1399 cleanup (#1409)

2025-02-23 12:37:00 +01:00 · 2023-03-01 10:11:36 +10:00 · 2023-03-01 10:11:36 +10:00 · a5656b99f5
parent f1c9e92f93
commit a5656b99f5
15 changed files with 2421 additions and 2152 deletions
--- a/kanidm_book/src/SUMMARY.md
+++ b/kanidm_book/src/SUMMARY.md
@ -52,6 +52,7 @@
  - [Access Profiles 2022](developers/designs/access_profiles_rework_2022.md)
  - [Access Profiles Original](developers/designs/access_profiles_and_security.md)
  - [REST Interface](developers/designs/rest_interface.md)
  - [Elevated Priv Mode](developers/designs/elevated_priv_mode.md)
 - [Python Module](developers/python.md)
 - [RADIUS Integration](developers/radius.md)
--- a/kanidm_tools/src/cli/badlist.rs
+++ b/kanidm_tools/src/cli/badlist.rs
@ -31,8 +31,11 @@ impl PwBadlistOpt {
                    Err(e) => eprintln!("{:?}", e),
                }
            }
-            PwBadlistOpt::Upload { copt, paths } => {
+            PwBadlistOpt::Upload {
-                let client = copt.to_client().await;
+                copt,
                paths,
                dryrun,
            } => {
                info!("pre-processing - this may take a while ...");
                let mut pwset: Vec<String> = Vec::new();
@ -101,19 +104,28 @@ impl PwBadlistOpt {
                let results = task_handles.join().await;
-                let filt_pwset: Vec<_> = results
+                let mut filt_pwset: Vec<_> = results
                    .into_iter()
                    .flat_map(|res| res.expect("Thread join failure"))
                    .collect();
                filt_pwset.sort_unstable();
                info!(
                    "{} passwords passed zxcvbn, uploading ...",
                    filt_pwset.len()
                );
-                match client.system_password_badlist_append(filt_pwset).await {
+                if *dryrun {
-                    Ok(_) => println!("Success"),
+                    for pw in filt_pwset {
-                    Err(e) => eprintln!("{:?}", e),
+                        println!("{}", pw);
                    }
                } else {
                    let client = copt.to_client().await;
                    match client.system_password_badlist_append(filt_pwset).await {
                        Ok(_) => println!("Success"),
                        Err(e) => eprintln!("{:?}", e),
                    }
                }
            } // End Upload
            PwBadlistOpt::Remove { copt, paths } => {
--- a/kanidm_tools/src/opt/kanidm.rs
+++ b/kanidm_tools/src/opt/kanidm.rs
@ -715,6 +715,9 @@ pub enum PwBadlistOpt {
        copt: CommonOpt,
        #[clap(parse(from_os_str))]
        paths: Vec<PathBuf>,
        /// Perform a dry run and display the list that would have been uploaded instead.
        #[clap(short = 'n', long)]
        dryrun: bool,
    },
    #[clap[name = "remove", hide = true]]
    /// Remove the content of these lists if present in the configured
--- a/kanidmd/lib/src/constants/acp.rs
+++ b/kanidmd/lib/src/constants/acp.rs
--- a/kanidmd/lib/src/constants/entries.rs
+++ b/kanidmd/lib/src/constants/entries.rs
@ -21,9 +21,9 @@ pub const JSON_ADMIN_V1: &str = r#"{
 lazy_static! {
    pub static ref E_ADMIN_V1: EntryInitNew = entry_init!(
        ("class", CLASS_OBJECT.clone()),
        ("class", CLASS_MEMBEROF.clone()),
        ("class", CLASS_ACCOUNT.clone()),
        ("class", CLASS_MEMBEROF.clone()),
        ("class", CLASS_OBJECT.clone()),
        ("class", CLASS_SERVICE_ACCOUNT.clone()),
        ("name", Value::new_iname("admin")),
        ("uuid", Value::Uuid(UUID_ADMIN)),
@ -35,38 +35,52 @@ lazy_static! {
    );
 }
-/// Builtin IDM Admin account.
+lazy_static! {
-pub const JSON_IDM_ADMIN_V1: &str = r#"{
+    /// Builtin IDM Admin account.
-    "attrs": {
+    pub static ref E_IDM_ADMIN_V1: EntryInitNew = entry_init!(
-        "class": ["account", "service_account", "memberof", "object"],
+        ("class", CLASS_ACCOUNT.clone()),
-        "name": ["idm_admin"],
+        ("class", CLASS_MEMBEROF.clone()),
-        "uuid": ["00000000-0000-0000-0000-000000000018"],
+        ("class", CLASS_OBJECT.clone()),
-        "description": ["Builtin IDM Admin account."],
+        ("class", CLASS_SERVICE_ACCOUNT.clone()),
-        "displayname": ["IDM Administrator"]
+        ("name", Value::new_iname("idm_admin")),
-    }
+        ("uuid", Value::Uuid(UUID_IDM_ADMIN)),
-}"#;
+        (
            "description",
            Value::new_utf8s("Builtin IDM Admin account.")
        ),
        ("displayname", Value::new_utf8s("IDM Administrator"))
    );
 }
-/// Builtin IDM Administrators Group.
+lazy_static! {
-pub const JSON_IDM_ADMINS_V1: &str = r#"{
+    /// Builtin IDM Administrators Group.
-    "attrs": {
+    pub static ref E_IDM_ADMINS_V1: EntryInitNew = entry_init!(
-        "class": ["group", "object"],
+        ("class", CLASS_GROUP.clone()),
-        "name": ["idm_admins"],
+        ("class", CLASS_OBJECT.clone()),
-        "uuid": ["00000000-0000-0000-0000-000000000001"],
+        ("name", Value::new_iname("idm_admins")),
-        "description": ["Builtin IDM Administrators Group."],
+        ("uuid", Value::Uuid(UUID_IDM_ADMINS)),
-        "member": ["00000000-0000-0000-0000-000000000018"]
+        (
-    }
+            "description",
-}"#;
+            Value::new_utf8s("Builtin IDM Administrators Group.")
        ),
        ("member", Value::Refer(UUID_IDM_ADMIN))
    );
 }
-/// Builtin System Administrators Group.
+lazy_static! {
-pub const JSON_SYSTEM_ADMINS_V1: &str = r#"{
+    /// Builtin System Administrators Group.
-    "attrs": {
+    pub static ref E_SYSTEM_ADMINS_V1: EntryInitNew = entry_init!(
-        "class": ["group", "object"],
+        ("class", CLASS_GROUP.clone()),
-        "name": ["system_admins"],
+        ("class", CLASS_OBJECT.clone()),
-        "uuid": ["00000000-0000-0000-0000-000000000019"],
+        ("name", Value::new_iname("system_admins")),
-        "description": ["Builtin System Administrators Group."],
+        ("uuid", Value::Uuid(UUID_SYSTEM_ADMINS)),
-        "member": ["00000000-0000-0000-0000-000000000000"]
+        (
-    }
+            "description",
-}"#;
+            Value::new_utf8s("Builtin System Administrators Group.")
