This change is about "Managed Permissions" in general, not just "Read" ones.

Overview

The IPA framework will handle default permissions more robustly with respect to IPA updates and user-made changes.

In the future, this allow us to create a system of fine-grained, user-controllable permissions with good defaults and predictable behavior over upgrades.

Use Cases

Modifications to permissions that come with FreeIPA by default will be restricted to changing the attribute lists and bind types.

For example, attempting to change a default "Modify Users" permission to apply to Groups will fail:

$ ipa permission-mod 'System: Modify Users' --type=group
ipa: ERROR: invalid 'ipapermlocation': not modifiable on managed permissions

So will attempting to make it apply to Read operations:

$ ipa permission-mod 'System: Modify Users' --right=read,
ipa: ERROR: invalid 'ipapermright': not modifiable on managed permissions

On the other hand, making the permission not apply to the "gecos" attribute is possible:

$ ipa permission-mod 'System: Modify Users' --excludedattrs=gecos
------------------------------------------
Modified permission "System: Modify Users"
------------------------------------------
  Permission name: System: Modify Users
  Granted rights: write
  Effective attributes: businesscategory, carlicense, cn, description, displayname, employeetype, facsimiletelephonenumber, givenname, homephone, inetuserhttpurl, initials, l, labeleduri, loginshell, manager, mepmanagedentry, mobile, objectclass, ou, pager, postalcode,
                        preferredlanguage, roomnumber, secretary, seealso, sn, st, street, telephonenumber, title, userclass
  Excluded attributes: gecos
  Default attributes: telephonenumber, cn, labeleduri, manager, street, displayname, homephone, title, facsimiletelephonenumber, loginshell, employeetype, description, businesscategory, preferredlanguage, roomnumber, mepmanagedentry, carlicense, postalcode, givenname,
                      pager, seealso, objectclass, inetuserhttpurl, l, st, mobile, gecos, sn, ou, secretary, userclass, initials
  Bind rule type: permission
  Subtree: cn=users,cn=accounts,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
  Type: user
  Granted to Privilege: Modify Users and Reset passwords, User Administrators
  Indirect Member of roles: helpdesk, User Administrator

So is changing the bind rule type, i.e. making a permission apply to all authenticated users, anyone including anonymous users, or specific users selected by privileges:

$ ipa permission-mod 'System: Read User Membership' --bindtype=anonymous
--------------------------------------------------
Modified permission "System: Read User Membership"
--------------------------------------------------
  Permission name: System: Read User Membership
  Granted rights: read, compare, search
  Effective attributes: memberof
  Default attributes: memberof
  Bind rule type: anonymous
  Subtree: cn=users,cn=accounts,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
  Type: user

Documentation draft

This section explains the behavior from the user's point of view:

"Managed" permissions are those permissions that come pre-installed with IPA, and are updated in new releases to cover new functionality. They behave like regular, user-created permissions, with these differences:

• Their name, location and target can not be modified
• They cannot be deleted (but note that setting default bindtype and removing from all privileges will effectively disable a permission)
• They have three sets of attributes:
  • default attributes, managed by IPA, cannot be changed by the user
  • included attributes (--includedattrs in the CLI) are extra attrs that the user has added
  • excluded attributes (--excludedattrs in the CLI) are those that the user has removed

The permission applies to all attributes that appear in either its default or included sets, but not in its excluded set.

It is possible to control the effective attributes using permission-mod's --attrs option, as with other permissions. The modifies the included and excluded lists so that the effective list matches the request.

(Note that attributes of user-created permissions work the same way, but since the default and excluded sets are empty, only the included set determines the effective attributes.)

Newer versions of IPA may add additional attributes to the default set. Attributes added this way should be listed in the corresponding Release Notes. If some of the new attributes are undesirable, add them to the corresponding excluded list before the upgrade.

All managed permissions currently have the "System:" prefix in their name, to prevent naming clashes between user-created permissions and future IPA defaults.

