From f123b01d81696c52e9a4008d46e549864e4a8069 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Wed, 3 May 2023 10:47:19 +0300
Subject: [PATCH] updates: add ACIs for RBCD self-management

Fixes: https://pagure.io/freeipa/issue/9354

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Julien Rische <jrische@redhat.com>
---
 install/updates/73-service-rbcd.update | 5 +++++
 install/updates/Makefile.am            | 1 +
 2 files changed, 6 insertions(+)
 create mode 100644 install/updates/73-service-rbcd.update

diff --git a/install/updates/73-service-rbcd.update b/install/updates/73-service-rbcd.update
new file mode 100644
index 00000000000..08a8b0f84a7
--- /dev/null
+++ b/install/updates/73-service-rbcd.update
@@ -0,0 +1,5 @@
+dn: $SUFFIX
+add:aci: (targetattr = "memberPrincipal")(targattrfilters="add=objectclass:(objectclass=resourcedelegation)")(version 3.0;acl "permission:RBCD:Kerberos principals can manage resource-based constrained delegation for themselves";allow (write) userdn = "ldap:///self";)
+add:aci: (targetattr = "memberPrincipal")(targattrfilters="add=objectclass:(objectclass=resourcedelegation)")(version 3.0;acl "permission:RBCD:Managing principals can manage resource-based constrained delegation for other principals";allow (write) userattr = "managedby#GROUPDN" or userattr = "managedby#USERDN";)
+add:aci: (targetattr = "memberPrincipal")(targattrfilters="add=objectclass:(objectclass=resourcedelegation)")(version 3.0;acl "permission:RBCD:Delegated permission to manage resource-based constrained delegation for other principals";allow (write) userattr="ipaAllowedToPerform;write_delegation#GROUPDN" or userattr="ipaAllowedToPerform;write_delegation#USERDN" ;)
+
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
index fbc1b76ae4e..fd96831d8fd 100644
--- a/install/updates/Makefile.am
+++ b/install/updates/Makefile.am
@@ -66,6 +66,7 @@ app_DATA =				\
 	73-subid.update		\
 	73-winsync.update		\
 	73-certmap.update		\
+	73-service-rbcd.update		\
 	75-user-trust-attributes.update	\
 	80-schema_compat.update 	\
 	81-externalmembers.update	\