        ),
        ("member", Value::Refer(UUID_ADMIN))
    );
 }
 // * People read managers
 /// Builtin IDM Group for granting elevated people (personal data) read permissions.
@ -560,23 +574,33 @@ pub const JSON_IDM_HIGH_PRIVILEGE_V1: &str = r#"{
    }
 }"#;
-pub const JSON_SYSTEM_INFO_V1: &str = r#"{
+lazy_static! {
-    "attrs": {
+    pub static ref E_SYSTEM_INFO_V1: EntryInitNew = entry_init!(
-        "class": ["object", "system_info", "system"],
+        ("class", CLASS_OBJECT.clone()),
-        "uuid": ["00000000-0000-0000-0000-ffffff000001"],
+        ("class", CLASS_SYSTEM_INFO.clone()),
-        "description": ["System (local) info and metadata object."],
+        ("class", CLASS_SYSTEM.clone()),
-        "version": ["12"]
+        ("uuid", Value::Uuid(UUID_SYSTEM_INFO)),
-    }
+        (
-}"#;
+            "description",
            Value::new_utf8s("System (local) info and metadata object.")
        ),
        ("version", Value::Uint32(12))
    );
 }
-pub const JSON_DOMAIN_INFO_V1: &str = r#"{
+lazy_static! {
-    "attrs": {
+    pub static ref E_DOMAIN_INFO_V1: EntryInitNew = entry_init!(
-        "class": ["object", "domain_info", "system"],
+        ("class", CLASS_OBJECT.clone()),
-        "name": ["domain_local"],
+        ("class", CLASS_DOMAIN_INFO.clone()),
-        "uuid": ["00000000-0000-0000-0000-ffffff000025"],
+        ("class", CLASS_SYSTEM.clone()),
-        "description": ["This local domain's info and metadata object."]
+        ("name", Value::new_iname("domain_local")),
-    }
+        ("uuid", Value::Uuid(UUID_DOMAIN_INFO)),
-}"#;
+        (
            "description",
            Value::new_utf8s("This local domain's info and metadata object.")
        )
    );
 }
 // Anonymous should be the last object in the range here.
 pub const JSON_ANONYMOUS_V1: &str = r#"{
--- a/kanidmd/lib/src/constants/system_config.rs
+++ b/kanidmd/lib/src/constants/system_config.rs
--- a/kanidmd/lib/src/constants/uuids.rs
+++ b/kanidmd/lib/src/constants/uuids.rs
@ -5,54 +5,53 @@ use uuid::{uuid, Uuid};
 // Built in group and account ranges.
 pub const STR_UUID_ADMIN: &str = "00000000-0000-0000-0000-000000000000";
 pub const UUID_ADMIN: Uuid = uuid!("00000000-0000-0000-0000-000000000000");
-pub const _UUID_IDM_ADMINS: Uuid = uuid!("00000000-0000-0000-0000-000000000001");
+pub const UUID_IDM_ADMINS: Uuid = uuid!("00000000-0000-0000-0000-000000000001");
-pub const _UUID_IDM_PEOPLE_READ_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000002");
+pub const UUID_IDM_PEOPLE_READ_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000002");
-pub const _UUID_IDM_PEOPLE_WRITE_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000003");
+pub const UUID_IDM_PEOPLE_WRITE_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000003");
-pub const _UUID_IDM_GROUP_WRITE_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000004");
+pub const UUID_IDM_GROUP_WRITE_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000004");
-pub const _UUID_IDM_ACCOUNT_READ_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000005");
+pub const UUID_IDM_ACCOUNT_READ_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000005");
-pub const _UUID_IDM_ACCOUNT_WRITE_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000006");
+pub const UUID_IDM_ACCOUNT_WRITE_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000006");
-pub const _UUID_IDM_RADIUS_SERVERS: Uuid = uuid!("00000000-0000-0000-0000-000000000007");
+pub const UUID_IDM_RADIUS_SERVERS: Uuid = uuid!("00000000-0000-0000-0000-000000000007");
-pub const _UUID_IDM_HP_ACCOUNT_READ_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000008");
+pub const UUID_IDM_HP_ACCOUNT_READ_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000008");
-pub const _UUID_IDM_HP_ACCOUNT_WRITE_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000009");
+pub const UUID_IDM_HP_ACCOUNT_WRITE_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000009");
-pub const _UUID_IDM_SCHEMA_MANAGE_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000010");
+pub const UUID_IDM_SCHEMA_MANAGE_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000010");
-pub const _UUID_IDM_ACP_MANAGE_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000011");
+pub const UUID_IDM_ACP_MANAGE_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000011");
-pub const _UUID_IDM_HP_GROUP_WRITE_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000012");
+pub const UUID_IDM_HP_GROUP_WRITE_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000012");
-pub const _UUID_IDM_PEOPLE_MANAGE_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000013");
+pub const UUID_IDM_PEOPLE_MANAGE_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000013");
-pub const _UUID_IDM_ACCOUNT_MANAGE_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000014");
+pub const UUID_IDM_ACCOUNT_MANAGE_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000014");
-pub const _UUID_IDM_GROUP_MANAGE_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000015");
+pub const UUID_IDM_GROUP_MANAGE_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000015");
-pub const _UUID_IDM_HP_ACCOUNT_MANAGE_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000016");
+pub const UUID_IDM_HP_ACCOUNT_MANAGE_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000016");
-pub const _UUID_IDM_HP_GROUP_MANAGE_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000017");
+pub const UUID_IDM_HP_GROUP_MANAGE_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000017");
 pub const UUID_IDM_ADMIN: Uuid = uuid!("00000000-0000-0000-0000-000000000018");
 pub const STR_UUID_SYSTEM_ADMINS: &str = "00000000-0000-0000-0000-000000000000";
 pub const UUID_SYSTEM_ADMINS: Uuid = uuid!("00000000-0000-0000-0000-000000000019");
 pub const UUID_DOMAIN_ADMINS: Uuid = uuid!("00000000-0000-0000-0000-000000000020");
-pub const _UUID_IDM_ACCOUNT_UNIX_EXTEND_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000021");
+pub const UUID_IDM_ACCOUNT_UNIX_EXTEND_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000021");
-pub const _UUID_IDM_GROUP_UNIX_EXTEND_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000022");
+pub const UUID_IDM_GROUP_UNIX_EXTEND_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000022");
-pub const _UUID_IDM_PEOPLE_ACCOUNT_PASSWORD_IMPORT_PRIV: Uuid =
+pub const UUID_IDM_PEOPLE_ACCOUNT_PASSWORD_IMPORT_PRIV: Uuid =
    uuid!("00000000-0000-0000-0000-000000000023");
-pub const _UUID_IDM_PEOPLE_EXTEND_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000024");
+pub const UUID_IDM_PEOPLE_EXTEND_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000024");
-pub const _UUID_IDM_HP_ACCOUNT_UNIX_EXTEND_PRIV: Uuid =
+pub const UUID_IDM_HP_ACCOUNT_UNIX_EXTEND_PRIV: Uuid =
