mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-22 23:23:30 -06:00
idvies: Add managed permissions for idview and idoverride objects
Part of: https://fedorahosted.org/freeipa/ticket/3979 Reviewed-By: Petr Viktorin <pviktori@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This commit is contained in:
parent
b65b74890b
commit
377ab0c4a6
4
ACI.txt
4
ACI.txt
@ -118,8 +118,12 @@ dn: cn=hostgroups,cn=accounts,dc=ipa,dc=example
|
||||
aci: (targetattr = "businesscategory || cn || createtimestamp || description || entryusn || ipauniqueid || modifytimestamp || o || objectclass || ou || owner || seealso")(targetfilter = "(objectclass=ipahostgroup)")(version 3.0;acl "permission:System: Read Hostgroups";allow (compare,read,search) userdn = "ldap:///all";)
|
||||
dn: cn=hostgroups,cn=accounts,dc=ipa,dc=example
|
||||
aci: (targetfilter = "(objectclass=ipahostgroup)")(version 3.0;acl "permission:System: Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=System: Remove Hostgroups,cn=permissions,cn=pbac,dc=ipa,dc=example";)
|
||||
dn: cn=views,cn=accounts,dc=ipa,dc=example
|
||||
aci: (targetattr = "cn || createtimestamp || description || entryusn || gidnumber || homedirectory || ipaanchoruuid || modifytimestamp || objectclass || uid || uidnumber")(targetfilter = "(objectclass=ipaOverrideAnchor)")(version 3.0;acl "permission:System: Read ID Overrides";allow (compare,read,search) userdn = "ldap:///all";)
|
||||
dn: cn=ranges,cn=etc,dc=ipa,dc=example
|
||||
aci: (targetattr = "cn || createtimestamp || entryusn || ipabaseid || ipabaserid || ipaidrangesize || ipanttrusteddomainsid || iparangetype || ipasecondarybaserid || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaidrange)")(version 3.0;acl "permission:System: Read ID Ranges";allow (compare,read,search) userdn = "ldap:///all";)
|
||||
dn: cn=views,cn=accounts,dc=ipa,dc=example
|
||||
aci: (targetattr = "cn || createtimestamp || description || entryusn || modifytimestamp || objectclass")(targetfilter = "(objectclass=nsContainer)")(version 3.0;acl "permission:System: Read ID Views";allow (compare,read,search) userdn = "ldap:///all";)
|
||||
dn: cn=IPA.EXAMPLE,cn=kerberos,dc=ipa,dc=example
|
||||
aci: (targetattr = "createtimestamp || entryusn || krbdefaultencsalttypes || krbmaxrenewableage || krbmaxticketlife || krbsupportedencsalttypes || modifytimestamp || objectclass")(targetfilter = "(objectclass=krbticketpolicyaux)")(version 3.0;acl "permission:System: Read Default Kerberos Ticket Policy";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Default Kerberos Ticket Policy,cn=permissions,cn=pbac,dc=ipa,dc=example";)
|
||||
dn: cn=users,cn=accounts,dc=ipa,dc=example
|
||||
|
@ -64,6 +64,17 @@ class idview(LDAPObject):
|
||||
),
|
||||
)
|
||||
|
||||
permission_filter_objectclasses = ['nsContainer']
|
||||
managed_permissions = {
|
||||
'System: Read ID Views': {
|
||||
'ipapermbindruletype': 'all',
|
||||
'ipapermright': {'read', 'search', 'compare'},
|
||||
'ipapermdefaultattr': {
|
||||
'cn', 'description', 'objectClass',
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
|
||||
@register()
|
||||
class idview_add(LDAPCreate):
|
||||
@ -160,6 +171,18 @@ class idoverride(LDAPObject):
|
||||
),
|
||||
)
|
||||
|
||||
permission_filter_objectclasses = ['ipaOverrideAnchor']
|
||||
managed_permissions = {
|
||||
'System: Read ID Overrides': {
|
||||
'ipapermbindruletype': 'all',
|
||||
'ipapermright': {'read', 'search', 'compare'},
|
||||
'ipapermdefaultattr': {
|
||||
'cn', 'objectClass', 'ipaAnchorUUID', 'uidNumber', 'gidNumber',
|
||||
'description', 'homeDirectory', 'uid',
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
|
||||
@register()
|
||||
class idoverride_add(LDAPCreate):
|
||||
|
Loading…
Reference in New Issue
Block a user