summaryrefslogtreecommitdiffstats
path: root/ACI.txt
Commit message (Collapse)AuthorAgeFilesLines
...
* Add managed read permissions for compat treePetr Viktorin2014-09-051-0/+8
| | | | | | https://fedorahosted.org/freeipa/ticket/4521 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Add permissions for certificate store.Jan Cholasta2014-07-301-0/+10
| | | | | | | Part of https://fedorahosted.org/freeipa/ticket/3259 Part of https://fedorahosted.org/freeipa/ticket/3520 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Add permissions for CA certificate renewal.Jan Cholasta2014-07-301-0/+4
| | | | Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* makeaci: Use the DN where the ACI is stored, not the permission's DNPetr Viktorin2014-07-071-131/+131
| | | | Reviewed-By: Martin Basti <mbasti@redhat.com>
* Add Modify Realm Domains permissionMartin Kosek2014-07-041-0/+2
| | | | | | | | | The permission is required for DNS Administrators as realm domains object is updated when a master zone is added. https://fedorahosted.org/freeipa/ticket/4423 Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Add NSEC3PARAM to zone settingsMartin Basti2014-07-021-2/+2
| | | | | Ticket: https://fedorahosted.org/freeipa/ticket/4413 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Remove NSEC3PARAM recordMartin Basti2014-07-021-2/+2
| | | | | | | Revert 5b95be802c6aa12b9464813441f85eaee3e3e82b Ticket: https://fedorahosted.org/freeipa/ticket/4413 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Fix ACI in DNSMartin Basti2014-07-011-2/+2
| | | | | | | Added ACI for idnssecinlinesigning, dlvrecord, nsec3paramrecord, tlsarecord Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* DNSSEC: add TLSA record typeMartin Basti2014-07-011-2/+2
| | | | | Ticket: https://fedorahosted.org/freeipa/ticket/4328 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* sudorule: Allow using external groups as groups of runAsUsersTomas Babej2014-06-251-2/+2
| | | | | | | | | Adds a new attribute ipaSudoRunAsExtUserGroup and corresponding hooks sudorule plugin. https://fedorahosted.org/freeipa/ticket/4263 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* trusts: Allow reading system trust accounts by adtrust agentsTomas Babej2014-06-251-0/+2
| | | | Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* trusts: Add more read attributesTomas Babej2014-06-251-1/+1
| | | | Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Add several CRUD default permissionsPetr Viktorin2014-06-241-0/+12
| | | | | | | | | | | | Add missing Add, Modify, Removedefault permissions to: - automountlocation (Add/Remove only; locations have no data to modify) - privilege - sudocmdgroup (Modify only; the others were present) Related to: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Convert Sudo Command Group default permissions to managedPetr Viktorin2014-06-241-0/+6
| | | | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Convert Sudo Command default permissions to managedPetr Viktorin2014-06-241-0/+6
| | | | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Convert Service default permissions to managedPetr Viktorin2014-06-241-0/+8
| | | | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Convert SELinux User Map default permissions to managedPetr Viktorin2014-06-241-0/+6
| | | | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Convert Role default permissions to managedPetr Viktorin2014-06-241-0/+8
| | | | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Convert the Modify privilege membership permission to managedPetr Viktorin2014-06-241-0/+2
| | | | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Convert Netgroup default permissions to managedPetr Viktorin2014-06-241-0/+8
| | | | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Convert Hostgroup default permissions to managedPetr Viktorin2014-06-241-0/+8
| | | | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Convert HBAC Service Group default permissions to managedPetr Viktorin2014-06-241-0/+6
| | | | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Convert HBAC Service default permissions to managedPetr Viktorin2014-06-241-0/+4
| | | | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Convert HBAC Rule default permissions to managedPetr Viktorin2014-06-241-0/+8
| | | | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Convert Group default permissions to managedPetr Viktorin2014-06-241-0/+8
| | | | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Convert Automount default permissions to managedPetr Viktorin2014-06-241-0/+12
| | | | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* netgroup: Add objectclass attribute to read permissionsPetr Viktorin2014-06-231-2/+2
| | | | | | | | The entries were unreadable without this. Additional fix for: https://fedorahosted.org/freeipa/ticket/3566 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* trusts: Allow reading ipaNTSecurityIdentifier in user and group objectsTomas Babej2014-06-231-2/+2
| | | | | | https://fedorahosted.org/freeipa/ticket/4385 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* host permissions: Allow writing attributes needed for automatic enrollmentPetr Viktorin2014-06-231-1/+5
| | | | | | | | | | | - userclass added to existing Modify hosts permission - usercertificate, userpassword added to a new permissions https://fedorahosted.org/freeipa/ticket/4252 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Convert Host default permissions to managedPetr Viktorin2014-06-231-0/+14
| | | | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Add posixgroup to groups' permission object filterPetr Viktorin2014-06-231-2/+2
| | | | | | | | | | Private groups don't have the 'ipausergroup' objectclass. Add posixgroup to the objectclass filters to make "--type group" permissions apply to all groups. https://fedorahosted.org/freeipa/ticket/4372 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* DNSSEC: DLVRecord type addedMartin Basti2014-06-201-2/+2
| | | | | Ticket: https://fedorahosted.org/freeipa/ticket/4328 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* DNSSEC: added NSEC3PARAM record typeMartin Basti2014-06-201-2/+2
| | | | | Ticket: https://fedorahosted.org/freeipa/ticket/4328 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Convert Password Policy default permissions to managedPetr Viktorin2014-06-181-0/+6
| | | | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Convert COSTemplate default permissions to managedPetr Viktorin2014-06-181-0/+6
| | | | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Convert DNS default permissions to managedPetr Viktorin2014-06-181-0/+12
| | | | | | | | | | | Convert the existing default permissions. The Read permission is split between Read DNS Entries and Read DNS Configuration. Part of the work for: https://fedorahosted.org/freeipa/ticket/4346 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Make sure member* attrs are always granted together in read permissionsPetr Viktorin2014-06-111-11/+11
| | | | | | | | | | | | | | Memberofindirect processing of an entry doesn't work if the user doesn't have rights to any one of these attributes: - member - memberuser - memberhost Add all of these to any read permission that specifies any of them. Add a check to makeaci that will enforce this for any future permissions. Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Add ACI.txtPetr Viktorin2014-06-111-0/+114
The ACI.txt file is a list all managed permissions in ACI form. Similarly to API.txt, it ensures that changes are not made lightly, since modifications must be reflected in ACI.txt and committed to Git. Add a script, makeaci, which parallels makeapi: it recreates or validates ACI.txt. Call makeaci --validate before the build, just after API.txt is validated. Reviewed-By: Martin Kosek <mkosek@redhat.com>