    uuid!("00000000-0000-0000-0000-000000000025");
-pub const _UUID_IDM_HP_GROUP_UNIX_EXTEND_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000026");
+pub const UUID_IDM_HP_GROUP_UNIX_EXTEND_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000026");
-pub const _UUID_IDM_HP_OAUTH2_MANAGE_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000027");
+pub const UUID_IDM_HP_OAUTH2_MANAGE_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000027");
-pub const _UUID_IDM_HP_PEOPLE_READ_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000028");
+pub const UUID_IDM_HP_PEOPLE_READ_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000028");
-pub const _UUID_IDM_HP_PEOPLE_WRITE_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000029");
+pub const UUID_IDM_HP_PEOPLE_WRITE_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000029");
-pub const _UUID_IDM_HP_PEOPLE_EXTEND_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000030");
+pub const UUID_IDM_HP_PEOPLE_EXTEND_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000030");
-pub const _UUID_IDM_RADIUS_SECRET_READ_PRIV_V1: Uuid =
+pub const UUID_IDM_RADIUS_SECRET_READ_PRIV_V1: Uuid = uuid!("00000000-0000-0000-0000-000000000032");
-    uuid!("00000000-0000-0000-0000-000000000032");
+pub const UUID_IDM_RADIUS_SECRET_WRITE_PRIV_V1: Uuid =
 pub const _UUID_IDM_RADIUS_SECRET_WRITE_PRIV_V1: Uuid =
    uuid!("00000000-0000-0000-0000-000000000031");
-pub const _UUID_IDM_PEOPLE_SELF_WRITE_MAIL_PRIV: Uuid =
+pub const UUID_IDM_PEOPLE_SELF_WRITE_MAIL_PRIV: Uuid =
    uuid!("00000000-0000-0000-0000-000000000033");
-pub const _UUID_IDM_HP_SERVICE_ACCOUNT_INTO_PERSON_MIGRATE_PRIV: Uuid =
+pub const UUID_IDM_HP_SERVICE_ACCOUNT_INTO_PERSON_MIGRATE_PRIV: Uuid =
    uuid!("00000000-0000-0000-0000-000000000034");
 pub const UUID_IDM_ALL_PERSONS: Uuid = uuid!("00000000-0000-0000-0000-000000000035");
 pub const STR_UUID_IDM_ALL_ACCOUNTS: &str = "00000000-0000-0000-0000-000000000036";
 pub const UUID_IDM_ALL_ACCOUNTS: Uuid = uuid!("00000000-0000-0000-0000-000000000036");
-pub const _UUID_IDM_HP_SYNC_ACCOUNT_MANAGE_PRIV: Uuid =
+pub const UUID_IDM_HP_SYNC_ACCOUNT_MANAGE_PRIV: Uuid =
    uuid!("00000000-0000-0000-0000-000000000037");
 pub const UUID_IDM_UI_ENABLE_EXPERIMENTAL_FEATURES: Uuid =
@ -236,73 +235,70 @@ pub const UUID_DOMAIN_INFO: Uuid = uuid!("00000000-0000-0000-0000-ffffff000025")
 // Access controls
 // skip 00 / 01 - see system info
-pub const _UUID_IDM_ADMINS_ACP_RECYCLE_SEARCH_V1: Uuid =
+pub const UUID_IDM_ADMINS_ACP_RECYCLE_SEARCH_V1: Uuid =
    uuid!("00000000-0000-0000-0000-ffffff000002");
-pub const _UUID_IDM_ADMINS_ACP_REVIVE_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000003");
+pub const UUID_IDM_ADMINS_ACP_REVIVE_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000003");
-pub const _UUID_IDM_SELF_ACP_READ_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000004");
+pub const UUID_IDM_SELF_ACP_READ_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000004");
-pub const _UUID_IDM_ALL_ACP_READ_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000006");
+pub const UUID_IDM_ALL_ACP_READ_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000006");
-pub const _UUID_IDM_ACP_PEOPLE_READ_PRIV_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000007");
+pub const UUID_IDM_ACP_PEOPLE_READ_PRIV_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000007");
-pub const _UUID_IDM_ACP_PEOPLE_WRITE_PRIV_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000008");
+pub const UUID_IDM_ACP_PEOPLE_WRITE_PRIV_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000008");
-pub const _UUID_IDM_ACP_GROUP_WRITE_PRIV_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000009");
+pub const UUID_IDM_ACP_GROUP_WRITE_PRIV_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000009");
-pub const _UUID_IDM_ACP_ACCOUNT_READ_PRIV_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000010");
+pub const UUID_IDM_ACP_ACCOUNT_READ_PRIV_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000010");
-pub const _UUID_IDM_ACP_ACCOUNT_WRITE_PRIV_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000011");
+pub const UUID_IDM_ACP_ACCOUNT_WRITE_PRIV_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000011");
-pub const _UUID_IDM_ACP_ACCOUNT_MANAGE_PRIV_V1: Uuid =
+pub const UUID_IDM_ACP_ACCOUNT_MANAGE_PRIV_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000012");
-    uuid!("00000000-0000-0000-0000-ffffff000012");
+pub const UUID_IDM_ACP_PEOPLE_MANAGE_PRIV_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000013");
-pub const _UUID_IDM_ACP_PEOPLE_MANAGE_PRIV_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000013");
+pub const UUID_IDM_ACP_RADIUS_SERVERS_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000014");
-pub const _UUID_IDM_ACP_RADIUS_SERVERS_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000014");
+pub const UUID_IDM_ACP_HP_ACCOUNT_READ_PRIV_V1: Uuid =
 pub const _UUID_IDM_ACP_HP_ACCOUNT_READ_PRIV_V1: Uuid =
    uuid!("00000000-0000-0000-0000-ffffff000015");
-pub const _UUID_IDM_ACP_HP_ACCOUNT_WRITE_PRIV_V1: Uuid =
+pub const UUID_IDM_ACP_HP_ACCOUNT_WRITE_PRIV_V1: Uuid =
    uuid!("00000000-0000-0000-0000-ffffff000016");
-pub const _UUID_IDM_ACP_HP_GROUP_WRITE_PRIV_V1: Uuid =
+pub const UUID_IDM_ACP_HP_GROUP_WRITE_PRIV_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000017");
-    uuid!("00000000-0000-0000-0000-ffffff000017");
+pub const UUID_IDM_ACP_SCHEMA_WRITE_ATTRS_PRIV_V1: Uuid =
 pub const _UUID_IDM_ACP_SCHEMA_WRITE_ATTRS_PRIV_V1: Uuid =
    uuid!("00000000-0000-0000-0000-ffffff000018");
-pub const _UUID_IDM_ACP_ACP_MANAGE_PRIV_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000019");
+pub const UUID_IDM_ACP_ACP_MANAGE_PRIV_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000019");
-pub const _UUID_IDM_ACP_SCHEMA_WRITE_CLASSES_PRIV_V1: Uuid =
+pub const UUID_IDM_ACP_SCHEMA_WRITE_CLASSES_PRIV_V1: Uuid =
    uuid!("00000000-0000-0000-0000-ffffff000020");
-pub const _UUID_IDM_SELF_ACP_WRITE_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000021");
+pub const UUID_IDM_SELF_ACP_WRITE_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000021");
-pub const _UUID_IDM_ACP_GROUP_MANAGE_PRIV_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000022");
+pub const UUID_IDM_ACP_GROUP_MANAGE_PRIV_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000022");
-pub const _UUID_IDM_ACP_HP_ACCOUNT_MANAGE_PRIV_V1: Uuid =
+pub const UUID_IDM_ACP_HP_ACCOUNT_MANAGE_PRIV_V1: Uuid =
    uuid!("00000000-0000-0000-0000-ffffff000023");
-pub const _UUID_IDM_ACP_HP_GROUP_MANAGE_PRIV_V1: Uuid =
+pub const UUID_IDM_ACP_HP_GROUP_MANAGE_PRIV_V1: Uuid =
    uuid!("00000000-0000-0000-0000-ffffff000024");
 // Skip 25 - see domain info.
