diff --git a/cts/cli/regression.acls.exp b/cts/cli/regression.acls.exp
index 22c2ce9f94..d9e76459ec 100644
--- a/cts/cli/regression.acls.exp
+++ b/cts/cli/regression.acls.exp
@@ -1,2348 +1,4438 @@
 Created new pacemaker configuration
 Setting up shadow instance
 A new shadow instance was created.  To begin using it paste the following into your shell:
   CIB_shadow=cts-cli ; export CIB_shadow
 =#=#=#= Begin test: Configure some ACLs =#=#=#=
 =#=#=#= Current cib after: Configure some ACLs =#=#=#=
 <cib epoch="1" num_updates="0" admin_epoch="0">
   <configuration>
     <crm_config/>
     <nodes/>
     <resources/>
     <constraints/>
     <acls>
       <acl_user id="l33t-haxor">
         <deny id="crook-nothing" xpath="/cib"/>
       </acl_user>
       <acl_user id="niceguy">
         <role_ref id="observer"/>
       </acl_user>
       <acl_user id="bob">
         <role_ref id="admin"/>
       </acl_user>
+      <acl_user id="joe">
+        <role_ref id="super_user"/>
+      </acl_user>
+      <acl_user id="mike">
+        <role_ref id="rsc_writer"/>
+      </acl_user>
+      <acl_user id="chris">
+        <role_ref id="rsc_denied"/>
+      </acl_user>
       <acl_role id="observer">
         <read id="observer-read-1" xpath="/cib"/>
         <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
         <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
       </acl_role>
       <acl_role id="admin">
         <read id="admin-read-1" xpath="/cib"/>
         <write id="admin-write-1" xpath="//resources"/>
       </acl_role>
+      <acl_role id="super_user">
+        <write id="super_user-write-1" xpath="/cib"/>
+      </acl_role>
+      <acl_role id="rsc_writer">
+        <deny id="rsc-writer-deny-1" xpath="/cib"/>
+        <write id="rsc-writer-write-1" xpath="//resources"/>
+      </acl_role>
+      <acl_role id="rsc_denied">
+        <write id="rsc-denied-write-1" xpath="/cib"/>
+        <deny id="rsc-denied-deny-1" xpath="//resources"/>
+      </acl_role>
     </acls>
   </configuration>
   <status/>
 </cib>
 =#=#=#= End test: Configure some ACLs - OK (0) =#=#=#=
 * Passed: cibadmin       - Configure some ACLs
 =#=#=#= Begin test: Enable ACLs =#=#=#=
 =#=#=#= Current cib after: Enable ACLs =#=#=#=
 <cib epoch="2" num_updates="0" admin_epoch="0">
   <configuration>
     <crm_config>
       <cluster_property_set id="cib-bootstrap-options">
         <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
       </cluster_property_set>
     </crm_config>
     <nodes/>
     <resources/>
     <constraints/>
     <acls>
       <acl_user id="l33t-haxor">
         <deny id="crook-nothing" xpath="/cib"/>
       </acl_user>
       <acl_user id="niceguy">
         <role_ref id="observer"/>
       </acl_user>
       <acl_user id="bob">
         <role_ref id="admin"/>
       </acl_user>
+      <acl_user id="joe">
+        <role_ref id="super_user"/>
+      </acl_user>
+      <acl_user id="mike">
+        <role_ref id="rsc_writer"/>
+      </acl_user>
+      <acl_user id="chris">
+        <role_ref id="rsc_denied"/>
+      </acl_user>
       <acl_role id="observer">
         <read id="observer-read-1" xpath="/cib"/>
         <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
         <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
       </acl_role>
       <acl_role id="admin">
         <read id="admin-read-1" xpath="/cib"/>
         <write id="admin-write-1" xpath="//resources"/>
       </acl_role>
+      <acl_role id="super_user">
+        <write id="super_user-write-1" xpath="/cib"/>
+      </acl_role>
+      <acl_role id="rsc_writer">
+        <deny id="rsc-writer-deny-1" xpath="/cib"/>
+        <write id="rsc-writer-write-1" xpath="//resources"/>
