Update to 1.7.0-dev

Cargo.lock

@@ -1010,7 +1010,7 @@ dependencies = [
 
 [[package]]
 name = "daemon"
-version = "1.6.0-dev"
+version = "1.7.0-dev"
 dependencies = [
  "clap",
  "clap_complete",
@@ -3012,7 +3012,7 @@ dependencies = [
 
 [[package]]
 name = "kanidm-ipa-sync"
-version = "1.6.0-dev"
+version = "1.7.0-dev"
 dependencies = [
  "chrono",
  "clap",
@@ -3036,7 +3036,7 @@ dependencies = [
 
 [[package]]
 name = "kanidm-ldap-sync"
-version = "1.6.0-dev"
+version = "1.7.0-dev"
 dependencies = [
  "chrono",
  "clap",
@@ -3061,7 +3061,7 @@ dependencies = [
 
 [[package]]
 name = "kanidm_build_profiles"
-version = "1.6.0-dev"
+version = "1.7.0-dev"
 dependencies = [
  "base64 0.22.1",
  "gix",
@@ -3072,7 +3072,7 @@ dependencies = [
 
 [[package]]
 name = "kanidm_client"
-version = "1.6.0-dev"
+version = "1.7.0-dev"
 dependencies = [
  "compact_jwt",
  "http 1.3.1",
@@ -3094,7 +3094,7 @@ dependencies = [
 
 [[package]]
 name = "kanidm_device_flow"
-version = "1.6.0-dev"
+version = "1.7.0-dev"
 dependencies = [
  "anyhow",
  "kanidm_proto",
@@ -3107,7 +3107,7 @@ dependencies = [
 
 [[package]]
 name = "kanidm_lib_crypto"
-version = "1.6.0-dev"
+version = "1.7.0-dev"
 dependencies = [
  "argon2",
  "base64 0.22.1",
@@ -3130,14 +3130,14 @@ dependencies = [
 
 [[package]]
 name = "kanidm_lib_file_permissions"
-version = "1.6.0-dev"
+version = "1.7.0-dev"
 dependencies = [
  "kanidm_utils_users",
 ]
 
 [[package]]
 name = "kanidm_proto"
-version = "1.6.0-dev"
+version = "1.7.0-dev"
 dependencies = [
  "base32",
  "base64 0.22.1",
@@ -3163,7 +3163,7 @@ dependencies = [
 
 [[package]]
 name = "kanidm_tools"
-version = "1.6.0-dev"
+version = "1.7.0-dev"
 dependencies = [
  "anyhow",
  "clap",
@@ -3194,7 +3194,7 @@ dependencies = [
 
 [[package]]
 name = "kanidm_unix_common"
-version = "1.6.0-dev"
+version = "1.7.0-dev"
 dependencies = [
  "bytes",
  "csv",
@@ -3215,7 +3215,7 @@ dependencies = [
 
 [[package]]
 name = "kanidm_unix_int"
-version = "1.6.0-dev"
+version = "1.7.0-dev"
 dependencies = [
  "async-trait",
  "bytes",
@@ -3256,14 +3256,14 @@ dependencies = [
 
 [[package]]
 name = "kanidm_utils_users"
-version = "1.6.0-dev"
+version = "1.7.0-dev"
 dependencies = [
  "libc",
 ]
 
 [[package]]
 name = "kanidmd_core"
-version = "1.6.0-dev"
+version = "1.7.0-dev"
 dependencies = [
  "askama",
  "askama_axum",
@@ -3319,7 +3319,7 @@ dependencies = [
 
 [[package]]
 name = "kanidmd_lib"
-version = "1.6.0-dev"
+version = "1.7.0-dev"
 dependencies = [
  "base64 0.22.1",
  "base64urlsafedata",
@@ -3371,7 +3371,7 @@ dependencies = [
 
 [[package]]
 name = "kanidmd_lib_macros"
-version = "1.6.0-dev"
+version = "1.7.0-dev"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -3380,7 +3380,7 @@ dependencies = [
 
 [[package]]
 name = "kanidmd_testkit"
-version = "1.6.0-dev"
+version = "1.7.0-dev"
 dependencies = [
  "compact_jwt",
  "escargot",
@@ -3921,7 +3921,7 @@ checksum = "5e0826a989adedc2a244799e823aece04662b66609d96af8dff7ac6df9a8925d"
 
 [[package]]
 name = "nss_kanidm"
-version = "1.6.0-dev"
+version = "1.7.0-dev"
 dependencies = [
  "cc",
  "kanidm_unix_common",
@@ -4286,7 +4286,7 @@ checksum = "04744f49eae99ab78e0d5c0b603ab218f515ea8cfe5a456d7629ad883a3b6e7d"
 
 [[package]]
 name = "orca"
-version = "1.6.0-dev"
+version = "1.7.0-dev"
 dependencies = [
  "async-trait",
  "chrono",
@@ -4323,7 +4323,7 @@ checksum = "b15813163c1d831bf4a13c3610c05c0d03b39feb07f7e09fa234dac9b15aaf39"
 
 [[package]]
 name = "pam_kanidm"
-version = "1.6.0-dev"
+version = "1.7.0-dev"
 dependencies = [
  "kanidm_unix_common",
  "libc",
@@ -5207,7 +5207,7 @@ dependencies = [
 
 [[package]]
 name = "scim_proto"
-version = "1.6.0-dev"
+version = "1.7.0-dev"
 dependencies = [
  "base64urlsafedata",
  "peg",
@@ -5512,7 +5512,7 @@ dependencies = [
 
 [[package]]
 name = "sketching"
-version = "1.6.0-dev"
+version = "1.7.0-dev"
 dependencies = [
  "num_enum",
  "opentelemetry",

Cargo.toml

@@ -1,5 +1,5 @@
 [workspace.package]
-version = "1.6.0-dev"
+version = "1.7.0-dev"
 authors = [
     "William Brown <william@blackhats.net.au>",
     "James Hodgkinson <james@terminaloutcomes.com>",
@@ -128,20 +128,20 @@ sshkeys = { git = "https://github.com/Firstyear/rust-sshkeys.git", rev = "3a081c
 compact_jwt = { git = "https://github.com/Firstyear/compact-jwt.git", rev = "b3d2b5700cfe567d384c81df35d25537fbf7f110" }
 
