1#![allow(clippy::expect_used)]
2use crate::constants::uuids::*;
5use crate::entry::EntryInitNew;
6use crate::prelude::*;
7use crate::value::Value;
8use kanidm_proto::internal::Filter as ProtoFilter;
9
lazy_static! {
    /// Matches entries that have been soft-deleted (recycled) or hard-deleted
    /// (tombstoned).
    pub static ref FILTER_RECYCLED_OR_TOMBSTONE: ProtoFilter = ProtoFilter::Or(vec![
        match_class_filter!(EntryClass::Recycled),
        match_class_filter!(EntryClass::Tombstone),
    ]);

    /// Negation of `FILTER_RECYCLED_OR_TOMBSTONE`. AND-ed into most target
    /// scopes in this file so that a grant never extends to deleted entries.
    pub static ref FILTER_ANDNOT_TOMBSTONE_OR_RECYCLED: ProtoFilter =
        ProtoFilter::AndNot(Box::new(FILTER_RECYCLED_OR_TOMBSTONE.clone()));

    /// Matches entries that are members of the high-privilege group
    /// (`UUID_IDM_HIGH_PRIVILEGE`).
    pub static ref FILTER_HP: ProtoFilter = ProtoFilter::Eq(
        Attribute::MemberOf.to_string(),
        UUID_IDM_HIGH_PRIVILEGE.to_string(),
    );

    /// High-privilege, recycled or tombstoned entries.
    pub static ref FILTER_HP_OR_RECYCLED_OR_TOMBSTONE: ProtoFilter = ProtoFilter::Or(vec![
        FILTER_HP.clone(),
        match_class_filter!(EntryClass::Recycled),
        match_class_filter!(EntryClass::Tombstone),
    ]);

    /// Negation of `FILTER_HP_OR_RECYCLED_OR_TOMBSTONE`: used where a delegated
    /// grant must not reach high-privilege entries.
    pub static ref FILTER_ANDNOT_HP_OR_RECYCLED_OR_TOMBSTONE: ProtoFilter =
        ProtoFilter::AndNot(Box::new(FILTER_HP_OR_RECYCLED_OR_TOMBSTONE.clone()));

    /// An empty `And` filter. Not referenced by any definition visible in this
    /// file. NOTE(review): whether an empty `And` matches every entry or no
    /// entry is decided by the filter evaluator, not here — confirm before
    /// using it as a target scope.
    pub static ref DEFAULT_TARGET_SCOPE: ProtoFilter = ProtoFilter::And(Vec::with_capacity(0));

}
40
/// Who a builtin access control profile is granted to.
#[derive(Clone, Debug, Default)]
pub enum BuiltinAcpReceiver {
    /// Placeholder only: converting a `BuiltinAcp` with this receiver into an
    /// entry panics.
    #[default]
    None,
    /// Members of the listed groups, identified by UUID. Mapped onto the
    /// `AccessControlReceiverGroup` class plus one `AcpReceiverGroup` reference
    /// per UUID.
    Group(Vec<Uuid>),
    /// The manager of the target entry itself; mapped onto the
    /// `AccessControlReceiverEntryManager` class. Presumably resolved through
    /// the target's `EntryManagedBy` attribute — confirm in the access-control
    /// engine.
    EntryManager,
}
51
/// Which entries a builtin access control profile applies to.
#[derive(Clone, Debug, Default)]
pub enum BuiltinAcpTarget {
    /// Placeholder only: converting a `BuiltinAcp` with this target into an
    /// entry panics.
    #[default]
    None,
    /// Entries matching the filter; stored as `AcpTargetScope` together with
    /// the `AccessControlTargetScope` class.
    Filter(ProtoFilter),
}
61
/// Declarative description of a builtin access control profile.
///
/// Instances are compiled-in constants (see the `lazy_static!` blocks below)
/// and are turned into database entries through `From<BuiltinAcp> for
/// EntryInitNew`, which validates them and panics on a malformed definition.
#[derive(Clone, Debug, Default)]
pub struct BuiltinAcp {
    // Entry classes of the ACP entry itself (e.g. AccessControlSearch,
    // AccessControlModify); these decide which of the grant lists below are
    // meaningful. Must be non-empty.
    classes: Vec<EntryClass>,
    // Stored as the entry's `Name`. Must be non-empty.
    pub name: &'static str,
    // Fixed UUID; must be below `DYNAMIC_RANGE_MINIMUM_UUID`.
    uuid: Uuid,
    // Stored as the entry's `Description`.
    description: &'static str,
    // Who the grant applies to. Must not be `BuiltinAcpReceiver::None`.
    receiver: BuiltinAcpReceiver,
    // Which entries the grant applies to. Must not be `BuiltinAcpTarget::None`.
    target: BuiltinAcpTarget,
    // Attributes the receiver may read (`AcpSearchAttr`).
    search_attrs: Vec<Attribute>,
    // Attributes the receiver may add/set (`AcpModifyPresentAttr`).
    modify_present_attrs: Vec<Attribute>,
    // Attributes the receiver may remove (`AcpModifyRemovedAttr`).
    modify_removed_attrs: Vec<Attribute>,
    // Class values the receiver may touch on modify (`AcpModifyClass`).
    modify_classes: Vec<EntryClass>,
    // Class values the receiver may add on modify (`AcpModifyPresentClass`).
    modify_present_classes: Vec<EntryClass>,
    // Class values the receiver may remove on modify (`AcpModifyRemoveClass`).
    modify_remove_classes: Vec<EntryClass>,
    // Class values permitted on entries the receiver creates (`AcpCreateClass`).
    create_classes: Vec<EntryClass>,
    // Attributes permitted on entries the receiver creates (`AcpCreateAttr`).
    create_attrs: Vec<Attribute>,
}
80
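impl From<BuiltinAcp> for EntryInitNew {
    /// Materialise a builtin ACP definition as a new database entry.
    ///
    /// Every field of `BuiltinAcp` is mapped onto the corresponding
    /// access-control attribute; the receiver and target variants also add
    /// the class that tells the access-control engine how to interpret them.
    ///
    /// # Panics
    ///
    /// Builtin ACPs are compiled-in constants, so a malformed one is a
    /// programming error rather than a runtime condition. This panics when the
    /// ACP has no name, no classes, no receiver, an empty receiver group list,
    /// no target, or a UUID at or above `DYNAMIC_RANGE_MINIMUM_UUID`.
    #[allow(clippy::panic)]
    fn from(value: BuiltinAcp) -> Self {
        // Validate before touching the entry so a bad definition never
        // produces a partially-built profile.
        if value.name.is_empty() {
            panic!("Builtin ACP has no name! {:?}", value);
        }
        if value.classes.is_empty() {
            panic!("Builtin ACP has no classes! {:?}", value);
        }
        // Builtin UUIDs are fixed and must stay below the dynamic range so
        // they can never collide with UUIDs allocated at runtime.
        if value.uuid >= DYNAMIC_RANGE_MINIMUM_UUID {
            panic!("Builtin ACP has invalid UUID! {:?}", value);
        }

        let mut entry = EntryInitNew::default();

        for class in &value.classes {
            entry.add_ava(Attribute::Class, class.to_value());
        }

        entry.set_ava(Attribute::Name, [Value::new_iname(value.name)]);
        entry.set_ava(Attribute::Uuid, [Value::Uuid(value.uuid)]);
        entry.set_ava(
            Attribute::Description,
            [Value::new_utf8s(value.description)],
        );

        match &value.receiver {
            BuiltinAcpReceiver::None => {
                panic!("Builtin ACP has no receiver! {:?}", &value);
            }
            BuiltinAcpReceiver::Group(list) => {
                // A group receiver with no groups would be a profile that
                // applies to nobody; treat it as a definition error like None.
                if list.is_empty() {
                    panic!("Builtin ACP receiver group list is empty! {:?}", &value);
                }
                entry.add_ava(
                    Attribute::Class,
                    EntryClass::AccessControlReceiverGroup.to_value(),
                );
                // add_ava, not set_ava: set_ava inside the loop replaced the
                // whole attribute on every iteration and silently kept only
                // the last group of a multi-group receiver.
                for group in list {
                    entry.add_ava(Attribute::AcpReceiverGroup, Value::Refer(*group));
                }
            }
            BuiltinAcpReceiver::EntryManager => {
                entry.add_ava(
                    Attribute::Class,
                    EntryClass::AccessControlReceiverEntryManager.to_value(),
                );
            }
        }

        match &value.target {
            BuiltinAcpTarget::None => {
                panic!("Builtin ACP has no target! {:?}", &value);
            }
            BuiltinAcpTarget::Filter(proto_filter) => {
                entry.add_ava(
                    Attribute::Class,
                    EntryClass::AccessControlTargetScope.to_value(),
                );
                entry.set_ava(
                    Attribute::AcpTargetScope,
                    [Value::JsonFilt(proto_filter.clone())],
                );
            }
        }

        entry.set_ava(
            Attribute::AcpSearchAttr,
            value
                .search_attrs
                .into_iter()
                .map(Value::from)
                .collect::<Vec<Value>>(),
        );
        for attr in value.modify_present_attrs {
            entry.add_ava(Attribute::AcpModifyPresentAttr, Value::from(attr));
        }
        for attr in value.modify_removed_attrs {
            entry.add_ava(Attribute::AcpModifyRemovedAttr, Value::from(attr));
        }

        for class in value.modify_classes {
            entry.add_ava(Attribute::AcpModifyClass, Value::from(class));
        }
        for class in value.modify_present_classes {
            entry.add_ava(Attribute::AcpModifyPresentClass, Value::from(class));
        }
        for class in value.modify_remove_classes {
            entry.add_ava(Attribute::AcpModifyRemoveClass, Value::from(class));
        }

        for class in value.create_classes {
            entry.add_ava(Attribute::AcpCreateClass, Value::from(class));
        }
        for attr in value.create_attrs {
            entry.add_ava(Attribute::AcpCreateAttr, Value::from(attr));
        }

        entry
    }
}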
186
lazy_static! {
    /// Lets recycle-bin admins list recycled entries (class, name, uuid and
    /// last-modified CID only).
    ///
    /// The target deliberately omits `FILTER_ANDNOT_TOMBSTONE_OR_RECYCLED`:
    /// recycled entries are exactly what this profile must reach. The class
    /// match is spelled with `ATTR_RECYCLED` rather than the
    /// `match_class_filter!(EntryClass::Recycled)` form used elsewhere in this
    /// file; presumably equivalent, but worth unifying.
    pub static ref IDM_ACP_RECYCLE_BIN_SEARCH_V1: BuiltinAcp = BuiltinAcp {
        uuid: UUID_IDM_ACP_RECYCLE_BIN_SEARCH_V1,
        name: "idm_acp_recycle_bin_search",
        description: "Builtin IDM recycle bin search permission.",
        classes: vec![
            EntryClass::Object,
            EntryClass::AccessControlProfile,
            EntryClass::AccessControlSearch,
        ],
        receiver: BuiltinAcpReceiver::Group(vec![UUID_IDM_RECYCLE_BIN_ADMINS]),
        target: BuiltinAcpTarget::Filter(ProtoFilter::Eq(
            Attribute::Class.to_string(),
            ATTR_RECYCLED.to_string()
        )),

        search_attrs: vec![
            Attribute::Class,
            Attribute::Name,
            Attribute::Uuid,
            Attribute::LastModifiedCid,
        ],
        ..Default::default()
    };
}
212
lazy_static! {
    /// Lets recycle-bin admins revive a recycled entry.
    ///
    /// Revival is expressed purely as removal: the only permitted change is to
    /// remove the `Recycled` class value from the `Class` attribute. No
    /// `search_attrs` are granted here; read access comes from
    /// `IDM_ACP_RECYCLE_BIN_SEARCH_V1`.
    pub static ref IDM_ACP_RECYCLE_BIN_REVIVE_V1: BuiltinAcp = BuiltinAcp {
        uuid: UUID_IDM_ACP_RECYCLE_BIN_REVIVE_V1,
        name: "idm_acp_recycle_bin_revive",
        description: "Builtin IDM recycle bin revive permission.",
        classes: vec![
            EntryClass::Object,
            EntryClass::AccessControlProfile,
            EntryClass::AccessControlModify,
        ],
        receiver: BuiltinAcpReceiver::Group(vec![UUID_IDM_RECYCLE_BIN_ADMINS]),
        target: BuiltinAcpTarget::Filter(ProtoFilter::Eq(
            Attribute::Class.to_string(),
            ATTR_RECYCLED.to_string()
        )),
        modify_removed_attrs: vec![Attribute::Class],
        modify_remove_classes: vec![EntryClass::Recycled],
        ..Default::default()
    };
}
233
lazy_static! {
    /// Lets schema admins read, create and modify live `AttributeType` schema
    /// entries.
    ///
    /// `AttributeName` and `Uuid` are readable and settable at create time but
    /// appear in neither modify list, so they are effectively immutable once
    /// the attribute type exists. The class match uses
    /// `EntryClass::Class.to_string()` where other profiles in this file use
    /// `Attribute::Class.to_string()`; presumably the same string — confirm
    /// and unify.
    pub static ref IDM_ACP_SCHEMA_WRITE_ATTRS_V1: BuiltinAcp = BuiltinAcp {
        classes: vec![
            EntryClass::Object,
            EntryClass::AccessControlProfile,
            EntryClass::AccessControlCreate,
            EntryClass::AccessControlModify,
            EntryClass::AccessControlSearch
        ],
        name: "idm_acp_schema_write_attrs",
        uuid: UUID_IDM_ACP_SCHEMA_WRITE_ATTRS_V1,
        description: "Builtin IDM Control for management of schema attributes.",
        receiver: BuiltinAcpReceiver::Group(vec![UUID_IDM_SCHEMA_ADMINS]),
        target: BuiltinAcpTarget::Filter(ProtoFilter::And(vec![
            ProtoFilter::Eq(EntryClass::Class.to_string(), EntryClass::AttributeType.to_string()),
            FILTER_ANDNOT_TOMBSTONE_OR_RECYCLED.clone()
        ])),
        search_attrs: vec![
            Attribute::Class,
            Attribute::Description,
            Attribute::Index,
            Attribute::Unique,
            Attribute::MultiValue,
            Attribute::AttributeName,
            Attribute::Syntax,
            Attribute::Uuid,
        ],
        modify_removed_attrs: vec![
            Attribute::Description,
            Attribute::Index,
            Attribute::Unique,
            Attribute::MultiValue,
            Attribute::Syntax,
        ],
        modify_present_attrs: vec![
            Attribute::Description,
            Attribute::Index,
            Attribute::Unique,
            Attribute::MultiValue,
            Attribute::Syntax,
        ],
        create_attrs: vec![
            Attribute::Class,
            Attribute::Description,
            Attribute::Index,
            Attribute::Unique,
            Attribute::MultiValue,
            Attribute::AttributeName,
            Attribute::Syntax,
            Attribute::Uuid,
        ],
        create_classes: vec![
            EntryClass::Object,
            EntryClass::AttributeType,
        ],
        ..Default::default()
    };
}
293
lazy_static! {
    /// Lets schema admins read, create and modify live `ClassType` schema
    /// entries.
    ///
    /// NOTE(review): the modify lists are asymmetric — `modify_present_attrs`
    /// contains `Name` and `modify_removed_attrs` contains `Class`, each absent
    /// from the other list, and `ClassName` (settable at create time) is in
    /// neither. `SystemMay`/`SystemMust` are read-only by design. Confirm the
    /// `Name`/`Class` asymmetry is intended.
    pub static ref IDM_ACP_SCHEMA_WRITE_CLASSES_V1: BuiltinAcp = BuiltinAcp {
        classes: vec![
            EntryClass::Object,
            EntryClass::AccessControlProfile,
            EntryClass::AccessControlCreate,
            EntryClass::AccessControlModify,
            EntryClass::AccessControlSearch
        ],
        name: "idm_acp_schema_write_classes",
        uuid: UUID_IDM_ACP_SCHEMA_WRITE_CLASSES_V1,
        description: "Builtin IDM Control for management of schema classes.",
        receiver: BuiltinAcpReceiver::Group(vec![UUID_IDM_SCHEMA_ADMINS]),
        target: BuiltinAcpTarget::Filter(ProtoFilter::And(vec![
            ProtoFilter::Eq(
                EntryClass::Class.to_string(),
                EntryClass::ClassType.to_string()
            ),
            FILTER_ANDNOT_TOMBSTONE_OR_RECYCLED.clone()
        ])),
        search_attrs: vec![
            Attribute::Class,
            Attribute::ClassName,
            Attribute::Description,
            Attribute::SystemMay,
            Attribute::May,
            Attribute::SystemMust,
            Attribute::Must,
            Attribute::Uuid,
        ],
        modify_removed_attrs: vec![
            Attribute::Class,
            Attribute::Description,
            Attribute::May,
            Attribute::Must,
        ],
        modify_present_attrs: vec![
            Attribute::Name,
            Attribute::Description,
            Attribute::May,
            Attribute::Must,
        ],
        create_attrs: vec![
            Attribute::Class,
            Attribute::ClassName,
            Attribute::Description,
            Attribute::May,
            Attribute::Must,
            Attribute::Uuid,
        ],
        create_classes: vec![EntryClass::Object, EntryClass::ClassType,],
        ..Default::default()
    };
}
348
lazy_static! {
    /// Lets access-control admins read, create, modify and delete live access
    /// control profiles.
    ///
    /// Because `AcpReceiverGroup`, `AcpTargetScope` and every grant attribute
    /// are creatable and modifiable here, a member of
    /// `UUID_IDM_ACCESS_CONTROL_ADMINS` can author a profile granting any
    /// access, including to themselves; treat membership of that group as
    /// equivalent to full administrative access.
    ///
    /// NOTE(review): the attribute lists omit `AcpModifyPresentClass` and
    /// `AcpModifyRemoveClass`, which `From<BuiltinAcp>` writes for builtin
    /// profiles — confirm whether ACP admins are meant to see and manage them.
    pub static ref IDM_ACP_ACP_MANAGE_V1: BuiltinAcp = BuiltinAcp {
        classes: vec![
            EntryClass::Object,
            EntryClass::AccessControlProfile,
            EntryClass::AccessControlCreate,
            EntryClass::AccessControlDelete,
            EntryClass::AccessControlModify,
            EntryClass::AccessControlSearch
        ],
        name: "idm_acp_acp_manage",
        uuid: UUID_IDM_ACP_ACP_MANAGE_V1,
        description: "Builtin IDM Control for access profiles management.",
        receiver: BuiltinAcpReceiver::Group(vec![UUID_IDM_ACCESS_CONTROL_ADMINS]),
        target: BuiltinAcpTarget::Filter(ProtoFilter::And(vec![
            ProtoFilter::Eq(
                EntryClass::Class.to_string(),
                EntryClass::AccessControlProfile.to_string()
            ),
            FILTER_ANDNOT_TOMBSTONE_OR_RECYCLED.clone()
        ])),
        search_attrs: vec![
            Attribute::Class,
            Attribute::Name,
            Attribute::Description,
            Attribute::AcpEnable,
            Attribute::AcpReceiverGroup,
            Attribute::AcpTargetScope,
            Attribute::AcpSearchAttr,
            Attribute::AcpModifyRemovedAttr,
            Attribute::AcpModifyPresentAttr,
            Attribute::AcpModifyClass,
            Attribute::AcpCreateClass,
            Attribute::AcpCreateAttr,
        ],
        modify_removed_attrs: vec![
            Attribute::Class,
            Attribute::Name,
            Attribute::Description,
            Attribute::AcpEnable,
            Attribute::AcpReceiverGroup,
            Attribute::AcpTargetScope,
            Attribute::AcpSearchAttr,
            Attribute::AcpModifyRemovedAttr,
            Attribute::AcpModifyPresentAttr,
            Attribute::AcpModifyClass,
            Attribute::AcpCreateClass,
            Attribute::AcpCreateAttr,
        ],
        modify_present_attrs: vec![
            Attribute::Class,
            Attribute::Name,
            Attribute::Description,
            Attribute::AcpEnable,
            Attribute::AcpReceiverGroup,
            Attribute::AcpTargetScope,
            Attribute::AcpSearchAttr,
            Attribute::AcpModifyRemovedAttr,
            Attribute::AcpModifyPresentAttr,
            Attribute::AcpModifyClass,
            Attribute::AcpCreateClass,
            Attribute::AcpCreateAttr,
        ],
        create_attrs: vec![
            Attribute::Class,
            Attribute::Name,
            Attribute::Description,
            Attribute::AcpEnable,
            Attribute::AcpReceiverGroup,
            Attribute::AcpTargetScope,
            Attribute::AcpSearchAttr,
            Attribute::AcpModifyRemovedAttr,
            Attribute::AcpModifyPresentAttr,
            Attribute::AcpModifyClass,
            Attribute::AcpCreateClass,
            Attribute::AcpCreateAttr,
        ],
        modify_classes: vec![
            EntryClass::AccessControlProfile,
            EntryClass::AccessControlSearch,
            EntryClass::AccessControlModify,
            EntryClass::AccessControlCreate,
            EntryClass::AccessControlDelete,
        ],
        create_classes: vec![
            EntryClass::AccessControlProfile,
            EntryClass::AccessControlSearch,
            EntryClass::AccessControlModify,
            EntryClass::AccessControlCreate,
            EntryClass::AccessControlDelete,
        ],
        ..Default::default()
    };
}
443
lazy_static! {
    /// Read-only view of every live group (including membership and
    /// `EntryManagedBy`) for access-control admins.
    ///
    /// High-privilege groups are not excluded from the target, which is
    /// acceptable for a search-only profile; the corresponding write profile
    /// (`IDM_ACP_GROUP_ENTRY_MANAGED_BY_MODIFY_V1`) does exclude them.
    pub static ref IDM_ACP_GROUP_READ_V1: BuiltinAcp = BuiltinAcp {
        classes: vec![
            EntryClass::Object,
            EntryClass::AccessControlProfile,
            EntryClass::AccessControlSearch
        ],
        name: "idm_acp_group_read",
        uuid: UUID_IDM_ACP_GROUP_READ,
        description:
            "Builtin IDM Control for allowing all groups to be read by access control admins",
        receiver: BuiltinAcpReceiver::Group(vec![
            UUID_IDM_ACCESS_CONTROL_ADMINS,
        ]),
        target: BuiltinAcpTarget::Filter(ProtoFilter::And(vec![
            match_class_filter!(EntryClass::Group),
            FILTER_ANDNOT_TOMBSTONE_OR_RECYCLED.clone(),
        ])),
        search_attrs: vec![
            Attribute::Class,
            Attribute::DynMember,
            Attribute::Name,
            Attribute::Uuid,
            Attribute::Spn,
            Attribute::Description,
            Attribute::Member,
            Attribute::EntryManagedBy,
        ],
        ..Default::default()
    };
}
477
lazy_static! {
    /// Lets access-control admins delegate management of a group by setting or
    /// clearing its `EntryManagedBy`.
    ///
    /// The target uses `FILTER_ANDNOT_HP_OR_RECYCLED_OR_TOMBSTONE`, so groups
    /// that are members of `UUID_IDM_HIGH_PRIVILEGE` fall outside the grant:
    /// this profile cannot be used to hand a privileged group to an entry
    /// manager.
    pub static ref IDM_ACP_GROUP_ENTRY_MANAGED_BY_MODIFY_V1: BuiltinAcp = BuiltinAcp {
        classes: vec![
            EntryClass::Object,
            EntryClass::AccessControlProfile,
            EntryClass::AccessControlModify,
            EntryClass::AccessControlSearch
        ],
        name: "idm_acp_group_entry_managed_by_modify",
        uuid: UUID_IDM_ACP_GROUP_ENTRY_MANAGED_BY_MODIFY,
        description: "Builtin IDM Control for allowing entry_managed_by to be set on group entries",
        receiver: BuiltinAcpReceiver::Group(vec![UUID_IDM_ACCESS_CONTROL_ADMINS]),
        target: BuiltinAcpTarget::Filter(ProtoFilter::And(vec![
            match_class_filter!(EntryClass::Group),
            FILTER_ANDNOT_HP_OR_RECYCLED_OR_TOMBSTONE.clone(),
        ])),
        search_attrs: vec![
            Attribute::Class,
            Attribute::Name,
            Attribute::Spn,
            Attribute::Uuid,
            Attribute::EntryManagedBy,
        ],
        modify_removed_attrs: vec![Attribute::EntryManagedBy],
        modify_present_attrs: vec![Attribute::EntryManagedBy],
        ..Default::default()
    };
}
506
lazy_static! {
    /// Domain level 6 form of the account-policy management profile: lets
    /// account-policy admins read and set policy attributes (session expiry,
    /// password minimum length, credential type minimum, privilege expiry,
    /// WebAuthn attestation CA list, search limits) on any live group, and add
    /// or remove the `AccountPolicy` class.
    ///
    /// Shares its uuid and name with `IDM_ACP_GROUP_ACCOUNT_POLICY_MANAGE_DL8`,
    /// which additionally covers `AllowPrimaryCredFallback`; presumably the
    /// later domain-level migration replaces this entry. High-privilege groups
    /// are not excluded from the target.
    pub static ref IDM_ACP_GROUP_ACCOUNT_POLICY_MANAGE_DL6: BuiltinAcp = BuiltinAcp {
        classes: vec![
            EntryClass::Object,
            EntryClass::AccessControlProfile,
            EntryClass::AccessControlModify,
            EntryClass::AccessControlSearch
        ],
        name: "idm_acp_group_account_policy_manage",
        uuid: UUID_IDM_ACP_GROUP_ACCOUNT_POLICY_MANAGE,
        description: "Builtin IDM Control for management of account policy on groups",
        receiver: BuiltinAcpReceiver::Group(vec![UUID_IDM_ACCOUNT_POLICY_ADMINS]),
        target: BuiltinAcpTarget::Filter(ProtoFilter::And(vec![
            match_class_filter!(EntryClass::Group),
            FILTER_ANDNOT_TOMBSTONE_OR_RECYCLED.clone()
        ])),
        search_attrs: vec![
            Attribute::Class,
            Attribute::Name,
            Attribute::Uuid,
            Attribute::AuthSessionExpiry,
            Attribute::AuthPasswordMinimumLength,
            Attribute::CredentialTypeMinimum,
            Attribute::PrivilegeExpiry,
            Attribute::WebauthnAttestationCaList,
            Attribute::LimitSearchMaxResults,
            Attribute::LimitSearchMaxFilterTest,
        ],
        modify_removed_attrs: vec![
            Attribute::Class,
            Attribute::AuthSessionExpiry,
            Attribute::AuthPasswordMinimumLength,
            Attribute::CredentialTypeMinimum,
            Attribute::PrivilegeExpiry,
            Attribute::WebauthnAttestationCaList,
            Attribute::LimitSearchMaxResults,
            Attribute::LimitSearchMaxFilterTest,
        ],
        modify_present_attrs: vec![
            Attribute::Class,
            Attribute::AuthSessionExpiry,
            Attribute::AuthPasswordMinimumLength,
            Attribute::CredentialTypeMinimum,
            Attribute::PrivilegeExpiry,
            Attribute::WebauthnAttestationCaList,
            Attribute::LimitSearchMaxResults,
            Attribute::LimitSearchMaxFilterTest,
        ],
        modify_classes: vec![EntryClass::AccountPolicy,],
        ..Default::default()
    };
}
559
lazy_static! {
    /// Domain level 8 form of the account-policy management profile.
    ///
    /// Identical to `IDM_ACP_GROUP_ACCOUNT_POLICY_MANAGE_DL6` (same uuid and
    /// name) except that `AllowPrimaryCredFallback` is added to the search and
    /// both modify lists. Since that attribute weakens the credential
    /// requirement for the affected accounts, the grant is limited to members
    /// of `UUID_IDM_ACCOUNT_POLICY_ADMINS`.
    pub static ref IDM_ACP_GROUP_ACCOUNT_POLICY_MANAGE_DL8: BuiltinAcp = BuiltinAcp {
        classes: vec![
            EntryClass::Object,
            EntryClass::AccessControlProfile,
            EntryClass::AccessControlModify,
            EntryClass::AccessControlSearch
        ],
        name: "idm_acp_group_account_policy_manage",
        uuid: UUID_IDM_ACP_GROUP_ACCOUNT_POLICY_MANAGE,
        description: "Builtin IDM Control for management of account policy on groups",
        receiver: BuiltinAcpReceiver::Group(vec![UUID_IDM_ACCOUNT_POLICY_ADMINS]),
        target: BuiltinAcpTarget::Filter(ProtoFilter::And(vec![
            match_class_filter!(EntryClass::Group),
            FILTER_ANDNOT_TOMBSTONE_OR_RECYCLED.clone()
        ])),
        search_attrs: vec![
            Attribute::Class,
            Attribute::Name,
            Attribute::Uuid,
            Attribute::AuthSessionExpiry,
            Attribute::AuthPasswordMinimumLength,
            Attribute::CredentialTypeMinimum,
            Attribute::PrivilegeExpiry,
            Attribute::WebauthnAttestationCaList,
            Attribute::LimitSearchMaxResults,
            Attribute::LimitSearchMaxFilterTest,
            Attribute::AllowPrimaryCredFallback,
        ],
        modify_removed_attrs: vec![
            Attribute::Class,
            Attribute::AuthSessionExpiry,
            Attribute::AuthPasswordMinimumLength,
            Attribute::CredentialTypeMinimum,
            Attribute::PrivilegeExpiry,
            Attribute::WebauthnAttestationCaList,
            Attribute::LimitSearchMaxResults,
            Attribute::LimitSearchMaxFilterTest,
            Attribute::AllowPrimaryCredFallback,
        ],
        modify_present_attrs: vec![
            Attribute::Class,
            Attribute::AuthSessionExpiry,
            Attribute::AuthPasswordMinimumLength,
            Attribute::CredentialTypeMinimum,
            Attribute::PrivilegeExpiry,
            Attribute::WebauthnAttestationCaList,
            Attribute::LimitSearchMaxResults,
            Attribute::LimitSearchMaxFilterTest,
            Attribute::AllowPrimaryCredFallback,
        ],
        modify_classes: vec![EntryClass::AccountPolicy,],
        ..Default::default()
    };
}
615
lazy_static! {
    /// Full management of live OAuth2 resource-server (client) entries for
    /// OAuth2 admins.
    ///
    /// Secret-handling asymmetries worth knowing when reviewing this grant:
    /// `OAuth2RsBasicSecret` is readable and removable (reset) but not in the
    /// present/create lists, so admins cannot choose its value;
    /// `OAuth2Session` is readable and removable (revocation) but not settable;
    /// `KeyInternalData` is readable while key material is only changed through
    /// the write-only `KeyActionRevoke`/`KeyActionRotate` attributes.
    /// `OAuth2AllowInsecureClientDisablePkce`, `OAuth2JwtLegacyCryptoEnable`
    /// and `OAuth2AllowLocalhostRedirect` are security-relaxing toggles and
    /// are settable here.
    pub static ref IDM_ACP_OAUTH2_MANAGE: BuiltinAcp = BuiltinAcp {
        classes: vec![
            EntryClass::Object,
            EntryClass::AccessControlProfile,
            EntryClass::AccessControlCreate,
            EntryClass::AccessControlDelete,
            EntryClass::AccessControlModify,
            EntryClass::AccessControlSearch
        ],
        name: "idm_acp_oauth2_manage",
        uuid: UUID_IDM_ACP_OAUTH2_MANAGE_V1,
        description: "Builtin IDM Control for managing OAuth2 resource server integrations.",
        receiver: BuiltinAcpReceiver::Group(vec![UUID_IDM_OAUTH2_ADMINS]),
        target: BuiltinAcpTarget::Filter(ProtoFilter::And(vec![
            match_class_filter!(EntryClass::OAuth2ResourceServer),
            FILTER_ANDNOT_TOMBSTONE_OR_RECYCLED.clone(),
        ])),
        search_attrs: vec![
            Attribute::Class,
            Attribute::Description,
            Attribute::DisplayName,
            Attribute::Name,
            Attribute::Spn,
            Attribute::OAuth2Session,
            Attribute::OAuth2RsOrigin,
            Attribute::OAuth2RsOriginLanding,
            Attribute::OAuth2RsScopeMap,
            Attribute::OAuth2RsSupScopeMap,
            Attribute::OAuth2RsBasicSecret,
            Attribute::OAuth2AllowInsecureClientDisablePkce,
            Attribute::OAuth2JwtLegacyCryptoEnable,
            Attribute::OAuth2PreferShortUsername,
            Attribute::OAuth2AllowLocalhostRedirect,
            Attribute::OAuth2RsClaimMap,
            Attribute::Image,
            Attribute::OAuth2StrictRedirectUri,
            Attribute::OAuth2DeviceFlowEnable,
            Attribute::KeyInternalData,
        ],
        modify_removed_attrs: vec![
            Attribute::Description,
            Attribute::DisplayName,
            Attribute::Name,
            Attribute::OAuth2Session,
            Attribute::OAuth2RsOrigin,
            Attribute::OAuth2RsOriginLanding,
            Attribute::OAuth2RsScopeMap,
            Attribute::OAuth2RsSupScopeMap,
            Attribute::OAuth2RsBasicSecret,
            Attribute::OAuth2AllowInsecureClientDisablePkce,
            Attribute::OAuth2JwtLegacyCryptoEnable,
            Attribute::OAuth2PreferShortUsername,
            Attribute::OAuth2AllowLocalhostRedirect,
            Attribute::OAuth2RsClaimMap,
            Attribute::Image,
            Attribute::OAuth2StrictRedirectUri,
            Attribute::OAuth2DeviceFlowEnable,
            Attribute::KeyActionRevoke,
            Attribute::KeyActionRotate,
        ],
        modify_present_attrs: vec![
            Attribute::Description,
            Attribute::DisplayName,
            Attribute::Name,
            Attribute::OAuth2RsOrigin,
            Attribute::OAuth2RsOriginLanding,
            Attribute::OAuth2RsSupScopeMap,
            Attribute::OAuth2RsScopeMap,
            Attribute::OAuth2AllowInsecureClientDisablePkce,
            Attribute::OAuth2JwtLegacyCryptoEnable,
            Attribute::OAuth2PreferShortUsername,
            Attribute::OAuth2AllowLocalhostRedirect,
            Attribute::OAuth2RsClaimMap,
            Attribute::Image,
            Attribute::OAuth2StrictRedirectUri,
            Attribute::OAuth2DeviceFlowEnable,
            Attribute::KeyActionRevoke,
            Attribute::KeyActionRotate,
        ],
        create_attrs: vec![
            Attribute::Class,
            Attribute::Description,
            Attribute::Name,
            Attribute::DisplayName,
            Attribute::OAuth2RsName,
            Attribute::OAuth2RsOrigin,
            Attribute::OAuth2RsOriginLanding,
            Attribute::OAuth2RsSupScopeMap,
            Attribute::OAuth2RsScopeMap,
            Attribute::OAuth2AllowInsecureClientDisablePkce,
            Attribute::OAuth2JwtLegacyCryptoEnable,
            Attribute::OAuth2PreferShortUsername,
            Attribute::OAuth2AllowLocalhostRedirect,
            Attribute::OAuth2RsClaimMap,
            Attribute::Image,
            Attribute::OAuth2StrictRedirectUri,
            Attribute::OAuth2DeviceFlowEnable,
        ],
        create_classes: vec![
            EntryClass::Object,
            EntryClass::Account,
            EntryClass::OAuth2ResourceServer,
            EntryClass::OAuth2ResourceServerBasic,
            EntryClass::OAuth2ResourceServerPublic,
        ],
        ..Default::default()
    };
}
725
lazy_static! {
    /// Domain level 9 form of the domain-info administration profile.
    ///
    /// The target is the single domain info entry (`STR_UUID_DOMAIN_INFO`).
    /// `DomainName`, `DomainUuid` and `Version` are readable but appear in no
    /// modify list, so they stay immutable through this grant.
    /// `KeyInternalData` is readable; key material is changed only through the
    /// write-only `KeyActionRevoke`/`KeyActionRotate` attributes.
    /// `LdapAllowUnixPwBind` relaxes LDAP bind behaviour and is settable here,
    /// so the receiver group `UUID_DOMAIN_ADMINS` should stay small.
    pub static ref IDM_ACP_DOMAIN_ADMIN_DL9: BuiltinAcp = BuiltinAcp {
        classes: vec![
            EntryClass::Object,
            EntryClass::AccessControlProfile,
            EntryClass::AccessControlModify,
            EntryClass::AccessControlSearch
        ],
        name: "idm_acp_domain_admin",
        uuid: UUID_IDM_ACP_DOMAIN_ADMIN_V1,
        description: "Builtin IDM Control for granting domain info administration locally",
        receiver: BuiltinAcpReceiver::Group(vec![UUID_DOMAIN_ADMINS]),
        target: BuiltinAcpTarget::Filter(ProtoFilter::And(vec![
            ProtoFilter::Eq(
                Attribute::Uuid.to_string(),
                STR_UUID_DOMAIN_INFO.to_string()
            ),
            FILTER_ANDNOT_TOMBSTONE_OR_RECYCLED.clone()
        ])),
        search_attrs: vec![
            Attribute::Class,
            Attribute::Name,
            Attribute::Uuid,
            Attribute::DomainAllowEasterEggs,
            Attribute::DomainDisplayName,
            Attribute::DomainName,
            Attribute::DomainLdapBasedn,
            Attribute::LdapMaxQueryableAttrs,
            Attribute::DomainSsid,
            Attribute::DomainUuid,
            Attribute::KeyInternalData,
            Attribute::LdapAllowUnixPwBind,
            Attribute::Version,
            Attribute::Image,
        ],
        modify_removed_attrs: vec![
            Attribute::DomainDisplayName,
            Attribute::DomainSsid,
            Attribute::DomainLdapBasedn,
            Attribute::LdapMaxQueryableAttrs,
            Attribute::DomainAllowEasterEggs,
            Attribute::LdapAllowUnixPwBind,
            Attribute::KeyActionRevoke,
            Attribute::KeyActionRotate,
            Attribute::Image,
        ],
        modify_present_attrs: vec![
            Attribute::DomainDisplayName,
            Attribute::DomainLdapBasedn,
            Attribute::LdapMaxQueryableAttrs,
            Attribute::DomainSsid,
            Attribute::DomainAllowEasterEggs,
            Attribute::LdapAllowUnixPwBind,
            Attribute::KeyActionRevoke,
            Attribute::KeyActionRotate,
            Attribute::Image,
        ],
        ..Default::default()
    };
}
786
lazy_static! {
    /// Full management of live `SyncAccount` entries (external-IDM
    /// synchronisation connections) for domain admins.
    ///
    /// `JwsEs256PrivateKey` is in the search list, so domain admins can read
    /// the sync account's signing private key; it is removable but not
    /// settable or creatable through this grant. `SyncCookie` likewise is
    /// readable and removable (resetting the sync position) but never set
    /// directly. NOTE(review): confirm the private-key value type redacts the
    /// key on read, or that exposing it to this group is intended.
    pub static ref IDM_ACP_SYNC_ACCOUNT_MANAGE_V1: BuiltinAcp = BuiltinAcp {
        classes: vec![
            EntryClass::Object,
            EntryClass::AccessControlProfile,
            EntryClass::AccessControlCreate,
            EntryClass::AccessControlDelete,
            EntryClass::AccessControlModify,
            EntryClass::AccessControlSearch,
        ],
        name: "idm_acp_sync_account_manage",
        uuid: UUID_IDM_ACP_SYNC_ACCOUNT_MANAGE_V1,
        description: "Builtin IDM Control for managing IDM synchronisation accounts / connections",
        receiver: BuiltinAcpReceiver::Group(vec![UUID_DOMAIN_ADMINS]),
        target: BuiltinAcpTarget::Filter(ProtoFilter::And(vec![
            ProtoFilter::Eq(
                Attribute::Class.to_string(),
                EntryClass::SyncAccount.to_string()
            ),
            FILTER_ANDNOT_TOMBSTONE_OR_RECYCLED.clone(),
        ])),
        search_attrs: vec![
            Attribute::Class,
            Attribute::Uuid,
            Attribute::Name,
            Attribute::Description,
            Attribute::JwsEs256PrivateKey,
            Attribute::SyncTokenSession,
            Attribute::SyncCredentialPortal,
            Attribute::SyncYieldAuthority,
            Attribute::SyncCookie,
        ],
        modify_removed_attrs: vec![
            Attribute::Name,
            Attribute::Description,
            Attribute::JwsEs256PrivateKey,
            Attribute::SyncTokenSession,
            Attribute::SyncCredentialPortal,
            Attribute::SyncCookie,
            Attribute::SyncYieldAuthority,
        ],
        modify_present_attrs: vec![
            Attribute::Name,
            Attribute::Description,
            Attribute::SyncTokenSession,
            Attribute::SyncCredentialPortal,
            Attribute::SyncYieldAuthority,
        ],
        create_attrs: vec![Attribute::Class, Attribute::Name, Attribute::Description,],
        create_classes: vec![EntryClass::Object, EntryClass::SyncAccount,],
        ..Default::default()
    };
}
840
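lazy_static! {
    /// Lets the manager of a group (the `EntryManager` receiver) read it and
    /// edit its `Description` and `Member` list.
    ///
    /// Only `FILTER_ANDNOT_TOMBSTONE_OR_RECYCLED` is applied to the target, so
    /// high-privilege groups are not excluded here, unlike
    /// `IDM_ACP_GROUP_ENTRY_MANAGED_BY_MODIFY_V1` which prevents access-control
    /// admins from assigning an entry manager to such groups. NOTE(review):
    /// this profile therefore relies on `EntryManagedBy` never being set on a
    /// high-privilege group by any other path — confirm.
    pub static ref IDM_ACP_GROUP_ENTRY_MANAGER_V1: BuiltinAcp = BuiltinAcp {
        classes: vec![
            EntryClass::Object,
            EntryClass::AccessControlProfile,
            EntryClass::AccessControlModify,
            EntryClass::AccessControlSearch
        ],
        name: "idm_acp_group_entry_manager",
        uuid: UUID_IDM_ACP_GROUP_ENTRY_MANAGER_V1,
        description: "Builtin IDM Control for allowing EntryManager to read and modify groups",
        receiver: BuiltinAcpReceiver::EntryManager,
        target: BuiltinAcpTarget::Filter(ProtoFilter::And(vec![
            match_class_filter!(EntryClass::Group),
            FILTER_ANDNOT_TOMBSTONE_OR_RECYCLED.clone()
        ])),
        // `Uuid` was listed twice; the duplicate has been dropped.
        search_attrs: vec![
            Attribute::Class,
            Attribute::Name,
            Attribute::Uuid,
            Attribute::Spn,
            Attribute::Description,
            Attribute::Member,
            Attribute::DynMember,
            Attribute::EntryManagedBy,
        ],
        modify_present_attrs: vec![
            Attribute::Description,
            Attribute::Member,
        ],
        modify_removed_attrs: vec![
            Attribute::Description,
            Attribute::Member,
        ],
        ..Default::default()
    };
}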
880
lazy_static! {
    /// Read access for RADIUS servers.
    ///
    /// The target is `Pres(class)` minus recycled/tombstoned entries, i.e.
    /// every live entry in the database, and the grant includes
    /// `RadiusSecret`. Membership of `UUID_IDM_RADIUS_SERVERS` should therefore
    /// be limited to the RADIUS integration accounts themselves.
    pub static ref IDM_ACP_RADIUS_SERVERS_V1: BuiltinAcp = BuiltinAcp {
        classes: vec![
            EntryClass::Object,
            EntryClass::AccessControlProfile,
            EntryClass::AccessControlSearch,
        ],
        name: "idm_acp_radius_servers",
        uuid: UUID_IDM_ACP_RADIUS_SERVERS_V1,
        description:
            "Builtin IDM Control for RADIUS servers to read credentials and other needed details.",
        receiver: BuiltinAcpReceiver::Group(vec![UUID_IDM_RADIUS_SERVERS]),
        target: BuiltinAcpTarget::Filter(ProtoFilter::And(vec![
            ProtoFilter::Pres(EntryClass::Class.to_string()),
            FILTER_ANDNOT_TOMBSTONE_OR_RECYCLED.clone()
        ])),
        search_attrs: vec![
            Attribute::Class,
            Attribute::Name,
            Attribute::Spn,
            Attribute::Uuid,
            Attribute::RadiusSecret,
        ],
        ..Default::default()
    };
}
907
lazy_static! {
    /// Lets RADIUS admins read, set and remove `RadiusSecret` on any live
    /// account.
    ///
    /// High-privilege accounts are not excluded from the target (only
    /// `FILTER_ANDNOT_TOMBSTONE_OR_RECYCLED` is applied), so this grant also
    /// covers privileged accounts' RADIUS secrets.
    pub static ref IDM_ACP_RADIUS_SECRET_MANAGE_V1: BuiltinAcp = BuiltinAcp {
        classes: vec![
            EntryClass::Object,
            EntryClass::AccessControlProfile,
            EntryClass::AccessControlModify,
            EntryClass::AccessControlSearch,
        ],
        name: "idm_acp_radius_secret_manage",
        uuid: UUID_IDM_ACP_RADIUS_SECRET_MANAGE_V1,
        description: "Builtin IDM Control allowing reads and writes to user radius secrets.",
        receiver: BuiltinAcpReceiver::Group(vec![UUID_IDM_RADIUS_ADMINS]),
        target: BuiltinAcpTarget::Filter(ProtoFilter::And(vec![
            match_class_filter!(EntryClass::Account),
            FILTER_ANDNOT_TOMBSTONE_OR_RECYCLED.clone()
        ])),
        search_attrs: vec![Attribute::RadiusSecret],
        modify_present_attrs: vec![Attribute::RadiusSecret],
        modify_removed_attrs: vec![Attribute::RadiusSecret],
        ..Default::default()
    };
}
930
lazy_static! {
    /// Read-only directory view for mail servers: identity, mail addresses,
    /// membership and GID of every live account or group. No credential or
    /// secret attributes are included.
    pub static ref IDM_ACP_MAIL_SERVERS_DL8: BuiltinAcp = BuiltinAcp {
        classes: vec![
            EntryClass::Object,
            EntryClass::AccessControlProfile,
            EntryClass::AccessControlSearch,
        ],
        name: "idm_acp_mail_servers",
        uuid: UUID_IDM_ACP_MAIL_SERVERS,
        description:
            "Builtin IDM Control for MAIL servers to read email addresses and other needed attributes.",
        receiver: BuiltinAcpReceiver::Group(vec![UUID_IDM_MAIL_SERVERS]),
        target: BuiltinAcpTarget::Filter(ProtoFilter::And(vec![
            ProtoFilter::Or(vec![
                match_class_filter!(EntryClass::Account),
                match_class_filter!(EntryClass::Group),
            ]),
            FILTER_ANDNOT_TOMBSTONE_OR_RECYCLED.clone()
        ])),
        search_attrs: vec![
            Attribute::Class,
            Attribute::Name,
            Attribute::Spn,
            Attribute::Uuid,
            Attribute::DisplayName,
            Attribute::Mail,
            Attribute::Member,
            Attribute::DynMember,
            Attribute::MemberOf,
            Attribute::GidNumber,
        ],
        ..Default::default()
    };
}
965
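lazy_static! {
    /// Opt-in self-service: members of `UUID_IDM_PEOPLE_SELF_MAIL_WRITE` may
    /// set or remove `Mail` on their own entry, provided that entry is both a
    /// `Person` and an `Account`.
    ///
    /// The target is bound to `SelfUuid`, so the receiver can never write
    /// another entry's mail regardless of group membership.
    pub static ref IDM_ACP_PEOPLE_SELF_WRITE_MAIL_V1: BuiltinAcp = BuiltinAcp {
        classes: vec![
            EntryClass::Object,
            EntryClass::AccessControlProfile,
            EntryClass::AccessControlModify,
        ],
        name: "idm_acp_people_self_write_mail",
        uuid: UUID_IDM_ACP_PEOPLE_SELF_WRITE_MAIL,
        description: "Builtin IDM Control for self write of mail for people accounts.",
        receiver: BuiltinAcpReceiver::Group(vec![UUID_IDM_PEOPLE_SELF_MAIL_WRITE]),
        // match_class_filter! yields an owned ProtoFilter; the `.clone()` calls
        // previously chained onto these temporaries were redundant.
        target: BuiltinAcpTarget::Filter(ProtoFilter::And(vec![
            match_class_filter!(EntryClass::Person),
            match_class_filter!(EntryClass::Account),
            ProtoFilter::SelfUuid,
        ])),
        modify_removed_attrs: vec![Attribute::Mail],
        modify_present_attrs: vec![Attribute::Mail],
        ..Default::default()
    };
}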
987
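lazy_static! {
    /// Self read for every account: what `whoami` and the self-service UI
    /// rely on. The target is `SelfUuid`, so each receiver sees only its own
    /// entry.
    ///
    /// NOTE(review): the grant includes credential-bearing attributes
    /// (`PrimaryCredential`, `RadiusSecret`, `UserAuthTokenSession`,
    /// `PassKeys`, `AttestedPasskeys`); the value types are expected to expose
    /// only non-secret summaries on read — confirm in the value serialisation.
    pub static ref IDM_ACP_SELF_READ_V1: BuiltinAcp = BuiltinAcp {
        name: "idm_acp_self_read",
        uuid: UUID_IDM_ACP_SELF_READ,
        description:
            "Builtin IDM Control for self read - required for whoami and many other functions",
        classes: vec![
            EntryClass::Object,
            EntryClass::AccessControlProfile,
            EntryClass::AccessControlSearch,
        ],
        receiver: BuiltinAcpReceiver::Group(vec![UUID_IDM_ALL_ACCOUNTS]),
        target: BuiltinAcpTarget::Filter(ProtoFilter::SelfUuid),
        // `Class` was listed twice; the duplicate has been dropped.
        search_attrs: vec![
            Attribute::Class,
            Attribute::Name,
            Attribute::Spn,
            Attribute::DisplayName,
            Attribute::LegalName,
            Attribute::MemberOf,
            Attribute::Mail,
            Attribute::RadiusSecret,
            Attribute::GidNumber,
            Attribute::LoginShell,
            Attribute::Uuid,
            Attribute::SyncParentUuid,
            Attribute::AccountExpire,
            Attribute::AccountValidFrom,
            Attribute::PrimaryCredential,
            Attribute::UserAuthTokenSession,
            Attribute::PassKeys,
            Attribute::AttestedPasskeys,
        ],
        ..Default::default()
    };
}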
1025
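lazy_static! {
    /// Domain level 8 form of self read. Same uuid and name as
    /// `IDM_ACP_SELF_READ_V1`; adds `ApplicationPassword`, `SshPublicKey` and
    /// `UnixPassword` to the readable set.
    ///
    /// NOTE(review): as with the V1 profile, several credential-bearing
    /// attributes are readable by the entry owner; the value types are
    /// expected to expose only non-secret summaries — confirm in the value
    /// serialisation.
    pub static ref IDM_ACP_SELF_READ_DL8: BuiltinAcp = BuiltinAcp {
        name: "idm_acp_self_read",
        uuid: UUID_IDM_ACP_SELF_READ,
        description:
            "Builtin IDM Control for self read - required for whoami and many other functions",
        classes: vec![
            EntryClass::Object,
            EntryClass::AccessControlProfile,
            EntryClass::AccessControlSearch,
        ],
        receiver: BuiltinAcpReceiver::Group(vec![UUID_IDM_ALL_ACCOUNTS]),
        target: BuiltinAcpTarget::Filter(ProtoFilter::SelfUuid),
        // `Class` was listed twice; the duplicate has been dropped.
        search_attrs: vec![
            Attribute::Class,
            Attribute::Name,
            Attribute::Spn,
            Attribute::DisplayName,
            Attribute::LegalName,
            Attribute::MemberOf,
            Attribute::Mail,
            Attribute::RadiusSecret,
            Attribute::GidNumber,
            Attribute::LoginShell,
            Attribute::Uuid,
            Attribute::SyncParentUuid,
            Attribute::AccountExpire,
            Attribute::AccountValidFrom,
            Attribute::PrimaryCredential,
            Attribute::UserAuthTokenSession,
            Attribute::PassKeys,
            Attribute::AttestedPasskeys,
            Attribute::ApplicationPassword,
            Attribute::SshPublicKey,
            Attribute::UnixPassword,
        ],
        ..Default::default()
    };
}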
1066
lazy_static! {
    /// `idm_acp_self_write` (V1): members of `UUID_IDM_ALL_PERSONS` may modify their own
    /// entry (`ProtoFilter::SelfUuid`).
    ///
    /// Identity (`DisplayName`, `LegalName`) and credential attributes may be both set and
    /// removed; `UserAuthTokenSession` appears only in the removable set, so a person can
    /// revoke their own sessions but not mint them through this control.
    pub static ref IDM_ACP_SELF_WRITE_V1: BuiltinAcp = BuiltinAcp {
        name: "idm_acp_self_write",
        uuid: UUID_IDM_ACP_SELF_WRITE_V1,
        description: "Builtin IDM Control for self write - required for people to update their own identities and credentials in line with best practices.",
        classes: vec![
            EntryClass::Object,
            EntryClass::AccessControlProfile,
            EntryClass::AccessControlModify,
        ],
        receiver: BuiltinAcpReceiver::Group(vec![UUID_IDM_ALL_PERSONS]),
        target: BuiltinAcpTarget::Filter(ProtoFilter::SelfUuid),
        modify_present_attrs: vec![
            Attribute::DisplayName,
            Attribute::LegalName,
            Attribute::RadiusSecret,
            Attribute::PrimaryCredential,
            Attribute::SshPublicKey,
            Attribute::UnixPassword,
            Attribute::PassKeys,
            Attribute::AttestedPasskeys,
            Attribute::ApplicationPassword,
        ],
        modify_removed_attrs: vec![
            Attribute::DisplayName,
            Attribute::LegalName,
            Attribute::RadiusSecret,
            Attribute::PrimaryCredential,
            Attribute::SshPublicKey,
            Attribute::UnixPassword,
            Attribute::PassKeys,
            Attribute::AttestedPasskeys,
            Attribute::UserAuthTokenSession,
            Attribute::ApplicationPassword,
        ],
        ..Default::default()
    };
}
1105
lazy_static! {
    /// `idm_acp_self_write` (DL7 revision, same `UUID_IDM_ACP_SELF_WRITE_V1` as V1):
    /// members of `UUID_IDM_ALL_PERSONS` may modify credential attributes on their own
    /// entry. Compared with V1, `DisplayName`, `LegalName` and `ApplicationPassword` are
    /// no longer in either set; `UserAuthTokenSession` remains removable only.
    pub static ref IDM_ACP_SELF_WRITE_DL7: BuiltinAcp = BuiltinAcp {
        name: "idm_acp_self_write",
        uuid: UUID_IDM_ACP_SELF_WRITE_V1,
        description: "Builtin IDM Control for self write - required for people to update their own credentials in line with best practices.",
        classes: vec![
            EntryClass::Object,
            EntryClass::AccessControlProfile,
            EntryClass::AccessControlModify,
        ],
        receiver: BuiltinAcpReceiver::Group(vec![UUID_IDM_ALL_PERSONS]),
        target: BuiltinAcpTarget::Filter(ProtoFilter::SelfUuid),
        modify_present_attrs: vec![
            Attribute::RadiusSecret,
            Attribute::PrimaryCredential,
            Attribute::SshPublicKey,
            Attribute::UnixPassword,
            Attribute::PassKeys,
            Attribute::AttestedPasskeys,
        ],
        modify_removed_attrs: vec![
            Attribute::RadiusSecret,
            Attribute::PrimaryCredential,
            Attribute::SshPublicKey,
            Attribute::UnixPassword,
            Attribute::PassKeys,
            Attribute::AttestedPasskeys,
            Attribute::UserAuthTokenSession,
        ],
        ..Default::default()
    };
}
1138
lazy_static! {
    /// `idm_acp_self_write` (DL8 revision, same `UUID_IDM_ACP_SELF_WRITE_V1`): identical
    /// to the DL7 revision except that `ApplicationPassword` is added to both the
    /// settable and the removable set. `UserAuthTokenSession` stays removable only.
    pub static ref IDM_ACP_SELF_WRITE_DL8: BuiltinAcp = BuiltinAcp {
        name: "idm_acp_self_write",
        uuid: UUID_IDM_ACP_SELF_WRITE_V1,
        description: "Builtin IDM Control for self write - required for people to update their own credentials in line with best practices.",
        classes: vec![
            EntryClass::Object,
            EntryClass::AccessControlProfile,
            EntryClass::AccessControlModify,
        ],
        receiver: BuiltinAcpReceiver::Group(vec![UUID_IDM_ALL_PERSONS]),
        target: BuiltinAcpTarget::Filter(ProtoFilter::SelfUuid),
        modify_present_attrs: vec![
            Attribute::RadiusSecret,
            Attribute::PrimaryCredential,
            Attribute::SshPublicKey,
            Attribute::UnixPassword,
            Attribute::PassKeys,
            Attribute::AttestedPasskeys,
            Attribute::ApplicationPassword,
        ],
        modify_removed_attrs: vec![
            Attribute::RadiusSecret,
            Attribute::PrimaryCredential,
            Attribute::SshPublicKey,
            Attribute::UnixPassword,
            Attribute::PassKeys,
            Attribute::AttestedPasskeys,
            Attribute::UserAuthTokenSession,
            Attribute::ApplicationPassword,
        ],
        ..Default::default()
    };
}
1173
lazy_static! {
    /// `idm_acp_self_name_write` (V1): members of `UUID_IDM_ALL_PERSONS` may set or
    /// remove `Name` on their own entry (`ProtoFilter::SelfUuid`). No class or
    /// tombstone/recycled filter is applied to the target here.
    pub static ref IDM_ACP_SELF_NAME_WRITE_V1: BuiltinAcp = BuiltinAcp {
        name: "idm_acp_self_name_write",
        uuid: UUID_IDM_ACP_SELF_NAME_WRITE_V1,
        description: "Builtin IDM Control for self write of name - required for people to update their own identities in line with best practices.",
        classes: vec![
            EntryClass::Object,
            EntryClass::AccessControlProfile,
            EntryClass::AccessControlModify,
        ],
        receiver: BuiltinAcpReceiver::Group(vec![UUID_IDM_ALL_PERSONS]),
        target: BuiltinAcpTarget::Filter(ProtoFilter::SelfUuid),
        modify_present_attrs: vec![Attribute::Name],
        modify_removed_attrs: vec![Attribute::Name],
        ..Default::default()
    };
}
1195
lazy_static! {
    /// `idm_acp_self_name_write` (DL7 revision, same `UUID_IDM_ACP_SELF_NAME_WRITE_V1`):
    /// the receiver narrows from all persons to `UUID_IDM_PEOPLE_SELF_NAME_WRITE`, the
    /// target additionally requires the `Person` class and excludes tombstoned/recycled
    /// entries, and `DisplayName`/`LegalName` join `Name` in both modify sets.
    pub static ref IDM_ACP_SELF_NAME_WRITE_DL7: BuiltinAcp = {
        // Self-match, restricted to live person entries.
        let target = ProtoFilter::And(vec![
            ProtoFilter::SelfUuid,
            match_class_filter!(EntryClass::Person),
            FILTER_ANDNOT_TOMBSTONE_OR_RECYCLED.clone(),
        ]);
        BuiltinAcp {
            name: "idm_acp_self_name_write",
            uuid: UUID_IDM_ACP_SELF_NAME_WRITE_V1,
            description: "Builtin IDM Control for self write of name - required for people to update their own identities in line with best practices.",
            classes: vec![
                EntryClass::Object,
                EntryClass::AccessControlProfile,
                EntryClass::AccessControlModify,
            ],
            receiver: BuiltinAcpReceiver::Group(vec![UUID_IDM_PEOPLE_SELF_NAME_WRITE]),
            target: BuiltinAcpTarget::Filter(target),
            modify_present_attrs: vec![
                Attribute::Name,
                Attribute::DisplayName,
                Attribute::LegalName,
            ],
            modify_removed_attrs: vec![
                Attribute::Name,
                Attribute::DisplayName,
                Attribute::LegalName,
            ],
            ..Default::default()
        }
    };
}
1225
lazy_static! {
    /// `idm_acp_account_self_write` (V1): every member of `UUID_IDM_ALL_ACCOUNTS` may
    /// remove `UserAuthTokenSession` values from its own entry, i.e. revoke its own
    /// sessions. Nothing is settable through this control.
    pub static ref IDM_ACP_ACCOUNT_SELF_WRITE_V1: BuiltinAcp = BuiltinAcp {
        name: "idm_acp_account_self_write",
        uuid: UUID_IDM_ACP_ACCOUNT_SELF_WRITE_V1,
        description: "Builtin IDM Control for self write - required for accounts to update their own session state.",
        classes: vec![
            EntryClass::Object,
            EntryClass::AccessControlProfile,
            EntryClass::AccessControlModify,
        ],
        receiver: BuiltinAcpReceiver::Group(vec![UUID_IDM_ALL_ACCOUNTS]),
        target: BuiltinAcpTarget::Filter(ProtoFilter::SelfUuid),
        modify_removed_attrs: vec![Attribute::UserAuthTokenSession],
        ..Default::default()
    };
}
1244
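lazy_static! {
    /// `idm_acp_all_accounts_posix_read` (V1): every member of `UUID_IDM_ALL_ACCOUNTS`
    /// may search live `Account` and `Group` entries for the minimal set of attributes
    /// a POSIX resolver needs (names, membership, `GidNumber`, `LoginShell`,
    /// `SshPublicKey`). No secret-bearing attribute is in this set.
    pub static ref IDM_ACP_ALL_ACCOUNTS_POSIX_READ_V1: BuiltinAcp = BuiltinAcp {
        name: "idm_acp_all_accounts_posix_read",
        uuid: UUID_IDM_ACP_ALL_ACCOUNTS_POSIX_READ_V1,
        description:
            "Builtin IDM Control for reading minimal posix attrs - applies anonymous and all authenticated accounts.",
        classes: vec![
            EntryClass::Object,
            EntryClass::AccessControlProfile,
            EntryClass::AccessControlSearch,
        ],
        receiver: BuiltinAcpReceiver::Group(vec![UUID_IDM_ALL_ACCOUNTS]),
        target: BuiltinAcpTarget::Filter(ProtoFilter::And(vec![
            ProtoFilter::Or(vec![
                match_class_filter!(EntryClass::Account),
                match_class_filter!(EntryClass::Group),
            ]),
            FILTER_ANDNOT_TOMBSTONE_OR_RECYCLED.clone(),
        ])),
        // `Attribute::Class` was listed twice in the original; a single entry grants it.
        search_attrs: vec![
            Attribute::Class,
            Attribute::Name,
            Attribute::Spn,
            Attribute::DisplayName,
            Attribute::MemberOf,
            Attribute::Member,
            Attribute::DynMember,
            Attribute::Uuid,
            Attribute::GidNumber,
            Attribute::LoginShell,
            Attribute::SshPublicKey,
        ],
        ..Default::default()
    };
}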
1283
lazy_static! {
    /// `idm_acp_account_mail_read` (DL6 revision, `UUID_IDM_ACP_ACCOUNT_MAIL_READ_V1`):
    /// members of `UUID_IDM_ACCOUNT_MAIL_READ` may search live `Account` and `Group`
    /// entries for the single attribute `Mail`.
    pub static ref IDM_ACP_ACCOUNT_MAIL_READ_DL6: BuiltinAcp = {
        let target = ProtoFilter::And(vec![
            ProtoFilter::Or(vec![
                match_class_filter!(EntryClass::Account),
                match_class_filter!(EntryClass::Group),
            ]),
            FILTER_ANDNOT_TOMBSTONE_OR_RECYCLED.clone(),
        ]);
        BuiltinAcp {
            name: "idm_acp_account_mail_read",
            uuid: UUID_IDM_ACP_ACCOUNT_MAIL_READ_V1,
            description: "Builtin IDM Control for reading account and group mail attributes.",
            classes: vec![
                EntryClass::Object,
                EntryClass::AccessControlProfile,
                EntryClass::AccessControlSearch,
            ],
            receiver: BuiltinAcpReceiver::Group(vec![UUID_IDM_ACCOUNT_MAIL_READ]),
            target: BuiltinAcpTarget::Filter(target),
            search_attrs: vec![Attribute::Mail],
            ..Default::default()
        }
    };
}
1306
lazy_static! {
    /// `idm_acp_system_config_account_policy_manage` (V1): members of
    /// `UUID_IDM_ACCOUNT_POLICY_ADMINS` may read and modify the account-policy
    /// attributes (`BadlistPassword`, `DeniedName`, `AuthSessionExpiry`,
    /// `PrivilegeExpiry`) of the single entry whose uuid is `STR_UUID_SYSTEM_CONFIG`.
    /// The target is pinned by uuid rather than by class.
    pub static ref IDM_ACP_SYSTEM_CONFIG_ACCOUNT_POLICY_MANAGE_V1: BuiltinAcp = {
        let policy_attrs = [
            Attribute::BadlistPassword,
            Attribute::DeniedName,
            Attribute::AuthSessionExpiry,
            Attribute::PrivilegeExpiry,
        ];
        let target = ProtoFilter::And(vec![
            ProtoFilter::Eq(
                Attribute::Uuid.to_string(),
                STR_UUID_SYSTEM_CONFIG.to_string(),
            ),
            FILTER_ANDNOT_TOMBSTONE_OR_RECYCLED.clone(),
        ]);
        BuiltinAcp {
            name: "idm_acp_system_config_account_policy_manage",
            uuid: UUID_IDM_ACP_SYSTEM_CONFIG_ACCOUNT_POLICY_MANAGE_V1,
            description: "Builtin IDM Control for granting system configuration of account policy",
            classes: vec![
                EntryClass::Object,
                EntryClass::AccessControlProfile,
                EntryClass::AccessControlModify,
                EntryClass::AccessControlSearch,
            ],
            receiver: BuiltinAcpReceiver::Group(vec![UUID_IDM_ACCOUNT_POLICY_ADMINS]),
            target: BuiltinAcpTarget::Filter(target),
            search_attrs: [
                Attribute::Class,
                Attribute::Name,
                Attribute::Uuid,
                Attribute::Description,
            ]
            .into_iter()
            .chain(policy_attrs.clone())
            .chain([Attribute::Version])
            .collect(),
            modify_present_attrs: policy_attrs.to_vec(),
            modify_removed_attrs: policy_attrs.to_vec(),
            ..Default::default()
        }
    };
}
1352
lazy_static! {
    /// `idm_acp_hp_group_unix_manage` (V1): members of `UUID_IDM_UNIX_ADMINS` may read
    /// basic group attributes and set/remove `GidNumber` (and add the `PosixGroup`
    /// class) on live `Group` entries that match `FILTER_HP`, i.e. the high-privilege
    /// groups. Its non-HP counterpart is `IDM_ACP_GROUP_UNIX_MANAGE_V1`.
    pub static ref IDM_ACP_HP_GROUP_UNIX_MANAGE_V1: BuiltinAcp = BuiltinAcp {
        name: "idm_acp_hp_group_unix_manage",
        uuid: UUID_IDM_ACP_HP_GROUP_UNIX_MANAGE_V1,
        description: "Builtin IDM Control for managing and extending high privilege groups with unix attributes",
        classes: vec![
            EntryClass::Object,
            EntryClass::AccessControlProfile,
            EntryClass::AccessControlModify,
            EntryClass::AccessControlSearch,
        ],
        receiver: BuiltinAcpReceiver::Group(vec![UUID_IDM_UNIX_ADMINS]),
        target: BuiltinAcpTarget::Filter(ProtoFilter::And(vec![
            match_class_filter!(EntryClass::Group),
            FILTER_HP.clone(),
            FILTER_ANDNOT_TOMBSTONE_OR_RECYCLED.clone(),
        ])),
        search_attrs: vec![
            Attribute::DynMember,
            Attribute::Class,
            Attribute::Name,
            Attribute::Uuid,
            Attribute::Spn,
            Attribute::Description,
            Attribute::Member,
            Attribute::GidNumber,
        ],
        modify_present_attrs: vec![Attribute::Class, Attribute::GidNumber],
        modify_removed_attrs: vec![Attribute::GidNumber],
        modify_classes: vec![EntryClass::PosixGroup],
        ..Default::default()
    };
}
1394
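lazy_static! {
    /// `idm_acp_group_manage` (DL6 revision, `UUID_IDM_ACP_GROUP_MANAGE_V1`): members
    /// of `UUID_IDM_GROUP_ADMINS` may create, delete, search and modify `Group` entries
    /// that are not high-privilege (`FILTER_ANDNOT_HP_OR_RECYCLED_OR_TOMBSTONE`).
    ///
    /// `EntryManagedBy` may be set at creation and read, but is not in either modify
    /// set in this revision (the DL9 revision adds it).
    pub static ref IDM_ACP_GROUP_MANAGE_DL6: BuiltinAcp = BuiltinAcp {
        name: "idm_acp_group_manage",
        uuid: UUID_IDM_ACP_GROUP_MANAGE_V1,
        description: "Builtin IDM Control for creating and deleting groups in the directory",
        classes: vec![
            EntryClass::Object,
            EntryClass::AccessControlProfile,
            EntryClass::AccessControlCreate,
            EntryClass::AccessControlDelete,
            EntryClass::AccessControlModify,
            EntryClass::AccessControlSearch,
        ],
        receiver: BuiltinAcpReceiver::Group(vec![UUID_IDM_GROUP_ADMINS]),
        target: BuiltinAcpTarget::Filter(ProtoFilter::And(vec![
            match_class_filter!(EntryClass::Group),
            FILTER_ANDNOT_HP_OR_RECYCLED_OR_TOMBSTONE.clone(),
        ])),
        // `Attribute::Uuid` was listed twice in the original; a single entry grants it.
        search_attrs: vec![
            Attribute::Class,
            Attribute::Name,
            Attribute::Uuid,
            Attribute::Spn,
            Attribute::Description,
            Attribute::Mail,
            Attribute::Member,
            Attribute::DynMember,
            Attribute::EntryManagedBy,
        ],
        create_attrs: vec![
            Attribute::Class,
            Attribute::Name,
            Attribute::Uuid,
            Attribute::Description,
            Attribute::Mail,
            Attribute::Member,
            Attribute::EntryManagedBy,
        ],
        create_classes: vec![EntryClass::Object, EntryClass::Group],
        modify_present_attrs: vec![
            Attribute::Name,
            Attribute::Description,
            Attribute::Mail,
            Attribute::Member,
        ],
        modify_removed_attrs: vec![
            Attribute::Name,
            Attribute::Description,
            Attribute::Mail,
            Attribute::Member,
        ],
        ..Default::default()
    };
}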
1454
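lazy_static! {
    /// `idm_acp_group_manage` (DL9 revision, `UUID_IDM_ACP_GROUP_MANAGE_V1`): as the
    /// DL6 revision, for members of `UUID_IDM_GROUP_ADMINS` over non-high-privilege
    /// `Group` entries, with `EntryManagedBy` now also in both modify sets so group
    /// admins can reassign who manages an existing group.
    pub static ref IDM_ACP_GROUP_MANAGE_DL9: BuiltinAcp = BuiltinAcp {
        name: "idm_acp_group_manage",
        uuid: UUID_IDM_ACP_GROUP_MANAGE_V1,
        description: "Builtin IDM Control for creating and deleting groups in the directory",
        classes: vec![
            EntryClass::Object,
            EntryClass::AccessControlProfile,
            EntryClass::AccessControlCreate,
            EntryClass::AccessControlDelete,
            EntryClass::AccessControlModify,
            EntryClass::AccessControlSearch,
        ],
        receiver: BuiltinAcpReceiver::Group(vec![UUID_IDM_GROUP_ADMINS]),
        target: BuiltinAcpTarget::Filter(ProtoFilter::And(vec![
            match_class_filter!(EntryClass::Group),
            FILTER_ANDNOT_HP_OR_RECYCLED_OR_TOMBSTONE.clone(),
        ])),
        // `Attribute::Uuid` was listed twice in the original; a single entry grants it.
        search_attrs: vec![
            Attribute::Class,
            Attribute::Name,
            Attribute::Uuid,
            Attribute::Spn,
            Attribute::Description,
            Attribute::Mail,
            Attribute::Member,
            Attribute::DynMember,
            Attribute::EntryManagedBy,
        ],
        create_attrs: vec![
            Attribute::Class,
            Attribute::Name,
            Attribute::Uuid,
            Attribute::Description,
            Attribute::Mail,
            Attribute::Member,
            Attribute::EntryManagedBy,
        ],
        create_classes: vec![EntryClass::Object, EntryClass::Group],
        modify_present_attrs: vec![
            Attribute::Name,
            Attribute::Description,
            Attribute::Mail,
            Attribute::Member,
            Attribute::EntryManagedBy,
        ],
        modify_removed_attrs: vec![
            Attribute::Name,
            Attribute::Description,
            Attribute::Mail,
            Attribute::Member,
            Attribute::EntryManagedBy,
        ],
        ..Default::default()
    };
}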
1516
lazy_static! {
    /// `idm_acp_group_unix_manage` (V1): members of `UUID_IDM_UNIX_ADMINS` may read
    /// basic group attributes and set/remove `GidNumber` (adding the `PosixGroup`
    /// class) on `Group` entries that are not high-privilege
    /// (`FILTER_ANDNOT_HP_OR_RECYCLED_OR_TOMBSTONE`). High-privilege groups are covered
    /// separately by `IDM_ACP_HP_GROUP_UNIX_MANAGE_V1`.
    pub static ref IDM_ACP_GROUP_UNIX_MANAGE_V1: BuiltinAcp = BuiltinAcp {
        name: "idm_acp_group_unix_manage",
        uuid: UUID_IDM_ACP_GROUP_UNIX_MANAGE_V1,
        description: "Builtin IDM Control for managing unix groups",
        classes: vec![
            EntryClass::Object,
            EntryClass::AccessControlProfile,
            EntryClass::AccessControlModify,
            EntryClass::AccessControlSearch,
        ],
        receiver: BuiltinAcpReceiver::Group(vec![UUID_IDM_UNIX_ADMINS]),
        target: BuiltinAcpTarget::Filter(ProtoFilter::And(vec![
            match_class_filter!(EntryClass::Group),
            FILTER_ANDNOT_HP_OR_RECYCLED_OR_TOMBSTONE.clone(),
        ])),
        search_attrs: vec![
            Attribute::DynMember,
            Attribute::Class,
            Attribute::Name,
            Attribute::Uuid,
            Attribute::Spn,
            Attribute::Description,
            Attribute::Member,
            Attribute::GidNumber,
        ],
        modify_present_attrs: vec![Attribute::Class, Attribute::GidNumber],
        modify_removed_attrs: vec![Attribute::GidNumber],
        modify_classes: vec![EntryClass::PosixGroup],
        ..Default::default()
    };
}
1549
lazy_static! {
    /// `idm_acp_account_unix_extend` (V1): members of `UUID_IDM_UNIX_ADMINS` may read
    /// and set/remove the POSIX attributes (`GidNumber`, `LoginShell`, `UnixPassword`,
    /// `SshPublicKey`) of `Account` entries and add the `PosixAccount` class.
    ///
    /// The target excludes only tombstoned/recycled entries; unlike
    /// `IDM_ACP_GROUP_UNIX_MANAGE_V1` it does not exclude high-privilege entries, so
    /// the credential-bearing `UnixPassword`/`SshPublicKey` are settable on any account.
    pub static ref IDM_ACP_ACCOUNT_UNIX_EXTEND_V1: BuiltinAcp = {
        let posix_attrs = [
            Attribute::GidNumber,
            Attribute::LoginShell,
            Attribute::UnixPassword,
            Attribute::SshPublicKey,
        ];
        BuiltinAcp {
            name: "idm_acp_account_unix_extend",
            uuid: UUID_IDM_ACP_ACCOUNT_UNIX_EXTEND_V1,
            description: "Builtin IDM Control for managing and extending unix accounts",
            classes: vec![
                EntryClass::Object,
                EntryClass::AccessControlProfile,
                EntryClass::AccessControlModify,
                EntryClass::AccessControlSearch,
            ],
            receiver: BuiltinAcpReceiver::Group(vec![UUID_IDM_UNIX_ADMINS]),
            target: BuiltinAcpTarget::Filter(ProtoFilter::And(vec![
                match_class_filter!(EntryClass::Account),
                FILTER_ANDNOT_TOMBSTONE_OR_RECYCLED.clone(),
            ])),
            search_attrs: [
                Attribute::Class,
                Attribute::Name,
                Attribute::Uuid,
                Attribute::Spn,
                Attribute::Description,
            ]
            .into_iter()
            .chain(posix_attrs.clone())
            .collect(),
            // `Class` is settable so the `PosixAccount` class below can be added.
            modify_present_attrs: [Attribute::Class]
                .into_iter()
                .chain(posix_attrs.clone())
                .collect(),
            modify_removed_attrs: posix_attrs.to_vec(),
            modify_classes: vec![EntryClass::PosixAccount],
            ..Default::default()
        }
    };
}
1594
lazy_static! {
    /// `idm_acp_people_pii_read` (V1): members of `UUID_IDM_PEOPLE_ADMINS` or
    /// `UUID_IDM_PEOPLE_PII_READ` may search live `Person` entries for identifying
    /// data including `LegalName` and `Mail`. This is the PII-grade read; the broader
    /// but less sensitive set lives in `IDM_ACP_PEOPLE_READ_V1`.
    pub static ref IDM_ACP_PEOPLE_PII_READ_V1: BuiltinAcp = BuiltinAcp {
        name: "idm_acp_people_pii_read",
        uuid: UUID_IDM_ACP_PEOPLE_PII_READ_V1,
        description: "Builtin IDM Control for reading personal and sensitive data.",
        classes: vec![
            EntryClass::Object,
            EntryClass::AccessControlProfile,
            EntryClass::AccessControlSearch,
        ],
        receiver: BuiltinAcpReceiver::Group(vec![
            UUID_IDM_PEOPLE_ADMINS,
            UUID_IDM_PEOPLE_PII_READ,
        ]),
        target: BuiltinAcpTarget::Filter(ProtoFilter::And(vec![
            match_class_filter!(EntryClass::Person),
            FILTER_ANDNOT_TOMBSTONE_OR_RECYCLED.clone(),
        ])),
        search_attrs: vec![
            Attribute::Class,
            Attribute::Name,
            Attribute::Uuid,
            Attribute::Spn,
            Attribute::DisplayName,
            Attribute::LegalName,
            Attribute::Mail,
        ],
        ..Default::default()
    };
}
1622
lazy_static! {
    /// `idm_acp_people_pii_manage` (V1): members of `UUID_IDM_PEOPLE_ADMINS` may set
    /// and remove `Name`, `DisplayName`, `LegalName` and `Mail` on live `Person`
    /// entries. Only tombstoned/recycled entries are excluded from the target; no
    /// high-privilege exclusion is applied here.
    pub static ref IDM_ACP_PEOPLE_PII_MANAGE_V1: BuiltinAcp = {
        let pii_attrs = [
            Attribute::Name,
            Attribute::DisplayName,
            Attribute::LegalName,
            Attribute::Mail,
        ];
        BuiltinAcp {
            name: "idm_acp_people_pii_manage",
            uuid: UUID_IDM_ACP_PEOPLE_PII_MANAGE_V1,
            description: "Builtin IDM Control for modifying peoples personal and sensitive data",
            classes: vec![
                EntryClass::Object,
                EntryClass::AccessControlProfile,
                EntryClass::AccessControlModify,
            ],
            receiver: BuiltinAcpReceiver::Group(vec![UUID_IDM_PEOPLE_ADMINS]),
            target: BuiltinAcpTarget::Filter(ProtoFilter::And(vec![
                match_class_filter!(EntryClass::Person),
                FILTER_ANDNOT_TOMBSTONE_OR_RECYCLED.clone(),
            ])),
            modify_present_attrs: pii_attrs.to_vec(),
            modify_removed_attrs: pii_attrs.to_vec(),
            ..Default::default()
        }
    };
}
1653
lazy_static! {
    /// `idm_acp_people_create` (DL6 revision, `UUID_IDM_ACP_PEOPLE_CREATE_V1`): members
    /// of `UUID_IDM_PEOPLE_ADMINS` or `UUID_IDM_PEOPLE_ON_BOARDING` may create entries
    /// carrying the `Object`, `Account` and `Person` classes, supplying only the
    /// attributes in `create_attrs`. No credential attribute can be set at creation.
    pub static ref IDM_ACP_PEOPLE_CREATE_DL6: BuiltinAcp = BuiltinAcp {
        name: "idm_acp_people_create",
        uuid: UUID_IDM_ACP_PEOPLE_CREATE_V1,
        description: "Builtin IDM Control for creating new persons.",
        classes: vec![
            EntryClass::Object,
            EntryClass::AccessControlProfile,
            EntryClass::AccessControlCreate,
        ],
        receiver: BuiltinAcpReceiver::Group(vec![
            UUID_IDM_PEOPLE_ADMINS,
            UUID_IDM_PEOPLE_ON_BOARDING,
        ]),
        target: BuiltinAcpTarget::Filter(ProtoFilter::And(vec![
            match_class_filter!(EntryClass::Person),
            match_class_filter!(EntryClass::Account),
            FILTER_ANDNOT_TOMBSTONE_OR_RECYCLED.clone(),
        ])),
        create_attrs: vec![
            Attribute::Class,
            Attribute::Uuid,
            Attribute::Name,
            Attribute::DisplayName,
            Attribute::Mail,
            Attribute::AccountExpire,
            Attribute::AccountValidFrom,
        ],
        create_classes: vec![
            EntryClass::Object,
            EntryClass::Account,
            EntryClass::Person,
        ],
        ..Default::default()
    };
}
1686
lazy_static! {
    /// `idm_acp_people_manage` (V1): members of `UUID_IDM_PEOPLE_ADMINS` may set and
    /// remove `AccountExpire` and `AccountValidFrom` on `Person`+`Account` entries that
    /// are not high-privilege (`FILTER_ANDNOT_HP_OR_RECYCLED_OR_TOMBSTONE`).
    pub static ref IDM_ACP_PEOPLE_MANAGE_V1: BuiltinAcp = {
        let validity_attrs = [Attribute::AccountExpire, Attribute::AccountValidFrom];
        BuiltinAcp {
            name: "idm_acp_people_manage",
            uuid: UUID_IDM_ACP_PEOPLE_MANAGE_V1,
            description: "Builtin IDM Control for management of peoples non sensitive attributes.",
            classes: vec![
                EntryClass::Object,
                EntryClass::AccessControlProfile,
                EntryClass::AccessControlModify,
            ],
            receiver: BuiltinAcpReceiver::Group(vec![UUID_IDM_PEOPLE_ADMINS]),
            target: BuiltinAcpTarget::Filter(ProtoFilter::And(vec![
                match_class_filter!(EntryClass::Person),
                match_class_filter!(EntryClass::Account),
                FILTER_ANDNOT_HP_OR_RECYCLED_OR_TOMBSTONE.clone(),
            ])),
            modify_present_attrs: validity_attrs.to_vec(),
            modify_removed_attrs: validity_attrs.to_vec(),
            ..Default::default()
        }
    };
}
1708
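lazy_static! {
    /// `idm_acp_people_read` (V1): members of `UUID_IDM_PEOPLE_ADMINS`,
    /// `UUID_IDM_PEOPLE_PII_READ`, `UUID_IDM_ACCOUNT_MAIL_READ` or
    /// `UUID_IDM_SERVICE_DESK` may search live `Person` entries for the non-sensitive
    /// attributes below (`LegalName` and `Mail` are deliberately absent; see
    /// `IDM_ACP_PEOPLE_PII_READ_V1`).
    pub static ref IDM_ACP_PEOPLE_READ_V1: BuiltinAcp = BuiltinAcp {
        name: "idm_acp_people_read",
        uuid: UUID_IDM_ACP_PEOPLE_READ_V1,
        description: "Builtin IDM Control for reading non-sensitive data.",
        classes: vec![
            EntryClass::Object,
            EntryClass::AccessControlProfile,
            EntryClass::AccessControlSearch,
        ],
        receiver: BuiltinAcpReceiver::Group(vec![
            UUID_IDM_PEOPLE_ADMINS,
            UUID_IDM_PEOPLE_PII_READ,
            UUID_IDM_ACCOUNT_MAIL_READ,
            UUID_IDM_SERVICE_DESK,
        ]),
        target: BuiltinAcpTarget::Filter(ProtoFilter::And(vec![
            match_class_filter!(EntryClass::Person),
            FILTER_ANDNOT_TOMBSTONE_OR_RECYCLED.clone(),
        ])),
        // `Attribute::Uuid` was listed twice in the original; a single entry grants it.
        search_attrs: vec![
            Attribute::Class,
            Attribute::Name,
            Attribute::Spn,
            Attribute::Uuid,
            Attribute::DisplayName,
            Attribute::MemberOf,
            Attribute::AccountExpire,
            Attribute::AccountValidFrom,
        ],
        ..Default::default()
    };
}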
1744
lazy_static! {
    /// `idm_acp_people_delete` (V1): members of `UUID_IDM_PEOPLE_ADMINS` may delete
    /// `Person`+`Account` entries. The target excludes only tombstoned/recycled
    /// entries — there is no high-privilege exclusion on this delete control.
    pub static ref IDM_ACP_PEOPLE_DELETE_V1: BuiltinAcp = {
        let target = ProtoFilter::And(vec![
            match_class_filter!(EntryClass::Person),
            match_class_filter!(EntryClass::Account),
            FILTER_ANDNOT_TOMBSTONE_OR_RECYCLED.clone(),
        ]);
        BuiltinAcp {
            name: "idm_acp_people_delete",
            uuid: UUID_IDM_ACP_PEOPLE_DELETE_V1,
            description: "Builtin IDM Control for deleting persons.",
            classes: vec![
                EntryClass::Object,
                EntryClass::AccessControlProfile,
                EntryClass::AccessControlDelete,
            ],
            receiver: BuiltinAcpReceiver::Group(vec![UUID_IDM_PEOPLE_ADMINS]),
            target: BuiltinAcpTarget::Filter(target),
            ..Default::default()
        }
    };
}
1765
lazy_static! {
    /// `idm_acp_people_credential_reset` (V1): members of `UUID_IDM_PEOPLE_ADMINS`,
    /// `UUID_IDM_SERVICE_DESK` or `UUID_IDM_PEOPLE_ON_BOARDING` may read and
    /// set/remove `PrimaryCredential`, `PassKeys` and `AttestedPasskeys` on
    /// `Person`+`Account` entries that are not high-privilege. Account validity
    /// attributes are readable but not modifiable through this control; the
    /// high-privilege variant is `IDM_ACP_HP_PEOPLE_CREDENTIAL_RESET_V1`.
    pub static ref IDM_ACP_PEOPLE_CREDENTIAL_RESET_V1: BuiltinAcp = {
        let credential_attrs = [
            Attribute::PrimaryCredential,
            Attribute::PassKeys,
            Attribute::AttestedPasskeys,
        ];
        BuiltinAcp {
            name: "idm_acp_people_credential_reset",
            uuid: UUID_IDM_ACP_PEOPLE_CREDENTIAL_RESET_V1,
            description: "Builtin IDM Control for resetting peoples credentials ",
            classes: vec![
                EntryClass::Object,
                EntryClass::AccessControlProfile,
                EntryClass::AccessControlModify,
                EntryClass::AccessControlSearch,
            ],
            receiver: BuiltinAcpReceiver::Group(vec![
                UUID_IDM_PEOPLE_ADMINS,
                UUID_IDM_SERVICE_DESK,
                UUID_IDM_PEOPLE_ON_BOARDING,
            ]),
            target: BuiltinAcpTarget::Filter(ProtoFilter::And(vec![
                match_class_filter!(EntryClass::Person),
                match_class_filter!(EntryClass::Account),
                FILTER_ANDNOT_HP_OR_RECYCLED_OR_TOMBSTONE.clone(),
            ])),
            search_attrs: vec![
                Attribute::Class,
                Attribute::Uuid,
                Attribute::Name,
                Attribute::Spn,
                Attribute::PrimaryCredential,
                Attribute::AccountExpire,
                Attribute::AccountValidFrom,
                Attribute::PassKeys,
                Attribute::AttestedPasskeys,
            ],
            modify_present_attrs: credential_attrs.to_vec(),
            modify_removed_attrs: credential_attrs.to_vec(),
            ..Default::default()
        }
    };
}
1812
lazy_static! {
    /// `idm_acp_hp_people_credential_reset` (V1): only members of
    /// `UUID_IDM_PEOPLE_ADMINS` may read and set/remove credentials on
    /// `Person`+`Account` entries that match `FILTER_HP`. Unlike the non-HP variant,
    /// `AccountExpire` and `AccountValidFrom` are modifiable here as well, which is the
    /// lever for locking a high-privilege person out.
    pub static ref IDM_ACP_HP_PEOPLE_CREDENTIAL_RESET_V1: BuiltinAcp = {
        let reset_attrs = [
            Attribute::PrimaryCredential,
            Attribute::AccountExpire,
            Attribute::AccountValidFrom,
            Attribute::PassKeys,
            Attribute::AttestedPasskeys,
        ];
        BuiltinAcp {
            name: "idm_acp_hp_people_credential_reset",
            uuid: UUID_IDM_ACP_HP_PEOPLE_CREDENTIAL_RESET_V1,
            description: "Builtin IDM Control for resetting high privilege peoples credentials ",
            classes: vec![
                EntryClass::Object,
                EntryClass::AccessControlProfile,
                EntryClass::AccessControlModify,
                EntryClass::AccessControlSearch,
            ],
            receiver: BuiltinAcpReceiver::Group(vec![UUID_IDM_PEOPLE_ADMINS]),
            target: BuiltinAcpTarget::Filter(ProtoFilter::And(vec![
                match_class_filter!(EntryClass::Person),
                match_class_filter!(EntryClass::Account),
                FILTER_HP.clone(),
                FILTER_ANDNOT_TOMBSTONE_OR_RECYCLED.clone(),
            ])),
            search_attrs: vec![
                Attribute::Class,
                Attribute::Uuid,
                Attribute::Name,
                Attribute::Spn,
                Attribute::PrimaryCredential,
                Attribute::AccountExpire,
                Attribute::AccountValidFrom,
                Attribute::PassKeys,
                Attribute::AttestedPasskeys,
            ],
            modify_present_attrs: reset_attrs.to_vec(),
            modify_removed_attrs: reset_attrs.to_vec(),
            ..Default::default()
        }
    };
}
1860
lazy_static! {
    /// `idm_acp_service_account_create` (V1): members of
    /// `UUID_IDM_SERVICE_ACCOUNT_ADMINS` may create entries with the `Object`,
    /// `Account` and `ServiceAccount` classes, setting only the attributes in
    /// `create_attrs` (`EntryManagedBy` included; no credential attribute).
    pub static ref IDM_ACP_SERVICE_ACCOUNT_CREATE_V1: BuiltinAcp = BuiltinAcp {
        name: "idm_acp_service_account_create",
        uuid: UUID_IDM_ACP_SERVICE_ACCOUNT_CREATE_V1,
        description: "Builtin IDM Control for creating new service accounts.",
        classes: vec![
            EntryClass::Object,
            EntryClass::AccessControlProfile,
            EntryClass::AccessControlCreate,
        ],
        receiver: BuiltinAcpReceiver::Group(vec![UUID_IDM_SERVICE_ACCOUNT_ADMINS]),
        target: BuiltinAcpTarget::Filter(ProtoFilter::And(vec![
            match_class_filter!(EntryClass::ServiceAccount),
            match_class_filter!(EntryClass::Account),
            FILTER_ANDNOT_TOMBSTONE_OR_RECYCLED.clone(),
        ])),
        create_attrs: vec![
            Attribute::Class,
            Attribute::Name,
            Attribute::DisplayName,
            Attribute::EntryManagedBy,
            Attribute::Description,
            Attribute::AccountExpire,
            Attribute::AccountValidFrom,
        ],
        create_classes: vec![
            EntryClass::Object,
            EntryClass::Account,
            EntryClass::ServiceAccount,
        ],
        ..Default::default()
    };
}
1896
lazy_static! {
    /// `idm_acp_service_account_manage` (V1): members of
    /// `UUID_IDM_SERVICE_ACCOUNT_ADMINS` may modify non-high-privilege
    /// `ServiceAccount`+`Account` entries. Only `Name`, `DisplayName` and `Mail` are
    /// settable; credential and session attributes (`SshPublicKey`, `UnixPassword`,
    /// `PrimaryCredential`, `ApiTokenSession`, `UserAuthTokenSession`) are removable
    /// only, so this control can revoke but not issue credentials.
    pub static ref IDM_ACP_SERVICE_ACCOUNT_MANAGE_V1: BuiltinAcp = BuiltinAcp {
        name: "idm_acp_service_account_manage",
        uuid: UUID_IDM_ACP_SERVICE_ACCOUNT_MANAGE_V1,
        description: "Builtin IDM Control for modifying service account data",
        classes: vec![
            EntryClass::Object,
            EntryClass::AccessControlProfile,
            EntryClass::AccessControlModify,
        ],
        receiver: BuiltinAcpReceiver::Group(vec![UUID_IDM_SERVICE_ACCOUNT_ADMINS]),
        target: BuiltinAcpTarget::Filter(ProtoFilter::And(vec![
            match_class_filter!(EntryClass::ServiceAccount),
            match_class_filter!(EntryClass::Account),
            FILTER_ANDNOT_HP_OR_RECYCLED_OR_TOMBSTONE.clone(),
        ])),
        modify_present_attrs: vec![
            Attribute::Name,
            Attribute::DisplayName,
            Attribute::Mail,
        ],
        modify_removed_attrs: vec![
            Attribute::Name,
            Attribute::DisplayName,
            Attribute::Mail,
            Attribute::SshPublicKey,
            Attribute::UnixPassword,
            Attribute::PrimaryCredential,
            Attribute::ApiTokenSession,
            Attribute::UserAuthTokenSession,
        ],
        ..Default::default()
    };
}
1927
lazy_static! {
    /// `idm_acp_service_account_delete` (V1): members of
    /// `UUID_IDM_SERVICE_ACCOUNT_ADMINS` may delete `ServiceAccount`+`Account` entries
    /// that are not high-privilege (`FILTER_ANDNOT_HP_OR_RECYCLED_OR_TOMBSTONE`).
    pub static ref IDM_ACP_SERVICE_ACCOUNT_DELETE_V1: BuiltinAcp = {
        let target = ProtoFilter::And(vec![
            match_class_filter!(EntryClass::ServiceAccount),
            match_class_filter!(EntryClass::Account),
            FILTER_ANDNOT_HP_OR_RECYCLED_OR_TOMBSTONE.clone(),
        ]);
        BuiltinAcp {
            name: "idm_acp_service_account_delete",
            uuid: UUID_IDM_ACP_SERVICE_ACCOUNT_DELETE_V1,
            description: "Builtin IDM Control for deleting service accounts.",
            classes: vec![
                EntryClass::Object,
                EntryClass::AccessControlProfile,
                EntryClass::AccessControlDelete,
            ],
            receiver: BuiltinAcpReceiver::Group(vec![UUID_IDM_SERVICE_ACCOUNT_ADMINS]),
            target: BuiltinAcpTarget::Filter(target),
            ..Default::default()
        }
    };
}
1947
lazy_static! {
    /// `idm_acp_service_account_entry_manager` (V1): the receiver is
    /// `BuiltinAcpReceiver::EntryManager`, i.e. whoever an entry's `EntryManagedBy`
    /// names, rather than a fixed group. Over live `Account`+`ServiceAccount` entries
    /// the manager may read the listed attributes and set `DisplayName`,
    /// `SshPublicKey`, `PrimaryCredential`, validity and `ApiTokenSession`;
    /// `UnixPassword`, `PassKeys` and `UserAuthTokenSession` are removable only.
    ///
    /// The target applies only the tombstone/recycled exclusion, so this grant also
    /// reaches high-privilege service accounts that have an entry manager.
    pub static ref IDM_ACP_SERVICE_ACCOUNT_ENTRY_MANAGER_V1: BuiltinAcp = BuiltinAcp {
        name: "idm_acp_service_account_entry_manager",
        uuid: UUID_IDM_ACP_SERVICE_ACCOUNT_ENTRY_MANAGER_V1,
        description: "Builtin IDM Control for allowing entry managers to modify service accounts",
        classes: vec![
            EntryClass::Object,
            EntryClass::AccessControlProfile,
            EntryClass::AccessControlModify,
            EntryClass::AccessControlSearch,
        ],
        receiver: BuiltinAcpReceiver::EntryManager,
        target: BuiltinAcpTarget::Filter(ProtoFilter::And(vec![
            match_class_filter!(EntryClass::Account),
            match_class_filter!(EntryClass::ServiceAccount),
            FILTER_ANDNOT_TOMBSTONE_OR_RECYCLED.clone(),
        ])),
        search_attrs: vec![
            Attribute::Class,
            Attribute::Name,
            Attribute::Spn,
            Attribute::Uuid,
            Attribute::EntryManagedBy,
            Attribute::DisplayName,
            Attribute::SshPublicKey,
            Attribute::GidNumber,
            Attribute::LoginShell,
            Attribute::UnixPassword,
            Attribute::PassKeys,
            Attribute::PrimaryCredential,
            Attribute::AccountExpire,
            Attribute::AccountValidFrom,
            Attribute::ApiTokenSession,
            Attribute::UserAuthTokenSession,
        ],
        modify_present_attrs: vec![
            Attribute::DisplayName,
            Attribute::SshPublicKey,
            Attribute::PrimaryCredential,
            Attribute::AccountExpire,
            Attribute::AccountValidFrom,
            Attribute::ApiTokenSession,
        ],
        modify_removed_attrs: vec![
            Attribute::DisplayName,
            Attribute::SshPublicKey,
            Attribute::PrimaryCredential,
            Attribute::UnixPassword,
            Attribute::PassKeys,
            Attribute::AccountExpire,
            Attribute::AccountValidFrom,
            Attribute::ApiTokenSession,
            Attribute::UserAuthTokenSession,
        ],
        ..Default::default()
    };
}
2011
lazy_static! {
    /// `idm_acp_service_account_entry_managed_by_modify` (V1): members of
    /// `UUID_IDM_SERVICE_ACCOUNT_ADMINS` may read identifying attributes and set or
    /// remove `EntryManagedBy` on non-high-privilege `ServiceAccount`+`Account`
    /// entries. Because `EntryManagedBy` selects the receiver of
    /// `IDM_ACP_SERVICE_ACCOUNT_ENTRY_MANAGER_V1`, this is effectively a delegation
    /// grant. The HP counterpart is `IDM_ACP_HP_SERVICE_ACCOUNT_ENTRY_MANAGED_BY_MODIFY_V1`.
    pub static ref IDM_ACP_SERVICE_ACCOUNT_ENTRY_MANAGED_BY_MODIFY_V1: BuiltinAcp = BuiltinAcp {
        name: "idm_acp_service_account_entry_managed_by_modify",
        uuid: UUID_IDM_ACP_SERVICE_ACCOUNT_ENTRY_MANAGED_BY_MODIFY,
        description:
            "Builtin IDM Control for allowing entry_managed_by to be set on service account entries",
        classes: vec![
            EntryClass::Object,
            EntryClass::AccessControlProfile,
            EntryClass::AccessControlModify,
            EntryClass::AccessControlSearch,
        ],
        receiver: BuiltinAcpReceiver::Group(vec![UUID_IDM_SERVICE_ACCOUNT_ADMINS]),
        target: BuiltinAcpTarget::Filter(ProtoFilter::And(vec![
            match_class_filter!(EntryClass::ServiceAccount),
            match_class_filter!(EntryClass::Account),
            FILTER_ANDNOT_HP_OR_RECYCLED_OR_TOMBSTONE.clone(),
        ])),
        search_attrs: vec![
            Attribute::Class,
            Attribute::Name,
            Attribute::Spn,
            Attribute::Uuid,
            Attribute::EntryManagedBy,
        ],
        modify_present_attrs: vec![Attribute::EntryManagedBy],
        modify_removed_attrs: vec![Attribute::EntryManagedBy],
        ..Default::default()
    };
}
2043
lazy_static! {
    /// `idm_acp_hp_service_account_entry_managed_by` (V1): the high-privilege variant
    /// of the entry-managed-by control. The receiver is
    /// `UUID_IDM_ACCESS_CONTROL_ADMINS` (not the service-account admins), and the
    /// target is restricted to `ServiceAccount`+`Account` entries matching
    /// `FILTER_HP`. Setting `EntryManagedBy` here delegates management of an HP
    /// service account, so the receiver is deliberately narrower.
    pub static ref IDM_ACP_HP_SERVICE_ACCOUNT_ENTRY_MANAGED_BY_MODIFY_V1: BuiltinAcp = {
        let target = ProtoFilter::And(vec![
            match_class_filter!(EntryClass::ServiceAccount),
            match_class_filter!(EntryClass::Account),
            FILTER_HP.clone(),
            FILTER_ANDNOT_TOMBSTONE_OR_RECYCLED.clone(),
        ]);
        BuiltinAcp {
            name: "idm_acp_hp_service_account_entry_managed_by",
            uuid: UUID_IDM_ACP_HP_SERVICE_ACCOUNT_ENTRY_MANAGED_BY_MODIFY,
            description: "Builtin IDM Control for allowing entry_managed_by to be set on high priv service account entries",
            classes: vec![
                EntryClass::Object,
                EntryClass::AccessControlProfile,
                EntryClass::AccessControlModify,
                EntryClass::AccessControlSearch,
            ],
            receiver: BuiltinAcpReceiver::Group(vec![UUID_IDM_ACCESS_CONTROL_ADMINS]),
            target: BuiltinAcpTarget::Filter(target),
            search_attrs: vec![
                Attribute::Class,
                Attribute::Name,
                Attribute::Spn,
                Attribute::Uuid,
                Attribute::EntryManagedBy,
            ],
            modify_present_attrs: vec![Attribute::EntryManagedBy],
            modify_removed_attrs: vec![Attribute::EntryManagedBy],
            ..Default::default()
        }
    };
}
2074
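lazy_static! {
    /// Grants `UUID_IDM_CLIENT_CERTIFICATE_ADMINS` full lifecycle control (search,
    /// create, modify, delete) over `EntryClass::ClientCertificate` entries.
    ///
    /// The target matches the `ClientCertificate` class and excludes recycled and
    /// tombstoned entries. Nothing in the target constrains the `Refers` value, so if
    /// `Refers` links a certificate to an account, this profile does not restrict which
    /// accounts (high-privilege or not) may be pointed at. NOTE(review): confirm that
    /// is intended; the service-account profiles in this file exclude high-privilege
    /// targets via `FILTER_ANDNOT_HP_OR_RECYCLED_OR_TOMBSTONE`.
    pub static ref IDM_ACP_HP_CLIENT_CERTIFICATE_MANAGER_DL7: BuiltinAcp = BuiltinAcp {
        classes: vec![
            EntryClass::Object,
            EntryClass::AccessControlProfile,
            EntryClass::AccessControlCreate,
            EntryClass::AccessControlDelete,
            EntryClass::AccessControlModify,
            EntryClass::AccessControlSearch,
        ],
        name: "idm_acp_hp_client_certificate_manager",
        uuid: UUID_IDM_ACP_HP_CLIENT_CERTIFICATE_MANAGER,
        description: "Builtin IDM Control for allowing client certificate management.",
        receiver: BuiltinAcpReceiver::Group(vec![UUID_IDM_CLIENT_CERTIFICATE_ADMINS]),
        target: BuiltinAcpTarget::Filter(ProtoFilter::And(vec![
            // Same class-match shape as every other target in this file, instead of a
            // hand-built `ProtoFilter::Eq` keyed on `EntryClass::Class`.
            match_class_filter!(EntryClass::ClientCertificate),
            FILTER_ANDNOT_TOMBSTONE_OR_RECYCLED.clone(),
        ])),
        search_attrs: vec![
            Attribute::Class,
            Attribute::Uuid,
            Attribute::Certificate,
            Attribute::Refers,
        ],
        // The certificate material and its link are the only mutable attributes.
        modify_removed_attrs: vec![Attribute::Certificate, Attribute::Refers],
        modify_present_attrs: vec![Attribute::Certificate, Attribute::Refers],
        // Creation is limited to plain `client_certificate` objects; no other class
        // may be attached at create time.
        create_attrs: vec![Attribute::Class, Attribute::Certificate, Attribute::Refers],
        create_classes: vec![EntryClass::Object, EntryClass::ClientCertificate],
        ..Default::default()
    };
}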
2109
lazy_static! {
    /// Full management profile for application entries, held by
    /// `UUID_IDM_APPLICATION_ADMINS`: search, create, delete and modify on anything
    /// matching `EntryClass::Application` that is not recycled or tombstoned.
    ///
    /// Two things a reviewer should be aware of. First, the target uses
    /// `FILTER_ANDNOT_TOMBSTONE_OR_RECYCLED` rather than the HP-excluding variant the
    /// service-account profiles use, so an application that is also a high-privilege
    /// member is still in scope — presumably deliberate, but worth confirming.
    /// Second, `UnixPassword`, `ApiTokenSession` and `UserAuthTokenSession` are
    /// searchable, and the first two are settable; by name these look like credential
    /// and session material. `UserAuthTokenSession` appears only in
    /// `modify_removed_attrs`, so this receiver can revoke such sessions but not add them.
    pub static ref IDM_ACP_APPLICATION_MANAGE_DL8: BuiltinAcp = BuiltinAcp {
        classes: vec![
            EntryClass::Object,
            EntryClass::AccessControlProfile,
            EntryClass::AccessControlCreate,
            EntryClass::AccessControlDelete,
            EntryClass::AccessControlModify,
            EntryClass::AccessControlSearch,
        ],
        name: "idm_acp_application_manage",
        uuid: UUID_IDM_ACP_APPLICATION_MANAGE,
        description: "Builtin IDM Control for creating and deleting applications in the directory",
        receiver: BuiltinAcpReceiver::Group(vec![UUID_IDM_APPLICATION_ADMINS]),
        target: BuiltinAcpTarget::Filter(ProtoFilter::And(vec![
            match_class_filter!(EntryClass::Application),
            FILTER_ANDNOT_TOMBSTONE_OR_RECYCLED.clone(),
        ])),
        search_attrs: vec![
            Attribute::Class,
            Attribute::Uuid,
            Attribute::Name,
            Attribute::Description,
            Attribute::DisplayName,
            Attribute::Mail,
            Attribute::UnixPassword,
            Attribute::ApiTokenSession,
            Attribute::UserAuthTokenSession,
            Attribute::LinkedGroup,
            Attribute::EntryManagedBy,
        ],
        // An application is created as an account + service account + application.
        create_classes: vec![
            EntryClass::Object,
            EntryClass::Account,
            EntryClass::ServiceAccount,
            EntryClass::Application,
        ],
        // Credential/session attributes are intentionally absent from the create set.
        create_attrs: vec![
            Attribute::Class,
            Attribute::Uuid,
            Attribute::Name,
            Attribute::Description,
            Attribute::DisplayName,
            Attribute::Mail,
            Attribute::LinkedGroup,
            Attribute::EntryManagedBy,
        ],
        // Removal set is a superset of the present set (adds `UserAuthTokenSession`).
        modify_removed_attrs: vec![
            Attribute::Name,
            Attribute::Description,
            Attribute::DisplayName,
            Attribute::Mail,
            Attribute::UnixPassword,
            Attribute::ApiTokenSession,
            Attribute::UserAuthTokenSession,
            Attribute::LinkedGroup,
            Attribute::EntryManagedBy,
        ],
        modify_present_attrs: vec![
            Attribute::Name,
            Attribute::Description,
            Attribute::DisplayName,
            Attribute::Mail,
            Attribute::UnixPassword,
            Attribute::ApiTokenSession,
            Attribute::LinkedGroup,
            Attribute::EntryManagedBy,
        ],
        ..Default::default()
    };
}
2182
lazy_static! {
    /// Profile granted to whatever `entry_managed_by` names on an application entry
    /// (`BuiltinAcpReceiver::EntryManager`): read and modify, but not create or delete,
    /// for `EntryClass::Application` entries that are not recycled or tombstoned.
    ///
    /// Unlike the `idm_application_admins` profile, `EntryManagedBy` itself is neither
    /// settable nor removable here, so a manager cannot hand an application to someone
    /// else. `UnixPassword` and `ApiTokenSession` are both readable and settable and
    /// by name look like credential material; `UserAuthTokenSession` can only be
    /// removed (revoked), never added. The target does not exclude high-privilege
    /// members — confirm that is intended.
    pub static ref IDM_ACP_APPLICATION_ENTRY_MANAGER_DL8: BuiltinAcp = BuiltinAcp {
        classes: vec![
            EntryClass::Object,
            EntryClass::AccessControlProfile,
            EntryClass::AccessControlModify,
            EntryClass::AccessControlSearch,
        ],
        name: "idm_acp_application_entry_manager",
        uuid: UUID_IDM_ACP_APPLICATION_ENTRY_MANAGER,
        description: "Builtin IDM Control for allowing EntryManager to read and modify applications",
        receiver: BuiltinAcpReceiver::EntryManager,
        target: BuiltinAcpTarget::Filter(ProtoFilter::And(vec![
            match_class_filter!(EntryClass::Application),
            FILTER_ANDNOT_TOMBSTONE_OR_RECYCLED.clone(),
        ])),
        search_attrs: vec![
            Attribute::Class,
            Attribute::Uuid,
            Attribute::Name,
            Attribute::DisplayName,
            Attribute::Mail,
            Attribute::UnixPassword,
            Attribute::ApiTokenSession,
            Attribute::UserAuthTokenSession,
            Attribute::Description,
            Attribute::LinkedGroup,
            Attribute::EntryManagedBy,
        ],
        // Removal set = present set + `UserAuthTokenSession`.
        modify_removed_attrs: vec![
            Attribute::Name,
            Attribute::Description,
            Attribute::DisplayName,
            Attribute::Mail,
            Attribute::UnixPassword,
            Attribute::ApiTokenSession,
            Attribute::UserAuthTokenSession,
            Attribute::LinkedGroup,
        ],
        modify_present_attrs: vec![
            Attribute::Name,
            Attribute::Description,
            Attribute::DisplayName,
            Attribute::Mail,
            Attribute::UnixPassword,
            Attribute::ApiTokenSession,
            Attribute::LinkedGroup,
        ],
        ..Default::default()
    };
}