+      </acl_role>
+      <acl_role id="rsc_denied">
+        <write id="rsc-denied-write-1" xpath="/cib"/>
+        <deny id="rsc-denied-deny-1" xpath="//resources"/>
+      </acl_role>
     </acls>
   </configuration>
   <status/>
 </cib>
 =#=#=#= End test: Enable ACLs - OK (0) =#=#=#=
 * Passed: crm_attribute  - Enable ACLs
 =#=#=#= Begin test: Set cluster option =#=#=#=
 =#=#=#= Current cib after: Set cluster option =#=#=#=
 <cib epoch="3" num_updates="0" admin_epoch="0">
   <configuration>
     <crm_config>
       <cluster_property_set id="cib-bootstrap-options">
         <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
         <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
       </cluster_property_set>
     </crm_config>
     <nodes/>
     <resources/>
     <constraints/>
     <acls>
       <acl_user id="l33t-haxor">
         <deny id="crook-nothing" xpath="/cib"/>
       </acl_user>
       <acl_user id="niceguy">
         <role_ref id="observer"/>
       </acl_user>
       <acl_user id="bob">
         <role_ref id="admin"/>
       </acl_user>
+      <acl_user id="joe">
+        <role_ref id="super_user"/>
+      </acl_user>
+      <acl_user id="mike">
+        <role_ref id="rsc_writer"/>
+      </acl_user>
+      <acl_user id="chris">
+        <role_ref id="rsc_denied"/>
+      </acl_user>
       <acl_role id="observer">
         <read id="observer-read-1" xpath="/cib"/>
         <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
         <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
       </acl_role>
       <acl_role id="admin">
         <read id="admin-read-1" xpath="/cib"/>
         <write id="admin-write-1" xpath="//resources"/>
       </acl_role>
+      <acl_role id="super_user">
+        <write id="super_user-write-1" xpath="/cib"/>
+      </acl_role>
+      <acl_role id="rsc_writer">
+        <deny id="rsc-writer-deny-1" xpath="/cib"/>
+        <write id="rsc-writer-write-1" xpath="//resources"/>
+      </acl_role>
+      <acl_role id="rsc_denied">
+        <write id="rsc-denied-write-1" xpath="/cib"/>
+        <deny id="rsc-denied-deny-1" xpath="//resources"/>
+      </acl_role>
     </acls>
   </configuration>
   <status/>
 </cib>
 =#=#=#= End test: Set cluster option - OK (0) =#=#=#=
 * Passed: crm_attribute  - Set cluster option
 =#=#=#= Begin test: New ACL =#=#=#=
 =#=#=#= Current cib after: New ACL =#=#=#=
 <cib epoch="4" num_updates="0" admin_epoch="0">
   <configuration>
     <crm_config>
       <cluster_property_set id="cib-bootstrap-options">
         <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
         <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
       </cluster_property_set>
     </crm_config>
     <nodes/>
     <resources/>
     <constraints/>
     <acls>
       <acl_user id="l33t-haxor">
         <deny id="crook-nothing" xpath="/cib"/>
       </acl_user>
       <acl_user id="niceguy">
         <role_ref id="observer"/>
       </acl_user>
       <acl_user id="bob">
         <role_ref id="admin"/>
       </acl_user>
+      <acl_user id="joe">
+        <role_ref id="super_user"/>
+      </acl_user>
+      <acl_user id="mike">
+        <role_ref id="rsc_writer"/>
+      </acl_user>
+      <acl_user id="chris">
+        <role_ref id="rsc_denied"/>
+      </acl_user>
       <acl_role id="observer">
         <read id="observer-read-1" xpath="/cib"/>
         <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
         <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
       </acl_role>
       <acl_role id="admin">
         <read id="admin-read-1" xpath="/cib"/>
         <write id="admin-write-1" xpath="//resources"/>
       </acl_role>