In FreeIPA 4.0, most default permissions have been turned into Managed ones. Some permissions still use the old "SYSTEM" scheme (i.e. they are not modifiable, but may be only assigned to privileges). A list of these permissions follows:

• Add Automember Rebuild Membership Task
• Add Replication Agreements
• Certificate Remove Hold
• Get Certificates status from the CA
• Modify DNA Range
• Modify Replication Agreements
• Remove Replication Agreements
• Request Certificate
• Request Certificates from a different host
• Retrieve Certificates from the CA
• Revoke Certificate
• Write IPA Configuration

Upgrade considerations

When upgrading to IPA 4.0, the process will convert old default permissions, such as.

ipa-3-3$ ipa permission-find 'Modify Groups'
--------------------
1 permission matched
--------------------
  Permission name: Modify Groups
  Permissions: write
  Attributes: cn, description, gidnumber, objectclass, mepmanagedby, ipauniqueid
  Type: group
  Granted to Privilege: Group Administrators
  Indirect Member of roles: User Administrator
----------------------------
Number of entries returned 1
----------------------------

to managed ones, e.g.

$ ipa permission-find 'System: Modify Groups'
--------------------
1 permission matched
--------------------
  Permission name: System: Modify Groups
  Granted rights: write
  Effective attributes: cn, description, gidnumber, ipauniqueid, mepmanagedby, objectclass
  Default attributes: cn, objectclass, mepmanagedby, gidnumber, ipauniqueid, description
  Bind rule type: permission
  Subtree: cn=groups,cn=accounts,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
  Type: group
  Granted to Privilege: Group Administrators
  Indirect Member of roles: User Administrator
----------------------------
Number of entries returned 1
----------------------------

If the default permissions that come with IPA have been modified, special care should be taken when upgrading.

Removed default permissions

If a default permission was removed, the upgrade process will simply create a new default permission. This is consistent with to how all IPA upgrades work.

Changed attribute lists

If only the attribute list differs from a past default, the permission updater will set the included/excluded lists of the new default permission to match the modifications.

Note that the updater considers default values from all past IPA versions. Be sure to check the result after updating.

Other ACI changes

If any other changes were made to a default permission, the updater emits a warning and does not create the new permission. In this case, there are two options:

1) Delete the old permission (e.g. ipa permission-del 'Modify Groups'), then run ipa-ldap-updater -p. This will create the new default permission.

2) Change the old permission to a new-style (V2) permission by issuing e.g. ipa permission-mod 'Modify Groups' on a server with IPA 4.0+, then run ipa-ldap-updater -p. This will also create the new default permission, but the old one will be preserved as a user-created permission.

The problem

Currently, updates to permissions that come with IPA are specified in .update files.

This approach has the disadvantage that if the user modifies the permission, the updater will not recognize it, so it will end up not being updated. This may result in reduced functionality (if needed attributes are not added), or security issues (if attributes are not deleted).

Design

Managed Permissions

V2 permissions with the MANAGED flag set are called Managed permissions.

These permissions grant access to a set of attributes defined by IPA and kept up-to-date on upgrades, while allowing users to add or remove specific attributes from the default list.

The user can also manage the bind rule and privilege membership of Managed permissions.

The other aspects of Managed permissions (name, location, target) are not modifiable by the user. The user cannot manually add new Managed permissions, or delete existing ones (unless --force is applied; but later we may restrict this via ACIs).

To ensure that installing low-version replicas or disabling plugins does not revoke access to existing data, the default list of attributes will be kept in LDAP as ipaPermDefaultAttr. Users can not modify this list via the framework. On updates, new attributes will only be added to this list. (To remove attributes, we would need to write a separate update plugin.)

There will be two attribute types for holding attributes the admin added and removed: ipaPermIncludedAttr and ipaPermExcludedAttr respectively. (In user-created permissions, ipaPermIncludedAttr is used for the same purpose as here, and excluded & default are empty.) See V3/Permissions V2 for the schema definition.

When generating the ACI, the resulting attribute list will be computed by taking the ipaPermDefaultAttr set, adding any ipaPermIncludedAttrs, and then removing any ipaPermExcludedAttrs.

