[Freeipa-devel] [PATCH] 910 add permission: System: Manage User Certificates

Fraser Tweedale ftweedal at redhat.com
Thu Aug 13 03:28:36 UTC 2015


On Wed, Aug 12, 2015 at 02:56:54PM +0200, Petr Vobornik wrote:
> usercertificate attr was moved from "System Modify Users" to this
> new permission.
> 
> https://fedorahosted.org/freeipa/ticket/5177
> 
> Note: hosts have permission "System: Manage Host Certificates", services
> don't have it but usercertificate is in "System: Modify Services". I would
> move it as well if usercertificate was not the only attr in "System: Modify
> Services".
> 
New permission works as expected.

What are the implications of removing userCertificate attribute from
"Modify Users" ACI?  Users could be relying on it given that there
is (until now) no more fine-grained permission.

Perhaps we should

a) use update script to add the new permission to any roles that
   have the Modify Users permission, or
b) not remove the userCertificate attribute from the ACI, or
c) deem this change acceptable and leave the patch as-is, in which
   case: ACK

Cheers,
Fraser



