1 files changed, 762 insertions, 44 deletions

diff --git a/install/static/sudorule.js b/install/static/sudorule.js
index 101f8c41..61eef6bf 100755
--- a/install/static/sudorule.js
+++ b/install/static/sudorule.js
@@ -110,20 +110,35 @@ function ipa_sudorule_details_facet(spec) {
 
     that.init = function() {
 
-        var section = ipa_details_list_section({
-            'name': 'general',
-            'label': 'General'
-        });
-        that.add_section(section);
-
-        section.create_field({'name': 'cn', 'read_only': true});
-        section.create_field({'name': 'description'});
-        section.create_field({'name': 'cmdcategory'});
+        var section;
+
+        if (IPA.layout) {
+            section = that.create_section({
+                'name': 'general',
+                'label': 'General',
+                'template': 'sudorule-details-general.html #contents'
+            });
+
+        } else {
+            section = ipa_sudorule_details_general_section({
+                'name': 'general',
+                'label': 'General'
+            });
+            that.add_section(section);
+        }
+
+        section.create_text({ 'name': 'cn', 'read_only': true });
+        section.create_textarea({ 'name': 'description' });
+        section.create_radio({ 'name': 'ipaenabledflag' });
 
         section = ipa_rule_details_section({
             'name': 'user',
             'label': 'Who',
-            'field_name': 'memberuser',
+            'field_name': 'usercategory',
+            'options': [
+                { 'value': 'all', 'label': 'Anyone' },
+                { 'value': '', 'label': 'Specified Users and Groups' }
+            ],
             'tables': [
                 { 'field_name': 'memberuser_user' },
                 { 'field_name': 'memberuser_group' }
@@ -131,21 +146,26 @@ function ipa_sudorule_details_facet(spec) {
         });
         that.add_section(section);
 
-        section.add_field(ipa_association_table_widget({
+        var category = section.create_radio({ name: 'usercategory', label: 'User category' });
+        section.add_field(ipa_sudorule_association_table_widget({
             'id': that.entity_name+'-memberuser_user',
-            'name': 'memberuser_user', 'label': 'Users',
+            'name': 'memberuser_user', 'label': 'Users', 'category': category,
             'other_entity': 'user', 'add_method': 'add_user', 'remove_method': 'remove_user'
         }));
-        section.add_field(ipa_association_table_widget({
+        section.add_field(ipa_sudorule_association_table_widget({
             'id': that.entity_name+'-memberuser_group',
-            'name': 'memberuser_group', 'label': 'Groups',
+            'name': 'memberuser_group', 'label': 'Groups', 'category': category,
             'other_entity': 'group', 'add_method': 'add_user', 'remove_method': 'remove_user'
         }));
 
         section = ipa_rule_details_section({
             'name': 'host',
-            'label': 'Where',
-            'field_name': 'memberhost',
+            'label': 'Access this host',
+            'field_name': 'hostcategory',
+            'options': [
+                { 'value': 'all', 'label': 'Any Host' },
+                { 'value': '', 'label': 'Specified Hosts and Groups' }
+            ],
             'tables': [
                 { 'field_name': 'memberhost_host' },
                 { 'field_name': 'memberhost_hostgroup' }
@@ -153,62 +173,760 @@ function ipa_sudorule_details_facet(spec) {
         });
         that.add_section(section);
 
-        section.add_field(ipa_association_table_widget({
+        category = section.create_radio({ 'name': 'hostcategory', 'label': 'Host category' });
+        section.add_field(ipa_sudorule_association_table_widget({
             'id': that.entity_name+'-memberhost_host',
-            'name': 'memberhost_host', 'label': 'Host',
+            'name': 'memberhost_host', 'label': 'Host', 'category': category,
             'other_entity': 'host', 'add_method': 'add_host', 'remove_method': 'remove_host'
         }));
-        section.add_field(ipa_association_table_widget({
+        section.add_field(ipa_sudorule_association_table_widget({
             'id': that.entity_name+'-memberhost_hostgroup',
-            'name': 'memberhost_hostgroup', 'label': 'Groups',
