytab,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
-cn: manage_service_keytab
-description: Manage service keytab
-member: cn=serviceadmin,cn=privileges,cn=pbac,$SUFFIX
-member: cn=admins,cn=privileges,cn=pbac,$SUFFIX
+cn: Manage service keytab
+member: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX
+member: cn=admins,cn=groups,cn=accounts,$SUFFIX
# DNS administration
# The permission and aci for this is in install/updates/dns.ldif
-dn: cn=enroll_host,cn=permissions,cn=pbac,$SUFFIX
+dn: cn=Enroll a host,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
-cn: enroll_host
-description: Enroll a host
-member: cn=hostadmin,cn=privileges,cn=pbac,$SUFFIX
-member: cn=enrollhost,cn=privileges,cn=pbac,$SUFFIX
+cn: Enroll a host
+member: cn=Host Administrators,cn=privileges,cn=pbac,$SUFFIX
+member: cn=Host Enrollment,cn=privileges,cn=pbac,$SUFFIX
# Replica administration
-dn: cn=addreplica,cn=permissions,cn=pbac,$SUFFIX
+dn: cn=Add Replication Agreements,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
-cn: addreplica
-description: Add Replication Agreements
-member: cn=replicaadmin,cn=privileges,cn=pbac,$SUFFIX
+cn: Add Replication Agreements
+member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
-dn: cn=modifyreplica,cn=permissions,cn=pbac,$SUFFIX
+dn: cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
-cn: modifyreplica
-description: Modify Replication Agreements
-member: cn=replicaadmin,cn=privileges,cn=pbac,$SUFFIX
+cn: Modify Replication Agreements
+member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
-dn: cn=removereplica,cn=permissions,cn=pbac,$SUFFIX
+dn: cn=Remove Replication Agreements,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
-cn: removereplica
-description: Remove Replication Agreements
-member: cn=replicaadmin,cn=privileges,cn=pbac,$SUFFIX
+cn: Remove Replication Agreements
+member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
# Entitlement management
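Review bot: The `Manage service keytab` entry changes more than its name: its second member goes from `cn=admins,cn=privileges,cn=pbac,$SUFFIX` to `cn=admins,cn=groups,cn=accounts,$SUFFIX`, which makes the admins group a direct holder of a keytab-management permission. None of the privilege entries visible in this diff is named `cn=admins`, so this looks like a fix for a dangling DN, but it is an access-control change inside a rename commit and deserves its own line in the commit message. A comment above the entry such as `# admins group is a direct member here, as on "Unlock user accounts"` would mark it as intentional. The hunk also drops every `description:` attribute from the permission entries without saying whether anything still reads it.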
@@ -516,52 +477,52 @@ member: cn=entitlementadmin,cn=privileges,cn=pbac,$SUFFIX
dn: $SUFFIX
changetype: modify
add: aci
-aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:addusers";allow (add) groupdn = "ldap:///cn=addusers,cn=permissions,cn=pbac,$SUFFIX";)
-aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:change_password";allow (write) groupdn = "ldap:///cn=change_password,cn=permissions,cn=pbac,$SUFFIX";)
-aci: (targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=unlock_user,cn=permissions,cn=pbac,$SUFFIX";)
-aci: (targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:add_user_to_default_group";allow (write) groupdn = "ldap:///cn=add_user_to_default_group,cn=permissions,cn=pbac,$SUFFIX";)
-aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:removeusers";allow (delete) groupdn = "ldap:///cn=removeusers,cn=permissions,cn=pbac,$SUFFIX";)
-aci: (targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:modifyusers";allow (write) groupdn = "ldap:///cn=modifyusers,cn=permissions,cn=pbac,$SUFFIX";)
+aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Add Users";allow (add) groupdn = "ldap:///cn=Add Users,cn=permissions,cn=pbac,$SUFFIX";)
+aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,$SUFFIX";)
+aci: (targetattr = "krbLastAdminUnlock || krbLoginFailedCount")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Unlock user accounts";allow (write) groupdn = "ldap:///cn=Unlock user accounts,cn=permissions,cn=pbac,$SUFFIX";)
+aci: (targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Add user to default group";allow (write) groupdn = "ldap:///cn=Add user to default group,cn=permissions,cn=pbac,$SUFFIX";)
+aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Remove Users";allow (delete) groupdn = "ldap:///cn=Remove Users,cn=permissions,cn=pbac,$SUFFIX";)
+aci: (targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,$SUFFIX";)
# Group administration
dn: $SUFFIX
changetype: modify
add: aci
-aci: (target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:addgroups";allow (add) groupdn = "ldap:///cn=addgroups,cn=permissions,cn=pbac,$SUFFIX";)
-aci: (targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:modifygroupmembership";allow (write) groupdn = "ldap:///cn=modifygroupmembership,cn=permissions,cn=pbac,$SUFFIX";)
-aci: (target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:removegroups";allow (delete) groupdn = "ldap:///cn=removegroups,cn=permissions,cn=pbac,$SUFFIX";)
+aci: (target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,$SUFFIX";)
+aci: (targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,$SUFFIX";)
+aci: (target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,$SUFFIX";)
# We need objectclass and gidnumber in modify so a non-posix group can be
# promoted. We need mqpManagedBy and ipaUniqueId so a group can be detached.
-aci: (targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:modifygroups";allow (write) groupdn = "ldap:///cn=modifygroups,cn=permissions,cn=pbac,$SUFFIX";)
+aci: (targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipauniqueid")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Groups";allow (write) groupdn = "ldap:///cn=Modify Groups,cn=permissions,cn=pbac,$SUFFIX";)
# Host administration
dn: $SUFFIX
changetype: modify
add: aci
-aci: (target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:addhosts";allow (add) groupdn = "ldap:///cn=addhosts,cn=permissions,cn=pbac,$SUFFIX";)
-aci: (target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:removehosts";allow (delete) groupdn = "ldap:///cn=removehosts,cn=permissions,cn=pbac,$SUFFIX";)
-aci: (targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:modifyhosts";allow (write) groupdn = "ldap:///cn=modifyhosts,cn=permissions,cn=pbac,$SUFFIX";)
+aci: (target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,$SUFFIX";)
+aci: (target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,$SUFFIX";)
+aci: (targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,$SUFFIX";)
# Hostgroup administration
dn: $SUFFIX
changetype: modify
add: aci
-aci: (target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:addhostgroups";allow (add) groupdn = "ldap:///cn=addhostgroups,cn=permissions,cn=pbac,$SUFFIX";)
-aci: (target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:removehostgroups";allow (delete) groupdn = "ldap:///cn=removehostgroups,cn=permissions,cn=pbac,$SUFFIX";)
-aci: (targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0; acl "permission:modifyhostgroups";allow (write) groupdn = "ldap:///cn=modifyhostgroups,cn=permissions,cn=pbac,$SUFFIX";)
-aci: (targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:modifyhostgroupmembership";allow (write) groupdn = "ldap:///cn=modifyhostgroupmembership,cn=permissions,cn=pbac,$SUFFIX";)
+aci: (target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Add Hostgroups";allow (add) groupdn = "ldap:///cn=Add Hostgroups,cn=permissions,cn=pbac,$SUFFIX";)
+aci: (target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=Remove Hostgroups,cn=permissions,cn=pbac,$SUFFIX";)
+aci: (targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0; acl "permission:Modify Hostgroups";allow (write) groupdn = "ldap:///cn=Modify Hostgroups,cn=permissions,cn=pbac,$SUFFIX";)
+aci: (targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,$SUFFIX";)
# Service administration
dn: $SUFFIX
changetype: modify
add: aci
-aci: (target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "permission:addservices";allow (add) groupdn = "ldap:///cn=addservices,cn=permissions,cn=pbac,$SUFFIX";)
-aci: (target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "permission:removeservices";allow (delete) groupdn = "ldap:///cn=removeservices,cn=permissions,cn=pbac,$SUFFIX";)
-aci: (targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "permission:modifyservices";allow (write) groupdn = "ldap:///cn=modifyservices,cn=permissions,cn=pbac,$SUFFIX";)
+aci: (target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Add Services";allow (add) groupdn = "ldap:///cn=Add Services,cn=permissions,cn=pbac,$SUFFIX";)
+aci: (target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,$SUFFIX";)
+aci: (targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,$SUFFIX";)
# Delegation administration
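Review bot: The `permission:Change a user password` ACI on the new side grants write on `userpassword` and `krbprincipalkey` for every `uid=*` under `cn=users`, with no filter excluding members of the admins group. Unless another ACI outside this hunk denies it, a holder of the User Administrators privilege could reset an administrator's credentials, which goes beyond the delegated role. Since each of these lines is being rewritten anyway, consider adding `(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,$SUFFIX))")` to that ACI. The context comment above the `Modify Groups` ACI also says `mqpManagedBy` where the attribute list has `mepmanagedby`.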
@@ -573,45 +534,45 @@ aci: (targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(ve
dn: $SUFFIX
changetype: modify
add: aci
-aci: (target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0;acl "permission:addroles";allow (add) groupdn = "ldap:///cn=addroles,cn=permissions,cn=pbac,$SUFFIX";)
-aci: (target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0;acl "permission:removeroles";allow (delete) groupdn = "ldap:///cn=removeroles,cn=permissions,cn=pbac,$SUFFIX";)
-aci: (targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0; acl "permission:modifyroles";allow (write) groupdn = "ldap:///cn=modifyroles,cn=permissions,cn=pbac,$SUFFIX";)
-aci: (targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0;acl "permission:modifyrolemembership";allow (write) groupdn = "ldap:///cn=modifyrolemembership,cn=permissions,cn=pbac,$SUFFIX";)
-aci: (targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,$SUFFIX")(version 3.0;acl "permission:modifyprivilegemembership";allow (write) groupdn = "ldap:///cn=modifyprivilegemembership,cn=permissions,cn=pbac,$SUFFIX";)
+aci: (target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,$SUFFIX";)
+aci: (target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,$SUFFIX";)
+aci: (targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,$SUFFIX";)
+aci: (targetattr = "member")(target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Role membership";allow (write) groupdn = "ldap:///cn=Modify Role membership,cn=permissions,cn=pbac,$SUFFIX";)
+aci: (targetattr = "member")(target = "ldap:///cn=*,cn=permissions,cn=pbac,$SUFFIX")(version 3.0;acl "permission:Modify privilege membership";allow (write) groupdn = "ldap:///cn=Modify privilege membership,cn=permissions,cn=pbac,$SUFFIX";)
# Automount administration
dn: $SUFFIX
changetype: modify
add: aci
-aci: (target = "ldap:///automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:addautomountmaps";allow (add) groupdn = "ldap:///cn=addautomountmaps,cn=permissions,cn=pbac,$SUFFIX";)
-aci: (target = "ldap:///automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:removeautomountmaps";allow (delete) groupdn = "ldap:///cn=removeautomountmaps,cn=permissions,cn=pbac,$SUFFIX";)
-aci: (target = "ldap:///automountkey=*,automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:addautomountkeys";allow (add) groupdn = "ldap:///cn=addautomountkeys,cn=permissions,cn=pbac,$SUFFIX";)
-aci: (target = "ldap:///automountkey=*,automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:removeautomountkeys";allow (delete) groupdn = "ldap:///cn=removeautomountkeys,cn=permissions,cn=pbac,$SUFFIX";)
+aci: (target = "ldap:///automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:Add Automount maps";allow (add) groupdn = "ldap:///cn=Add Automount maps,cn=permissions,cn=pbac,$SUFFIX";)
+aci: (target = "ldap:///automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:Remove Automount maps";allow (delete) groupdn = "ldap:///cn=Remove Automount maps,cn=permissions,cn=pbac,$SUFFIX";)
+aci: (target = "ldap:///automountkey=*,automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:Add Automount keys";allow (add) groupdn = "ldap:///cn=Add Automount keys,cn=permissions,cn=pbac,$SUFFIX";)
+aci: (target = "ldap:///automountkey=*,automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "permission:Remove Automount keys";allow (delete) groupdn = "ldap:///cn=Remove Automount keys,cn=permissions,cn=pbac,$SUFFIX";)
# Netgroup administration
dn: $SUFFIX
changetype: modify
add: aci
-aci: (target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "permission:addnetgroups";allow (add) groupdn = "ldap:///cn=addnetgroups,cn=permissions,cn=pbac,$SUFFIX";)
-aci: (target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "permission:removenetgroups";allow (delete) groupdn = "ldap:///cn=removenetgroups,cn=permissions,cn=pbac,$SUFFIX";)
-aci: (targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0; acl "permission:modifynetgroups";allow (write) groupdn = "ldap:///cn=modifynetgroups,cn=permissions,cn=pbac,$SUFFIX";)
-aci: (targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "permission:modifynetgroupmembership";allow (write) groupdn = "ldap:///cn=modifynetgroupmembership,cn=permissions,cn=pbac,$SUFFIX";)
+aci: (target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "permission:Add netgroups";allow (add) groupdn = "ldap:///cn=Add netgroups,cn=permissions,cn=pbac,$SUFFIX";)
+aci: (target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "permission:Remove netgroups";allow (delete) groupdn = "ldap:///cn=Remove netgroups,cn=permissions,cn=pbac,$SUFFIX";)
+aci: (targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0; acl "permission:Modify netgroups";allow (write) groupdn = "ldap:///cn=Modify netgroups,cn=permissions,cn=pbac,$SUFFIX";)
+aci: (targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "permission:Modify netgroup membership";allow (write) groupdn = "ldap:///cn=Modify netgroup membership,cn=permissions,cn=pbac,$SUFFIX";)
# Host keytab admin
dn: $SUFFIX
changetype: modify
add: aci
-aci: (targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:manage_host_keytab";allow (write) groupdn = "ldap:///cn=manage_host_keytab,cn=permissions,cn=pbac,$SUFFIX";)
+aci: (targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,$SUFFIX";)
# Service keytab admin
dn: $SUFFIX
changetype: modify
add: aci
-aci: (targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "permission:manage_service_keytab";allow (write) groupdn = "ldap:///cn=manage_service_keytab,cn=permissions,cn=pbac,$SUFFIX";)
+aci: (targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,$SUFFIX";)
# Add the ACI needed to do host enrollment. When this occurs we
# set the krbPrincipalName, add krbPrincipalAux to objectClass and
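Review bot: The ACI now named `permission:Modify privilege membership` (last added line of the Delegation administration record) grants write on `member` for every entry under `cn=permissions,cn=pbac`, and nothing beside it says how much that covers. Permission entries in this file carry their privileges in `member`, so a holder can attach any privilege to any permission, this one included, which makes the grant equivalent to control of the whole delegation tree. Now that the name is a user-facing label, I would document it in the section comment, e.g. `# Holders can add any privilege to any permission; grant only to delegation administrators.` The target and rights themselves are unchanged by this commit.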
@@ -620,7 +581,7 @@ aci: (targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbp
dn: $SUFFIX
changetype: modify
add: aci
-aci: (targetattr = "enrolledby || objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:enroll_host";allow (write) groupdn = "ldap:///cn=enroll_host,cn=permissions,cn=pbac,$SUFFIX";)
+aci: (targetattr = "enrolledby || objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,$SUFFIX";)
# Entitlement administration
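Review bot: Renaming `enroll_host` to `Enroll a host` changes the group DN that this ACI's `groupdn` matches, and the record still uses `add: aci`, so nothing visible here removes an ACI installed under the old name. If these templates only ever run on fresh installs that is fine. If an upgrade path exists, it presumably has to delete the old `permission:enroll_host` ACI and its permission entry; otherwise members of the old group keep write access to `enrolledby` and `objectclass` under a name no longer managed. The same applies to every other rename in this commit, including the keytab, certificate, DNS and replica hunks. The rest of the enrollment record lies outside this hunk.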
@@ -654,18 +615,17 @@ objectClass: top
objectClass: nsContainer
cn: retrieve certificate
-dn: cn=retrieve_certs,cn=permissions,cn=pbac,$SUFFIX
+dn: cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
-cn: retrieve_certs
-description: Retrieve Certificates from the CA
-member: cn=certadmin,cn=privileges,cn=pbac,$SUFFIX
+cn: Retrieve Certificates from the CA
+member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
dn: $SUFFIX
changetype: modify
add: aci
-aci: (targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:retrieve_certs" ; allow (write) groupdn = "ldap:///cn=retrieve_certs,cn=permissions,cn=pbac,$SUFFIX";)
+aci: (targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,$SUFFIX";)
# Request Certificate virtual op
dn: cn=request certificate,cn=virtual operations,cn=etc,$SUFFIX
@@ -674,18 +634,17 @@ objectClass: top
objectClass: nsContainer
cn: request certificate
-dn: cn=request_certs,cn=permissions,cn=pbac,$SUFFIX
+dn: cn=Request Certificate,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
-cn: request_certs
-description: Request Certificates from the CA
-member: cn=certadmin,cn=privileges,cn=pbac,$SUFFIX
+cn: Request Certificate
+member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
dn: $SUFFIX
changetype: modify
add: aci
-aci: (targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:request_certs" ; allow (write) groupdn = "ldap:///cn=request_certs,cn=permissions,cn=pbac,$SUFFIX";)
+aci: (targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,$SUFFIX";)
# Request Certificate from different host virtual op
dn: cn=request certificate different host,cn=virtual operations,cn=etc,$SUFFIX
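Review bot: The new name `Request Certificate` breaks the pattern of its siblings, which reuse the removed `description` text as the `cn` (`Retrieve Certificates from the CA`, `Get Certificates status from the CA`); the description removed here was `Request Certificates from the CA`. The string now appears in the `dn`, the `cn`, the ACL name and the `groupdn`, and a mismatch between the entry DN and the `groupdn` leaves the ACI matching no group, so a predictable name is worth having. I would either use `cn=Request Certificates from the CA` throughout this record or keep a `description:` line so the meaning dropped with the old attribute is not lost.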
@@ -694,18 +653,17 @@ objectClass: top
objectClass: nsContainer
cn: request certificate different host
-dn: cn=request_cert_different_host,cn=permissions,cn=pbac,$SUFFIX
+dn: cn=Request Certificates from a different host,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
-cn: request_cert_different_host
-description: Request Certificates from a different host
-member: cn=certadmin,cn=privileges,cn=pbac,$SUFFIX
+cn: Request Certificates from a different host
+member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
dn: $SUFFIX
changetype: modify
add: aci
-aci: (targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:request_cert_different_host" ; allow (write) groupdn = "ldap:///cn=request_cert_different_host,cn=permissions,cn=pbac,$SUFFIX";)
+aci: (targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,$SUFFIX";)
# Certificate Status virtual op
dn: cn=certificate status,cn=virtual operations,cn=etc,$SUFFIX
@@ -714,18 +672,17 @@ objectClass: top
objectClass: nsContainer
cn: certificate status
-dn: cn=certificate_status,cn=permissions,cn=pbac,$SUFFIX
+dn: cn=Get Certificates status from the CA,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
-cn: certificate_status
-description: Get Certificates status from the CA
-member: cn=certadmin,cn=privileges,cn=pbac,$SUFFIX
+cn: Get Certificates status from the CA
+member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
dn: $SUFFIX
changetype: modify
add: aci
-aci: (targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:certificate_status" ; allow (write) groupdn = "ldap:///cn=certificate_status,cn=permissions,cn=pbac,$SUFFIX";)
+aci: (targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,$SUFFIX";)
# Revoke Certificate virtual op
dn: cn=revoke certificate,cn=virtual operations,cn=etc,$SUFFIX
@@ -734,18 +691,17 @@ objectClass: top
objectClass: nsContainer
cn: revoke certificate
-dn: cn=revoke_certificate,cn=permissions,cn=pbac,$SUFFIX
+dn: cn=Revoke Certificate,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
-cn: revoke_certificate
-description: Revoke Certificate
-member: cn=certadmin,cn=privileges,cn=pbac,$SUFFIX
+cn: Revoke Certificate
+member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
dn: $SUFFIX
changetype: modify
add: aci
-aci: (targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:revoke_certificate"; allow (write) groupdn = "ldap:///cn=revoke_certificate,cn=permissions,cn=pbac,$SUFFIX";)
+aci: (targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,$SUFFIX";)
# Certificate Remove Hold virtual op
dn: cn=certificate remove hold,cn=virtual operations,cn=etc,$SUFFIX
@@ -754,15 +710,14 @@ objectClass: top
objectClass: nsContainer
cn: certificate remove hold
-dn: cn=certificate_remove_hold,cn=permissions,cn=pbac,$SUFFIX
+dn: cn=Certificate Remove Hold,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
-cn: certificate_remove_hold
-description: Certificate Remove Hold
-member: cn=certadmin,cn=privileges,cn=pbac,$SUFFIX
+cn: Certificate Remove Hold
+member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
dn: $SUFFIX
changetype: modify
add: aci
-aci: (targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:certificate_remove_hold"; allow (write) groupdn = "ldap:///cn=certificate_remove_hold,cn=permissions,cn=pbac,$SUFFIX";)
+aci: (targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=Certificate Remove Hold,cn=permissions,cn=pbac,$SUFFIX";)
diff --git a/install/share/dns.ldif b/install/share/dns.ldif
index 2bebd8271..dc7922218 100644
--- a/install/share/dns.ldif
+++ b/install/share/dns.ldif
@@ -10,8 +10,8 @@ objectClass: groupofnames
objectClass: top
cn: add dns entries
description: Add DNS entries
-member: cn=dnsadmin,cn=privileges,cn=pbac,$SUFFIX
-member: cn=dnsserver,cn=privileges,cn=pbac,$SUFFIX
+member: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX
+member: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX
dn: cn=remove dns entries,cn=permissions,cn=pbac,$SUFFIX
changetype: add
@@ -19,8 +19,8 @@ objectClass: groupofnames
objectClass: top
cn: remove dns entries
description: Remove DNS entries
-member: cn=dnsadmin,cn=privileges,cn=pbac,$SUFFIX
-member: cn=dnsserver,cn=privileges,cn=pbac,$SUFFIX
+member: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX
+member: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX
dn: cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX
changetype: add
@@ -28,8 +28,8 @@ objectClass: groupofnames
objectClass: top
cn: update dns entries
description: Update DNS entries
-member: cn=dnsadmin,cn=privileges,cn=pbac,$SUFFIX
-member: cn=dnsserver,cn=privileges,cn=pbac,$SUFFIX
+member: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX
+member: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX
dn: $SUFFIX
changetype: modify
@@ -38,18 +38,18 @@ aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Add DNS ent
aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Remove DNS entries";allow (delete) groupdn = "ldap:///cn=remove dns entries,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Update DNS entries";allow (write) groupdn = "ldap:///cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX";)
-dn: cn=dnsadmin,cn=privileges,cn=pbac,$SUFFIX
+dn: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
-cn: dnsadmin
+cn: DNS Administrators
description: DNS Administrators
-dn: cn=dnsserver,cn=privileges,cn=pbac,$SUFFIX
+dn: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
-cn: dnsserver
+cn: DNS Servers
description: DNS Servers
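Review bot: Only the privilege names are converted in dns.ldif; the DNS ACIs on the context lines keep ACL names without the `permission:` prefix (`acl "Remove DNS entries"`, `acl "Update DNS entries"`), and the permission entries keep lower-case names such as `cn=remove dns entries`. If tooling locates permission ACIs by that prefix, as the naming in delegation.ldif suggests, these would not be recognised as permissions. I would convert them in the same commit, e.g. `acl "permission:Update DNS entries"`, keeping the `cn` and `groupdn` spelling in step. The Update ACI's `targetattr` also lists `idnsname` twice, which is harmless but could be dropped.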
diff --git a/install/share/replica-acis.ldif b/install/share/replica-acis.ldif
index 49d6b75c9..a2f4cc22b 100644
--- a/install/share/replica-acis.ldif
+++ b/install/share/replica-acis.ldif
@@ -3,19 +3,19 @@
dn: cn="$SUFFIX",cn=mapping tree,cn=config
changetype: modify
add: aci
-aci: (targetattr=*)(version 3.0;acl "permission:addreplica";allow (add) groupdn = "ldap:///cn=addreplica,cn=permissions,cn=pbac,$SUFFIX";)
+aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";allow (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
dn: cn="$SUFFIX",cn=mapping tree,cn=config
changetype: modify
add: aci
-aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "permission:modifyreplica"; allow (read, write, search) groupdn = "ldap:///cn=modifyreplica,cn=permissions,cn=pbac,$SUFFIX";)
+aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
dn: cn="$SUFFIX",cn=mapping tree,cn=config
changetype: modify
add: aci
-aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:removereplica";allow (delete) groupdn = "ldap:///cn=removereplica,cn=permissions,cn=pbac,$SUFFIX";)
+aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Remove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
dn: cn=tasks,cn=config
changetype: modify
add: aci
-aci: (targetattr=*)(version 3.0; acl "Run tasks after replica re-initialization"; allow (add) groupdn = "ldap:///cn=modifyreplica,cn=permissions,cn=pbac,$SUFFIX";)
+aci: (targetattr=*)(version 3.0; acl "Run tasks after replica re-initialization"; allow (add) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
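Review bot: The last ACI, on `cn=tasks,cn=config`, still grants `add` with `targetattr=*` and no `target` or `targetfilter`, so every member of `Modify Replication Agreements` may create any task entry, not only those implied by the ACL name "Run tasks after replica re-initialization". I would scope it with a `target` for the specific task container the re-initialization code uses (not visible here) and give the ACL the `permission:` prefix that the other three carry. The first ACI in this file has the same shape: `(targetattr=*)` with `allow (add)` and no filter under the mapping tree, unlike the modify and remove ACIs, which do carry a `targetfilter`.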