blob: d718923544f0cb00f61b7b56940695e3891c4780 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
|
# PKI/Dogtag does not automatically upgrade it's database. When Dogtag 10
# based replica is being installed from a Dogtag 9 based replica,
# the database will miss ACLs added in Dogtag 10 resulting in limited
# functionality.
#
# This update file can be removed when Dogtag database upgrades are done
# in PKI component. Upstream tickets:
# * https://fedorahosted.org/pki/ticket/710 (database upgrade framework)
# * https://fedorahosted.org/pki/ticket/906 (checking database version)
dn: cn=aclResources,o=ipaca
addifexist:resourceACLS:'certServer.ca.account:login,logout:allow (login,logout) user="anybody":Anybody can login and logout'
addifexist:resourceACLS:'certServer.ca.certrequests:execute:allow (execute) group="Certificate Manager Agents":Agents may execute cert request operations'
addifexist:resourceACLS:'certServer.ca.certs:execute:allow (execute) group="Certificate Manager Agents":Agents may execute cert operations'
addifexist:resourceACLS:'certServer.ca.groups:execute:allow (execute) group="Administrators":Admins may execute group operations'
addifexist:resourceACLS:'certServer.ca.users:execute:allow (execute) group="Administrators":Admins may execute user operations'
replace:resourceACLS:'certServer.securitydomain.domainxml:read,modify:allow (read) user="anybody";allow (modify) group="Subsystem Group":Anybody is allowed to read domain.xml but only Subsystem group is allowed to modify the domain.xml::certServer.securitydomain.domainxml:read,modify:allow (read) user="anybody";allow (modify) group="Subsystem Group" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise RA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators":Anybody is allowed to read domain.xml but only Subsystem group and Enterprise Administrators are allowed to modify the domain.xml'
replace:resourceACLS:'certServer.ca.connectorInfo:read,modify:allow (modify,read) group="Enterprise KRA Administrators":Only Enterprise Administrators are allowed to update the connector information::certServer.ca.connectorInfo:read,modify:allow (read) group="Enterprise KRA Administrators";allow (modify) group="Enterprise KRA Administrators" || group="Subsystem Group":Only Enterprise Administrators and Subsystem Group are allowed to update the connector information'
|