For example, this permission:

dn: cn=Read Users,cn=permissions,cn=pbac,$SUFFIX
cn: Read Users
ipaPermDefaultAttr: cn
ipaPermDefaultAttr: sn
ipaPermDefaultAttr: givenName
ipaPermDefaultAttr: l
...
ipaPermIncludedAttr: favoriteColor
ipaPermExcludedAttr: givenName
objectClass: top
objectClass: groupOfNames
objectclass: ipaPermission
objectclass: ipaManagedPermission
ipaPermType: SYSTEM
ipaPermType: V2
ipaPermType: MANAGED
ipaPermLocation: cn=users,cn=accounts,$SUFFIX
ipaPermRight: read
ipaPermTarget: uid=*,cn=users,cn=accounts,$SUFFIX
ipaPermBindRuleType: permission

would allow users to read all default user attributes except givenName, plus additionally favoriteColor.

CLI & API

The permission-{mod,find} commands will gain two new options, --includedattrs (API: ipapermincludedattr) and --excludedattrs (API: ipapermexcludedattr). For permission-mod it is an error to use --excludedattrs with non-managed permissions.

For a managed permission, the permission-{mod,find,show} commands will output all three lists (ipapermdefaultattr, ipapermallowedattr, ipapermexcludedattr), as well as the computed list of effective attributes.

For a non-managed permission, permission-{mod,find,show} will only output the effective attributes (attrs). With --all, the included attributes will also be included. As any missing attribute course excluded and default will not be output. With --raw, only ipaPermIncludedAttr, and not attrs, wil be output.

It is an error to set the ipapermlocation, ipapermtargetfilter, or ipapermtarget of a managed permission. (This means that it's an error to ise the API options subtree, extratargetfilter, target, memberof, targetgroup, or type with a managed permission.)

Default Permission Updater

A server post-update plugin will walk through ipalib Object plugins and create/update managed permissions pertaining to them.

Names of such default permissions are required to start with "System: ", so that default permissions added in future IPA releases do not conflict with user-created permissions. The ":" character will not be usable in permission-add. (It will be usable in permission-mod and permission-del, where managed permissions are subject to the limitations stated above.)

The IPA Object plugins will gain a new Python attribute, managed_permissions, which will hold a template for the permissions that are to be added by default to manage that object.

This will allow plugins to be more self-contained; it will no longer be necessary to modify IPA's update files to add the common cases of plugin-specific permissions.

The format of the managed_permissions templates will be documented in the update_managed_permissions server plugin (link).

Replacing legacy default permissions

Another entry in the managed_permissionstemplate, replaces, will be used for replacing legacy permissions with new managed ones. Example:

   managed_permissions = {
       'ipa:Modify SUDO Rule': {
           'ipapermbindruletype': 'permission',
           'ipapermright': {'write'},
           'ipapermdefaultattr': {
               'description', 'ipaenabledflag', 'usercategory',
               'hostcategory', 'cmdcategory', 'ipasudorunasusercategory',
               'ipasudorunasgroupcategory', 'externaluser',
               'ipasudorunasextuser', 'ipasudorunasextgroup', 'memberdenycmd',
               'memberallowcmd', 'memberuser'
           },
           'replaces': [
               '(targetattr = "description || ipaenabledflag || usercategory || hostcategory || cmdcategory || ipasudorunasusercategory || ipasudorunasgroupcategory || externaluser || ipasudorunasextuser || ipasudorunasextgroup || memberdenycmd || memberallowcmd || memberuser")(target = "ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,$SUFFIX")(version 3.0;acl "permission:Modify Sudo rule";allow (write) groupdn = "ldap:///cn=Modify Sudo rule,cn=permissions,cn=pbac,$SUFFIX";)',
           }
       },
       ...

If the an existing legacy (i.e. non-v2) permission exists either without an associated ACI or with an ACI that exactly matches the information specified in the replaces list, the old permission is removed after the new one is added.

This ensures that

• the old permission is retained if the user has changed it
• at no time are the ACIs revoked (briefly, there are two ACIs granting the same access).

If an existing legacy permission does match cn but not some other attributes in the replaces dict, a warning is logged, the new permission is added, and the old one is left in place.

