# PKI/Dogtag does not automatically upgrade it's database. When Dogtag 10
# based replica is being installed from a Dogtag 9 based replica,
# the database will miss ACLs added in Dogtag 10 resulting in limited
# functionality.
#
# This update file can be removed when Dogtag database upgrades are done
# in PKI component. Upstream tickets:
#    * https://fedorahosted.org/pki/ticket/710 (database upgrade framework)
#    * https://fedorahosted.org/pki/ticket/906 (checking database version)

dn: cn=aclResources,o=ipaca
addifexist:resourceACLS:certServer.ca.account:login,logout:allow (login,logout) user="anybody":Anybody can login and logout
addifexist:resourceACLS:certServer.ca.certrequests:execute:allow (execute) group="Certificate Manager Agents":Agents may execute cert request operations
addifexist:resourceACLS:certServer.ca.certs:execute:allow (execute) group="Certificate Manager Agents":Agents may execute cert operations
addifexist:resourceACLS:certServer.ca.groups:execute:allow (execute) group="Administrators":Admins may execute group operations
addifexist:resourceACLS:certServer.ca.users:execute:allow (execute) group="Administrators":Admins may execute user operations
replace:resourceACLS:certServer.securitydomain.domainxml:read,modify:allow (read) user="anybody";allow (modify) group="Subsystem Group":Anybody is allowed to read domain.xml but only Subsystem group is allowed to modify the domain.xml::certServer.securitydomain.domainxml:read,modify:allow (read) user="anybody";allow (modify) group="Subsystem Group" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise RA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators":Anybody is allowed to read domain.xml but only Subsystem group and Enterprise Administrators are allowed to modify the domain.xml
replace:resourceACLS:certServer.ca.connectorInfo:read,modify:allow (modify,read) group="Enterprise KRA Administrators":Only Enterprise Administrators are allowed to update the connector information::certServer.ca.connectorInfo:read,modify:allow (read) group="Enterprise KRA Administrators";allow (modify) group="Enterprise KRA Administrators" || group="Subsystem Group":Only Enterprise Administrators and Subsystem Group are allowed to update the connector information