-pub const _UUID_IDM_ACP_DOMAIN_ADMIN_PRIV_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000026");
+pub const UUID_IDM_ACP_DOMAIN_ADMIN_PRIV_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000026");
 pub const STR_UUID_SYSTEM_CONFIG: &str = "00000000-0000-0000-0000-ffffff000027";
 pub const UUID_SYSTEM_CONFIG: Uuid = uuid!("00000000-0000-0000-0000-ffffff000027");
-pub const _UUID_IDM_ACP_SYSTEM_CONFIG_PRIV_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000028");
+pub const UUID_IDM_ACP_SYSTEM_CONFIG_PRIV_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000028");
-pub const _UUID_IDM_ACP_ACCOUNT_UNIX_EXTEND_PRIV_V1: Uuid =
+pub const UUID_IDM_ACP_ACCOUNT_UNIX_EXTEND_PRIV_V1: Uuid =
    uuid!("00000000-0000-0000-0000-ffffff000029");
-pub const _UUID_IDM_ACP_GROUP_UNIX_EXTEND_PRIV_V1: Uuid =
+pub const UUID_IDM_ACP_GROUP_UNIX_EXTEND_PRIV_V1: Uuid =
    uuid!("00000000-0000-0000-0000-ffffff000030");
-pub const _UUID_IDM_ACP_PEOPLE_ACCOUNT_PASSWORD_IMPORT_PRIV_V1: Uuid =
+pub const UUID_IDM_ACP_PEOPLE_ACCOUNT_PASSWORD_IMPORT_PRIV_V1: Uuid =
    uuid!("00000000-0000-0000-0000-ffffff000031");
-pub const _UUID_IDM_ACP_PEOPLE_EXTEND_PRIV_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000032");
+pub const UUID_IDM_ACP_PEOPLE_EXTEND_PRIV_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000032");
-pub const _UUID_IDM_HP_ACP_ACCOUNT_UNIX_EXTEND_PRIV_V1: Uuid =
+pub const UUID_IDM_HP_ACP_ACCOUNT_UNIX_EXTEND_PRIV_V1: Uuid =
    uuid!("00000000-0000-0000-0000-ffffff000033");
-pub const _UUID_IDM_HP_ACP_GROUP_UNIX_EXTEND_PRIV_V1: Uuid =
+pub const UUID_IDM_HP_ACP_GROUP_UNIX_EXTEND_PRIV_V1: Uuid =
    uuid!("00000000-0000-0000-0000-ffffff000034");
-pub const _UUID_IDM_HP_ACP_OAUTH2_MANAGE_PRIV_V1: Uuid =
+pub const UUID_IDM_HP_ACP_OAUTH2_MANAGE_PRIV_V1: Uuid =
    uuid!("00000000-0000-0000-0000-ffffff000035");
-pub const _UUID_IDM_ACP_HP_PEOPLE_READ_PRIV_V1: Uuid =
+pub const UUID_IDM_ACP_HP_PEOPLE_READ_PRIV_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000036");
-    uuid!("00000000-0000-0000-0000-ffffff000036");
+pub const UUID_IDM_ACP_HP_PEOPLE_WRITE_PRIV_V1: Uuid =
 pub const _UUID_IDM_ACP_HP_PEOPLE_WRITE_PRIV_V1: Uuid =
    uuid!("00000000-0000-0000-0000-ffffff000037");
-pub const _UUID_IDM_ACP_HP_PEOPLE_EXTEND_PRIV_V1: Uuid =
+pub const UUID_IDM_ACP_HP_PEOPLE_EXTEND_PRIV_V1: Uuid =
    uuid!("00000000-0000-0000-0000-ffffff000038");
-pub const _UUID_IDM_ACP_RADIUS_SECRET_READ_PRIV_V1: Uuid =
+pub const UUID_IDM_ACP_RADIUS_SECRET_READ_PRIV_V1: Uuid =
    uuid!("00000000-0000-0000-0000-ffffff000039");
-pub const _UUID_IDM_ACP_RADIUS_SECRET_WRITE_PRIV_V1: Uuid =
+pub const UUID_IDM_ACP_RADIUS_SECRET_WRITE_PRIV_V1: Uuid =
    uuid!("00000000-0000-0000-0000-ffffff000040");
-pub const _UUID_IDM_PEOPLE_SELF_ACP_WRITE_MAIL_V1: Uuid =
+pub const UUID_IDM_PEOPLE_SELF_ACP_WRITE_MAIL_V1: Uuid =
    uuid!("00000000-0000-0000-0000-ffffff000041");
-pub const _UUID_IDM_HP_ACP_SERVICE_ACCOUNT_INTO_PERSON_MIGRATE_V1: Uuid =
+pub const UUID_IDM_HP_ACP_SERVICE_ACCOUNT_INTO_PERSON_MIGRATE_V1: Uuid =
    uuid!("00000000-0000-0000-0000-ffffff000042");
 pub const UUID_IDM_ACP_OAUTH2_READ_PRIV_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000043");
-pub const _UUID_IDM_HP_ACP_SYNC_ACCOUNT_MANAGE_PRIV_V1: Uuid =
+pub const UUID_IDM_HP_ACP_SYNC_ACCOUNT_MANAGE_PRIV_V1: Uuid =
    uuid!("00000000-0000-0000-0000-ffffff000044");
 pub const UUID_IDM_ACP_ACCOUNT_MAIL_READ_PRIV_V1: Uuid =
    uuid!("00000000-0000-0000-0000-ffffff000045");
--- a/kanidmd/lib/src/constants/values.rs
+++ b/kanidmd/lib/src/constants/values.rs
@ -40,6 +40,9 @@ lazy_static! {
    pub static ref PVUUID_SYSTEM_CONFIG: PartialValue = PartialValue::Uuid(UUID_SYSTEM_CONFIG);
    pub static ref PVUUID_SYSTEM_INFO: PartialValue = PartialValue::Uuid(UUID_SYSTEM_INFO);
    pub static ref CLASS_ACCESS_CONTROL_PROFILE: Value = Value::new_class("access_control_profile");
    pub static ref CLASS_ACCESS_CONTROL_CREATE: Value = Value::new_class("access_control_create");
    pub static ref CLASS_ACCESS_CONTROL_DELETE: Value = Value::new_class("access_control_delete");
    pub static ref CLASS_ACCESS_CONTROL_MODIFY: Value = Value::new_class("access_control_modify");
    pub static ref CLASS_ACCESS_CONTROL_SEARCH: Value = Value::new_class("access_control_search");
    pub static ref CLASS_ACCOUNT: Value = Value::new_class("account");
    pub static ref CLASS_ATTRIBUTETYPE: Value = Value::new_class("attributetype");
--- a/kanidmd/lib/src/plugins/dyngroup.rs
+++ b/kanidmd/lib/src/plugins/dyngroup.rs
@ -18,8 +18,7 @@ impl DynGroup {
    fn apply_dyngroup_change(
        qs: &mut QueryServerWriteTransaction,
        ident: &Identity,
-        pre_candidates: &mut Vec<Arc<EntrySealedCommitted>>,
+        candidate_tuples: &mut Vec<(Arc<EntrySealedCommitted>, EntryInvalidCommitted)>,
        candidates: &mut Vec<EntryInvalidCommitted>,
        affected_uuids: &mut Vec<Uuid>,