The exception are attributes. If the ACI only differs in the list of attributes, the permission is upgraded as notmal but with ipapermincludedattr and ipapermexcludedattr set to reflect the difference between the old default and the pre-existing permission.

Removing the global anonymous read ACI

After the permission updater successfully runs, it will look for an ACI named "Enable Anonymous access" in $SUFFIX, and remove it.

The update_anonymous_aci server update plugin will be removed.

ACI.txt

To ensure that permission changes are properly reviewed, a summary file similar to API.txt will be generated, and it will be checked on each build.

It will contain a summary of the default managed permissions.

A makeaci script similar to makeapi will be provided and called to check the file on each build.

Implementation

No additional requirements or changes discovered during the implementation phase.

Feature Managment

UI

The immutable aspects of Managed permissions are grayed out in the Web UI.

CLI

See the CLI & API section in Design.

Major configuration options and enablement

Access control is configured via the existing RBAC system.

Replication

N/A, ACIs and permissions are replicated.

Updates and Upgrades

Old servers will not be able to modify Managed permissions, except adding/removing them to/from prigileges. Details are in Permissions V2, which will be implemented in the same release. Managed permissions use the MANAGED flag.

Installations with customized ACIs will need some extra care when upgrading, as detailed in Upgrade considerations above. (But note that IPA's upgrade behavior wrt modified default permissions has always been underspecified and likely surprising.)

Dependencies

No new package and library dependencies.

External Impact

Tests and documentation need to be written.

Backup and Restore

ACIs, permissions, privileges and roles are already included in backup & restore.

Test Plan

Test managed permissions

Implemented in ipatests.test_xmlrpc.test_permission_plugin.test_managed_permissions

Like other tests in the test_xmlrpc suite, these tests should run on a clean IPA installation, or possibly after other similar tests.

First, create a managed permission entry as follows:

dn: cn=testperm,cn=permissions,cn=pbac,$SUFFIX
cn: testperm
ipaPermBindRuleType: permission
ipaPermDefaultAttr: cn
ipaPermDefaultAttr: l
ipaPermDefaultAttr: o
ipaPermLocation: cn=users,cn=accounts,$SUFFIX
ipaPermRight: write
ipaPermTarget: uid=*,cn=users,cn=accounts,$SUFFIX
ipaPermissionType: SYSTEM
ipaPermissionType: V2
ipaPermissionType: MANAGED
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top

This corresponds to ipa permission-add permission1 --type=user permissions=write, with added ipaPermissionType of MANAGED, and ipaPermDefaultAttr of cn, l, and o.

Also create the corresponding ACI at cn=users,cn=accounts,$SUFFIX:

(targetattr = "cn || l || o")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:testperm";allow (write) groupdn = "ldap:///cn=testperm,cn=permissions,cn=pbac,$SUFFIX";)

The first two tests check that this preparation was successful.

ipa permission_show testperm --all

  dn: cn=testperm,cn=permissions,cn=pbac,$SUFFIX
  Permission name: testperm
  Permissions: write
  Effective attributes: l, o, cn
  Bind rule type: permission
  Subtree: cn=users,cn=accounts,$SUFFIX
  ACI target DN: uid=*,cn=users,cn=accounts,$SUFFIX
  Type: user
  Default attributes: l, o, cn
  ipapermissiontype: SYSTEM, V2, MANAGED
  objectclass: groupofnames, ipapermission, top, ipapermissionv2

(targetattr = "cn || l || o")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:testperm";allow (write) groupdn = "ldap:///cn=testperm,cn=permissions,cn=pbac,$SUFFIX";)

ipa permission_mod testperm --subtree='cn=users,cn=accounts,$SUFFIX'

invalid 'ipapermlocation': not modifiable on managed permissions

ipa permission_mod testperm --permissions=compare

invalid 'ipapermright': not modifiable on managed permissions

ipa permission_mod testperm --target='cn=users,cn=accounts,$SUFFIX'

invalid 'ipapermtarget': not modifiable on managed permissions

ipa permission_mod testperm --filter='(ou=engineering)'