 [workspace.dependencies]
-kanidmd_core = { path = "./server/core", version = "=1.6.0-dev" }
-kanidmd_lib = { path = "./server/lib", version = "=1.6.0-dev" }
-kanidmd_lib_macros = { path = "./server/lib-macros", version = "=1.6.0-dev" }
-kanidmd_testkit = { path = "./server/testkit", version = "=1.6.0-dev" }
-kanidm_build_profiles = { path = "./libs/profiles", version = "=1.6.0-dev" }
-kanidm_client = { path = "./libs/client", version = "=1.6.0-dev" }
+kanidmd_core = { path = "./server/core", version = "=1.7.0-dev" }
+kanidmd_lib = { path = "./server/lib", version = "=1.7.0-dev" }
+kanidmd_lib_macros = { path = "./server/lib-macros", version = "=1.7.0-dev" }
+kanidmd_testkit = { path = "./server/testkit", version = "=1.7.0-dev" }
+kanidm_build_profiles = { path = "./libs/profiles", version = "=1.7.0-dev" }
+kanidm_client = { path = "./libs/client", version = "=1.7.0-dev" }
 kanidm-hsm-crypto = "^0.2.0"
-kanidm_lib_crypto = { path = "./libs/crypto", version = "=1.6.0-dev" }
-kanidm_lib_file_permissions = { path = "./libs/file_permissions", version = "=1.6.0-dev" }
-kanidm_proto = { path = "./proto", version = "=1.6.0-dev" }
-kanidm_unix_common = { path = "./unix_integration/common", version = "=1.6.0-dev" }
-kanidm_utils_users = { path = "./libs/users", version = "=1.6.0-dev" }
-scim_proto = { path = "./libs/scim_proto", version = "=1.6.0-dev" }
-sketching = { path = "./libs/sketching", version = "=1.6.0-dev" }
+kanidm_lib_crypto = { path = "./libs/crypto", version = "=1.7.0-dev" }
+kanidm_lib_file_permissions = { path = "./libs/file_permissions", version = "=1.7.0-dev" }
+kanidm_proto = { path = "./proto", version = "=1.7.0-dev" }
+kanidm_unix_common = { path = "./unix_integration/common", version = "=1.7.0-dev" }
+kanidm_utils_users = { path = "./libs/users", version = "=1.7.0-dev" }
+scim_proto = { path = "./libs/scim_proto", version = "=1.7.0-dev" }
+sketching = { path = "./libs/sketching", version = "=1.7.0-dev" }
 
 anyhow = { version = "1.0.98" }
 argon2 = { version = "0.5.3", features = ["alloc"] }

server/lib/src/constants/mod.rs

@@ -65,6 +65,10 @@ pub const DOMAIN_LEVEL_10: DomainVersion = 10;
 /// Deprecated as of 1.9.0
 pub const DOMAIN_LEVEL_11: DomainVersion = 11;
 
+/// Domain Level introduced with 1.8.0.
+/// Deprecated as of 1.10.0
+pub const DOMAIN_LEVEL_12: DomainVersion = 12;
+
 // The minimum level that we can re-migrate from.
 // This should be DOMAIN_TGT_LEVEL minus 2
 pub const DOMAIN_MIN_REMIGRATION_LEVEL: DomainVersion = DOMAIN_LEVEL_8;
@@ -76,13 +80,13 @@ pub const DOMAIN_PREVIOUS_TGT_LEVEL: DomainVersion = DOMAIN_TGT_LEVEL - 1;
 // the NEXT level that users will upgrade too. In other words if we are
 // developing 1.6.0-dev, then we need to set TGT_LEVEL to 10 which is
 // the corresponding level.
-pub const DOMAIN_TGT_LEVEL: DomainVersion = DOMAIN_LEVEL_10;
+pub const DOMAIN_TGT_LEVEL: DomainVersion = DOMAIN_LEVEL_11;
 // The current patch level if any out of band fixes are required.
 pub const DOMAIN_TGT_PATCH_LEVEL: u32 = PATCH_LEVEL_2;
 // The target domain functional level for the SUBSEQUENT release/dev cycle.
 pub const DOMAIN_TGT_NEXT_LEVEL: DomainVersion = DOMAIN_TGT_LEVEL + 1;
 // The maximum supported domain functional level
-pub const DOMAIN_MAX_LEVEL: DomainVersion = DOMAIN_LEVEL_11;
+pub const DOMAIN_MAX_LEVEL: DomainVersion = DOMAIN_LEVEL_12;
 
 // On test builds define to 60 seconds
 #[cfg(test)]

server/lib/src/migration_data/dl11/accounts.rs

@@ -0,0 +1,35 @@
+//! Constant Entries for the IDM
+use crate::constants::uuids::*;
+use crate::migration_data::types::BuiltinAccount;
+use kanidm_proto::v1::AccountType;
+
+lazy_static! {
+    /// Builtin System Admin account.
+    pub static ref BUILTIN_ACCOUNT_IDM_ADMIN: BuiltinAccount = BuiltinAccount {
+        account_type: AccountType::ServiceAccount,
+        entry_managed_by: None,
+        name: "idm_admin",
+        uuid: UUID_IDM_ADMIN,
+        description: "Builtin IDM Admin account.",
+        displayname: "IDM Administrator",
+    };
+
+    /// Builtin System Admin account.
+    pub static ref BUILTIN_ACCOUNT_ADMIN: BuiltinAccount = BuiltinAccount {
+        account_type: AccountType::ServiceAccount,
+        entry_managed_by: None,
+        name: "admin",
+        uuid: UUID_ADMIN,
+        description: "Builtin System Admin account.",
+        displayname: "System Administrator",
+    };
+
+    pub static ref BUILTIN_ACCOUNT_ANONYMOUS_DL6: BuiltinAccount = BuiltinAccount {
+        account_type: AccountType::ServiceAccount,
+        entry_managed_by: Some(UUID_IDM_ADMINS),
+        name: "anonymous",
+        uuid: UUID_ANONYMOUS,
+        description: "Anonymous access account.",
+        displayname: "Anonymous",
+    };
+}

