summaryrefslogtreecommitdiffstats
path: root/ACI.txt
Commit message (Collapse)AuthorAgeFilesLines
* WIP: support idviews in compat treeviewsAlexander Bokovoy2014-09-241-0/+6
|
* idviews: Add ipaOriginalUidTomas Babej2014-09-221-1/+1
|
* idviews: Split the idoverride commands into iduseroverride and idgroupoverrideTomas Babej2014-09-171-1/+3
|
* idvies: Add managed permissions for idview and idoverride objectsTomas Babej2014-09-171-0/+4
| | | | Part of: https://fedorahosted.org/freeipa/ticket/3979
* idviews: Add ipaAssignedIDVIew reference to the host objectTomas Babej2014-09-171-2/+2
| | | | Part of: https://fedorahosted.org/freeipa/ticket/3979
* Allow deleting obsolete permissions; remove operational attribute permissionsPetr Viktorin2014-09-121-4/+0
| | | | | | https://fedorahosted.org/freeipa/ticket/4534 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* permission plugin: Auto-add operational atttributes to read permissionsPetr Viktorin2014-09-121-42/+42
| | | | | | | | | | | The attributes entryusn, createtimestamp, and modifytimestamp should be readable whenever thir entry is, i.e. when we allow reading the objectclass. Automatically add them to every read permission that includes objectclass. https://fedorahosted.org/freeipa/ticket/4534 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Fix: Add managed read permissions for compat tree and operational attrsPetr Viktorin2014-09-051-4/+8
| | | | | | | | | | | This is a fix for an earlier version, which was committed by mistake as: master: 418ce870bfbe13cea694a7b862cafe35c703f660 ipa-4-0: 3e2c86aeabbd2e3c54ad73a40803ef2bf5b0cb17 ipa-4-1: 9bcd88589e30d31d3f533cd42d2f816ef01b07c7 Thanks to Alexander Bokovoy for contributions https://fedorahosted.org/freeipa/ticket/4521
* Add managed read permissions for compat treePetr Viktorin2014-09-051-0/+8
| | | | | | https://fedorahosted.org/freeipa/ticket/4521 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Add permissions for certificate store.Jan Cholasta2014-07-301-0/+10
| | | | | | | Part of https://fedorahosted.org/freeipa/ticket/3259 Part of https://fedorahosted.org/freeipa/ticket/3520 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Add permissions for CA certificate renewal.Jan Cholasta2014-07-301-0/+4
| | | | Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* makeaci: Use the DN where the ACI is stored, not the permission's DNPetr Viktorin2014-07-071-131/+131
| | | | Reviewed-By: Martin Basti <mbasti@redhat.com>
* Add Modify Realm Domains permissionMartin Kosek2014-07-041-0/+2
| | | | | | | | | The permission is required for DNS Administrators as realm domains object is updated when a master zone is added. https://fedorahosted.org/freeipa/ticket/4423 Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Add NSEC3PARAM to zone settingsMartin Basti2014-07-021-2/+2
| | | | | Ticket: https://fedorahosted.org/freeipa/ticket/4413 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Remove NSEC3PARAM recordMartin Basti2014-07-021-2/+2
| | | | | | | Revert 5b95be802c6aa12b9464813441f85eaee3e3e82b Ticket: https://fedorahosted.org/freeipa/ticket/4413 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Fix ACI in DNSMartin Basti2014-07-011-2/+2
| | | | | | | Added ACI for idnssecinlinesigning, dlvrecord, nsec3paramrecord, tlsarecord Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* DNSSEC: add TLSA record typeMartin Basti2014-07-011-2/+2
| | | | | Ticket: https://fedorahosted.org/freeipa/ticket/4328 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* sudorule: Allow using external groups as groups of runAsUsersTomas Babej2014-06-251-2/+2
| | | | | | | | | Adds a new attribute ipaSudoRunAsExtUserGroup and corresponding hooks sudorule plugin. https://fedorahosted.org/freeipa/ticket/4263 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* trusts: Allow reading system trust accounts by adtrust agentsTomas Babej2014-06-251-0/+2
| | | | Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* trusts: Add more read attributesTomas Babej2014-06-251-1/+1
| | | | Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Add several CRUD default permissionsPetr Viktorin2014-06-241-0/+12
| | | | | | | | | | | | Add missing Add, Modify, Removedefault permissions to: - automountlocation (Add/Remove only; locations have no data to modify) - privilege - sudocmdgroup (Modify only; the others were present) Related to: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Convert Sudo Command Group default permissions to managedPetr Viktorin2014-06-241-0/+6
| | | | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Convert Sudo Command default permissions to managedPetr Viktorin2014-06-241-0/+6
| | | | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Convert Service default permissions to managedPetr Viktorin2014-06-241-0/+8
| | | | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Convert SELinux User Map default permissions to managedPetr Viktorin2014-06-241-0/+6
| | | | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Convert Role default permissions to managedPetr Viktorin2014-06-241-0/+8
| | | | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Convert the Modify privilege membership permission to managedPetr Viktorin2014-06-241-0/+2
| | | | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Convert Netgroup default permissions to managedPetr Viktorin2014-06-241-0/+8
| | | | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Convert Hostgroup default permissions to managedPetr Viktorin2014-06-241-0/+8
| | | | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Convert HBAC Service Group default permissions to managedPetr Viktorin2014-06-241-0/+6
| | | | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Convert HBAC Service default permissions to managedPetr Viktorin2014-06-241-0/+4
| | | | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Convert HBAC Rule default permissions to managedPetr Viktorin2014-06-241-0/+8
| | | | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Convert Group default permissions to managedPetr Viktorin2014-06-241-0/+8
| | | | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Convert Automount default permissions to managedPetr Viktorin2014-06-241-0/+12
| | | | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* netgroup: Add objectclass attribute to read permissionsPetr Viktorin2014-06-231-2/+2
| | | | | | | | The entries were unreadable without this. Additional fix for: https://fedorahosted.org/freeipa/ticket/3566 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* trusts: Allow reading ipaNTSecurityIdentifier in user and group objectsTomas Babej2014-06-231-2/+2
| | | | | | https://fedorahosted.org/freeipa/ticket/4385 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* host permissions: Allow writing attributes needed for automatic enrollmentPetr Viktorin2014-06-231-1/+5
| | | | | | | | | | | - userclass added to existing Modify hosts permission - usercertificate, userpassword added to a new permissions https://fedorahosted.org/freeipa/ticket/4252 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Convert Host default permissions to managedPetr Viktorin2014-06-231-0/+14
| | | | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Add posixgroup to groups' permission object filterPetr Viktorin2014-06-231-2/+2
| | | | | | | | | | Private groups don't have the 'ipausergroup' objectclass. Add posixgroup to the objectclass filters to make "--type group" permissions apply to all groups. https://fedorahosted.org/freeipa/ticket/4372 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* DNSSEC: DLVRecord type addedMartin Basti2014-06-201-2/+2
| | | | | Ticket: https://fedorahosted.org/freeipa/ticket/4328 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* DNSSEC: added NSEC3PARAM record typeMartin Basti2014-06-201-2/+2
| | | | | Ticket: https://fedorahosted.org/freeipa/ticket/4328 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Convert Password Policy default permissions to managedPetr Viktorin2014-06-181-0/+6
| | | | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Convert COSTemplate default permissions to managedPetr Viktorin2014-06-181-0/+6
| | | | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Convert DNS default permissions to managedPetr Viktorin2014-06-181-0/+12
| | | | | | | | | | | Convert the existing default permissions. The Read permission is split between Read DNS Entries and Read DNS Configuration. Part of the work for: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Make sure member* attrs are always granted together in read permissionsPetr Viktorin2014-06-111-11/+11
| | | | | | | | | | | | | | Memberofindirect processing of an entry doesn't work if the user doesn't have rights to any one of these attributes: - member - memberuser - memberhost Add all of these to any read permission that specifies any of them. Add a check to makeaci that will enforce this for any future permissions. Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Add ACI.txtPetr Viktorin2014-06-111-0/+114
The ACI.txt file is a list all managed permissions in ACI form. Similarly to API.txt, it ensures that changes are not made lightly, since modifications must be reflected in ACI.txt and committed to Git. Add a script, makeaci, which parallels makeapi: it recreates or validates ACI.txt. Call makeaci --validate before the build, just after API.txt is validated. Reviewed-By: Martin Kosek <mkosek@redhat.com>
generated by cgit (git 2.34.1) at 2024-05-24 18:06:03 +0000