Bug 58649 - Update policy format (delegative administration)
Summary: Update policy format (delegative administration)
Status: CLOSED FIXED
Alias: None
Product: UCS
Classification: Unclassified
Component: UDM (Generic)
Version: UCS 5.2
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 5.2-3-errata
Assignee: Felix Botner
QA Contact: Florian Best
URL: https://git.knut.univention.de/univen...
Keywords:
Depends on:
Blocks:
 
Reported: 2025-09-18 10:58 CEST by Felix Botner
Modified: 2025-11-06 13:41 CET

See Also:
What kind of report is it?: Development Internal
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Customer ID:
Max CVSS v3 score:


Attachments

Description Felix Botner univentionstaff 2025-09-18 10:58:42 CEST
- remove '{context}'
- ucr templating for position
- rename named_condition to condition
- evaluate context position as is
Comment 1 Felix Botner univentionstaff 2025-09-23 08:53:15 CEST
univention-directory-manager-modules (17.3.0)
00d21fe5d94c6d160925d0a233edcfa4b78f8953 | chore(udm): update advisory
Comment 2 Florian Best univentionstaff 2025-09-23 12:50:11 CEST
The following changes have been done:

1. In `guardianRoles` the UDM position context now needs to include the whole LDAP base (to be future-compatible with e.g. `cn=internal`):
Prior: `&udm:contexts:position=ou=bremen`
After: `&udm:contexts:position=ou=bremen,dc=ucs,dc=org`

2. The context is no longer a format-string placeholder in the policy language:

Before:
```
access by role="udm:default-roles:organizational-unit-admin" context="udm:contexts:position"
  to objecttype="users/user" position.subtree="{context}"
```

Afterwards:
```
access by role="udm:default-roles:organizational-unit-admin"
  to objecttype="users/user" position.subtree="context=udm:contexts:position"
```

So we can treat it like a special DN with length 1 and the RDN attribute `context`.
It makes it explicit that the role is not bound to a context but only the current capability/privilege.
That makes it easier in the future to create UDM objects out of the policy description language.

univention-directory-manager-modules.yaml
00d21fe5d94c | chore(udm): update advisory

univention-directory-manager-modules (17.3.1)
7ccfbc85eb8e | feat(udm): policy format changes

univention-directory-manager-modules (17.3.0)
e3ae5339e006 | docs(udm): fix typos in Guardian concept docs
59f528f88cec | style(udm-authorization): give privileges explicit names

univention-authorization.yaml
aa5b682f379e | chore(authorization): update advisory

univention-authorization (1.1.0)
ddec471d384a | feat(authorization): evaluate context position as is
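As an added illustration of the post-change evaluation described in comment 2 (not code from univention-authorization, univention-directory-manager-modules or any other Univention package), here is a small Python model of the "Afterwards" rule. It assumes a `guardianRoles` value of the shape `<role>&<context-name>=<context-value>` (only the `&udm:contexts:position=...` suffix appears in the comment; the rest of the shape is an assumption), treats `context=udm:contexts:position` as the one-component pseudo-DN with RDN attribute `context`, resolves it to the role's context value as is (nothing appended), and performs the `position.subtree` test RDN by RDN. The UCR templating of the position mentioned in the description is not modelled; the DN handling is deliberately simplified and does not implement the full RFC 4514 grammar.

```python
import re

# Constructed sample input (not taken from the bug report). The guardianRoles
# value is assumed to look like "<role>&<context-name>=<context-value>"; only
# the "&udm:contexts:position=..." suffix is shown in the comment above.
GUARDIAN_ROLES = [
    "udm:default-roles:organizational-unit-admin"
    "&udm:contexts:position=ou=bremen,dc=ucs,dc=org",
]

# The "Afterwards" rule as a plain dict (hypothetical representation, not the
# project's own parser output).
RULE = {
    "role": "udm:default-roles:organizational-unit-admin",
    "objecttype": "users/user",
    "position.subtree": "context=udm:contexts:position",
}


def split_dn(dn):
    """Split a DN into normalised RDN strings, right-most component last.

    Handles backslash-escaped commas ("cn=Doe\\, John") and ignores case and
    surrounding whitespace. Simplified: not the full RFC 4514 grammar.
    """
    return [rdn.strip().lower() for rdn in re.split(r"(?<!\\),", dn)]


def parse_guardian_role(value):
    """Split "role&name=value" into (role, {name: value}).

    A value without "&" carries no context. Only the first "=" separates the
    context name from its value, so a DN value keeps its own "=" signs.
    """
    role, _, context = value.partition("&")
    contexts = {}
    if context:
        name, _, ctx_value = context.partition("=")
        contexts[name] = ctx_value
    return role, contexts


def resolve_subtree(spec, contexts):
    """Resolve the position.subtree operand of a rule.

    "context=<name>" is the one-component pseudo-DN with RDN attribute
    "context" described in comment 2. It is replaced by the role's context
    value *as is*: nothing, in particular no LDAP base, is appended, which is
    why the guardianRoles value must now carry the full DN. Any other operand
    is a literal DN. Returns None when the role carries no such context, so a
    role without a position context can never satisfy this rule.
    """
    rdns = split_dn(spec)
    if len(rdns) == 1 and rdns[0].startswith("context="):
        name = spec.partition("=")[2].strip()
        return contexts.get(name)
    return spec


def in_subtree(position, subtree):
    """True iff position equals subtree or lies below it.

    Compared RDN by RDN from the right, so the match can only happen on a
    component boundary: a plain string suffix test would wrongly accept the
    position "cn=ou=bremen,dc=ucs,dc=org" (an RDN whose *value* is
    "ou=bremen") for the subtree "ou=bremen,dc=ucs,dc=org".
    """
    pos, sub = split_dn(position), split_dn(subtree)
    return len(pos) >= len(sub) and pos[-len(sub):] == sub


def allowed(guardian_roles, rule, objecttype, position):
    """Evaluate one access rule against a subject's guardianRoles values."""
    if objecttype != rule["objecttype"]:
        return False
    for value in guardian_roles:
        role, contexts = parse_guardian_role(value)
        if role != rule["role"]:
            continue
        subtree = resolve_subtree(rule["position.subtree"], contexts)
        if subtree is not None and in_subtree(position, subtree):
            return True
    return False


if __name__ == "__main__":
    # A user below ou=bremen is covered; the same role with the pre-change
    # short context "ou=bremen" is not, because the value is taken as is.
    print(allowed(GUARDIAN_ROLES, RULE, "users/user",
                  "cn=users,ou=bremen,dc=ucs,dc=org"))
    old = ["udm:default-roles:organizational-unit-admin"
           "&udm:contexts:position=ou=bremen"]
    print(allowed(old, RULE, "users/user",
                  "cn=users,ou=bremen,dc=ucs,dc=org"))
```

The second call in the usage block is the practical consequence of change 1: a `guardianRoles` entry that still carries only `ou=bremen` is compared as a one-component DN against the object's full position and no longer matches, so existing role assignments have to be migrated to the full DN rather than silently widened or narrowed.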
Comment 3 Florian Best univentionstaff 2025-09-25 11:49:51 CEST
OK: YAML
OK: policy changes
OK: documentation changes
Comment 5 Florian Best univentionstaff 2025-11-06 13:41:30 CET
The placeholder "ldap_base" was changed to "ldap/base".

univention-directory-manager-modules (17.3.1)
7ccfbc85eb8e | feat(udm): policy format changes
e3ae5339e006 | docs(udm): fix typos in Guardian concept docs
59f528f88cec | style(udm-authorization): give privileges explicit names

univention-authorization.yaml
aa5b682f379e | chore(authorization): update advisory

univention-authorization (1.1.0)
ddec471d384a | feat(authorization): evaluate context position as is