https://bugzilla.redhat.com/show_bug.cgi?id=783536 (Red Hat Enterprise Linux 6)
Description of problem: A permission that specifies a filter is disregarded when a user is assigned that permission.

1. Add a permission:
   ipa permission-add "ManageGroup" --filter='(&(!(objectclass=posixgroup))(objectclass=ipausergroup))' --permissions=write
2. Add privilege with just this one permission.
3. Add role with just the above privilege.
4. Add user and assign the role above.
5. Add a group and uncheck "Is this a POSIX group".
6. kinit as this user.
7. Update the group's description, and an error is thrown about having insufficient access.

Expected this user to be able to update the above added group's description, or add other users as members of this group.

Doc says: --filter uses an LDAP filter to identify which entries the permission applies to. All attributes within the matching entries can be modified.

Tried another filter:
   ipa permission-add "ManageGroup" --filter='(givenname=xyz)' --permissions=write
and expected the kinit'd user with this permission to be able to change attributes for user with givenname=xyz, but this user is displayed (in UI) as readonly, and no attributes can be modified.

Version-Release number of selected component (if applicable): ipa-server-2.2.0-101.20120117T0229zgit5febffb.el6.x86_64

How reproducible: always

Steps to Reproduce:
1. as indicated above

Actual results: an error is thrown about having insufficient access

Expected results: Expected this user to be able to update the above added group's description, or add other users as members of this group.

Additional info:
Title in bugzilla was updated to: [ipa webui] permission with filter or subtree does not allow attr to be specified
The ACI is missing the attribute. Attributes aren't currently allowed with filters in the UI but they are on the CLI.
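A check for the condition diagnosed in the comment above (an ACI that carries a filter but no attributes), as an added example that is not part of the ticket or FreeIPA's own code. The two ACI strings are constructed samples using the placeholder suffix dc=example,dc=com, and the check assumes the 389 Directory Server behaviour that an ACI without targetattr targets no attributes.

```python
import re

# Rights that act on attribute values. Assumption (consistent with the
# diagnosis in this ticket): granting one of these without targetattr
# leaves the grantee with no attribute they can actually use it on.
ATTR_RIGHTS = {"read", "write", "search", "compare", "selfwrite"}

TARGET_RE = re.compile(
    r'\(\s*(targetattr|targetfilter|target)\s*(!?=)\s*"([^"]*)"\s*\)', re.I)
BODY_RE = re.compile(
    r'\(\s*version\s+3\.0\s*;\s*acl\s+"([^"]*)"\s*;\s*(allow|deny)\s*\(([^)]*)\)',
    re.I)

def parse_aci(aci):
    """Split an ACI value into its target clauses, name, type and rights."""
    body = BODY_RE.search(aci)
    if body is None:
        raise ValueError("not a version 3.0 ACI: %r" % aci)
    head = aci[:body.start()]  # target clauses precede the version clause
    targets = {kw.lower(): val for kw, _op, val in TARGET_RE.findall(head)}
    rights = {r.strip().lower() for r in body.group(3).split(",") if r.strip()}
    return {"name": body.group(1), "type": body.group(2).lower(),
            "targets": targets, "rights": rights}

def missing_targetattr(aci):
    """True when an allow ACI grants attribute rights but names no attributes."""
    parsed = parse_aci(aci)
    if parsed["type"] != "allow":
        return False
    attrs = parsed["targets"].get("targetattr", "").strip()
    return bool(parsed["rights"] & ATTR_RIGHTS) and not attrs

# Constructed sample ACIs (not copied from a real server).
GROUPDN = "ldap:///cn=ManageGroup,cn=permissions,cn=pbac,dc=example,dc=com"
FILTER = "(&(!(objectclass=posixgroup))(objectclass=ipausergroup))"
TAIL = '(version 3.0;acl "permission:ManageGroup";allow (write) groupdn = "%s";)' % GROUPDN
FILTER_ONLY = '(targetfilter = "%s")' % FILTER + TAIL
WITH_ATTR = '(targetattr = "description || member")(targetfilter = "%s")' % FILTER + TAIL

if __name__ == "__main__":
    for label, aci in (("filter only", FILTER_ONLY), ("filter + attrs", WITH_ATTR)):
        verdict = "grants no attributes" if missing_targetattr(aci) else "ok"
        print("%-15s %s" % (label, verdict))
```

Running the same check over the `aci` values exported from the directory suffix shows which permissions would fail the way this ticket describes.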
In the end #2372 was really a duplicate of this ticket. #2372 is fixed so I'm closing this one too.
Metadata Update from @dpal: - Issue assigned to pvoborni - Issue set to the milestone: FreeIPA 2.2 Core Effort - 2012/03