+            'name': 'memberhost_hostgroup', 'label': 'Groups', 'category': category,
             'other_entity': 'hostgroup', 'add_method': 'add_host', 'remove_method': 'remove_host'
         }));
 
-        section = ipa_rule_details_section({
-            'name': 'allow',
-            'label': 'Allow',
-            'field_name': 'memberallowcmd',
-            'tables': [
-                { 'field_name': 'memberallowcmd_sudocmd' },
-                { 'field_name': 'memberallowcmd_sudocmdgroup' }
-            ]
+        section = ipa_sudorule_details_command_section({
+            'name': 'command',
+            'label': 'Run Commands'
         });
         that.add_section(section);
 
-        section.add_field(ipa_association_table_widget({
+        section = ipa_sudorule_details_runas_section({
+            'name': 'runas',
+            'label': 'As Whom'
+        });
+        that.add_section(section);
+
+        that.details_facet_init();
+    };
+
+    that.load = function(record) {
+        var category = record['cmdcategory'];
+        if (category && category[0] == 'all') {
+            record['cmdcategory'] = ['allow'];
+
+        } else {
+            var memberallowcmd_sudocmd = record['memberallowcmd_sudocmd'];
+            var memberallowcmd_sudocmdgroup = record['memberallowcmd_sudocmdgroup'];
+            var memberdenycmd_sudocmd = record['memberdenycmd_sudocmd'];
+            var memberdenycmd_sudocmdgroup = record['memberdenycmd_sudocmdgroup'];
+
+            if (!memberallowcmd_sudocmd && !memberallowcmd_sudocmdgroup
+                && !memberdenycmd_sudocmd && !memberdenycmd_sudocmdgroup) {
+                record['cmdcategory'] = ['deny'];
+
+            } else {
+                record['cmdcategory'] = [''];
+            }
+        }
+
+        that.details_facet_load(record);
+    };
+
+    that.update = function() {
+
+        var pkey = $.bbq.getState(that.entity_name + '-pkey', true) || '';
+
+        var modify_operation = {
+            'execute': false,
+            'command': ipa_command({
+                'method': that.entity_name+'_mod',
+                'args': [pkey],
+                'options': {'all': true, 'rights': true}
+            })
+        };
+
+        var categories = {
+            'usercategory': {
+                'remove_values': false
+            },
+            'hostcategory': {
+                'remove_values': false
+            },
+            'cmdcategory': {
+                'remove_values': false
+            },
+            'runasusercategory': {
+                'remove_values': false
+            },
+            'runasgroupcategory': {
+                'remove_values': false
+            }
+        };
+
+        var member_operations = {
+            'memberuser': {
+                'category': 'usercategory',
+                'has_values': false,
+                'command': ipa_command({
+                    'method': that.entity_name+'_remove_user',
+                    'args': [pkey],
+                    'options': {'all': true, 'rights': true}
+                })
+            },
+            'memberhost': {
+                'category': 'hostcategory',
+                'has_values': false,
+                'command': ipa_command({
+                    'method': that.entity_name+'_remove_host',
+                    'args': [pkey],
+                    'options': {'all': true, 'rights': true}
+                })
+            },
+            'memberallowcmd': {
+                'category': 'cmdcategory',
+                'has_values': false,
+                'command': ipa_command({
+                    'method': that.entity_name+'_remove_allow_command',
+                    'args': [pkey],
+                    'options': {'all': true, 'rights': true}
+                })
+            },
+            'memberdenycmd': {
+                'category': 'cmdcategory',
+                'has_values': false,
+                'command': ipa_command({
+                    'method': that.entity_name+'_remove_deny_command',
+                    'args': [pkey],
+                    'options': {'all': true, 'rights': true}
+                })
+            },
+            'runasuser': {
+                'category': 'runasusercategory',