+      <acl_role id="super_user">
+        <write id="super_user-write-1" xpath="/cib"/>
+      </acl_role>
+      <acl_role id="rsc_writer">
+        <deny id="rsc-writer-deny-1" xpath="/cib"/>
+        <write id="rsc-writer-write-1" xpath="//resources"/>
+      </acl_role>
+      <acl_role id="rsc_denied">
+        <write id="rsc-denied-write-1" xpath="/cib"/>
+        <deny id="rsc-denied-deny-1" xpath="//resources"/>
+      </acl_role>
       <acl_user id="badidea">
         <read id="badidea-resources" xpath="//meta_attributes"/>
       </acl_user>
     </acls>
   </configuration>
   <status/>
 </cib>
 =#=#=#= End test: New ACL - OK (0) =#=#=#=
 * Passed: cibadmin       - New ACL
 =#=#=#= Begin test: Another ACL =#=#=#=
 =#=#=#= Current cib after: Another ACL =#=#=#=
 <cib epoch="5" num_updates="0" admin_epoch="0">
   <configuration>
     <crm_config>
       <cluster_property_set id="cib-bootstrap-options">
         <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
         <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
       </cluster_property_set>
     </crm_config>
     <nodes/>
     <resources/>
     <constraints/>
     <acls>
       <acl_user id="l33t-haxor">
         <deny id="crook-nothing" xpath="/cib"/>
       </acl_user>
       <acl_user id="niceguy">
         <role_ref id="observer"/>
       </acl_user>
       <acl_user id="bob">
         <role_ref id="admin"/>
       </acl_user>
+      <acl_user id="joe">
+        <role_ref id="super_user"/>
+      </acl_user>
+      <acl_user id="mike">
+        <role_ref id="rsc_writer"/>
+      </acl_user>
+      <acl_user id="chris">
+        <role_ref id="rsc_denied"/>
+      </acl_user>
       <acl_role id="observer">
         <read id="observer-read-1" xpath="/cib"/>
         <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
         <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
       </acl_role>
       <acl_role id="admin">
         <read id="admin-read-1" xpath="/cib"/>
         <write id="admin-write-1" xpath="//resources"/>
       </acl_role>
+      <acl_role id="super_user">
+        <write id="super_user-write-1" xpath="/cib"/>
+      </acl_role>
+      <acl_role id="rsc_writer">
+        <deny id="rsc-writer-deny-1" xpath="/cib"/>
+        <write id="rsc-writer-write-1" xpath="//resources"/>
+      </acl_role>
+      <acl_role id="rsc_denied">
+        <write id="rsc-denied-write-1" xpath="/cib"/>
+        <deny id="rsc-denied-deny-1" xpath="//resources"/>
+      </acl_role>
       <acl_user id="badidea">
         <read id="badidea-resources" xpath="//meta_attributes"/>
       </acl_user>
       <acl_user id="betteridea">
         <read id="betteridea-resources" xpath="//meta_attributes"/>
       </acl_user>
     </acls>
   </configuration>
   <status/>
 </cib>
 =#=#=#= End test: Another ACL - OK (0) =#=#=#=
 * Passed: cibadmin       - Another ACL
 =#=#=#= Begin test: Updated ACL =#=#=#=
 =#=#=#= Current cib after: Updated ACL =#=#=#=
 <cib epoch="6" num_updates="0" admin_epoch="0">
   <configuration>
     <crm_config>
       <cluster_property_set id="cib-bootstrap-options">
         <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
         <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
       </cluster_property_set>
     </crm_config>
     <nodes/>
     <resources/>
     <constraints/>
     <acls>
       <acl_user id="l33t-haxor">
         <deny id="crook-nothing" xpath="/cib"/>
       </acl_user>
       <acl_user id="niceguy">
         <role_ref id="observer"/>
       </acl_user>
       <acl_user id="bob">
         <role_ref id="admin"/>
       </acl_user>
+      <acl_user id="joe">
+        <role_ref id="super_user"/>
+      </acl_user>
