Issue

The automember plugin doesn't define typical system permissions for delegating the CRUD operations against automember rules.

A user asked about this and I came up with this pretty quickly. It is incomplete.

ipa permission-add 'Add Automember Rule' --right add --type automember
ipa permission-add 'Delete Automember Rule' --right delete --type automember
ipa permission-add 'Modify Automember Rule' --right write --type
automember --attrs automemberinclusiveregex --attrs
automemberexclusiveregex --attrs description

A rule is also needed so the default group can be set.

The modify rule doesn't allow cn to be changed so a rule can't be renamed.

There are probably other oversights as well.