+                'has_values': false,
+                'command': ipa_command({
+                    'method': that.entity_name+'_remove_runas_user',
+                    'args': [pkey],
+                    'options': {'all': true, 'rights': true}
+                })
+            },
+            'runasgroup': {
+                'category': 'runasgroupcategory',
+                'has_values': false,
+                'command': ipa_command({
+                    'method': that.entity_name+'_remove_runas_group',
+                    'args': [pkey],
+                    'options': {'all': true, 'rights': true}
+                })
+            }
+        };
+
+        var enable_operation = {
+            'execute': false,
+            'command': ipa_command({
+                'method': that.entity_name+'_enable',
+                'args': [pkey],
+                'options': {'all': true, 'rights': true}
+            })
+        };
+
+        for (var i=0; i<that.sections.length; i++) {
+            var section = that.sections[i];
+
+            var div = $('#'+that.entity_name+'-'+that.name+'-'+section.name, that.container);
+
+            for (var j=0; j<section.fields.length; j++) {
+                var field = section.fields[j];
+
+                var span = $('span[name='+field.name+']', div).first();
+                var values = field.save();
+                if (!values) continue;
+
+                var param_info = ipa_get_param_info(that.entity_name, field.name);
+
+                // skip primary key
+                if (param_info && param_info['primary_key']) continue;
+
+                var p = field.name.indexOf('_');
+                if (p >= 0) {
+                    // prepare command to remove members if needed
+                    var attribute = field.name.substring(0, p);
+                    var other_entity = field.name.substring(p+1);
+
+                    if (values.length) {
+                        member_operations[attribute].command.set_option(other_entity, values.join(','));
+                        member_operations[attribute].has_values = true;
+                    }
+                    continue;
+                }
+
+                // skip unchanged field
+                if (!field.is_dirty(span)) continue;
+
+                // check enable/disable
+                if (field.name == 'ipaenabledflag') {
+                    if (values[0] == 'FALSE') enable_operation.command.method = that.entity_name+'_disable';
+                    enable_operation.execute = true;
+                    continue;
+                }
+
+                if (field.name == 'cmdcategory') {
+                    var value = values[0];
+                    if (value == 'allow') {
+                        values = ['all'];
+                        categories[field.name].remove_values = true;
+                    } else if (value == 'deny') {
+                        values = [];
+                        categories[field.name].remove_values = true;
+                    } else {
+                        values = [];
+                    }
+
+                } else if (categories[field.name]) {
+                    if (values[0] == 'all') {
+                        categories[field.name].remove_values = true;
+                    }
+                }
+
+                // use setattr/addattr if param_info not available
+                if (!param_info) {
+                    for (var k=0; k<values.length; k++) {
+                        modify_operation.command.set_option(
+                            k == 0 ? 'setattr' : 'addattr',
+                            field.name+'='+values[k]
+                        );
+                        modify_operation.execute = true;
+                    }
+                    continue;
+                }
+
+                // set modify options
+                if (values.length == 1) {
+                    modify_operation.command.set_option(field.name, values[0]);
+                } else {
+                    modify_operation.command.set_option(field.name, values);
+                }
+                modify_operation.execute = true;
+            }
+        }
+
+        var batch = ipa_batch_command({
+            'name': 'sudorule_details_update',
+            'on_success': function(data, text_status, xhr) {
