mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-30 10:47:08 -06:00
5783d0c832
CSV values are not supported in upgrade files anymore Instead of add:attribute: 'first, part', second please use add:attribute: firts, part add:attribute: second Required for ticket: https://fedorahosted.org/freeipa/ticket/4984 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
19 lines
2.3 KiB
Plaintext
19 lines
2.3 KiB
Plaintext
# PKI/Dogtag does not automatically upgrade it's database. When Dogtag 10
|
|
# based replica is being installed from a Dogtag 9 based replica,
|
|
# the database will miss ACLs added in Dogtag 10 resulting in limited
|
|
# functionality.
|
|
#
|
|
# This update file can be removed when Dogtag database upgrades are done
|
|
# in PKI component. Upstream tickets:
|
|
# * https://fedorahosted.org/pki/ticket/710 (database upgrade framework)
|
|
# * https://fedorahosted.org/pki/ticket/906 (checking database version)
|
|
|
|
dn: cn=aclResources,o=ipaca
|
|
addifexist:resourceACLS:certServer.ca.account:login,logout:allow (login,logout) user="anybody":Anybody can login and logout
|
|
addifexist:resourceACLS:certServer.ca.certrequests:execute:allow (execute) group="Certificate Manager Agents":Agents may execute cert request operations
|
|
addifexist:resourceACLS:certServer.ca.certs:execute:allow (execute) group="Certificate Manager Agents":Agents may execute cert operations
|
|
addifexist:resourceACLS:certServer.ca.groups:execute:allow (execute) group="Administrators":Admins may execute group operations
|
|
addifexist:resourceACLS:certServer.ca.users:execute:allow (execute) group="Administrators":Admins may execute user operations
|
|
replace:resourceACLS:certServer.securitydomain.domainxml:read,modify:allow (read) user="anybody";allow (modify) group="Subsystem Group":Anybody is allowed to read domain.xml but only Subsystem group is allowed to modify the domain.xml::certServer.securitydomain.domainxml:read,modify:allow (read) user="anybody";allow (modify) group="Subsystem Group" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise RA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators":Anybody is allowed to read domain.xml but only Subsystem group and Enterprise Administrators are allowed to modify the domain.xml
|
|
replace:resourceACLS:certServer.ca.connectorInfo:read,modify:allow (modify,read) group="Enterprise KRA Administrators":Only Enterprise Administrators are allowed to update the connector information::certServer.ca.connectorInfo:read,modify:allow (read) group="Enterprise KRA Administrators";allow (modify) group="Enterprise KRA Administrators" || group="Subsystem Group":Only Enterprise Administrators and Subsystem Group are allowed to update the connector information
|