On Wed, Aug 12, 2015 at 02:56:54PM +0200, Petr Vobornik wrote:
> usercertificate attr was moved from "System Modify Users" to this
> new permission.
> https://fedorahosted.org/freeipa/ticket/5177
> Note: hosts have permission "System: Manage Host Certificates", services
> don't have it but usercertificate is in "System: Modify Services". I would
> move it as well if usercertificate was not the only attr in "System: Modify
> Services".
New permission works as expected.

What are the implications of removing userCertificate attribute from
"Modify Users" ACI?  Users could be relying on it given that there
is (until now) no more fine-grained permission.

Perhaps we should

a) use update script to add the new permission to any roles that
   have the Modify Users permission, or
b) not remove the userCertificate attribute from the ACI, or
c) deem this change acceptable and leave the patch as-is, in which
   case: ACK


Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to