Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 6): Bug 958133
Description of problem:
The default set of permissions comes with a filter for admins. I can't create a similar group to that one from the UI or API.

Version-Release number of selected component (if applicable):
ipa-server-3.0.0-25.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. Open IPA Server > RBAC > Permissions > Modify Group membership
2. try to change back away from permission
3. you are asked to save changes

Actual results:
Modify Group membership has ACI:
aci: (targetattr = "member")(targetfilter = "(!(cn=admins))")(target = "ldap:///cn=*,cn=groups,cn=accounts

If I try to reproduce such a setup by creating a different permission I get:
ipa: ERROR: invalid 'target': type, filter, subtree and targetgroup are mutually exclusive

I can only do ACI:
aci: (targetattr = "member")(target = "ldap:///cn=deli,cn=groups,cn=accounts

Expected results:
* Ability to create permissions with filters on admins and so on, such as the default permission "Modify Group membership".
* No UI/API issues with default permissions; they should be valid.

Additional info:
These are actually two problems:
1. reproduction steps 1-3 describe #3527
2. unable to modify system ACI because of mutual exclusivity of target types
First is dupe. Second may open a discussion whether to remove the limitation.
Second is dupe as well - see #3028. Closing the ticket.
Metadata Update from @rcritten:
- Issue assigned to someone
- Issue set to the milestone: 0.0 NEEDS_TRIAGE