User life cycle: Add 'Stage User Provisioning' permission/priviledge
Add the ability for the 'Stage user provisioning' privilege to add stage users. Reviewed-By: David Kupka <dkupka@redhat.com>
parent
51937cc571
commit
273fd057a3
4
ACI.txt
4
ACI.txt
@ -213,7 +213,9 @@ aci: (targetattr = "createtimestamp || entryusn || ipakrbauthzdata || ipakrbprin
dn: cn=services,cn=accounts,dc=ipa,dc=example
aci: (targetfilter = "(objectclass=ipaservice)")(version 3.0;acl "permission:System: Remove Services";allow (delete) groupdn = "ldap:///cn=System: Remove Services,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example
aci: (targetattr = "*")(target = "ldap:///uid=*,cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=*)")(version 3.0;acl "permission:System: Add delete modify Stage Users by administrators";allow (add,delete,write) groupdn = "ldap:///cn=System: Add delete modify Stage Users by administrators,cn=permissions,cn=pbac,dc=ipa,dc=example";)
aci: (targetattr = "*")(target = "ldap:///uid=*,cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=*)")(version 3.0;acl "permission:System: Add Stage Users by Provisioning and Administrators";allow (add) groupdn = "ldap:///cn=System: Add Stage Users by Provisioning and Administrators,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example
aci: (targetattr = "*")(target = "ldap:///uid=*,cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=*)")(version 3.0;acl "permission:System: Delete modify Stage Users by administrators";allow (delete,write) groupdn = "ldap:///cn=System: Delete modify Stage Users by administrators,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: dc=ipa,dc=example
aci: (target_to = "ldap:///cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(target_from = "ldap:///cn=users,cn=accounts,dc=ipa,dc=example")(targetfilter = "(objectclass=nsContainer)")(version 3.0;acl "permission:System: Preserve an active user to a delete Users";allow (moddn) groupdn = "ldap:///cn=System: Preserve an active user to a delete Users,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: dc=ipa,dc=example
@ -137,6 +137,14 @@ objectClass: nestedgroup
cn: Stage User Administrators
description: Stage User Administrators
dn: cn=Stage User Provisioning,cn=privileges,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
cn: Stage User Provisioning
description: Stage User Provisioning
############################################
# Default permissions.
############################################
@ -115,6 +115,17 @@ class stageuser(baseuser):
#
# Stage container
#
# Stage user provisioning and Stage user Administrators,
# allowed to create stage users
'System: Add Stage Users by Provisioning and Administrators': {
'ipapermlocation': DN(baseuser.stage_container_dn, api.env.basedn),
'ipapermbindruletype': 'permission',
'ipapermtarget': DN('uid=*', baseuser.stage_container_dn, api.env.basedn),
'ipapermtargetfilter': {'(objectclass=*)'},
'ipapermright': {'add'},
'ipapermdefaultattr': {'*'},
'default_privileges': {'Stage User Administrators', 'Stage User Provisioning'},
},
# Stage user administrators allowed to read kerberos/password
# when the user is activated (to copy them in the active entry)
'System: Read Stage User kerberos principal key and password': {
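Review bot: The new 'System: Add Stage Users by Provisioning and Administrators' permission carries over `'ipapermtargetfilter': {'(objectclass=*)'}` and `'ipapermdefaultattr': {'*'}` from the permission it replaces, but now grants the `add` right to the new 'Stage User Provisioning' privilege as well, so a provisioning principal can create any entry with a `uid=` RDN under the stage container, with any objectclass and any attribute values (presumably including the kerberos key and password attributes that the separate read permission at the end of this hunk treats as sensitive). If the command only ever stages entries of the user objectclass, narrowing the filter to that objectclass (as the services ACI earlier in this commit does with `(objectclass=ipaservice)`) would bound what the less-trusted role can write; if `(objectclass=*)` is deliberate, a comment stating why would spare the next reader the question, e.g. `# targetfilter is intentionally (objectclass=*): provisioning systems may stage entries carrying extra objectclasses`. The stageuser class this dict belongs to starts before the hunk.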
@ -128,14 +139,14 @@ class stageuser(baseuser):
},
'default_privileges': {'Stage User Administrators'},
},
# Stage user administrator allowed to create/delete stage users and
# Stage user administrator allowed to delete stage users and
# to update them
'System: Add delete modify Stage Users by administrators': {
'System: Delete modify Stage Users by administrators': {
'ipapermlocation': DN(baseuser.stage_container_dn, api.env.basedn),
'ipapermbindruletype': 'permission',
'ipapermtarget': DN('uid=*', baseuser.stage_container_dn, api.env.basedn),
'ipapermtargetfilter': {'(objectclass=*)'},
'ipapermright': {'add','delete','write'},
'ipapermright': {'delete','write'},
'ipapermdefaultattr': {'*'},
'default_privileges': {'Stage User Administrators'},
},