The managed permission feature makes it really easy to create or update permissions in a plugin. Without managed permissions, every change to a permission requires a carefully written `remove:aci:` and `add:aci:` line in an LDAP update file.
In IPA 4.8.6 and earlier, managed permissions are restricted. A managed permission's `ipapermbindruletype` only allows `all`, `anonymous`, or `permission`. There is no way to create a managed permission that allows a self-service permission with `userdn = ldap:///self`. The feature is easy to implement and would simplify external plugin code like https://github.com/fedora-infra/freeipa-fas/pull/107/files.
Metadata Update from @cheimes: - Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/4726
In particular, it is so a plugin can provide its own self-service ACIs without providing ACIs via an update file:
```python
"System: Self-Modify FAS user attributes": {
    "replaces_global_anonymous_aci": True,
    "ipapermright": {"write"},
    "ipapermtargetfilter": ["(objectclass=fasuser)"],
    "ipapermbindruletype": "self",
    "ipapermdefaultattr": fas_user_attributes.copy(),
},
```
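Added example, not part of the ticket and not FreeIPA's own code: a simplified sketch of the ACI text that a managed permission with the `self` bind type stands for, plus a review check for self-service write grants. The function names, the `SENSITIVE` list, the base DN and the sample attribute names (standing in for `fas_user_attributes`, whose contents the ticket does not show) are assumptions.

```python
"""Added illustration (not FreeIPA code): render a managed-permission
definition as ACI text and flag risky self-service write grants."""

BIND_RULES = {
    "all": 'userdn = "ldap:///all"',
    "anonymous": 'userdn = "ldap:///anyone"',
    "self": 'userdn = "ldap:///self"',  # bind type requested in this ticket
}
# Assumed review list: attributes an entry should not be able to write on itself.
SENSITIVE = {"uidnumber", "gidnumber", "memberof", "krbprincipalname"}


def render_aci(name, perm, basedn):
    """Return the ACI string for one managed-permission dict."""
    bind_type = perm["ipapermbindruletype"]
    if bind_type == "permission":
        # Access is granted through membership of the permission entry.
        bind = f'groupdn = "ldap:///cn={name},cn=permissions,cn=pbac,{basedn}"'
    elif bind_type in BIND_RULES:
        bind = BIND_RULES[bind_type]
    else:
        raise ValueError(f"unsupported ipapermbindruletype: {bind_type!r}")
    attrs = " || ".join(sorted(perm["ipapermdefaultattr"]))
    flt = perm["ipapermtargetfilter"]
    # Several filters are ANDed into a single targetfilter clause.
    target = flt[0] if len(flt) == 1 else "(&" + "".join(flt) + ")"
    rights = ",".join(sorted(perm["ipapermright"]))
    return (f'(targetattr = "{attrs}")(targetfilter = "{target}")'
            f'(version 3.0;acl "permission:{name}";allow ({rights}) {bind};)')


def risky_self_write(perm):
    """Return the SENSITIVE attributes exposed by a self-bound write permission."""
    if perm["ipapermbindruletype"] != "self" or "write" not in perm["ipapermright"]:
        return set()
    return {a for a in perm["ipapermdefaultattr"] if a.lower() in SENSITIVE}


# Constructed sample: the ticket's permission with placeholder attributes.
SAMPLE_NAME = "System: Self-Modify FAS user attributes"
SAMPLE = {
    "replaces_global_anonymous_aci": True,
    "ipapermright": {"write"},
    "ipapermtargetfilter": ["(objectclass=fasuser)"],
    "ipapermbindruletype": "self",
    "ipapermdefaultattr": {"fastimezone", "faslocale"},
}

if __name__ == "__main__":
    print(render_aci(SAMPLE_NAME, SAMPLE, "dc=example,dc=test"))
    print(risky_self_write(SAMPLE))
```

Running `risky_self_write` over every `self` permission a plugin ships is a cheap review step before the plugin is installed, since a self bind rule applies to every entry that matches the target filter.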
master:
ipa-4-8:
Metadata Update from @abbra: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
Metadata Update from @abbra: - Custom field changelog adjusted to Managed permissions can now address self-service operations. This makes possible for 3rd-party plugins to supply full set of managed permissions. - Issue assigned to cheimes