server/lib/src/migration_data/dl11/groups.rs

@@ -0,0 +1,408 @@
+use crate::entry::EntryInitNew;
+use crate::prelude::*;
+use crate::value::CredentialType;
+
+use kanidm_proto::internal::{Filter, OperationError, UiHint};
+
+#[derive(Clone, Debug, Default)]
+/// Built-in group definitions
+pub struct BuiltinGroup {
+    pub name: &'static str,
+    pub description: &'static str,
+    pub uuid: uuid::Uuid,
+    pub members: Vec<uuid::Uuid>,
+    pub entry_managed_by: Option<uuid::Uuid>,
+    pub dyngroup: bool,
+    pub dyngroup_filter: Option<Filter>,
+    pub extra_attributes: Vec<(Attribute, Value)>,
+}
+
+impl TryFrom<BuiltinGroup> for EntryInitNew {
+    type Error = OperationError;
+
+    fn try_from(val: BuiltinGroup) -> Result<Self, OperationError> {
+        let mut entry = EntryInitNew::new();
+
+        if val.uuid >= DYNAMIC_RANGE_MINIMUM_UUID {
+            error!("Builtin ACP has invalid UUID! {:?}", val);
+            return Err(OperationError::InvalidUuid);
+        }
+
+        entry.add_ava(Attribute::Name, Value::new_iname(val.name));
+        entry.add_ava(Attribute::Description, Value::new_utf8s(val.description));
+        // classes for groups
+        entry.set_ava(
+            Attribute::Class,
+            vec![EntryClass::Group.into(), EntryClass::Object.into()],
+        );
+        if val.dyngroup {
+            if !val.members.is_empty() {
+                return Err(OperationError::InvalidSchemaState(format!(
+                    "Builtin dyngroup {} has members specified, this is not allowed",
+                    val.name
+                )));
+            }
+            entry.add_ava(Attribute::Class, EntryClass::DynGroup.to_value());
+            match val.dyngroup_filter {
+                Some(filter) => entry.add_ava(Attribute::DynGroupFilter, Value::JsonFilt(filter)),
+                None => {
+                    error!(
+                        "No filter specified for dyngroup '{}' this is going to break things!",
+                        val.name
+                    );
+                    return Err(OperationError::FilterGeneration);
+                }
+            };
+        }
+
+        if let Some(entry_manager) = val.entry_managed_by {
+            entry.add_ava(Attribute::EntryManagedBy, Value::Refer(entry_manager));
+        }
+
+        entry.add_ava(Attribute::Uuid, Value::Uuid(val.uuid));
+        entry.set_ava(
+            Attribute::Member,
+            val.members
+                .into_iter()
+                .map(Value::Refer)
+                .collect::<Vec<Value>>(),
+        );
+        // add any extra attributes
+        val.extra_attributes
+            .into_iter()
+            .for_each(|(attr, val)| entry.add_ava(attr, val));
+        // all done!
+        Ok(entry)
+    }
+}
+
+lazy_static! {
+    // There are our built in "roles". They encapsulate some higher level collections
+    // of roles. The intent is to allow a pretty generic and correct by default set
+    // of these use cases.
+    pub static ref BUILTIN_GROUP_SYSTEM_ADMINS_V1: BuiltinGroup = BuiltinGroup {
+        name: NAME_SYSTEM_ADMINS,
+        description: "Builtin System Administrators Group.",
+        uuid: UUID_SYSTEM_ADMINS,
+        entry_managed_by: Some(UUID_SYSTEM_ADMINS),
+        members: vec![UUID_ADMIN],
+        ..Default::default()
+    };
+
+    pub static ref BUILTIN_GROUP_IDM_ADMINS_V1: BuiltinGroup = BuiltinGroup {
+        name: NAME_IDM_ADMINS,
+        description: "Builtin IDM Administrators Group.",
+        uuid: UUID_IDM_ADMINS,
+        entry_managed_by: Some(UUID_IDM_ADMINS),
+        members: vec![UUID_IDM_ADMIN],
+        ..Default::default()
+    };
+
+    pub static ref BUILTIN_GROUP_SERVICE_DESK: BuiltinGroup = BuiltinGroup {
+        name: "idm_service_desk",
+        description: "Builtin Service Desk Group.",
+        uuid: UUID_IDM_SERVICE_DESK,
+        entry_managed_by: Some(UUID_IDM_ADMINS),
+        members: vec![],
+        ..Default::default()
+    };
+}
+
+lazy_static! {
+    // These are the "finer" roles. They encapsulate different concepts in the system.
+    // The next section is the "system style" roles. These adjust the operation of
+    // kanidm and relate to it's internals and how it functions.
+    pub static ref BUILTIN_GROUP_RECYCLE_BIN_ADMINS: BuiltinGroup = BuiltinGroup {
+        name: "idm_recycle_bin_admins",
+        description: "Builtin Recycle Bin Administrators Group.",
+        uuid: UUID_IDM_RECYCLE_BIN_ADMINS,
+        entry_managed_by: Some(UUID_SYSTEM_ADMINS),
+        members: vec![UUID_SYSTEM_ADMINS],
+        ..Default::default()
+    };
+
+    /// Builtin IDM Group for granting local domain administration rights and trust administration rights
+    pub static ref BUILTIN_GROUP_DOMAIN_ADMINS: BuiltinGroup = BuiltinGroup {
+        name: "domain_admins",
+        description: "Builtin IDM Group for granting local domain administration rights and trust administration rights.",
+        uuid: UUID_DOMAIN_ADMINS,
+        entry_managed_by: Some(UUID_SYSTEM_ADMINS),
+        members: vec![UUID_SYSTEM_ADMINS],
+        ..Default::default()
+    };
+
+    pub static ref BUILTIN_GROUP_SCHEMA_ADMINS: BuiltinGroup = BuiltinGroup {
+        name: "idm_schema_admins",
+        description: "Builtin Schema Administration Group.",
+        uuid: UUID_IDM_SCHEMA_ADMINS,
+        entry_managed_by: Some(UUID_SYSTEM_ADMINS),
+        members: vec![UUID_SYSTEM_ADMINS],
+        ..Default::default()
+    };
+
+    pub static ref BUILTIN_GROUP_ACCESS_CONTROL_ADMINS: BuiltinGroup = BuiltinGroup {
+        name: "idm_access_control_admins",
+        description: "Builtin Access Control Administration Group.",
+        entry_managed_by: Some(UUID_SYSTEM_ADMINS),
+        uuid: UUID_IDM_ACCESS_CONTROL_ADMINS,
+        members: vec![UUID_SYSTEM_ADMINS],
+        ..Default::default()
+    };
+
+    // These are the IDM roles. They concern application integration, user permissions
+    // and credential security management.
+
+    /// Builtin IDM Group for managing persons and their account details
+    pub static ref BUILTIN_GROUP_PEOPLE_ADMINS: BuiltinGroup = BuiltinGroup {
+        name: "idm_people_admins",
+        description: "Builtin People Administration Group.",
+        uuid: UUID_IDM_PEOPLE_ADMINS,
+        entry_managed_by: Some(UUID_IDM_ADMINS),
+        members: vec![UUID_IDM_ADMINS],
+        ..Default::default()
+    };
+
+    pub static ref BUILTIN_GROUP_PEOPLE_ON_BOARDING: BuiltinGroup = BuiltinGroup {
+        name: "idm_people_on_boarding",
+        description: "Builtin People On Boarding Group.",
+        uuid: UUID_IDM_PEOPLE_ON_BOARDING,
+        entry_managed_by: Some(UUID_IDM_ADMINS),
+        members: vec![],
+        ..Default::default()
+    };
+
+    /// Builtin IDM Group for granting elevated people (personal data) read permissions.
+    pub static ref BUILTIN_GROUP_PEOPLE_PII_READ: BuiltinGroup = BuiltinGroup {
+        name: NAME_IDM_PEOPLE_PII_READ,
+        description: "Builtin IDM Group for granting elevated people (personal data) read permissions.",
+        uuid: UUID_IDM_PEOPLE_PII_READ,
+        entry_managed_by: Some(UUID_IDM_ADMINS),
+        members: vec![],
+        ..Default::default()
+    };
+
+    /// Builtin IDM Group for granting people the ability to write to their own name attributes.
+    pub static ref BUILTIN_GROUP_PEOPLE_SELF_NAME_WRITE_DL7: BuiltinGroup = BuiltinGroup {
+        name: "idm_people_self_name_write",
+        description: "Builtin IDM Group denoting users that can write to their own name attributes.",
+        uuid: UUID_IDM_PEOPLE_SELF_NAME_WRITE,
+        entry_managed_by: Some(UUID_IDM_ADMINS),
+        members: vec![
+            UUID_IDM_ALL_PERSONS
+        ],
+        ..Default::default()
+    };
+
+    pub static ref BUILTIN_GROUP_SERVICE_ACCOUNT_ADMINS: BuiltinGroup = BuiltinGroup {
+        name: "idm_service_account_admins",
+        description: "Builtin Service Account Administration Group.",
+        uuid: UUID_IDM_SERVICE_ACCOUNT_ADMINS,
+        entry_managed_by: Some(UUID_IDM_ADMINS),
+        members: vec![UUID_IDM_ADMINS],
+        ..Default::default()
+    };
+
+    /// Builtin IDM Group for managing oauth2 resource server integrations to this authentication domain.
+    pub static ref BUILTIN_GROUP_OAUTH2_ADMINS: BuiltinGroup = BuiltinGroup {
+        name: "idm_oauth2_admins",
+        description: "Builtin Oauth2 Integration Administration Group.",