        expect: bool,
        ident_internal: &Identity,
@ -80,8 +79,7 @@ impl DynGroup {
                nd_group.purge_ava("member");
            }
-            pre_candidates.push(pre);
+            candidate_tuples.push((pre, nd_group));
            candidates.push(nd_group);
            // Insert to our new instances
            if dyn_groups.insts.insert(uuid, scope_i).is_none() == expect {
@ -159,8 +157,7 @@ impl DynGroup {
        // dyn groups will see the created entries on an internal search
        // so we don't need to reference them.
-        let mut pre_candidates = Vec::with_capacity(dyn_groups.insts.len() + cand.len());
+        let mut candidate_tuples = Vec::with_capacity(dyn_groups.insts.len() + cand.len());
        let mut candidates = Vec::with_capacity(dyn_groups.insts.len() + cand.len());
        // Apply existing dyn_groups to entries.
        trace!(?dyn_groups.insts);
@ -199,8 +196,7 @@ impl DynGroup {
                    affected_uuids.extend(matches.into_iter());
                    affected_uuids.push(*dg_uuid);
-                    pre_candidates.push(pre);
+                    candidate_tuples.push((pre, d_group));
                    candidates.push(d_group);
                }
            }
        }
@ -213,8 +209,7 @@ impl DynGroup {
            Self::apply_dyngroup_change(
                qs,
                ident,
-                &mut pre_candidates,
+                &mut candidate_tuples,
                &mut candidates,
                &mut affected_uuids,
                false,
                &ident_internal,
@ -224,14 +219,12 @@ impl DynGroup {
        }
        // Write back the new changes.
        debug_assert!(pre_candidates.len() == candidates.len());
        // Write this stripe if populated.
-        if !pre_candidates.is_empty() {
+        if !candidate_tuples.is_empty() {
-            qs.internal_apply_writable(pre_candidates, candidates)
+            qs.internal_apply_writable(candidate_tuples).map_err(|e| {
-                .map_err(|e| {
+                admin_error!("Failed to commit dyngroup set {:?}", e);
-                    admin_error!("Failed to commit dyngroup set {:?}", e);
+                e
-                    e
+            })?;
                })?;
        }
        Ok(affected_uuids)
@ -265,8 +258,7 @@ impl DynGroup {
        // lifetime here is safe since we are the sole accessor.
        let dyn_groups: &mut DynGroupCache = unsafe { &mut *(qs.get_dyngroup_cache() as *mut _) };
-        let mut pre_candidates = Vec::with_capacity(dyn_groups.insts.len() + cand.len());
+        let mut candidate_tuples = Vec::with_capacity(dyn_groups.insts.len() + cand.len());
        let mut candidates = Vec::with_capacity(dyn_groups.insts.len() + cand.len());
        // If we modified a dyngroups member or filter, re-trigger it here.
        //    if the event is not internal, reject (for now)
@ -278,8 +270,7 @@ impl DynGroup {
            Self::apply_dyngroup_change(
                qs,
                ident,
-                &mut pre_candidates,
+                &mut candidate_tuples,
                &mut candidates,
                &mut affected_uuids,
                true,
                &ident_internal,
@ -334,21 +325,18 @@ impl DynGroup {
                    }));
                    affected_uuids.push(*dg_uuid);
-                    pre_candidates.push(pre);
+                    candidate_tuples.push((pre, d_group));
                    candidates.push(d_group);
                }
            }
        }
        // Write back the new changes.
        debug_assert!(pre_candidates.len() == candidates.len());
        // Write this stripe if populated.
-        if !pre_candidates.is_empty() {
+        if !candidate_tuples.is_empty() {
-            qs.internal_apply_writable(pre_candidates, candidates)
+            qs.internal_apply_writable(candidate_tuples).map_err(|e| {
-                .map_err(|e| {
+                admin_error!("Failed to commit dyngroup set {:?}", e);
-                    admin_error!("Failed to commit dyngroup set {:?}", e);
+                e
-                    e
+            })?;
                })?;
        }
        Ok(affected_uuids)
--- a/kanidmd/lib/src/plugins/memberof.rs
+++ b/kanidmd/lib/src/plugins/memberof.rs
@ -113,9 +113,6 @@ fn apply_memberof(
    while !group_affect.is_empty() {
        group_affect.sort();
        group_affect.dedup();
        // Prep the write lists
        let mut pre_candidates = Vec::with_capacity(group_affect.len());
        let mut candidates = Vec::with_capacity(group_affect.len());
        // Ignore recycled/tombstones
        let filt = filter!(FC::Or(
@ -125,10 +122,12 @@ fn apply_memberof(
                .collect()
        ));
-        let mut work_set = qs.internal_search_writeable(&filt)?;
+        let work_set = qs.internal_search_writeable(&filt)?;
        // Load the vecdeque with this batch.