+      <acl_user id="mike">
+        <role_ref id="rsc_writer"/>
+      </acl_user>
+      <acl_user id="chris">
+        <role_ref id="rsc_denied"/>
+      </acl_user>
       <acl_role id="observer">
         <read id="observer-read-1" xpath="/cib"/>
         <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
         <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
       </acl_role>
       <acl_role id="admin">
         <read id="admin-read-1" xpath="/cib"/>
         <write id="admin-write-1" xpath="//resources"/>
       </acl_role>
+      <acl_role id="super_user">
+        <write id="super_user-write-1" xpath="/cib"/>
+      </acl_role>
+      <acl_role id="rsc_writer">
+        <deny id="rsc-writer-deny-1" xpath="/cib"/>
+        <write id="rsc-writer-write-1" xpath="//resources"/>
+      </acl_role>
+      <acl_role id="rsc_denied">
+        <write id="rsc-denied-write-1" xpath="/cib"/>
+        <deny id="rsc-denied-deny-1" xpath="//resources"/>
+      </acl_role>
       <acl_user id="badidea">
         <read id="badidea-resources" xpath="//meta_attributes"/>
       </acl_user>
       <acl_user id="betteridea">
         <deny id="betteridea-nothing" xpath="/cib"/>
         <read id="betteridea-resources" xpath="//meta_attributes"/>
       </acl_user>
     </acls>
   </configuration>
   <status/>
 </cib>
 =#=#=#= End test: Updated ACL - OK (0) =#=#=#=
 * Passed: cibadmin       - Updated ACL
 =#=#=#= Begin test: unknownguy: Query configuration =#=#=#=
 Call failed: Permission denied
 =#=#=#= End test: unknownguy: Query configuration - Insufficient privileges (4) =#=#=#=
 * Passed: cibadmin       - unknownguy: Query configuration
 =#=#=#= Begin test: unknownguy: Set enable-acl =#=#=#=
 Error performing operation: Permission denied
 =#=#=#= End test: unknownguy: Set enable-acl - Insufficient privileges (4) =#=#=#=
 * Passed: crm_attribute  - unknownguy: Set enable-acl
 =#=#=#= Begin test: unknownguy: Set stonith-enabled =#=#=#=
 Error performing operation: Permission denied
 =#=#=#= End test: unknownguy: Set stonith-enabled - Insufficient privileges (4) =#=#=#=
 * Passed: crm_attribute  - unknownguy: Set stonith-enabled
 =#=#=#= Begin test: unknownguy: Create a resource =#=#=#=
 pcmk__check_acl 	trace: User 'unknownguy' without ACLs denied read/write access to /cib/configuration/resources/primitive[@id]
 pcmk__check_acl 	trace: User 'unknownguy' without ACLs denied read/write access to /cib/configuration/resources/primitive[@class]
 pcmk__check_acl 	trace: User 'unknownguy' without ACLs denied read/write access to /cib/configuration/resources/primitive[@provider]
 pcmk__check_acl 	trace: User 'unknownguy' without ACLs denied read/write access to /cib/configuration/resources/primitive[@type]
 pcmk__apply_creation_acl 	trace: Creation of <primitive> scaffolding with id="<unset>" is implicitly allowed
 Call failed: Permission denied
 =#=#=#= End test: unknownguy: Create a resource - Insufficient privileges (4) =#=#=#=
 * Passed: cibadmin       - unknownguy: Create a resource
 =#=#=#= Begin test: l33t-haxor: Query configuration =#=#=#=
 Call failed: Permission denied
 =#=#=#= End test: l33t-haxor: Query configuration - Insufficient privileges (4) =#=#=#=
 * Passed: cibadmin       - l33t-haxor: Query configuration
 =#=#=#= Begin test: l33t-haxor: Set enable-acl =#=#=#=
 Error performing operation: Permission denied
 =#=#=#= End test: l33t-haxor: Set enable-acl - Insufficient privileges (4) =#=#=#=
 * Passed: crm_attribute  - l33t-haxor: Set enable-acl
 =#=#=#= Begin test: l33t-haxor: Set stonith-enabled =#=#=#=
 Error performing operation: Permission denied
 =#=#=#= End test: l33t-haxor: Set stonith-enabled - Insufficient privileges (4) =#=#=#=