+        uuid: UUID_IDM_OAUTH2_ADMINS,
+        entry_managed_by: Some(UUID_IDM_ADMINS),
+        members: vec![UUID_IDM_ADMINS],
+        ..Default::default()
+    };
+
+    pub static ref BUILTIN_GROUP_RADIUS_SERVICE_ADMINS: BuiltinGroup = BuiltinGroup {
+        name: "idm_radius_service_admins",
+        description: "Builtin Radius Administration Group.",
+        uuid: UUID_IDM_RADIUS_ADMINS,
+        entry_managed_by: Some(UUID_IDM_ADMINS),
+        members: vec![UUID_IDM_ADMINS],
+        ..Default::default()
+    };
+
+    /// Builtin IDM Group for RADIUS server access delegation.
+    pub static ref BUILTIN_IDM_RADIUS_SERVERS_V1: BuiltinGroup = BuiltinGroup {
+        name: "idm_radius_servers",
+        description: "Builtin IDM Group for RADIUS server access delegation.",
+        uuid: UUID_IDM_RADIUS_SERVERS,
+        entry_managed_by: Some(UUID_IDM_RADIUS_ADMINS),
+        members: vec![
+        ],
+        ..Default::default()
+    };
+
+    pub static ref BUILTIN_GROUP_MAIL_SERVICE_ADMINS_DL8: BuiltinGroup = BuiltinGroup {
+        name: "idm_mail_service_admins",
+        description: "Builtin Mail Server Administration Group.",
+        uuid: UUID_IDM_MAIL_ADMINS,
+        entry_managed_by: Some(UUID_IDM_ADMINS),
+        members: vec![UUID_IDM_ADMINS],
+        ..Default::default()
+    };
+
+    /// Builtin IDM Group for MAIL server Access delegation.
+    pub static ref BUILTIN_IDM_MAIL_SERVERS_DL8: BuiltinGroup = BuiltinGroup {
+        name: "idm_mail_servers",
+        description: "Builtin IDM Group for MAIL server access delegation.",
+        uuid: UUID_IDM_MAIL_SERVERS,
+        entry_managed_by: Some(UUID_IDM_MAIL_ADMINS),
+        members: vec![
+        ],
+        ..Default::default()
+    };
+
+    pub static ref BUILTIN_GROUP_ACCOUNT_POLICY_ADMINS: BuiltinGroup = BuiltinGroup {
+        name: "idm_account_policy_admins",
+        description: "Builtin Account Policy Administration Group.",
+        uuid: UUID_IDM_ACCOUNT_POLICY_ADMINS,
+        entry_managed_by: Some(UUID_IDM_ADMINS),
+        members: vec![UUID_IDM_ADMINS],
+        ..Default::default()
+    };
+
+    /// Builtin IDM Group for managing posix/unix attributes on groups and users.
+    pub static ref BUILTIN_GROUP_UNIX_ADMINS: BuiltinGroup = BuiltinGroup {
+        name: "idm_unix_admins",
+        description: "Builtin Unix Administration Group.",
+        uuid: UUID_IDM_UNIX_ADMINS,
+        entry_managed_by: Some(UUID_IDM_ADMINS),
+        members: vec![UUID_IDM_ADMINS],
+        ..Default::default()
+    };
+
+    /// Builtin IDM Group for managing client authentication certificates.
+    pub static ref BUILTIN_GROUP_CLIENT_CERTIFICATE_ADMINS_DL7: BuiltinGroup = BuiltinGroup {
+        name: "idm_client_certificate_admins",
+        description: "Builtin Client Certificate Administration Group.",
+        uuid: UUID_IDM_CLIENT_CERTIFICATE_ADMINS,
+        entry_managed_by: Some(UUID_IDM_ADMINS),
+        members: vec![UUID_IDM_ADMINS],
+        ..Default::default()
+    };
+
+    /// Builtin IDM Group for granting elevated group write and lifecycle permissions.
+    pub static ref IDM_GROUP_ADMINS_V1: BuiltinGroup = BuiltinGroup {
+        name: "idm_group_admins",
+        description: "Builtin IDM Group for granting elevated group write and lifecycle permissions.",
+        uuid: UUID_IDM_GROUP_ADMINS,
+        entry_managed_by: Some(UUID_IDM_ADMINS),
+        members: vec![UUID_IDM_ADMINS],
+        ..Default::default()
+    };
+
+    /// Self-write of mail
+    pub static ref IDM_PEOPLE_SELF_MAIL_WRITE_DL7: BuiltinGroup = BuiltinGroup {
+        name: "idm_people_self_mail_write",
+        description: "Builtin IDM Group for people accounts to update their own mail.",
+        uuid: UUID_IDM_PEOPLE_SELF_MAIL_WRITE,
+        members: Vec::with_capacity(0),
+        ..Default::default()
+    };
+}
+
+// at some point vs code just gives up on syntax highlighting inside lazy_static...
+lazy_static! {
+    pub static ref IDM_ALL_PERSONS: BuiltinGroup = BuiltinGroup {
+        name: "idm_all_persons",
+        description: "Builtin IDM dynamic group containing all persons.",
+        uuid: UUID_IDM_ALL_PERSONS,
+        members: Vec::with_capacity(0),
+        dyngroup: true,
+        dyngroup_filter: Some(
+            Filter::And(vec![
+                Filter::Eq(Attribute::Class.to_string(), EntryClass::Person.to_string()),
+                Filter::Eq(Attribute::Class.to_string(), EntryClass::Account.to_string()),
+            ])
+        ),
+        extra_attributes: vec![
+            // Enable account policy by default
+            (Attribute::Class, EntryClass::AccountPolicy.to_value()),
+            // Enforce this is a system protected object
+            (Attribute::Class, EntryClass::System.to_value()),
+            // MFA By Default
+            (Attribute::CredentialTypeMinimum, CredentialType::Mfa.into()),
+        ],
+        ..Default::default()
+    };
+
+    pub static ref IDM_ALL_ACCOUNTS: BuiltinGroup = BuiltinGroup {
+        name: NAME_IDM_ALL_ACCOUNTS,
+        description: "Builtin IDM dynamic group containing all entries that can authenticate.",
+        uuid: UUID_IDM_ALL_ACCOUNTS,
+        members: Vec::with_capacity(0),
+        dyngroup: true,
+        dyngroup_filter: Some(
+                Filter::Eq(Attribute::Class.to_string(), EntryClass::Account.to_string()),
+        ),
+        extra_attributes: vec![
+            // Enable account policy by default
+            (Attribute::Class, EntryClass::AccountPolicy.to_value()),
+            // Enforce this is a system protected object
+            (Attribute::Class, EntryClass::System.to_value()),
+        ],
+        ..Default::default()
+    };
+
+
+    pub static ref IDM_UI_ENABLE_EXPERIMENTAL_FEATURES: BuiltinGroup = BuiltinGroup {
+        name: "idm_ui_enable_experimental_features",
+        description: "Members of this group will have access to experimental web UI features.",
+        uuid: UUID_IDM_UI_ENABLE_EXPERIMENTAL_FEATURES,
+        entry_managed_by: Some(UUID_IDM_ADMINS),
+        extra_attributes: vec![
+            (Attribute::GrantUiHint, Value::UiHint(UiHint::ExperimentalFeatures))
+        ],
+        ..Default::default()
+    };
+
+    /// Members of this group will have access to read the mail attribute of all persons and service accounts.
+    pub static ref IDM_ACCOUNT_MAIL_READ: BuiltinGroup = BuiltinGroup {
+        name: "idm_account_mail_read",
+        description: "Members of this group will have access to read the mail attribute of all persons and service accounts.",
+        entry_managed_by: Some(UUID_IDM_ACCESS_CONTROL_ADMINS),
+        uuid: UUID_IDM_ACCOUNT_MAIL_READ,
+        ..Default::default()
+    };
+
+    /// This must be the last group to init to include the UUID of the other high priv groups.
+    pub static ref IDM_HIGH_PRIVILEGE_DL8: BuiltinGroup = BuiltinGroup {
+        name: "idm_high_privilege",
+        uuid: UUID_IDM_HIGH_PRIVILEGE,
+        entry_managed_by: Some(UUID_IDM_ACCESS_CONTROL_ADMINS),
+        description: "Builtin IDM provided groups with high levels of access that should be audited and limited in modification.",
+        members: vec![
+            UUID_SYSTEM_ADMINS,
+            UUID_IDM_ADMINS,
+            UUID_DOMAIN_ADMINS,
+            UUID_IDM_SERVICE_DESK,
+            UUID_IDM_RECYCLE_BIN_ADMINS,
+            UUID_IDM_SCHEMA_ADMINS,
+            UUID_IDM_ACCESS_CONTROL_ADMINS,
+            UUID_IDM_OAUTH2_ADMINS,
+            UUID_IDM_RADIUS_ADMINS,
+            UUID_IDM_ACCOUNT_POLICY_ADMINS,
+            UUID_IDM_RADIUS_SERVERS,
+            UUID_IDM_GROUP_ADMINS,
+            UUID_IDM_UNIX_ADMINS,
+            UUID_IDM_PEOPLE_PII_READ,
+            UUID_IDM_PEOPLE_ADMINS,
+            UUID_IDM_PEOPLE_ON_BOARDING,
+            UUID_IDM_SERVICE_ACCOUNT_ADMINS,
+            UUID_IDM_CLIENT_CERTIFICATE_ADMINS,
+            UUID_IDM_APPLICATION_ADMINS,
+            UUID_IDM_MAIL_ADMINS,
+            UUID_IDM_HIGH_PRIVILEGE,
+        ],
+        ..Default::default()
+    };
+
+    pub static ref BUILTIN_GROUP_APPLICATION_ADMINS_DL8: BuiltinGroup = BuiltinGroup {
+        name: "idm_application_admins",
+        uuid: UUID_IDM_APPLICATION_ADMINS,
+        description: "Builtin Application Administration Group.",
+        entry_managed_by: Some(UUID_IDM_ADMINS),
+        members: vec![UUID_IDM_ADMINS],
+        ..Default::default()
+    };
+}

