User life cycle: Add 'Stage User Provisioning' permission/priviledge

Add the ability for 'Stage user provisioning' priviledge to add stage users. Reviewed-By: David Kupka <dkupka@redhat.com>
author: Thierry Bordaz <tbordaz@redhat.com> 2015-04-23 18:43:48 +0200
committer: Martin Kosek <mkosek@redhat.com> 2015-05-18 09:37:21 +0200
commit: 273fd057a3be797a05d6c7f34fd619d3dfa09c37 (patch)
tree: e731f1e78d472348cdbfdac7c341503c0ba96ed2 /ACI.txt
parent: 51937cc571ec8ea5e782b8dcd45f0ec5fe0f310b (diff)
download: freeipa-273fd057a3be797a05d6c7f34fd619d3dfa09c37.tar.gz
freeipa-273fd057a3be797a05d6c7f34fd619d3dfa09c37.tar.xz
freeipa-273fd057a3be797a05d6c7f34fd619d3dfa09c37.zip
1 files changed, 3 insertions, 1 deletions
diff --git a/ACI.txt b/ACI.txt
index 534689c4b..bf5398929 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -213,7 +213,9 @@ aci: (targetattr = "createtimestamp || entryusn || ipakrbauthzdata || ipakrbprin
 dn: cn=services,cn=accounts,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=ipaservice)")(version 3.0;acl "permission:System: Remove Services";allow (delete) groupdn = "ldap:///cn=System: Remove Services,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example
-aci: (targetattr = "*")(target = "ldap:///uid=*,cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=*)")(version 3.0;acl "permission:System: Add delete modify Stage Users by administrators";allow (add,delete,write) groupdn = "ldap:///cn=System: Add delete modify Stage Users by administrators,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+aci: (targetattr = "*")(target = "ldap:///uid=*,cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=*)")(version 3.0;acl "permission:System: Add Stage Users by Provisioning and Administrators";allow (add) groupdn = "ldap:///cn=System: Add Stage Users by Provisioning and Administrators,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example
+aci: (targetattr = "*")(target = "ldap:///uid=*,cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=*)")(version 3.0;acl "permission:System: Delete modify Stage Users by administrators";allow (delete,write) groupdn = "ldap:///cn=System: Delete modify Stage Users by administrators,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: dc=ipa,dc=example
 aci: (target_to = "ldap:///cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(target_from = "ldap:///cn=users,cn=accounts,dc=ipa,dc=example")(targetfilter = "(objectclass=nsContainer)")(version 3.0;acl "permission:System: Preserve an active user to a delete Users";allow (moddn) groupdn = "ldap:///cn=System: Preserve an active user to a delete Users,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: dc=ipa,dc=example
author	Thierry Bordaz <tbordaz@redhat.com>	2015-04-23 18:43:48 +0200
committer	Martin Kosek <mkosek@redhat.com>	2015-05-18 09:37:21 +0200
commit	273fd057a3be797a05d6c7f34fd619d3dfa09c37 (patch)
tree	e731f1e78d472348cdbfdac7c341503c0ba96ed2 /ACI.txt
parent	51937cc571ec8ea5e782b8dcd45f0ec5fe0f310b (diff)
download	freeipa-273fd057a3be797a05d6c7f34fd619d3dfa09c37.tar.gz freeipa-273fd057a3be797a05d6c7f34fd619d3dfa09c37.tar.xz freeipa-273fd057a3be797a05d6c7f34fd619d3dfa09c37.zip