 * Passed: crm_attribute  - l33t-haxor: Set stonith-enabled
 =#=#=#= Begin test: l33t-haxor: Create a resource =#=#=#=
 pcmk__check_acl 	trace: Parent ACL denies user 'l33t-haxor' read/write access to /cib/configuration/resources/primitive[@id='dummy']
 pcmk__apply_creation_acl 	trace: ACLs disallow creation of <primitive> with id="dummy"
 Call failed: Permission denied
 =#=#=#= End test: l33t-haxor: Create a resource - Insufficient privileges (4) =#=#=#=
 * Passed: cibadmin       - l33t-haxor: Create a resource
 =#=#=#= Begin test: niceguy: Query configuration =#=#=#=
 <cib epoch="6" num_updates="0" admin_epoch="0">
   <configuration>
     <crm_config>
       <cluster_property_set id="cib-bootstrap-options">
         <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
         <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
       </cluster_property_set>
     </crm_config>
     <nodes/>
     <resources/>
     <constraints/>
     <acls>
       <acl_user id="l33t-haxor">
         <deny id="crook-nothing" xpath="/cib"/>
       </acl_user>
       <acl_user id="niceguy">
         <role_ref id="observer"/>
       </acl_user>
       <acl_user id="bob">
         <role_ref id="admin"/>
       </acl_user>
+      <acl_user id="joe">
+        <role_ref id="super_user"/>
+      </acl_user>
+      <acl_user id="mike">
+        <role_ref id="rsc_writer"/>
+      </acl_user>
+      <acl_user id="chris">
+        <role_ref id="rsc_denied"/>
+      </acl_user>
       <acl_role id="observer">
         <read id="observer-read-1" xpath="/cib"/>
         <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
         <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
       </acl_role>
       <acl_role id="admin">
         <read id="admin-read-1" xpath="/cib"/>
         <write id="admin-write-1" xpath="//resources"/>
       </acl_role>
+      <acl_role id="super_user">
+        <write id="super_user-write-1" xpath="/cib"/>
+      </acl_role>
+      <acl_role id="rsc_writer">
+        <deny id="rsc-writer-deny-1" xpath="/cib"/>
+        <write id="rsc-writer-write-1" xpath="//resources"/>
+      </acl_role>
+      <acl_role id="rsc_denied">
+        <write id="rsc-denied-write-1" xpath="/cib"/>
+        <deny id="rsc-denied-deny-1" xpath="//resources"/>
+      </acl_role>
       <acl_user id="badidea">
         <read id="badidea-resources" xpath="//meta_attributes"/>
       </acl_user>
       <acl_user id="betteridea">
         <deny id="betteridea-nothing" xpath="/cib"/>
         <read id="betteridea-resources" xpath="//meta_attributes"/>
       </acl_user>
     </acls>
   </configuration>
   <status/>
 </cib>
 =#=#=#= End test: niceguy: Query configuration - OK (0) =#=#=#=
 * Passed: cibadmin       - niceguy: Query configuration
 =#=#=#= Begin test: niceguy: Set enable-acl =#=#=#=
 pcmk__check_acl 	trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/crm_config/cluster_property_set[@id='cib-bootstrap-options']/nvpair[@id='cib-bootstrap-options-enable-acl'][@value]
 Error performing operation: Permission denied
 Error setting enable-acl=false (section=crm_config, set=<null>): Permission denied
 =#=#=#= End test: niceguy: Set enable-acl - Insufficient privileges (4) =#=#=#=
 * Passed: crm_attribute  - niceguy: Set enable-acl
 =#=#=#= Begin test: niceguy: Set stonith-enabled =#=#=#=
 pcmk__apply_creation_acl 	trace: ACLs allow creation of <nvpair> with id="cib-bootstrap-options-stonith-enabled"
 =#=#=#= Current cib after: niceguy: Set stonith-enabled =#=#=#=
 <cib epoch="7" num_updates="0" admin_epoch="0">
   <configuration>
     <crm_config>
       <cluster_property_set id="cib-bootstrap-options">
         <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
