# ipa permission-mod --permissions="add" "remove automount keys" ipa: ERROR: invalid 'target': type, filter, subtree and targetgroup are mutually exclusive
The Web UI also had both the values set for the permission "remove automount keys"
We manually create some permissions that are not allowed by the average user.
The reasoning is that it is very easy to create an ACI that does nothing useful so we constrained the combinations allowed to try to point people in the right direction. It may be necessary to relax that restriction.
The downside of bad permissions is a performance impact and potentially allowing people to do things you do not expect, or want.
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=854335
This is already being fixed in scope of 3.4 ACI refactoring.
Should be fixed in master. I'll test this explicitly after the current ACI work is done, then I'll close the ticket.
I tested and it was fixed in scope of #3566:
# ipa permission-mod --permissions={delete,add} "remove automount keys"------------------------------------------- Modified permission "remove automount keys" ------------------------------------------- Permission name: Remove Automount keys Permissions: add, delete Bind rule type: permission Subtree: dc=example,dc=com ACI target filter: (objectclass=automount) ACI target DN: automountmapname=*,cn=automount,dc=example,dc=com Granted to Privilege: Automount Administrators
Metadata Update from @rpattath: - Issue assigned to pviktori - Issue set to the milestone: FreeIPA 4.0 - 2014/02
Login to comment on this ticket.