Bug 36121

Summary: UMC-Server: ACL evaluation does not match settings/umc_operationset
Product: UCS
Reporter: Florian Best <best>
Component: UMC (Generic)
Assignee: UMC maintainers <umc-maintainers>
Status: RESOLVED WONTFIX
Severity: normal
Priority: P5
CC: klaeser
Version: UCS 4.0
Target Milestone: ---
Hardware: Other
OS: Linux
See Also: https://forge.univention.org/bugzilla/show_bug.cgi?id=25187
Bug group (optional): Cleanup

Description Florian Best univentionstaff 2014-10-10 11:22:33 CEST
A settings/umc_operationset currently consists of the two LDAP attributes:
'umcOperationSetCommand' (restriction on umc commands and option patterns)
'umcOperationSetFlavor' (restriction on module flavors)

The ACL evaluation of UMC knows another attribute (which will never exist):
'umcOperationSetHost' (allows restriction of specific hosts, system roles or univentionService entries)

We needed the restriction of a flavor to a specific systemrole now (system-setup certificate flavor). The current solution for this was a UCR template which deactivates the flavor on non-master roles.

We don't need this feature that often, so maybe the ACL evaluation should be simplified to remove the things which are not present in settings/umc_operationset.
Also: The restriction of hosts, systemrole and univentionService could be moved into the XML module(/flavor) definition. At least for the systemrole this would be good, as this is needed in practice. But it's not needed for specific ACLs.

This may also have advantages in performance; we had cases in big environments where ACL evaluation took a long time.

Comment 1 Stefan Gohmann univentionstaff 2019-01-03 07:16:25 CET
This issue has been filed against UCS 4.0. The maintenance with bug and security fixes for UCS 4.0 has ended on 31st of May 2016.

Customers still on UCS 4.0 are encouraged to update to UCS 4.3. Please contact
your partner or Univention for any questions.

If this issue still occurs in newer UCS versions, please use "Clone this bug" or simply reopen the issue. In this case please provide detailed information on how this issue is affecting you.