server/lib/src/migration_data/dl11/key_providers.rs

@@ -0,0 +1,18 @@
+use crate::constants::entries::{Attribute, EntryClass};
+use crate::constants::uuids::UUID_KEY_PROVIDER_INTERNAL;
+use crate::entry::{Entry, EntryInit, EntryInitNew, EntryNew};
+use crate::value::Value;
+
+lazy_static! {
+    pub static ref E_KEY_PROVIDER_INTERNAL_DL6: EntryInitNew = entry_init!(
+        (Attribute::Class, EntryClass::Object.to_value()),
+        (Attribute::Class, EntryClass::KeyProvider.to_value()),
+        (Attribute::Class, EntryClass::KeyProviderInternal.to_value()),
+        (Attribute::Uuid, Value::Uuid(UUID_KEY_PROVIDER_INTERNAL)),
+        (Attribute::Name, Value::new_iname("key_provider_internal")),
+        (
+            Attribute::Description,
+            Value::new_utf8s("The default database internal cryptographic key provider.")
+        )
+    );
+}

server/lib/src/migration_data/dl11/mod.rs

@@ -0,0 +1,270 @@
+mod access;
+pub(super) mod accounts;
+mod groups;
+mod key_providers;
+mod schema;
+mod system_config;
+
+use self::access::*;
+use self::accounts::*;
+use self::groups::*;
+use self::key_providers::*;
+use self::schema::*;
+use self::system_config::*;
+
+use crate::prelude::EntryInitNew;
+use kanidm_proto::internal::OperationError;
+
+pub fn phase_1_schema_attrs() -> Vec<EntryInitNew> {
+    vec![
+        SCHEMA_ATTR_SYNC_CREDENTIAL_PORTAL.clone().into(),
+        SCHEMA_ATTR_SYNC_YIELD_AUTHORITY.clone().into(),
+        SCHEMA_ATTR_ACCOUNT_EXPIRE.clone().into(),
+        SCHEMA_ATTR_ACCOUNT_VALID_FROM.clone().into(),
+        SCHEMA_ATTR_API_TOKEN_SESSION.clone().into(),
+        SCHEMA_ATTR_AUTH_SESSION_EXPIRY.clone().into(),
+        SCHEMA_ATTR_AUTH_PRIVILEGE_EXPIRY.clone().into(),
+        SCHEMA_ATTR_AUTH_PASSWORD_MINIMUM_LENGTH.clone().into(),
+        SCHEMA_ATTR_BADLIST_PASSWORD.clone().into(),
+        SCHEMA_ATTR_CREDENTIAL_UPDATE_INTENT_TOKEN.clone().into(),
+        SCHEMA_ATTR_ATTESTED_PASSKEYS.clone().into(),
+        SCHEMA_ATTR_DOMAIN_DISPLAY_NAME.clone().into(),
+        SCHEMA_ATTR_DOMAIN_LDAP_BASEDN.clone().into(),
+        SCHEMA_ATTR_DOMAIN_NAME.clone().into(),
+        SCHEMA_ATTR_LDAP_ALLOW_UNIX_PW_BIND.clone().into(),
+        SCHEMA_ATTR_DOMAIN_SSID.clone().into(),
+        SCHEMA_ATTR_DOMAIN_TOKEN_KEY.clone().into(),
+        SCHEMA_ATTR_DOMAIN_UUID.clone().into(),
+        SCHEMA_ATTR_DYNGROUP_FILTER.clone().into(),
+        SCHEMA_ATTR_EC_KEY_PRIVATE.clone().into(),
+        SCHEMA_ATTR_ES256_PRIVATE_KEY_DER.clone().into(),
+        SCHEMA_ATTR_FERNET_PRIVATE_KEY_STR.clone().into(),
+        SCHEMA_ATTR_GIDNUMBER.clone().into(),
+        SCHEMA_ATTR_GRANT_UI_HINT.clone().into(),
+        SCHEMA_ATTR_JWS_ES256_PRIVATE_KEY.clone().into(),
+        SCHEMA_ATTR_LOGINSHELL.clone().into(),
+        SCHEMA_ATTR_NAME_HISTORY.clone().into(),
+        SCHEMA_ATTR_NSUNIQUEID.clone().into(),
+        SCHEMA_ATTR_OAUTH2_ALLOW_INSECURE_CLIENT_DISABLE_PKCE
+            .clone()
+            .into(),
+        SCHEMA_ATTR_OAUTH2_CONSENT_SCOPE_MAP.clone().into(),
+        SCHEMA_ATTR_OAUTH2_JWT_LEGACY_CRYPTO_ENABLE.clone().into(),
+        SCHEMA_ATTR_OAUTH2_PREFER_SHORT_USERNAME.clone().into(),
+        SCHEMA_ATTR_OAUTH2_RS_BASIC_SECRET.clone().into(),
+        SCHEMA_ATTR_OAUTH2_RS_IMPLICIT_SCOPES.clone().into(),
+        SCHEMA_ATTR_OAUTH2_RS_NAME.clone().into(),
+        SCHEMA_ATTR_OAUTH2_RS_ORIGIN_LANDING.clone().into(),
+        SCHEMA_ATTR_OAUTH2_RS_SCOPE_MAP.clone().into(),
+        SCHEMA_ATTR_OAUTH2_RS_SUP_SCOPE_MAP.clone().into(),
+        SCHEMA_ATTR_OAUTH2_RS_TOKEN_KEY.clone().into(),
+        SCHEMA_ATTR_OAUTH2_SESSION.clone().into(),
+        SCHEMA_ATTR_PASSKEYS.clone().into(),
+        SCHEMA_ATTR_PRIMARY_CREDENTIAL.clone().into(),
+        SCHEMA_ATTR_PRIVATE_COOKIE_KEY.clone().into(),
+        SCHEMA_ATTR_RADIUS_SECRET.clone().into(),
+        SCHEMA_ATTR_RS256_PRIVATE_KEY_DER.clone().into(),
+        SCHEMA_ATTR_SSH_PUBLICKEY.clone().into(),
+        SCHEMA_ATTR_SYNC_COOKIE.clone().into(),
+        SCHEMA_ATTR_SYNC_TOKEN_SESSION.clone().into(),
+        SCHEMA_ATTR_UNIX_PASSWORD.clone().into(),
+        SCHEMA_ATTR_USER_AUTH_TOKEN_SESSION.clone().into(),
+        SCHEMA_ATTR_CREDENTIAL_TYPE_MINIMUM.clone().into(),
+        SCHEMA_ATTR_WEBAUTHN_ATTESTATION_CA_LIST.clone().into(),
+        // DL4
