From 978af07dd51bad9c6da53a2a021c3b6d1d1d2008 Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Wed, 4 Jun 2014 17:39:10 +0200 Subject: Convert Hostgroup default permissions to managed Part of the work for: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek --- ACI.txt | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'ACI.txt') diff --git a/ACI.txt b/ACI.txt index 182c2e32a..6938a5044 100644 --- a/ACI.txt +++ b/ACI.txt @@ -98,10 +98,18 @@ dn: cn=System: Read Hosts,cn=permissions,cn=pbac,dc=ipa,dc=example aci: (targetattr = "cn || description || enrolledby || fqdn || ipaclientversion || ipakrbauthzdata || ipasshpubkey || ipauniqueid || krbcanonicalname || krblastpwdchange || krbpasswordexpiration || krbprincipalaliases || krbprincipalexpiration || krbprincipalname || l || macaddress || managedby || nshardwareplatform || nshostlocation || nsosversion || objectclass || serverhostname || usercertificate || userclass")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Read Hosts";allow (compare,read,search) userdn = "ldap:///all";) dn: cn=System: Remove Hosts,cn=permissions,cn=pbac,dc=ipa,dc=example aci: (targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Remove Hosts";allow (delete) groupdn = "ldap:///cn=System: Remove Hosts,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=System: Add Hostgroups,cn=permissions,cn=pbac,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=ipahostgroup)")(version 3.0;acl "permission:System: Add Hostgroups";allow (add) groupdn = "ldap:///cn=System: Add Hostgroups,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=System: Modify Hostgroup Membership,cn=permissions,cn=pbac,dc=ipa,dc=example +aci: (targetattr = "member")(targetfilter = "(objectclass=ipahostgroup)")(version 3.0;acl "permission:System: Modify Hostgroup Membership";allow (write) groupdn = "ldap:///cn=System: Modify Hostgroup Membership,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=System: Modify Hostgroups,cn=permissions,cn=pbac,dc=ipa,dc=example +aci: (targetattr = "cn || description")(targetfilter = "(objectclass=ipahostgroup)")(version 3.0;acl "permission:System: Modify Hostgroups";allow (write) groupdn = "ldap:///cn=System: Modify Hostgroups,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=System: Read Hostgroup Membership,cn=permissions,cn=pbac,dc=ipa,dc=example aci: (targetattr = "member || memberhost || memberof || memberuser")(targetfilter = "(objectclass=ipahostgroup)")(version 3.0;acl "permission:System: Read Hostgroup Membership";allow (compare,read,search) userdn = "ldap:///all";) dn: cn=System: Read Hostgroups,cn=permissions,cn=pbac,dc=ipa,dc=example aci: (targetattr = "businesscategory || cn || description || ipauniqueid || o || objectclass || ou || owner || seealso")(targetfilter = "(objectclass=ipahostgroup)")(version 3.0;acl "permission:System: Read Hostgroups";allow (compare,read,search) userdn = "ldap:///all";) +dn: cn=System: Remove Hostgroups,cn=permissions,cn=pbac,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=ipahostgroup)")(version 3.0;acl "permission:System: Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=System: Remove Hostgroups,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=System: Read ID Ranges,cn=permissions,cn=pbac,dc=ipa,dc=example aci: (targetattr = "cn || ipabaseid || ipabaserid || ipaidrangesize || ipanttrusteddomainsid || iparangetype || ipasecondarybaserid || objectclass")(targetfilter = "(objectclass=ipaidrange)")(version 3.0;acl "permission:System: Read ID Ranges";allow (compare,read,search) userdn = "ldap:///all";) dn: cn=System: Read Default Kerberos Ticket Policy,cn=permissions,cn=pbac,dc=ipa,dc=example -- cgit