+                that.refresh();
+            },
+            'on_error': function(xhr, text_status, error_thrown) {
+                that.refresh();
+            }
+        });
+
+        for (var member_attribute in member_operations) {
+            var member_operation = member_operations[member_attribute];
+            if (member_operation.has_values &&
+                categories[member_operation.category].remove_values) {
+                batch.add_command(member_operation.command);
+            }
+        }
+
+        if (modify_operation.execute) batch.add_command(modify_operation.command);
+        if (enable_operation.execute) batch.add_command(enable_operation.command);
+
+        if (!batch.commands.length) {
+            that.refresh();
+            return;
+        }
+
+        //alert(JSON.stringify(batch.to_json()));
+
+        batch.execute();
+    };
+
+    return that;
+}
+
+function ipa_sudorule_details_general_section(spec){
+
+    spec = spec || {};
+
+    var that = ipa_details_section(spec);
+
+    that.create = function(container) {
+
+        var table = $('<table/>', {
+            'style': 'width: 100%;'
+        }).appendTo(container);
+
+        var tr = $('<tr/>').appendTo(table);
+
+        var td = $('<td/>', {
+            'style': 'width: 100px; text-align: right;',
+            'html': 'Name:'
+        }).appendTo(tr);
+
+        td = $('<td/>').appendTo(tr);
+
+        var span = $('<span/>', { 'name': 'cn' }).appendTo(td);
+
+        $('<input/>', {
+            'type': 'text',
+            'name': 'cn',
+            'size': 30
+        }).appendTo(span);
+
+        span.append(' ');
+
+        $('<span/>', {
+            'name': 'undo',
+            'class': 'ui-state-highlight ui-corner-all',
+            'style': 'display: none;',
+            'html': 'undo'
+        }).appendTo(span);
+
+        tr = $('<tr/>').appendTo(table);
+
+        td = $('<td/>', {
+            'style': 'text-align: right; vertical-align: top;',
+            'html': 'Description:'
+        }).appendTo(tr);
+
+        td = $('<td/>').appendTo(tr);
+
+        span = $('<span/>', { 'name': 'description' }).appendTo(td);
+
+        $('<textarea/>', {
+            'name': 'description',
+            'rows': 5,
+            'style': 'width: 100%'
+        }).appendTo(span);
+
+        span.append(' ');
+
+        $('<span/>', {
+            'name': 'undo',
+            'class': 'ui-state-highlight ui-corner-all',
+            'style': 'display: none;',
+            'html': 'undo'
+        }).appendTo(span);
+
+        tr = $('<tr/>').appendTo(table);
+
+        td = $('<td/>', {
+            'style': 'text-align: right; vertical-align: top;',
+            'html': 'Rule status:'
+        }).appendTo(tr);
+
+        td = $('<td/>').appendTo(tr);
+
+        span = $('<span/>', { 'name': 'ipaenabledflag' }).appendTo(td);
+
+        $('<input/>', {
+            'type': 'radio',
+            'name': 'ipaenabledflag',
+            'value': 'TRUE'
+        }).appendTo(span);
+
+        span.append('Active');
+
+        $('<input/>', {
+            'type': 'radio',
+            'name': 'ipaenabledflag',
+            'value': 'FALSE'
+        }).appendTo(span);
+
+        span.append('Inactive');
+
+        span.append(' ');
+
+        $('<span/>', {
+            'name': 'undo',
+            'class': 'ui-state-highlight ui-corner-all',
+            'style': 'display: none;',
+            'html': 'undo'
+        }).appendTo(span);
+    };
+
+    return that;
+}
+
+function ipa_sudorule_details_command_section(spec){
+
+    spec = spec || {};
+
+    var that = ipa_details_section(spec);
+
+    that.init = function() {
+
+        var category = that.create_radio({'name': 'cmdcategory'});
+
+        that.add_field(ipa_sudorule_command_table_widget({
             'id': that.entity_name+'-memberallowcmd_sudocmd',
             'name': 'memberallowcmd_sudocmd', 'label': 'Command',
+            'category': category, 'section': that,
             'other_entity': 'sudocmd', 'add_method': 'add_allow_command', 'remove_method': 'remove_allow_command'
         }));
-        section.add_field(ipa_association_table_widget({
+        that.add_field(ipa_sudorule_command_table_widget({
             'id': that.entity_name+'-memberallowcmd_sudocmdgroup',