+        SCHEMA_ATTR_OAUTH2_RS_CLAIM_MAP_DL4.clone().into(),
+        SCHEMA_ATTR_OAUTH2_ALLOW_LOCALHOST_REDIRECT_DL4
+            .clone()
+            .into(),
+        // DL5
+        // DL6
+        SCHEMA_ATTR_LIMIT_SEARCH_MAX_RESULTS_DL6.clone().into(),
+        SCHEMA_ATTR_LIMIT_SEARCH_MAX_FILTER_TEST_DL6.clone().into(),
+        SCHEMA_ATTR_KEY_INTERNAL_DATA_DL6.clone().into(),
+        SCHEMA_ATTR_KEY_PROVIDER_DL6.clone().into(),
+        SCHEMA_ATTR_KEY_ACTION_ROTATE_DL6.clone().into(),
+        SCHEMA_ATTR_KEY_ACTION_REVOKE_DL6.clone().into(),
+        SCHEMA_ATTR_KEY_ACTION_IMPORT_JWS_ES256_DL6.clone().into(),
+        // DL7
+        SCHEMA_ATTR_PATCH_LEVEL_DL7.clone().into(),
+        SCHEMA_ATTR_DOMAIN_DEVELOPMENT_TAINT_DL7.clone().into(),
+        SCHEMA_ATTR_REFERS_DL7.clone().into(),
+        SCHEMA_ATTR_CERTIFICATE_DL7.clone().into(),
+        SCHEMA_ATTR_OAUTH2_RS_ORIGIN_DL7.clone().into(),
+        SCHEMA_ATTR_OAUTH2_STRICT_REDIRECT_URI_DL7.clone().into(),
+        SCHEMA_ATTR_MAIL_DL7.clone().into(),
+        SCHEMA_ATTR_LEGALNAME_DL7.clone().into(),
+        SCHEMA_ATTR_DISPLAYNAME_DL7.clone().into(),
+        // DL8
+        SCHEMA_ATTR_LINKED_GROUP_DL8.clone().into(),
+        SCHEMA_ATTR_APPLICATION_PASSWORD_DL8.clone().into(),
+        SCHEMA_ATTR_ALLOW_PRIMARY_CRED_FALLBACK_DL8.clone().into(),
+        // DL9
+        SCHEMA_ATTR_OAUTH2_DEVICE_FLOW_ENABLE_DL9.clone().into(),
+        SCHEMA_ATTR_DOMAIN_ALLOW_EASTER_EGGS_DL9.clone().into(),
+        // DL10
+        SCHEMA_ATTR_DENIED_NAME_DL10.clone().into(),
+        SCHEMA_ATTR_LDAP_MAXIMUM_QUERYABLE_ATTRIBUTES.clone().into(),
+        SCHEMA_ATTR_KEY_ACTION_IMPORT_JWS_RS256_DL6.clone().into(),
+    ]
+}
+
+pub fn phase_2_schema_classes() -> Vec<EntryInitNew> {
+    vec![
+        SCHEMA_CLASS_DYNGROUP.clone().into(),
+        SCHEMA_CLASS_ORGPERSON.clone().into(),
+        SCHEMA_CLASS_POSIXACCOUNT.clone().into(),
+        SCHEMA_CLASS_POSIXGROUP.clone().into(),
+        SCHEMA_CLASS_SYSTEM_CONFIG.clone().into(),
+        // DL4
+        SCHEMA_CLASS_OAUTH2_RS_PUBLIC_DL4.clone().into(),
+        // DL5
+        SCHEMA_CLASS_ACCOUNT_DL5.clone().into(),
+        SCHEMA_CLASS_OAUTH2_RS_BASIC_DL5.clone().into(),
+        // DL6
+        SCHEMA_CLASS_GROUP_DL6.clone().into(),
+        SCHEMA_CLASS_KEY_PROVIDER_DL6.clone().into(),
+        SCHEMA_CLASS_KEY_PROVIDER_INTERNAL_DL6.clone().into(),
+        SCHEMA_CLASS_KEY_OBJECT_DL6.clone().into(),
+        SCHEMA_CLASS_KEY_OBJECT_JWT_ES256_DL6.clone().into(),
+        SCHEMA_CLASS_KEY_OBJECT_JWE_A128GCM_DL6.clone().into(),
+        SCHEMA_CLASS_KEY_OBJECT_INTERNAL_DL6.clone().into(),
+        // DL7
+        SCHEMA_CLASS_SERVICE_ACCOUNT_DL7.clone().into(),
+        SCHEMA_CLASS_SYNC_ACCOUNT_DL7.clone().into(),
+        SCHEMA_CLASS_CLIENT_CERTIFICATE_DL7.clone().into(),
+        // DL8
+        SCHEMA_CLASS_ACCOUNT_POLICY_DL8.clone().into(),
+        SCHEMA_CLASS_APPLICATION_DL8.clone().into(),
+        SCHEMA_CLASS_PERSON_DL8.clone().into(),
+        // DL9
+        SCHEMA_CLASS_OAUTH2_RS_DL9.clone().into(),
+        // DL10
+        SCHEMA_CLASS_DOMAIN_INFO_DL10.clone().into(),
+        SCHEMA_CLASS_KEY_OBJECT_JWT_RS256.clone().into(),
+    ]
+}
+
+pub fn phase_3_key_provider() -> Vec<EntryInitNew> {
+    vec![E_KEY_PROVIDER_INTERNAL_DL6.clone()]
+}
+
+pub fn phase_4_system_entries() -> Vec<EntryInitNew> {
+    vec![
+        E_SYSTEM_INFO_V1.clone(),
+        E_DOMAIN_INFO_DL6.clone(),
+        E_SYSTEM_CONFIG_V1.clone(),
+    ]
+}
+
+pub fn phase_5_builtin_admin_entries() -> Result<Vec<EntryInitNew>, OperationError> {
+    Ok(vec![
+        BUILTIN_ACCOUNT_ADMIN.clone().into(),
+        BUILTIN_ACCOUNT_IDM_ADMIN.clone().into(),
+        BUILTIN_GROUP_SYSTEM_ADMINS_V1.clone().try_into()?,
+        BUILTIN_GROUP_IDM_ADMINS_V1.clone().try_into()?,
+        // We need to push anonymous *after* groups due to entry-managed-by
+        BUILTIN_ACCOUNT_ANONYMOUS_DL6.clone().into(),
+    ])
+}
+
+pub fn phase_6_builtin_non_admin_entries() -> Result<Vec<EntryInitNew>, OperationError> {
+    Ok(vec![
+        BUILTIN_GROUP_DOMAIN_ADMINS.clone().try_into()?,
+        BUILTIN_GROUP_SCHEMA_ADMINS.clone().try_into()?,
+        BUILTIN_GROUP_ACCESS_CONTROL_ADMINS.clone().try_into()?,
+        BUILTIN_GROUP_UNIX_ADMINS.clone().try_into()?,
+        BUILTIN_GROUP_RECYCLE_BIN_ADMINS.clone().try_into()?,