invalid 'ipapermtargetfilter': not modifiable on managed permissions

ipa permission_mod testperm --memberof=admins

invalid 'ipapermtargetfilter': not modifiable on managed permissions

ipa permission_mod testperm --targetgroup=admins

invalid 'ipapermtarget': not modifiable on managed permissions

ipa permission_mod testperm --type=group

invalid 'ipapermlocation': not modifiable on managed permissions

ipa permission_mod testperm --rename=testperm2

invalid 'rename': cannot rename managed permissions

(targetattr = "cn || l || o")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:testperm";allow (write) groupdn = "ldap:///cn=testperm,cn=permissions,cn=pbac,$SUFFIX";)

ipa permission_mod testperm --all --includedattrs=dc --excludedattrs=cn

------------------------------
Modified permission "testperm"
------------------------------
  dn: cn=testperm,cn=permissions,cn=pbac,$SUFFIX
  Permission name: testperm
  Permissions: write
  Effective attributes: l, o, dc
  Excluded attributes: cn
  Included attributes: dc
  Bind rule type: permission
  Subtree: cn=users,cn=accounts,$SUFFIX
  ACI target DN: uid=*,cn=users,cn=accounts,$SUFFIX
  Type: user
  Default attributes: l, o, cn
  ipapermissiontype: SYSTEM, V2, MANAGED
  objectclass: groupofnames, ipapermission, top, ipapermissionv2

(targetattr = "dc || l || o")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:testperm";allow (write) groupdn = "ldap:///cn=testperm,cn=permissions,cn=pbac,$SUFFIX";)

ipa permission_mod testperm --all --includedattrs={cn,sn}

------------------------------
Modified permission "testperm"
------------------------------
  dn: cn=testperm,cn=permissions,cn=pbac,$SUFFIX
  Permission name: testperm
  Permissions: write
  Effective attributes: l, o, sn
  Excluded attributes: cn
  Included attributes: cn, sn
  Bind rule type: permission
  Subtree: cn=users,cn=accounts,$SUFFIX
  ACI target DN: uid=*,cn=users,cn=accounts,$SUFFIX
  Type: user
  Default attributes: l, o, cn
  ipapermissiontype: SYSTEM, V2, MANAGED
  objectclass: groupofnames, ipapermission, top, ipapermissionv2

(targetattr = "l || o || sn")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:testperm";allow (write) groupdn = "ldap:///cn=testperm,cn=permissions,cn=pbac,$SUFFIX";)

ipa permission_mod testperm --all --includedattrs={cn,sn,o}

------------------------------
Modified permission "testperm"
------------------------------
  dn: cn=testperm,cn=permissions,cn=pbac,$SUFFIX
  Permission name: testperm
  Permissions: write
  Effective attributes: l, o, sn
  Excluded attributes: cn
  Included attributes: cn, sn, o
  Bind rule type: permission
  Subtree: cn=users,cn=accounts,$SUFFIX
  ACI target DN: uid=*,cn=users,cn=accounts,$SUFFIX
  Type: user
  Default attributes: l, o, cn
  ipapermissiontype: SYSTEM, V2, MANAGED
  objectclass: groupofnames, ipapermission, top, ipapermissionv2

(targetattr = "l || o || sn")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:testperm";allow (write) groupdn = "ldap:///cn=testperm,cn=permissions,cn=pbac,$SUFFIX";)

ipa permission_mod testperm --all --excludedattrs={cn,sn}

------------------------------
Modified permission "testperm"
------------------------------
  dn: cn=testperm,cn=permissions,cn=pbac,$SUFFIX
  Permission name: testperm
  Permissions: write
  Effective attributes: l, o
  Excluded attributes: cn, sn
  Included attributes: cn, sn, o
  Bind rule type: permission
  Subtree: cn=users,cn=accounts,$SUFFIX
  ACI target DN: uid=*,cn=users,cn=accounts,$SUFFIX
  Type: user
  Default attributes: l, o, cn
  ipapermissiontype: SYSTEM, V2, MANAGED
  objectclass: groupofnames, ipapermission, top, ipapermissionv2