         <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
         <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="false"/>
       </cluster_property_set>
     </crm_config>
     <nodes/>
     <resources/>
     <constraints/>
     <acls>
       <acl_user id="l33t-haxor">
         <deny id="crook-nothing" xpath="/cib"/>
       </acl_user>
       <acl_user id="niceguy">
         <role_ref id="observer"/>
       </acl_user>
       <acl_user id="bob">
         <role_ref id="admin"/>
       </acl_user>
+      <acl_user id="joe">
+        <role_ref id="super_user"/>
+      </acl_user>
+      <acl_user id="mike">
+        <role_ref id="rsc_writer"/>
+      </acl_user>
+      <acl_user id="chris">
+        <role_ref id="rsc_denied"/>
+      </acl_user>
       <acl_role id="observer">
         <read id="observer-read-1" xpath="/cib"/>
         <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
         <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
       </acl_role>
       <acl_role id="admin">
         <read id="admin-read-1" xpath="/cib"/>
         <write id="admin-write-1" xpath="//resources"/>
       </acl_role>
+      <acl_role id="super_user">
+        <write id="super_user-write-1" xpath="/cib"/>
+      </acl_role>
+      <acl_role id="rsc_writer">
+        <deny id="rsc-writer-deny-1" xpath="/cib"/>
+        <write id="rsc-writer-write-1" xpath="//resources"/>
+      </acl_role>
+      <acl_role id="rsc_denied">
+        <write id="rsc-denied-write-1" xpath="/cib"/>
+        <deny id="rsc-denied-deny-1" xpath="//resources"/>
+      </acl_role>
       <acl_user id="badidea">
         <read id="badidea-resources" xpath="//meta_attributes"/>
       </acl_user>
       <acl_user id="betteridea">
         <deny id="betteridea-nothing" xpath="/cib"/>
         <read id="betteridea-resources" xpath="//meta_attributes"/>
       </acl_user>
     </acls>
   </configuration>
   <status/>
 </cib>
 =#=#=#= End test: niceguy: Set stonith-enabled - OK (0) =#=#=#=
 * Passed: crm_attribute  - niceguy: Set stonith-enabled
 =#=#=#= Begin test: niceguy: Create a resource =#=#=#=
 pcmk__check_acl 	trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/resources/primitive[@id='dummy']
 pcmk__apply_creation_acl 	trace: ACLs disallow creation of <primitive> with id="dummy"
 Call failed: Permission denied
 =#=#=#= End test: niceguy: Create a resource - Insufficient privileges (4) =#=#=#=
 * Passed: cibadmin       - niceguy: Create a resource
 =#=#=#= Begin test: root: Query configuration =#=#=#=
 <cib epoch="7" num_updates="0" admin_epoch="0">
   <configuration>
     <crm_config>
       <cluster_property_set id="cib-bootstrap-options">
         <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
         <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
         <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="false"/>
       </cluster_property_set>
     </crm_config>
     <nodes/>
     <resources/>
     <constraints/>
     <acls>
       <acl_user id="l33t-haxor">
         <deny id="crook-nothing" xpath="/cib"/>
       </acl_user>
       <acl_user id="niceguy">
         <role_ref id="observer"/>
       </acl_user>
       <acl_user id="bob">
         <role_ref id="admin"/>
       </acl_user>
+      <acl_user id="joe">
+        <role_ref id="super_user"/>
+      </acl_user>
+      <acl_user id="mike">
+        <role_ref id="rsc_writer"/>
+      </acl_user>
+      <acl_user id="chris">
+        <role_ref id="rsc_denied"/>
+      </acl_user>
       <acl_role id="observer">
         <read id="observer-read-1" xpath="/cib"/>
         <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
         <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