+        BUILTIN_GROUP_SERVICE_DESK.clone().try_into()?,
+        BUILTIN_GROUP_OAUTH2_ADMINS.clone().try_into()?,
+        BUILTIN_GROUP_RADIUS_SERVICE_ADMINS.clone().try_into()?,
+        BUILTIN_GROUP_ACCOUNT_POLICY_ADMINS.clone().try_into()?,
+        BUILTIN_GROUP_PEOPLE_ADMINS.clone().try_into()?,
+        BUILTIN_GROUP_PEOPLE_PII_READ.clone().try_into()?,
+        BUILTIN_GROUP_PEOPLE_ON_BOARDING.clone().try_into()?,
+        BUILTIN_GROUP_SERVICE_ACCOUNT_ADMINS.clone().try_into()?,
+        BUILTIN_GROUP_MAIL_SERVICE_ADMINS_DL8.clone().try_into()?,
+        IDM_GROUP_ADMINS_V1.clone().try_into()?,
+        IDM_ALL_PERSONS.clone().try_into()?,
+        IDM_ALL_ACCOUNTS.clone().try_into()?,
+        BUILTIN_IDM_RADIUS_SERVERS_V1.clone().try_into()?,
+        BUILTIN_IDM_MAIL_SERVERS_DL8.clone().try_into()?,
+        BUILTIN_GROUP_PEOPLE_SELF_NAME_WRITE_DL7
+            .clone()
+            .try_into()?,
+        IDM_PEOPLE_SELF_MAIL_WRITE_DL7.clone().try_into()?,
+        BUILTIN_GROUP_CLIENT_CERTIFICATE_ADMINS_DL7
+            .clone()
+            .try_into()?,
+        BUILTIN_GROUP_APPLICATION_ADMINS_DL8.clone().try_into()?,
+        // Write deps on read.clone().try_into()?, so write must be added first.
+        // All members must exist before we write HP
+        IDM_HIGH_PRIVILEGE_DL8.clone().try_into()?,
+        // other things
+        IDM_UI_ENABLE_EXPERIMENTAL_FEATURES.clone().try_into()?,
+        IDM_ACCOUNT_MAIL_READ.clone().try_into()?,
+    ])
+}
+
+pub fn phase_7_builtin_access_control_profiles() -> Vec<EntryInitNew> {
+    vec![
+        // Built in access controls.
+        IDM_ACP_RECYCLE_BIN_SEARCH_V1.clone().into(),
+        IDM_ACP_RECYCLE_BIN_REVIVE_V1.clone().into(),
+        IDM_ACP_SCHEMA_WRITE_ATTRS_V1.clone().into(),
+        IDM_ACP_SCHEMA_WRITE_CLASSES_V1.clone().into(),
+        IDM_ACP_ACP_MANAGE_V1.clone().into(),
+        IDM_ACP_GROUP_ENTRY_MANAGED_BY_MODIFY_V1.clone().into(),
+        IDM_ACP_GROUP_ENTRY_MANAGER_V1.clone().into(),
+        IDM_ACP_SYNC_ACCOUNT_MANAGE_V1.clone().into(),
+        IDM_ACP_RADIUS_SERVERS_V1.clone().into(),
+        IDM_ACP_RADIUS_SECRET_MANAGE_V1.clone().into(),
+        IDM_ACP_PEOPLE_SELF_WRITE_MAIL_V1.clone().into(),
+        IDM_ACP_ACCOUNT_SELF_WRITE_V1.clone().into(),
+        IDM_ACP_ALL_ACCOUNTS_POSIX_READ_V1.clone().into(),
+        IDM_ACP_SYSTEM_CONFIG_ACCOUNT_POLICY_MANAGE_V1
+            .clone()
+            .into(),
+        IDM_ACP_GROUP_UNIX_MANAGE_V1.clone().into(),
+        IDM_ACP_HP_GROUP_UNIX_MANAGE_V1.clone().into(),
+        IDM_ACP_GROUP_READ_V1.clone().into(),
+        IDM_ACP_ACCOUNT_UNIX_EXTEND_V1.clone().into(),
+        IDM_ACP_PEOPLE_PII_READ_V1.clone().into(),
+        IDM_ACP_PEOPLE_PII_MANAGE_V1.clone().into(),
+        IDM_ACP_PEOPLE_READ_V1.clone().into(),
+        IDM_ACP_PEOPLE_MANAGE_V1.clone().into(),
+        IDM_ACP_PEOPLE_DELETE_V1.clone().into(),
+        IDM_ACP_PEOPLE_CREDENTIAL_RESET_V1.clone().into(),
+        IDM_ACP_HP_PEOPLE_CREDENTIAL_RESET_V1.clone().into(),
+        IDM_ACP_SERVICE_ACCOUNT_CREATE_V1.clone().into(),
+        IDM_ACP_SERVICE_ACCOUNT_DELETE_V1.clone().into(),
+        IDM_ACP_SERVICE_ACCOUNT_ENTRY_MANAGER_V1.clone().into(),
+        IDM_ACP_SERVICE_ACCOUNT_ENTRY_MANAGED_BY_MODIFY_V1
+            .clone()
+            .into(),
+        IDM_ACP_HP_SERVICE_ACCOUNT_ENTRY_MANAGED_BY_MODIFY_V1
+            .clone()
+            .into(),
+        IDM_ACP_SERVICE_ACCOUNT_MANAGE_V1.clone().into(),
+        // DL4
+        // DL5
+        // DL6
+        IDM_ACP_PEOPLE_CREATE_DL6.clone().into(),
+        IDM_ACP_ACCOUNT_MAIL_READ_DL6.clone().into(),
+        // DL7
+        IDM_ACP_SELF_NAME_WRITE_DL7.clone().into(),
+        IDM_ACP_HP_CLIENT_CERTIFICATE_MANAGER_DL7.clone().into(),
+        // DL8
+        IDM_ACP_SELF_READ_DL8.clone().into(),
+        IDM_ACP_SELF_WRITE_DL8.clone().into(),
+        IDM_ACP_APPLICATION_MANAGE_DL8.clone().into(),
+        IDM_ACP_APPLICATION_ENTRY_MANAGER_DL8.clone().into(),
+        IDM_ACP_MAIL_SERVERS_DL8.clone().into(),
+        IDM_ACP_GROUP_ACCOUNT_POLICY_MANAGE_DL8.clone().into(),
+        // DL9
+        IDM_ACP_GROUP_MANAGE_DL9.clone().into(),
+        IDM_ACP_DOMAIN_ADMIN_DL9.clone().into(),
+        // DL10
+        IDM_ACP_OAUTH2_MANAGE.clone().into(),
+    ]
+}