             'name': 'memberallowcmd_sudocmdgroup', 'label': 'Groups',
+            'category': category, 'section': that,
             'other_entity': 'sudocmdgroup', 'add_method': 'add_allow_command', 'remove_method': 'remove_allow_command'
         }));
 
-        section = ipa_rule_details_section({
-            'name': 'deny',
-            'label': 'Deny',
-            'field_name': 'memberdenycmd',
-            'tables': [
-                { 'field_name': 'memberdenycmd_sudocmd' },
-                { 'field_name': 'memberdenycmd_sudocmdgroup' }
-            ]
-        });
-        that.add_section(section);
-
-        section.add_field(ipa_association_table_widget({
+        that.add_field(ipa_sudorule_command_table_widget({
             'id': that.entity_name+'-memberdenycmd_sudocmd',
             'name': 'memberdenycmd_sudocmd', 'label': 'Command',
+            'category': category, 'section': that,
             'other_entity': 'sudocmd', 'add_method': 'add_deny_command', 'remove_method': 'remove_deny_command'
         }));
-        section.add_field(ipa_association_table_widget({
+        that.add_field(ipa_sudorule_command_table_widget({
             'id': that.entity_name+'-memberdenycmd_sudocmdgroup',
             'name': 'memberdenycmd_sudocmdgroup', 'label': 'Groups',
+            'category': category, 'section': that,
             'other_entity': 'sudocmdgroup', 'add_method': 'add_deny_command', 'remove_method': 'remove_deny_command'
         }));
 
-        that.details_facet_init();
+        that.section_init();
+    };
+
+    that.create = function(container) {
+
+        if (that.template) return;
+
+        var span = $('<span/>', { 'name': 'cmdcategory' }).appendTo(container);
+
+        $('<input/>', {
+            'type': 'radio',
+            'name': 'cmdcategory',
+            'value': 'allow'
+        }).appendTo(span);
+
+        span.append('Allow Any Command / Group');
+
+        span.append(' ');
+
+        $('<span/>', {
+            'name': 'undo',
+            'class': 'ui-state-highlight ui-corner-all',
+            'style': 'display: none;',
+            'html': 'undo'
+        }).appendTo(span);
+
+        span.append('<br/>');
+
+        $('<input/>', {
+            'type': 'radio',
+            'name': 'cmdcategory',
+            'value': 'deny'
+        }).appendTo(span);
+
+        span.append('Deny Any Command / Group');
+
+        span.append('<br/>');
+
+        $('<input/>', {
+            'type': 'radio',
+            'name': 'cmdcategory',
+            'value': ''
+        }).appendTo(span);
+
+        span.append('Specific Command / Group');
+
+        $('<h3/>', { text: 'Allow' }).appendTo(span);
+
+        var table_span = $('<span/>', { 'name': 'memberallowcmd_sudocmd' }).appendTo(span);
+        var field = that.get_field('memberallowcmd_sudocmd');
+        field.create(table_span);
+
+        table_span = $('<span/>', { 'name': 'memberallowcmd_sudocmdgroup' }).appendTo(span);
+        field = that.get_field('memberallowcmd_sudocmdgroup');
+        field.create(table_span);
+
+        $('<h3/>', { text: 'Deny' }).appendTo(span);
+
+        table_span = $('<span/>', { 'name': 'memberdenycmd_sudocmd' }).appendTo(span);
+        field = that.get_field('memberdenycmd_sudocmd');
+        field.create(table_span);
+
+        table_span = $('<span/>', { 'name': 'memberdenycmd_sudocmdgroup' }).appendTo(span);
+        field = that.get_field('memberdenycmd_sudocmdgroup');
+        field.create(table_span);
+    };
+
+    return that;
+}
+
+function ipa_sudorule_details_runas_section(spec){
+
+    spec = spec || {};
+
+    var that = ipa_details_section(spec);
+
+    that.init = function() {
+
+        var category = that.create_radio({ name: 'runasusercategory', label: 'Run as User category' });
+        that.add_field(ipa_sudorule_association_table_widget({
+            'id': that.entity_name+'-runasruser_user',
+            'name': 'runasuser_user', 'label': 'Users', 'category': category,
+            'other_entity': 'user', 'add_method': 'add_runasuser', 'remove_method': 'remove_runasuser'
+        }));
+        that.add_field(ipa_sudorule_association_table_widget({
+            'id': that.entity_name+'-runasuser_group',
