A number of different permission options are mutually exclusive in an attempt to limit the scope of what types of permissions can be made.
Right now it is not possible to specify one with a subtree (target) and a filter (targetfilter). This is not necessary and I think too limiting.
It isn't possible, for example, to create an aci that lets you modify the user password of users (target) except for members of the admins group (targetfilter).
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=788645
Might be a dup of #2281
Relevant Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=893850
This is blocking some of the useful permissions, like the ones defined in a recent freeipa-users thread. I would like this small but useful fix to happen in the permission refactoring that is being done in the scope of FreeIPA 3.4.
Done as a part (or, side effect) of #4034
Metadata Update from @rcritten: - Issue assigned to pviktori - Issue set to the milestone: FreeIPA 4.0 - 2013/12