server/lib/src/migration_data/mod.rs

@@ -1,3 +1,4 @@
+pub(crate) mod dl11;
 pub(crate) mod dl10;
 pub(crate) mod dl8;
 pub(crate) mod dl9;
@@ -5,7 +6,7 @@ pub(crate) mod dl9;
 mod types;
 
 #[cfg(test)]
-pub(crate) use dl10::accounts::BUILTIN_ACCOUNT_ANONYMOUS_DL6 as BUILTIN_ACCOUNT_ANONYMOUS;
+pub(crate) use dl11::accounts::BUILTIN_ACCOUNT_ANONYMOUS_DL6 as BUILTIN_ACCOUNT_ANONYMOUS;
 
 #[cfg(test)]
 use self::types::BuiltinAccount;

server/lib/src/server/migrations.rs

@@ -61,6 +61,7 @@ impl QueryServer {
                 DOMAIN_LEVEL_9 => write_txn.migrate_domain_8_to_9()?,
                 DOMAIN_LEVEL_10 => write_txn.migrate_domain_9_to_10()?,
                 DOMAIN_LEVEL_11 => write_txn.migrate_domain_10_to_11()?,
+                DOMAIN_LEVEL_12 => write_txn.migrate_domain_11_to_12()?,
                 _ => {
                     error!("Invalid requested domain target level for server bootstrap");
                     debug_assert!(false);
@@ -615,6 +616,77 @@ impl QueryServerWriteTransaction<'_> {
             return Err(OperationError::MG0004DomainLevelInDevelopment);
         }
 
+        // =========== Apply changes ==============
+        self.internal_migrate_or_create_batch(
+            "phase 1 - schema attrs",
+            migration_data::dl11::phase_1_schema_attrs(),
+        )?;
+
+        self.internal_migrate_or_create_batch(
+            "phase 2 - schema classes",
+            migration_data::dl11::phase_2_schema_classes(),
+        )?;
+
+        // Reload for the new schema.
+        self.reload()?;
+
+        // Since we just loaded in a ton of schema, lets reindex it incase we added
+        // new indexes, or this is a bootstrap and we have no indexes yet.
+        self.reindex(false)?;
+
+        // Set Phase
+        // Indicate the schema is now ready, which allows dyngroups to work when they
+        // are created in the next phase of migrations.
+        self.set_phase(ServerPhase::SchemaReady);
+
+        self.internal_migrate_or_create_batch(
+            "phase 3 - key provider",
+            migration_data::dl11::phase_3_key_provider(),
+        )?;
+
+        // Reload for the new key providers
+        self.reload()?;
+
+        self.internal_migrate_or_create_batch(
+            "phase 4 - system entries",
+            migration_data::dl11::phase_4_system_entries(),
+        )?;
+
+        // Reload for the new system entries
+        self.reload()?;
+
+        // Domain info is now ready and reloaded, we can proceed.
+        self.set_phase(ServerPhase::DomainInfoReady);
+
+        // Bring up the IDM entries.
+        self.internal_migrate_or_create_batch(
+            "phase 5 - builtin admin entries",
+            migration_data::dl11::phase_5_builtin_admin_entries()?,
+        )?;
+
+        self.internal_migrate_or_create_batch(
+            "phase 6 - builtin not admin entries",
+            migration_data::dl11::phase_6_builtin_non_admin_entries()?,
+        )?;
+
+        self.internal_migrate_or_create_batch(
+            "phase 7 - builtin access control profiles",
+            migration_data::dl11::phase_7_builtin_access_control_profiles(),
+        )?;
+
+        self.reload()?;
+
+        Ok(())
+    }
+
+    /// Migration domain level 11 to 12 (1.8.0)
+    #[instrument(level = "info", skip_all)]
+    pub(crate) fn migrate_domain_11_to_12(&mut self) -> Result<(), OperationError> {
+        if !cfg!(test) && DOMAIN_TGT_LEVEL < DOMAIN_LEVEL_11 {
+            error!("Unable to raise domain level from 11 to 12.");
+            return Err(OperationError::MG0004DomainLevelInDevelopment);
+        }
+
         Ok(())
     }
 

server/lib/src/server/mod.rs

@@ -2478,6 +2478,11 @@ impl<'a> QueryServerWriteTransaction<'a> {
             self.migrate_domain_10_to_11()?;
         }
 
+        if previous_version <= DOMAIN_LEVEL_11 && domain_info_version >= DOMAIN_LEVEL_12 {
+            // 1.7 -> 1.8
+            self.migrate_domain_11_to_12()?;
+        }
+
         // This is here to catch when we increase domain levels but didn't create the migration
         // hooks. If this fails it probably means you need to add another migration hook
         // in the above.