+            'name': 'runasuser_group', 'label': 'Groups', 'category': category,
+            'other_entity': 'group', 'add_method': 'add_runasuser', 'remove_method': 'remove_runasuser'
+        }));
+
+        category = that.create_radio({ name: 'runasgroupcategory', label: 'Run as Group category' });
+        that.add_field(ipa_sudorule_association_table_widget({
+            'id': that.entity_name+'-runasgroup_group',
+            'name': 'runasgroup_group', 'label': 'Groups', 'category': category,
+            'other_entity': 'group', 'add_method': 'add_runasgroup', 'remove_method': 'remove_runasgroup'
+        }));
+
+        that.section_init();
+    };
+
+    that.create = function(container) {
+
+        if (that.template) return;
+
+        var span = $('<span/>', { 'name': 'runasusercategory' }).appendTo(container);
+
+        $('<input/>', {
+            'type': 'radio',
+            'name': 'runasusercategory',
+            'value': 'all'
+        }).appendTo(span);
+
+        span.append('Anyone');
+
+        $('<input/>', {
+            'type': 'radio',
+            'name': 'runasusercategory',
+            'value': ''
+        }).appendTo(span);
+
+        span.append('Specified Users and Groups');
+
+        span.append(' ');
+
+        $('<span/>', {
+            'name': 'undo',
+            'class': 'ui-state-highlight ui-corner-all',
+            'style': 'display: none;',
+            'html': 'undo'
+        }).appendTo(span);
+
+        span.append('<br/>');
+
+        var table_span = $('<span/>', { 'name': 'runasuser_user' }).appendTo(span);
+        var field = that.get_field('runasuser_user');
+        field.create(table_span);
+
+        table_span = $('<span/>', { 'name': 'runasuser_group' }).appendTo(span);
+        field = that.get_field('runasuser_group');
+        field.create(table_span);
+
+        span = $('<span/>', { 'name': 'runasgroupcategory' }).appendTo(container);
+
+        $('<input/>', {
+            'type': 'radio',
+            'name': 'runasgroupcategory',
+            'value': 'all'
+        }).appendTo(span);
+
+        span.append('Any Group');
+
+        $('<input/>', {
+            'type': 'radio',
+            'name': 'runasgroupcategory',
+            'value': ''
+        }).appendTo(span);
+
+        span.append('Specified Groups');
+
+        span.append(' ');
+
+        $('<span/>', {
+            'name': 'undo',
+            'class': 'ui-state-highlight ui-corner-all',
+            'style': 'display: none;',
+            'html': 'undo'
+        }).appendTo(span);
+
+        span.append('<br/>');
+
+        table_span = $('<span/>', { 'name': 'runasgroup_group' }).appendTo(span);
+        field = that.get_field('runasgroup_group');
+        field.create(table_span);
+    };
+
+    return that;
+}
+
+function ipa_sudorule_association_table_widget(spec) {
+
+    spec = spec || {};
+
+    var that = ipa_rule_association_table_widget(spec);
+
+    that.create_add_dialog = function() {
+        var pkey = $.bbq.getState(that.entity_name + '-pkey', true) || '';
+        var label = IPA.metadata[that.other_entity].label;
+        var title = 'Add '+label+' to '+that.entity_name+' '+pkey;
+
+        return ipa_sudorule_association_adder_dialog({
+            'title': title,
+            'entity_name': that.entity_name,
+            'pkey': pkey,
+            'other_entity': that.other_entity,
+            'template': 'sudorule-'+that.other_entity+'-dialog.html #contents'
+        });
+    };
+
+    return that;
+}
+
+function ipa_sudorule_association_adder_dialog(spec) {
+
+    spec = spec || {};
+
+    var that = ipa_association_adder_dialog(spec);
+
+    that.init = function() {
+
+        if (!that.columns.length) {
+            var pkey_name = IPA.metadata[that.other_entity].primary_key;
+            that.create_column({
+                name: pkey_name,
+                label: IPA.metadata[that.other_entity].label,
+                primary_key: true
+            });
+        }
+
+        that.available_table = ipa_table_widget({
+            name: 'available'
+        });
+
+        that.available_table.set_columns(that.columns);
+
+        that.available_table.init();
+
+        that.selected_table = ipa_table_widget({
+            name: 'selected'
+        });
+
+        that.selected_table.set_columns(that.columns);