(targetattr = "l || o")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:testperm";allow (write) groupdn = "ldap:///cn=testperm,cn=permissions,cn=pbac,$SUFFIX";)

ipa permission_mod testperm --bindtype=all

------------------------------
Modified permission "testperm"
------------------------------
  Permission name: testperm
  Permissions: write
  Effective attributes: l, o
  Excluded attributes: cn, sn
  Included attributes: cn, sn, o
  Bind rule type: all
  Subtree: cn=users,cn=accounts,$SUFFIX
  ACI target DN: uid=*,cn=users,cn=accounts,$SUFFIX
  Type: user
  Default attributes: l, o, cn

(targetattr = "l || o")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:testperm";allow (write) userdn = "ldap:///all";)

ipa permission_show testperm

  Permission name: testperm
  Permissions: write
  Effective attributes: l, o
  Excluded attributes: cn, sn
  Included attributes: cn, sn, o
  Bind rule type: all
  Subtree: cn=users,cn=accounts,$SUFFIX
  ACI target DN: uid=*,cn=users,cn=accounts,$SUFFIX
  Type: user
  Default attributes: l, o, cn

ipa permission_show testperm --all

  dn: cn=testperm,cn=permissions,cn=pbac,$SUFFIX
  Permission name: testperm
  Permissions: write
  Effective attributes: l, o
  Excluded attributes: cn, sn
  Included attributes: cn, sn, o
  Bind rule type: all
  Subtree: cn=users,cn=accounts,$SUFFIX
  ACI target DN: uid=*,cn=users,cn=accounts,$SUFFIX
  Type: user
  Default attributes: l, o, cn
  ipapermissiontype: SYSTEM, V2, MANAGED
  objectclass: groupofnames, ipapermission, top, ipapermissionv2

ipa permission_show testperm --raw

  cn: testperm
  ipapermright: write
  ipapermexcludedattr: cn
  ipapermexcludedattr: sn
  ipapermincludedattr: cn
  ipapermincludedattr: sn
  ipapermincludedattr: o
  ipapermbindruletype: all
  ipapermlocation: cn=users,cn=accounts,$SUFFIX
  ipapermtarget: uid=*,cn=users,cn=accounts,$SUFFIX
  aci: (targetattr = "l

ipa permission_mod testperm --attrs={l,o}

------------------------------
Modified permission "testperm"
------------------------------
  Permission name: testperm
  Permissions: write
  Effective attributes: l, o
  Excluded attributes: cn
  Bind rule type: all
  Subtree: cn=users,cn=accounts,$SUFFIX
  ACI target DN: uid=*,cn=users,cn=accounts,$SUFFIX
  Type: user
  Default attributes: l, o, cn

(targetattr = "l || o")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:testperm";allow (write) userdn = "ldap:///all";)

ipa permission_mod testperm --attrs={l,o,sn}

------------------------------
Modified permission "testperm"
------------------------------
  Permission name: testperm
  Permissions: write
  Effective attributes: l, o, sn
  Excluded attributes: cn
  Included attributes: sn
  Bind rule type: all
  Subtree: cn=users,cn=accounts,$SUFFIX
  ACI target DN: uid=*,cn=users,cn=accounts,$SUFFIX
  Type: user
  Default attributes: l, o, cn

(targetattr = "l || o || sn")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:testperm";allow (write) userdn = "ldap:///all";)

ipa permission_mod testperm --attrs={l,o,sn,cn}

------------------------------
Modified permission "testperm"
------------------------------
  Permission name: testperm
  Permissions: write
  Effective attributes: l, o, sn, cn
  Included attributes: sn
  Bind rule type: all
  Subtree: cn=users,cn=accounts,$SUFFIX
  ACI target DN: uid=*,cn=users,cn=accounts,$SUFFIX
  Type: user
  Default attributes: l, o, cn

(targetattr = "cn || l || o || sn")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:testperm";allow (write) userdn = "ldap:///all";)

ipa permission_del testperm

Insufficient access: cannot delete managed permissions

ipa permission_del testperm --force

-----------------------------
Deleted permission "testperm"
-----------------------------

Cleanup

ipa permission_del testperm --force
ipa permission_del testperm2 --force

RFE Author

Petr Viktorin