Univention Bugzilla – Bug 36121
UMC-Server: ACL evaluation does not match settings/umc_operationset
Last modified: 2019-01-03 07:16:25 CET
A settings/umc_operationset currently consists of the two LDAP attributes:
'umcOperationSetCommand' (restriction on UMC commands and option patterns)
'umcOperationSetFlavor' (restriction on module flavors)

The ACL evaluation of UMC knows another attribute (which will never exist):
'umcOperationSetHost' (allows restriction of specific hosts, system roles or univentionService entries)

We needed the restriction of a flavor to a specific system role now (system-setup certificate flavor). The current solution for this was a UCR template which deactivates the flavor on non-master roles.

We don't need this feature that often, so maybe the ACL evaluation should be simplified to remove the things which are not present in settings/umc_operationset.

Also: The restriction of hosts, system role and univentionService could be moved into the XML module(/flavor) definition. At least for the system role this would be good, as this is needed in practice. But it's not needed for specific ACLs.

This may also have advantages in performance; we had cases in big environments where ACL evaluation took a long time.
This issue has been filed against UCS 4.0.

The maintenance with bug and security fixes for UCS 4.0 ended on 31st of May 2016.

Customers still on UCS 4.0 are encouraged to update to UCS 4.3. Please contact your partner or Univention for any questions.

If this issue still occurs in newer UCS versions, please use "Clone this bug" or simply reopen the issue. In this case please provide detailed information on how this issue is affecting you.