[Freeipa-devel] ACI permissions UI up for review
Rob Crittenden
rcritten at redhat.com
Tue Dec 14 15:15:25 UTC 2010
Dmitri Pal wrote:
> Adam Young wrote:
>> On 12/13/2010 11:27 AM, Dmitri Pal wrote:
>>>>
>>>> Sorry, this whole part just does not make sense to me. What is the target
>>>> group? Where did it come from?
>>>>
>>>
>> One ACI that uses this is 'add_user_to_default_group'. This is used in
>> the permission 'useradmin'.
>>
>>
>> The json response for permission-show looks like this:
>> {
>>   "error": null,
>>   "id": 2,
>>   "result": {
>>     "result": {
>>       "attributelevelrights": {
>>         "aci": "rscwo",
>>         "businesscategory": "rscwo",
>>         "cn": "rscwo",
>>         "description": "rscwo",
>>         "member": "rscwo",
>>         "nsaccountlock": "rscwo",
>>         "o": "rscwo",
>>         "objectclass": "rscwo",
>>         "ou": "rscwo",
>>         "owner": "rscwo",
>>         "seealso": "rscwo"
>>       },
>>       "attrs": [
>>         "member"
>>       ],
>>       "cn": [
>>         "add_user_to_default_group"
>>       ],
>>       "description": [
>>         "Add user to default group"
>>       ],
>>       "dn": "cn=add_user_to_default_group,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
>>       "member_privilege": [
>>         "useradmin"
>>       ],
>>       "objectclass": [
>>         "top",
>>         "groupofnames"
>>       ],
>>       "permissions": [
>>         "write"
>>       ],
>>       "targetgroup": "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com"
>>     },
>>     "summary": null,
>>     "value": "add_user_to_default_group"
>>   }
>> }
>>
> IMO this is a special case and should end up in the generic LDAP filter.
> Rob, it seems this case is unclear and we need to sort it out.
>
A targetgroup lets you manage a specific group. In this case it grants
permission to manage the membership of the ipausers group.
rob
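
Added example, not part of the original message and not FreeIPA code: a small audit helper that reads a permission-show response shaped like the one quoted above and reports whether the permission controls a group's membership, following the explanation that a targetgroup with write on "member" manages that group. The function names leftmost_rdn and describe are hypothetical, and the sample is the quoted response trimmed to the fields the check uses.

```python
import json

# Sample input: the permission-show response quoted in the thread,
# trimmed to the fields this check reads.
SAMPLE = json.loads("""
{"result": {"result": {
  "attrs": ["member"],
  "cn": ["add_user_to_default_group"],
  "member_privilege": ["useradmin"],
  "permissions": ["write"],
  "targetgroup": "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com"
}}}
""")

def leftmost_rdn(ldap_url):
    """Return (attr, value) of the first RDN in an ldap:///<dn> URL."""
    prefix = "ldap:///"
    dn = ldap_url[len(prefix):] if ldap_url.startswith(prefix) else ldap_url
    rdn, i = [], 0
    while i < len(dn) and dn[i] != ",":
        if dn[i] == "\\" and i + 1 < len(dn):
            rdn.append(dn[i + 1])  # keep a backslash-escaped character such as "\,"
            i += 2
        else:
            rdn.append(dn[i])
            i += 1
    attr, _, value = "".join(rdn).partition("=")
    return attr.strip().lower(), value.strip()

def describe(response):
    """Summarise one permission-show response as an audit record."""
    entry = response["result"]["result"]
    rights = set(entry.get("permissions", []))
    attrs = set(a.lower() for a in entry.get("attrs", []))
    group = None
    if "targetgroup" in entry:
        _, group = leftmost_rdn(entry["targetgroup"])
    return {
        "permission": entry["cn"][0],
        "group": group,
        "rights": sorted(rights),
        "attrs": sorted(attrs),
        # write on "member" of a target group means control of its membership
        "manages_membership": group is not None and "write" in rights and "member" in attrs,
        "held_by": sorted(entry.get("member_privilege", [])),
    }

if __name__ == "__main__":
    print(describe(SAMPLE))
```

Hex-escaped DN characters (for example \2C) are not decoded by this helper.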