Recent changes remove HBAC deny rules. A system with these rules on there requires a deliberate approach to make sure that policy intent is still met by HBAC.
As part of the ipa_init batch command, run a query to find hbac-deny rules and return them as part of the batch result.
When initializing the webUI, if the user is an administrator, and there are Deny rules, provide a popup window with a warning message and a link to the HBAC rules. Include a message that states the administrator should refresh the browser to rerun the check for no deny rules.
Display the deny rules in red in the HBAC Rule table.
Fixed in e4a444b
Metadata Update from @admiyo: - Issue assigned to admiyo - Issue set to the milestone: FreeIPA 2.1 - 2011/07