-        while let Some((pre, mut tgte)) = work_set.pop() {
+        let mut changes = Vec::with_capacity(work_set.len());
        for (pre, mut tgte) in work_set.into_iter() {
            let guuid = pre.get_uuid();
            // load the entry from the db.
            if !tgte.attribute_equality("class", &PVCLASS_GROUP) {
@ -160,28 +159,24 @@ fn apply_memberof(
                };
                // push the entries to pre/cand
-                pre_candidates.push(pre);
+                changes.push((pre, tgte));
                candidates.push(tgte);
            } else {
                trace!("{:?} stable", guuid);
            }
        }
        debug_assert!(pre_candidates.len() == candidates.len());
        // Write this stripe if populated.
-        if !pre_candidates.is_empty() {
+        if !changes.is_empty() {
-            qs.internal_apply_writable(pre_candidates, candidates)
+            qs.internal_apply_writable(changes).map_err(|e| {
-                .map_err(|e| {
+                admin_error!("Failed to commit memberof group set {:?}", e);
-                    admin_error!("Failed to commit memberof group set {:?}", e);
+                e
-                    e
+            })?;
                })?;
        }
        // Next loop!
    }
    // ALL GROUP MOS + DMOS ARE NOW STABLE. We can load these into other items directly.
-    let mut pre_candidates = Vec::with_capacity(other_cache.len());
+    let mut changes = Vec::with_capacity(other_cache.len());
    let mut candidates = Vec::with_capacity(other_cache.len());
    other_cache
        .into_iter()
@ -193,15 +188,14 @@ fn apply_memberof(
            if pre.get_ava_set("memberof") != tgte.get_ava_set("memberof")
                || pre.get_ava_set("directmemberof") != tgte.get_ava_set("directmemberof")
            {
-                pre_candidates.push(pre);
+                changes.push((pre, tgte));
                candidates.push(tgte);
            }
            Ok(())
        })?;
    // Turn the other_cache into a write set.
    // Write the batch out in a single stripe.
-    qs.internal_apply_writable(pre_candidates, candidates)
+    qs.internal_apply_writable(changes)
    // Done! 🎉
 }
--- a/kanidmd/lib/src/plugins/refint.rs
+++ b/kanidmd/lib/src/plugins/refint.rs
@ -155,19 +155,15 @@ impl Plugin for ReferentialIntegrity {
            .map(|e| PartialValue::Refer(e.get_uuid()))
            .collect();
-        let work_set = qs.internal_search_writeable(&filt)?;
+        let mut work_set = qs.internal_search_writeable(&filt)?;
-        let (pre_candidates, candidates) = work_set
+        work_set.iter_mut().for_each(|(_, post)| {
-            .into_iter()
+            ref_types
-            .map(|(pre, mut post)| {
+                .values()
-                ref_types
+                .for_each(|attr| post.remove_avas(attr.name.as_str(), &removed_ids));
-                    .values()
+        });
                    .for_each(|attr| post.remove_avas(attr.name.as_str(), &removed_ids));
                (pre, post)
            })
            .unzip();
-        qs.internal_apply_writable(pre_candidates, candidates)
+        qs.internal_apply_writable(work_set)
    }
    #[instrument(level = "debug", name = "verify", skip(qs))]
--- a/kanidmd/lib/src/server/migrations.rs
+++ b/kanidmd/lib/src/server/migrations.rs
@ -343,7 +343,7 @@ impl<'a> QueryServerWriteTransaction<'a> {
    #[instrument(level = "debug", skip_all)]
    pub fn migrate_11_to_12(&mut self) -> Result<(), OperationError> {
        admin_warn!("starting 11 to 12 migration.");
-            // sync_token_session
+        // sync_token_session
        let filter = filter!(f_or!([
            f_pres("api_token_session"),
            f_pres("sync_token_session"),
@ -365,41 +365,32 @@ impl<'a> QueryServerWriteTransaction<'a> {
        for (_, ent) in mod_candidates.iter_mut() {
            if let Some(api_token_session) = ent.pop_ava("api_token_session") {
-                let api_token_session = api_token_session.migrate_session_to_apitoken()
+                let api_token_session =
-                    .map_err(|e| {
+                    api_token_session
-                        error!("Failed to convert api_token_session from session -> apitoken");
+                        .migrate_session_to_apitoken()
-                        e
+                        .map_err(|e| {
-                    })?;
+                            error!("Failed to convert api_token_session from session -> apitoken");
                            e
                        })?;
-                ent.set_ava_set(
+                ent.set_ava_set("api_token_session", api_token_session);
                    "api_token_session",
                    api_token_session);
            }
            if let Some(sync_token_session) = ent.pop_ava("sync_token_session") {
-                let sync_token_session = sync_token_session.migrate_session_to_apitoken()
+                let sync_token_session =
-                    .map_err(|e| {
+                    sync_token_session
-                        error!("Failed to convert sync_token_session from session -> apitoken");
+                        .migrate_session_to_apitoken()
-                        e
+                        .map_err(|e| {
-                    })?;
+                            error!("Failed to convert sync_token_session from session -> apitoken");
                            e
                        })?;
-                ent.set_ava_set(
+                ent.set_ava_set("sync_token_session", sync_token_session);
                    "sync_token_session",
                    sync_token_session);
            }
-        };
+        }
        let (
            pre_candidates,
            candidates
        ) = mod_candidates
            .into_iter()
            .unzip();
        // Apply the batch mod.
-        self.internal_apply_writable(
+        self.internal_apply_writable(mod_candidates)
            pre_candidates, candidates
        )
    }
    #[instrument(level = "info", skip_all)]
@ -512,9 +503,9 @@ impl<'a> QueryServerWriteTransaction<'a> {
        // and details. It's a pretty const thing. Also check anonymous, important to many
        // concepts.
        let res = self
-            .internal_migrate_or_create_str(JSON_SYSTEM_INFO_V1)
+            .internal_migrate_or_create(E_SYSTEM_INFO_V1.clone())
-            .and_then(|_| self.internal_migrate_or_create_str(JSON_DOMAIN_INFO_V1))
+            .and_then(|_| self.internal_migrate_or_create(E_DOMAIN_INFO_V1.clone()))
-            .and_then(|_| self.internal_migrate_or_create_str(JSON_SYSTEM_CONFIG_V1));
+            .and_then(|_| self.internal_migrate_or_create(E_SYSTEM_CONFIG_V1.clone()));
        if res.is_err() {
            admin_error!("initialise_idm p1 -> result {:?}", res);
        }
@ -527,16 +518,16 @@ impl<'a> QueryServerWriteTransaction<'a> {
        // Check the admin object exists (migrations).