       </acl_role>
       <acl_role id="admin">
         <read id="admin-read-1" xpath="/cib"/>
         <write id="admin-write-1" xpath="//resources"/>
       </acl_role>
+      <acl_role id="super_user">
+        <write id="super_user-write-1" xpath="/cib"/>
+      </acl_role>
+      <acl_role id="rsc_writer">
+        <deny id="rsc-writer-deny-1" xpath="/cib"/>
+        <write id="rsc-writer-write-1" xpath="//resources"/>
+      </acl_role>
+      <acl_role id="rsc_denied">
+        <write id="rsc-denied-write-1" xpath="/cib"/>
+        <deny id="rsc-denied-deny-1" xpath="//resources"/>
+      </acl_role>
       <acl_user id="badidea">
         <read id="badidea-resources" xpath="//meta_attributes"/>
       </acl_user>
       <acl_user id="betteridea">
         <deny id="betteridea-nothing" xpath="/cib"/>
         <read id="betteridea-resources" xpath="//meta_attributes"/>
       </acl_user>
     </acls>
   </configuration>
   <status/>
 </cib>
 =#=#=#= End test: root: Query configuration - OK (0) =#=#=#=
 * Passed: cibadmin       - root: Query configuration
 =#=#=#= Begin test: root: Set stonith-enabled =#=#=#=
 =#=#=#= Current cib after: root: Set stonith-enabled =#=#=#=
 <cib epoch="8" num_updates="0" admin_epoch="0">
   <configuration>
     <crm_config>
       <cluster_property_set id="cib-bootstrap-options">
         <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
         <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
         <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
       </cluster_property_set>
     </crm_config>
     <nodes/>
     <resources/>
     <constraints/>
     <acls>
       <acl_user id="l33t-haxor">
         <deny id="crook-nothing" xpath="/cib"/>
       </acl_user>
       <acl_user id="niceguy">
         <role_ref id="observer"/>
       </acl_user>
       <acl_user id="bob">
         <role_ref id="admin"/>
       </acl_user>
+      <acl_user id="joe">
+        <role_ref id="super_user"/>
+      </acl_user>
+      <acl_user id="mike">
+        <role_ref id="rsc_writer"/>
+      </acl_user>
+      <acl_user id="chris">
+        <role_ref id="rsc_denied"/>
+      </acl_user>
       <acl_role id="observer">
         <read id="observer-read-1" xpath="/cib"/>
         <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
         <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
       </acl_role>
       <acl_role id="admin">
         <read id="admin-read-1" xpath="/cib"/>
         <write id="admin-write-1" xpath="//resources"/>
       </acl_role>
+      <acl_role id="super_user">
+        <write id="super_user-write-1" xpath="/cib"/>
+      </acl_role>
+      <acl_role id="rsc_writer">
+        <deny id="rsc-writer-deny-1" xpath="/cib"/>
+        <write id="rsc-writer-write-1" xpath="//resources"/>
+      </acl_role>
+      <acl_role id="rsc_denied">
+        <write id="rsc-denied-write-1" xpath="/cib"/>
+        <deny id="rsc-denied-deny-1" xpath="//resources"/>
+      </acl_role>
       <acl_user id="badidea">
         <read id="badidea-resources" xpath="//meta_attributes"/>
       </acl_user>
       <acl_user id="betteridea">
         <deny id="betteridea-nothing" xpath="/cib"/>
         <read id="betteridea-resources" xpath="//meta_attributes"/>
       </acl_user>
     </acls>
   </configuration>
   <status/>
 </cib>
 =#=#=#= End test: root: Set stonith-enabled - OK (0) =#=#=#=
 * Passed: crm_attribute  - root: Set stonith-enabled
 =#=#=#= Begin test: root: Create a resource =#=#=#=
 =#=#=#= Current cib after: root: Create a resource =#=#=#=
 <cib epoch="9" num_updates="0" admin_epoch="0">
   <configuration>
     <crm_config>
       <cluster_property_set id="cib-bootstrap-options">