+
+        that.selected_table.init();
+
+        that.association_adder_dialog_init();
+    };
+
+    that.setup = function() {
+        that.association_adder_dialog_setup();
+        that.external_field = $('input[name=external]', that.container);
+    };
+
+    that.add = function() {
+        var rows = that.available_table.remove_selected_rows();
+        that.selected_table.add_rows(rows);
+
+        var pkey_name = IPA.metadata[that.other_entity].primary_key;
+        var value = that.external_field.val();
+        if (!value) return;
+
+        var record = {};
+        record[pkey_name] = value;
+        that.selected_table.add_record(record);
+        that.external_field.val('');
+    };
+
+    return that;
+}
+
+function ipa_sudorule_command_table_widget(spec) {
+
+    spec = spec || {};
+
+    var that = ipa_association_table_widget(spec);
+
+    that.category = spec.category;
+    that.section = spec.section;
+
+    that.add = function(values, on_success, on_error) {
+
+        var pkey = $.bbq.getState(that.entity_name + '-pkey', true) || '';
+
+        var batch = ipa_batch_command({
+            'on_success': on_success,
+            'on_error': on_error
+        });
+
+        var command;
+
+        if (that.category.save() == 'all') {
+            command = ipa_command({
+                'method': that.entity_name+'_mod',
+                'args': [pkey],
+                'options': {'all': true, 'rights': true}
+            });
+            command.set_option(that.category.name, '');
+            batch.add_command(command);
+        }
+
+        command = ipa_command({
+            'method': that.entity_name+'_'+that.add_method,
+            'args': [pkey],
+            'on_success': function() {
+                var record = {};
+                record[that.category.name] = [''];
+                that.category.load(['']);
+            }
+        });
+        command.set_option(that.other_entity, values.join(','));
+        batch.add_command(command);
+
+        batch.execute();
+    };
+
+    that.remove = function(values, on_success, on_error) {
+
+        var pkey = $.bbq.getState(that.entity_name + '-pkey', true) || '';
+
+        var command = ipa_command({
+            'method': that.entity_name+'_'+that.remove_method,
+            'args': [pkey],
+            'on_success': function(data, text_status, xhr) {
+
+                // if all values in this field are removed
+                // and other fields are already empty,
+                // change category to 'deny'
+
+                var update_category = values.length == that.values.length;
+
+                if (update_category && that.name != 'memberallowcmd_sudocmd') {
+                    var memberallowcmd_sudocmd = that.section.get_field('memberallowcmd_sudocmd').save();
+                    if (memberallowcmd_sudocmd.length) update_category = false;
+                }
+
+                if (update_category && that.name != 'memberallowcmd_sudocmdgroup') {
+                    var memberallowcmd_sudocmdgroup = that.section.get_field('memberallowcmd_sudocmdgroup').save();
+                    if (memberallowcmd_sudocmdgroup.length) update_category = false;
+                }
+
+                if (update_category && that.name != 'memberdenycmd_sudocmd') {
+                    var memberdenycmd_sudocmd = that.section.get_field('memberdenycmd_sudocmd').save();
+                    if (memberdenycmd_sudocmd.length) update_category = false;
+                }
+
+                if (update_category && that.name != 'memberdenycmd_sudocmdgroup') {
+                    var memberdenycmd_sudocmdgroup = that.section.get_field('memberdenycmd_sudocmdgroup').save();
+                    if (memberdenycmd_sudocmdgroup.length) update_category = false;
+                }
+
+                if (update_category) {
+                    var record = {};
+                    record[that.category.name] = ['deny'];
+                    that.category.load(record);
+                }
+
+                if (on_success) on_success(data, text_status, xhr);
+            },
+            'on_error': on_error
+        });
+
+        command.set_option(that.other_entity, values.join(','));
+
+        command.execute();
     };
 
     return that;