Add managed read permission for the UPG Definition

Since user_add checks the UPG definition to see if UPG is enabled,
user admins need read access to add users correctly.

All attributes are allowed since UPG Definition is an extensibleObject;
the needed attributes are not in the schema.

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566

Reviewed-By: Martin Kosek <mkosek@redhat.com>

ipalib/plugins/user.py

@@ -111,6 +111,12 @@ status_output_params = (
     ),
    )
 
+UPG_DEFINITION_DN = DN(('cn', 'UPG Definition'),
+                       ('cn', 'Definitions'),
+                       ('cn', 'Managed Entries'),
+                       ('cn', 'etc'),
+                       api.env.basedn)
+
 # characters to be used for generating random user passwords
 user_pwdchars = string.digits + string.ascii_letters + '_,.@+-='
 
@@ -319,6 +325,17 @@ class user(LDAPObject):
                 'memberof',
             },
         },
+        'System: Read UPG Definition': {
+            # Required for adding users
+            'replaces_global_anonymous_aci': True,
+            'non_object': True,
+            'ipapermlocation': UPG_DEFINITION_DN,
+            'ipapermtarget': UPG_DEFINITION_DN,
+            'ipapermbindruletype': 'permission',
+            'ipapermright': {'read', 'search', 'compare'},
+            'ipapermdefaultattr': {'*'},
+            'default_privileges': {'User Administrators'},
+        },
     }
 
     label = _('Users')