        // Create the default idm_admin group.
        let admin_entries = [
-            JSON_ANONYMOUS_V1,
+            E_ANONYMOUS_V1.clone(),
-            JSON_ADMIN_V1,
+            E_ADMIN_V1.clone(),
-            JSON_IDM_ADMIN_V1,
+            E_IDM_ADMIN_V1.clone(),
-            JSON_IDM_ADMINS_V1,
+            E_IDM_ADMINS_V1.clone(),
-            JSON_SYSTEM_ADMINS_V1,
+            E_SYSTEM_ADMINS_V1.clone(),
        ];
        let res: Result<(), _> = admin_entries
-            .iter()
+            .into_iter()
            // Each item individually logs it's result
-            .try_for_each(|e_str| self.internal_migrate_or_create_str(e_str));
+            .try_for_each(|ent| self.internal_migrate_or_create(ent));
        if res.is_err() {
            admin_error!("initialise_idm p2 -> result {:?}", res);
        }
@ -586,48 +577,6 @@ impl<'a> QueryServerWriteTransaction<'a> {
            JSON_IDM_HP_SYNC_ACCOUNT_MANAGE_PRIV,
            // All members must exist before we write HP
            JSON_IDM_HIGH_PRIVILEGE_V1,
            // Built in access controls.
            JSON_IDM_ADMINS_ACP_RECYCLE_SEARCH_V1,
            JSON_IDM_ADMINS_ACP_REVIVE_V1,
            // JSON_IDM_ADMINS_ACP_MANAGE_V1,
            JSON_IDM_ALL_ACP_READ_V1,
            JSON_IDM_SELF_ACP_READ_V1,
            JSON_IDM_SELF_ACP_WRITE_V1,
            JSON_IDM_PEOPLE_SELF_ACP_WRITE_MAIL_PRIV_V1,
            JSON_IDM_ACP_PEOPLE_READ_PRIV_V1,
            JSON_IDM_ACP_PEOPLE_WRITE_PRIV_V1,
            JSON_IDM_ACP_PEOPLE_MANAGE_PRIV_V1,
            JSON_IDM_ACP_GROUP_WRITE_PRIV_V1,
            JSON_IDM_ACP_GROUP_MANAGE_PRIV_V1,
            JSON_IDM_ACP_ACCOUNT_READ_PRIV_V1,
            JSON_IDM_ACP_ACCOUNT_WRITE_PRIV_V1,
            JSON_IDM_ACP_ACCOUNT_MANAGE_PRIV_V1,
            JSON_IDM_ACP_RADIUS_SERVERS_V1,
            JSON_IDM_ACP_HP_ACCOUNT_READ_PRIV_V1,
            JSON_IDM_ACP_HP_ACCOUNT_WRITE_PRIV_V1,
            JSON_IDM_ACP_HP_ACCOUNT_MANAGE_PRIV_V1,
            JSON_IDM_ACP_HP_GROUP_WRITE_PRIV_V1,
            JSON_IDM_ACP_HP_GROUP_MANAGE_PRIV_V1,
            JSON_IDM_ACP_SCHEMA_WRITE_ATTRS_PRIV_V1,
            JSON_IDM_ACP_SCHEMA_WRITE_CLASSES_PRIV_V1,
            JSON_IDM_ACP_ACP_MANAGE_PRIV_V1,
            JSON_IDM_ACP_DOMAIN_ADMIN_PRIV_V1,
            JSON_IDM_ACP_SYSTEM_CONFIG_PRIV_V1,
            JSON_IDM_ACP_ACCOUNT_UNIX_EXTEND_PRIV_V1,
            JSON_IDM_ACP_GROUP_UNIX_EXTEND_PRIV_V1,
            JSON_IDM_ACP_PEOPLE_ACCOUNT_PASSWORD_IMPORT_PRIV_V1,
            JSON_IDM_ACP_PEOPLE_EXTEND_PRIV_V1,
            JSON_IDM_ACP_HP_PEOPLE_READ_PRIV_V1,
            JSON_IDM_ACP_HP_PEOPLE_WRITE_PRIV_V1,
            JSON_IDM_ACP_HP_PEOPLE_EXTEND_PRIV_V1,
            JSON_IDM_HP_ACP_ACCOUNT_UNIX_EXTEND_PRIV_V1,
            JSON_IDM_HP_ACP_GROUP_UNIX_EXTEND_PRIV_V1,
            JSON_IDM_HP_ACP_OAUTH2_MANAGE_PRIV_V1,
            JSON_IDM_ACP_RADIUS_SECRET_READ_PRIV_V1,
            JSON_IDM_ACP_RADIUS_SECRET_WRITE_PRIV_V1,
            JSON_IDM_HP_ACP_SERVICE_ACCOUNT_INTO_PERSON_MIGRATE_V1,
            // JSON_IDM_ACP_OAUTH2_READ_PRIV_V1,
            JSON_IDM_HP_ACP_SYNC_ACCOUNT_MANAGE_PRIV_V1,
        ];
        let res: Result<(), _> = idm_entries
@ -642,6 +591,46 @@ impl<'a> QueryServerWriteTransaction<'a> {
        res?;
        let idm_entries = [
            // Built in access controls.
