Diffstat (limited to 'install/updates')
-rw-r--r--install/updates/30-provisioning.update1
-rw-r--r--install/updates/45-roles.update3
2 files changed, 4 insertions, 0 deletions
diff --git a/install/updates/30-provisioning.update b/install/updates/30-provisioning.update
index f1666ff3a..b8ec80e00 100644
--- a/install/updates/30-provisioning.update
+++ b/install/updates/30-provisioning.update
@@ -26,6 +26,7 @@ dn: cn=staged users,cn=accounts,cn=provisioning,$SUFFIX
add:aci: (targetattr="userPassword || krbPrincipalKey")(version 3.0; acl "Search existence of password and kerberos keys"; allow(read, search) userdn = "ldap:///uid=admin,cn=users,cn=accounts,$SUFFIX";)
# This is used for the admin to reset the delete users credential
+# No one is allowed to add entry in Delete container
dn: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX
add:aci: (targetattr="userPassword || krbPrincipalKey || krbPasswordExpiration || krbLastPwdChange")(version 3.0; acl "Admins allowed to reset password and kerberos keys"; allow(read, search, write) userdn = "ldap:///uid=admin,cn=users,cn=accounts,$SUFFIX";)
add:aci: (targetattr = "*")(version 3.0; acl "No one can add entry in Delete container"; deny (add) userdn = "ldap:///all";)
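Review bot: The added comment above `dn: cn=deleted users` says no one may add entries, which is broader than what the deny ACI at the end of this stanza enforces. `userdn = "ldap:///all"` matches authenticated binds only, and in 389 Directory Server the Directory Manager is not evaluated against ACIs at all. The new line also sits directly under the existing password-reset comment, so two comments describing different ACIs now precede the same `dn:` with nothing to tell them apart. I would reword it to name the rule it documents, for example `# ACI "No one can add entry in Delete container": denies direct add to all authenticated users (Directory Manager is not bound by ACIs)`.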
diff --git a/install/updates/45-roles.update b/install/updates/45-roles.update
index 3442c7bf8..eb50e2b9c 100644
--- a/install/updates/45-roles.update
+++ b/install/updates/45-roles.update
@@ -28,6 +28,9 @@ add: member: cn=User Administrator,cn=roles,cn=accounts,$SUFFIX
dn: cn=Group Administrators,cn=privileges,cn=pbac,$SUFFIX
add: member: cn=User Administrator,cn=roles,cn=accounts,$SUFFIX
+dn: cn=Stage User Administrators,cn=privileges,cn=pbac,$SUFFIX
+add: member: cn=User Administrator,cn=roles,cn=accounts,$SUFFIX
+
dn: cn=IT Specialist,cn=roles,cn=accounts,$SUFFIX
default:objectClass: groupofnames
default:objectClass: nestedgroup
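Review bot: The new `cn=Stage User Administrators` stanza widens what the existing `User Administrator` role can do, and because this is an update file, every current member of that role would pick up the privilege when the update is applied. Nothing in the hunk documents this. A comment above the stanza would help, such as `# User Administrator role also gets the Stage User Administrators privilege; applies to existing role members on upgrade`. Deployments that have delegated this role widely should review its membership. The stanza uses only `add: member:`, so it presumably relies on the privilege entry being created elsewhere before this file runs; that definition is not visible here and is worth confirming.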