On 12/06/2013 03:28 PM, Simo Sorce wrote:
> On Fri, 2013-12-06 at 14:14 +0100, Petr Viktorin wrote:
>> On 12/02/2013 02:48 PM, Petr Viktorin wrote:
>>> On 12/02/2013 02:29 PM, Simo Sorce wrote:
>
>>>> It would be very nice if you can add the resulting LDAP objects in the
>>>> example, that will allow me to reason on the correctness of the
>>>> translation.
>>>
>>> OK, I'll work on that.
>>
>> I've added the resulting LDAP objects to the tests here:
>> http://www.freeipa.org/index.php?title=V3/Permissions_V2/tests
>
> Thank you Petr,
> I was looking at them and I see we often use target=ldap://<dn> type for
> selecting which objects this applies to.
>
> This was sort of necessary when the permissions were all in the base and
> we wanted to limit to specific entries in subtrees.
>
> However I was wondering if we shouldn't transition/allow to use
> targetfilter or targetattrfilter (this would be needed to have
> add/delete permissions).
>
> For example, instead of:
> (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")
> We could have:
> (targetfilter = "(objectclass=ipaUser)")
>
> It also occurs to me we could do very neat things like allowing manager
> access with (targetfilter = "(managedby=<dn>)"), and similar.
>
> In general using targetfilter and targetattrfilter is more flexible and
> allows for applying different permissions depending exactly on the object
> type or even specific sets of objects of a common type. Something the
> simple target filter cannot do.
>
> What do you think ?
>
> Simo.
>
I am all in. I still remember what we had to do to update ACIs for SUDO
commands just because the default RDN changed, e.g.:

remove:aci: '(target = "ldap:///sudocmd=*,cn=sudocmds,cn=sudo,$SUFFIX")(version 3.0;acl "permission: Delete Sudo command";allow (delete) groupdn = "ldap:///cn=Delete Sudo command,cn=permissions,cn=pbac, $SUFFIX";)'
add:aci: '(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo, $SUFFIX")(version 3.0;acl "permission:Delete Sudo command";allow (delete) groupdn = "ldap:///cn=Delete Sudo command,cn=permissions,cn=pbac,$SUFFIX";)'

With this approach, no change would be needed at all - neat!

Martin

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
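The difference Simo and Martin are discussing, as an added example that is not code from this thread, FreeIPA or 389-ds: a small Python model of how the `target` and `targetfilter` keywords of an ACI select entries. It takes the two ACIs Martin quotes, evaluates them against constructed sample entries (one sudo command named by `sudocmd=` and the same command under a different naming attribute), and shows that the RDN-pattern `target` only matches the first while the `objectclass` `targetfilter` matches both. The sample DNs, the `MANAGER_ACI` built on Simo's `managedby` idea, and the matching semantics (crude DN normalisation, subtree scope for a wildcard-free `target`, a filter subset of `=`, `&`, `|`, `!`) are assumptions made for the example, not 389-ds behaviour in full.

```python
"""Toy evaluator for the `target` and `targetfilter` keywords of a 389-ds ACI.
Added example for this thread, not FreeIPA or 389-ds code.  It models just
enough to show why an ACI keyed on an RDN pattern breaks when the naming
attribute changes while a targetfilter on objectclass keeps working.
Simplifications (assumptions): crude DN normalisation; `target !=`, targetattr
and the ACI's placement in the tree are ignored; filters support only =,&,|,!."""
import re
from fnmatch import fnmatchcase

SUFFIX = "dc=example,dc=com"

# Constructed sample entries: one sudo command under its old RDN (sudocmd=...)
# and under another naming attribute, plus a user and a host she manages.
ENTRIES = {
    "sudocmd=/usr/bin/less,cn=sudocmds,cn=sudo," + SUFFIX:
        {"objectclass": ["ipasudocmd", "ipaobject"], "sudocmd": ["/usr/bin/less"]},
    "ipauniqueid=1234,cn=sudocmds,cn=sudo," + SUFFIX:
        {"objectclass": ["ipasudocmd", "ipaobject"], "sudocmd": ["/usr/bin/less"]},
    "uid=alice,cn=users,cn=accounts," + SUFFIX:
        {"objectclass": ["ipauser", "posixaccount"], "uid": ["alice"]},
    "fqdn=web1.example.com,cn=computers,cn=accounts," + SUFFIX:
        {"objectclass": ["ipahost"],
         "managedby": ["uid=alice,cn=users,cn=accounts," + SUFFIX]},
}

# The two ACIs from Martin's mail (old: RDN pattern; new: objectclass filter)
# and a hypothetical "manager" ACI in the spirit of Simo's managedby idea.
OLD_ACI = ('(target = "ldap:///sudocmd=*,cn=sudocmds,cn=sudo,$SUFFIX")'
           '(version 3.0;acl "permission:Delete Sudo command";allow (delete) '
           'groupdn = "ldap:///cn=Delete Sudo command,cn=permissions,cn=pbac,$SUFFIX";)')
NEW_ACI = ('(targetfilter = "(objectclass=ipasudocmd)")'
           '(target = "ldap:///cn=sudocmds,cn=sudo,$SUFFIX")'
           '(version 3.0;acl "permission:Delete Sudo command";allow (delete) '
           'groupdn = "ldap:///cn=Delete Sudo command,cn=permissions,cn=pbac,$SUFFIX";)')
MANAGER_ACI = ('(targetfilter = "(managedby=uid=alice,cn=users,cn=accounts,$SUFFIX)")'
               '(version 3.0;acl "managers may edit their hosts";allow (write) '
               'userdn = "ldap:///uid=alice,cn=users,cn=accounts,$SUFFIX";)')

_CLAUSE = re.compile(r'\((target|targetfilter)\s*=\s*"([^"]*)"\)', re.I)

def norm_dn(dn):
    """Crude DN normalisation: lowercase and strip blanks around commas."""
    return ",".join(part.strip() for part in dn.lower().split(","))

def parse_targets(aci):
    """Map each target keyword in the ACI to its value, with $SUFFIX expanded."""
    return {kw.lower(): val.replace("$SUFFIX", SUFFIX)
            for kw, val in _CLAUSE.findall(aci)}

def target_matches(pattern, dn):
    """Entry matches a `target` DN pattern (with `*` wildcards) if its DN
    matches the pattern or lies below a wildcard-free pattern (subtree)."""
    pat = norm_dn(pattern[len("ldap:///"):])
    dn = norm_dn(dn)
    if fnmatchcase(dn, pat):
        return True
    return "*" not in pat and dn.endswith("," + pat)

def _split_subfilters(s):
    """Split '(a=1)(b=2)' into ['(a=1)', '(b=2)'], honouring nesting."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        if ch == "(":
            start = i if depth == 0 else start
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(s[start:i + 1])
    return parts

def filter_matches(flt, entry):
    """Evaluate an LDAP filter (=, &, |, ! only) against an entry dict."""
    body = flt.strip()[1:-1]
    if body[0] in "&|!":
        results = [filter_matches(sub, entry) for sub in _split_subfilters(body[1:])]
        return {"&": all, "|": any, "!": lambda r: not r[0]}[body[0]](results)
    attr, _, value = body.partition("=")
    values = [v.lower() for v in entry.get(attr.strip().lower(), [])]
    return bool(values) if value == "*" else value.lower() in values

def aci_applies(aci, dn, entry):
    """True when every target clause present in the ACI selects this entry."""
    c = parse_targets(aci)
    return (("target" not in c or target_matches(c["target"], dn)) and
            ("targetfilter" not in c or filter_matches(c["targetfilter"], entry)))

def selected_entries(aci, entries=ENTRIES):
    """Sorted DNs of the sample entries the ACI's target clauses select."""
    return sorted(dn for dn, e in entries.items() if aci_applies(aci, dn, e))

if __name__ == "__main__":
    for label, aci in (("old, target on RDN", OLD_ACI),
                       ("new, targetfilter on objectclass", NEW_ACI),
                       ("manager, targetfilter on managedby", MANAGER_ACI)):
        print(label)
        for dn in selected_entries(aci):
            print("   ", dn)
```

Run stand-alone, the script lists which sample entries each ACI selects: the old ACI picks up only the entry still named `sudocmd=...`, the new one picks up both sudo command entries regardless of their RDN, and the manager ACI picks up only the host whose `managedby` points at alice. Two caveats when carrying this over to a real server: 389-ds also scopes an ACI to the entry the `aci` attribute is stored on, and honours `targetattr`/`targetattrfilters`, so a `targetfilter` that is too broad can still grant more than intended; and because `targetfilter` is evaluated against the entry's attributes, a client who can write `objectclass` (or `managedby`) on an entry can influence which ACIs apply to it, which is exactly why `targetattr` should keep those attributes out of the writable set.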