            E_IDM_ADMINS_ACP_RECYCLE_SEARCH_V1.clone(),
            E_IDM_ADMINS_ACP_REVIVE_V1.clone(),
            E_IDM_ALL_ACP_READ_V1.clone(),
            E_IDM_SELF_ACP_READ_V1.clone(),
            E_IDM_SELF_ACP_WRITE_V1.clone(),
            E_IDM_PEOPLE_SELF_ACP_WRITE_MAIL_PRIV_V1.clone(),
            E_IDM_ACP_PEOPLE_READ_PRIV_V1.clone(),
            E_IDM_ACP_PEOPLE_WRITE_PRIV_V1.clone(),
            E_IDM_ACP_PEOPLE_MANAGE_PRIV_V1.clone(),
            E_IDM_ACP_ACCOUNT_READ_PRIV_V1.clone(),
            E_IDM_ACP_ACCOUNT_WRITE_PRIV_V1.clone(),
            E_IDM_ACP_ACCOUNT_MANAGE_PRIV_V1.clone(),
            E_IDM_ACP_HP_ACCOUNT_READ_PRIV_V1.clone(),
            E_IDM_ACP_HP_ACCOUNT_WRITE_PRIV_V1.clone(),
            E_IDM_ACP_HP_ACCOUNT_MANAGE_PRIV_V1.clone(),
            E_IDM_ACP_GROUP_WRITE_PRIV_V1.clone(),
            E_IDM_ACP_GROUP_MANAGE_PRIV_V1.clone(),
            E_IDM_ACP_HP_GROUP_WRITE_PRIV_V1.clone(),
            E_IDM_ACP_HP_GROUP_MANAGE_PRIV_V1.clone(),
            E_IDM_ACP_SCHEMA_WRITE_ATTRS_PRIV_V1.clone(),
            E_IDM_ACP_SCHEMA_WRITE_CLASSES_PRIV_V1.clone(),
            E_IDM_ACP_ACP_MANAGE_PRIV_V1.clone(),
            E_IDM_ACP_RADIUS_SERVERS_V1.clone(),
            E_IDM_ACP_DOMAIN_ADMIN_PRIV_V1.clone(),
            E_IDM_ACP_SYSTEM_CONFIG_PRIV_V1.clone(),
            E_IDM_ACP_PEOPLE_ACCOUNT_PASSWORD_IMPORT_PRIV_V1.clone(),
            E_IDM_ACP_PEOPLE_EXTEND_PRIV_V1.clone(),
            E_IDM_ACP_HP_PEOPLE_READ_PRIV_V1.clone(),
            E_IDM_ACP_HP_PEOPLE_WRITE_PRIV_V1.clone(),
            E_IDM_ACP_HP_PEOPLE_EXTEND_PRIV_V1.clone(),
            E_IDM_ACP_ACCOUNT_UNIX_EXTEND_PRIV_V1.clone(),
            E_IDM_HP_ACP_ACCOUNT_UNIX_EXTEND_PRIV_V1.clone(),
            E_IDM_ACP_GROUP_UNIX_EXTEND_PRIV_V1.clone(),
            E_IDM_HP_ACP_GROUP_UNIX_EXTEND_PRIV_V1.clone(),
            E_IDM_HP_ACP_OAUTH2_MANAGE_PRIV_V1.clone(),
            E_IDM_ACP_RADIUS_SECRET_READ_PRIV_V1.clone(),
            E_IDM_ACP_RADIUS_SECRET_WRITE_PRIV_V1.clone(),
            E_IDM_HP_ACP_SERVICE_ACCOUNT_INTO_PERSON_MIGRATE_V1.clone(),
            E_IDM_HP_ACP_SYNC_ACCOUNT_MANAGE_PRIV_V1.clone(),
            E_IDM_UI_ENABLE_EXPERIMENTAL_FEATURES.clone(),
            E_IDM_ACCOUNT_MAIL_READ_PRIV.clone(),
            E_IDM_ACP_ACCOUNT_MAIL_READ_PRIV_V1.clone(),
--- a/kanidmd/lib/src/server/modify.rs
+++ b/kanidmd/lib/src/server/modify.rs
@ -268,18 +268,27 @@ impl<'a> QueryServerWriteTransaction<'a> {
    #[instrument(level = "debug", skip_all)]
    pub(crate) fn internal_apply_writable(
        &mut self,
-        pre_candidates: Vec<Arc<EntrySealedCommitted>>,
+        candidate_tuples: Vec<(Arc<EntrySealedCommitted>, EntryInvalidCommitted)>,
        candidates: Vec<Entry<EntryInvalid, EntryCommitted>>,
    ) -> Result<(), OperationError> {
-        if pre_candidates.is_empty() && candidates.is_empty() {
+        if candidate_tuples.is_empty() {
            // No action needed.
            return Ok(());
        }
-        if pre_candidates.len() != candidates.len() {
+        let (pre_candidates, candidates): (
-            admin_error!("internal_apply_writable - cand lengths differ");
+            Vec<Arc<EntrySealedCommitted>>,
-            return Err(OperationError::InvalidRequestState);
+            Vec<EntryInvalidCommitted>,
        ) = candidate_tuples.into_iter().unzip();
        /*
        let mut pre_candidates = Vec::with_capacity(candidate_tuples.len());
        let mut candidates = Vec::with_capacity(candidate_tuples.len());
        for (pre, post) in candidate_tuples.into_iter() {
            pre_candidates.push(pre);
            candidates.push(post);
        }
        */
        let res: Result<Vec<Entry<EntrySealed, EntryCommitted>>, OperationError> = candidates
            .into_iter()
--- a/kanidmd/lib/src/valueset/session.rs
+++ b/kanidmd/lib/src/valueset/session.rs
@ -33,23 +33,23 @@ impl ValueSetSession {
    }
    pub fn from_dbvs2(data: Vec<DbValueSession>) -> Result<ValueSet, OperationError> {
-        let map = data
+        let map =
-            .into_iter()
+            data.into_iter()
-            .filter_map(|dbv| {
+                .filter_map(|dbv| {
-                match dbv {
+                    match dbv {
-                    // MISTAKE - Skip due to lack of credential id
+                        // MISTAKE - Skip due to lack of credential id
-                    // Don't actually skip, generate a random cred id. Session cleanup will
+                        // Don't actually skip, generate a random cred id. Session cleanup will
-                    // trim sessions on users, but if we skip blazenly we invalidate every api
+                        // trim sessions on users, but if we skip blazenly we invalidate every api
-                    // token ever issued. OOPS!
+                        // token ever issued. OOPS!
-                    DbValueSession::V1 {
+                        DbValueSession::V1 {
-                        refer,
+                            refer,
-                        label,
+                            label,
-                        expiry,
+                            expiry,
-                        issued_at,
+                            issued_at,
-                        issued_by,
+                            issued_by,
-                        scope,
+                            scope,
-                    } => {
+                        } => {
-                        let cred_id = Uuid::new_v4();
+                            let cred_id = Uuid::new_v4();
                            // Convert things.
                            let issued_at = OffsetDateTime::parse(issued_at, time::Format::Rfc3339)
--- a/kanidmd/testkit/tests/default_entries.rs
+++ b/kanidmd/testkit/tests/default_entries.rs
@ -244,7 +244,7 @@ async fn test_read_attrs(rsclient: &KanidmClient, id: &str, attrs: &[&str], is_r
 async fn test_write_attrs(rsclient: &KanidmClient, id: &str, attrs: &[&str], is_writeable: bool) {
    println!("Test write to {}, is writeable: {}", id, is_writeable);
    for attr in attrs.iter() {
-        println!("Writing to {}", attr);
+        println!("Writing to {} - ex {}", attr, is_writeable);
        let is_ok = is_attr_writable(rsclient, id, attr).await.unwrap();
        assert!(is_ok == is_writeable)
    }