On Wed, Aug 12, 2015 at 02:56:54PM +0200, Petr Vobornik wrote:
> usercertificate attr was moved from "System Modify Users" to this
> new permission.
>
> https://fedorahosted.org/freeipa/ticket/5177
>
> Note: hosts have permission "System: Manage Host Certificates", services
> don't have it but usercertificate is in "System: Modify Services". I would
> move it as well if usercertificate was not the only attr in "System: Modify
> Services".
>

New permission works as expected.
What are the implications of removing userCertificate attribute from
"Modify Users" ACI? Users could be relying on it given that there is
(until now) no more fine-grained permission. Perhaps we should

a) use update script to add the new permission to any roles that
   have the Modify Users permission, or

b) not remove the userCertificate attribute from the ACI, or

c) deem this change acceptable and leave the patch as-is, in which
   case: ACK

Cheers,
Fraser