         <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
         <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
         <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
       </cluster_property_set>
     </crm_config>
     <nodes/>
     <resources>
       <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"/>
     </resources>
     <constraints/>
     <acls>
       <acl_user id="l33t-haxor">
         <deny id="crook-nothing" xpath="/cib"/>
       </acl_user>
       <acl_user id="niceguy">
         <role_ref id="observer"/>
       </acl_user>
       <acl_user id="bob">
         <role_ref id="admin"/>
       </acl_user>
+      <acl_user id="joe">
+        <role_ref id="super_user"/>
+      </acl_user>
+      <acl_user id="mike">
+        <role_ref id="rsc_writer"/>
+      </acl_user>
+      <acl_user id="chris">
+        <role_ref id="rsc_denied"/>
+      </acl_user>
       <acl_role id="observer">
         <read id="observer-read-1" xpath="/cib"/>
         <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
         <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
       </acl_role>
       <acl_role id="admin">
         <read id="admin-read-1" xpath="/cib"/>
         <write id="admin-write-1" xpath="//resources"/>
       </acl_role>
+      <acl_role id="super_user">
+        <write id="super_user-write-1" xpath="/cib"/>
+      </acl_role>
+      <acl_role id="rsc_writer">
+        <deny id="rsc-writer-deny-1" xpath="/cib"/>
+        <write id="rsc-writer-write-1" xpath="//resources"/>
+      </acl_role>
+      <acl_role id="rsc_denied">
+        <write id="rsc-denied-write-1" xpath="/cib"/>
+        <deny id="rsc-denied-deny-1" xpath="//resources"/>
+      </acl_role>
       <acl_user id="badidea">
         <read id="badidea-resources" xpath="//meta_attributes"/>
       </acl_user>
       <acl_user id="betteridea">
         <deny id="betteridea-nothing" xpath="/cib"/>
         <read id="betteridea-resources" xpath="//meta_attributes"/>
       </acl_user>
     </acls>
   </configuration>
   <status/>
 </cib>
 =#=#=#= End test: root: Create a resource - OK (0) =#=#=#=
 * Passed: cibadmin       - root: Create a resource
 =#=#=#= Begin test: l33t-haxor: Create a resource meta attribute =#=#=#=
 Error performing operation: Permission denied
 =#=#=#= End test: l33t-haxor: Create a resource meta attribute - Insufficient privileges (4) =#=#=#=
 * Passed: crm_resource   - l33t-haxor: Create a resource meta attribute
 =#=#=#= Begin test: l33t-haxor: Query a resource meta attribute =#=#=#=
 Error performing operation: Permission denied
 =#=#=#= End test: l33t-haxor: Query a resource meta attribute - Insufficient privileges (4) =#=#=#=
 * Passed: crm_resource   - l33t-haxor: Query a resource meta attribute
 =#=#=#= Begin test: l33t-haxor: Remove a resource meta attribute =#=#=#=
 Error performing operation: Permission denied
 =#=#=#= End test: l33t-haxor: Remove a resource meta attribute - Insufficient privileges (4) =#=#=#=
 * Passed: crm_resource   - l33t-haxor: Remove a resource meta attribute
 =#=#=#= Begin test: niceguy: Create a resource meta attribute =#=#=#=
 unpack_resources 	error: Resource start-up disabled since no STONITH resources have been defined
 unpack_resources 	error: Either configure some or disable STONITH with the stonith-enabled option
 unpack_resources 	error: NOTE: Clusters with shared data need STONITH to ensure data integrity
 pcmk__apply_creation_acl 	trace: Creation of <meta_attributes> scaffolding with id="dummy-meta_attributes" is implicitly allowed
 pcmk__apply_creation_acl 	trace: ACLs allow creation of <nvpair> with id="dummy-meta_attributes-target-role"
 Set 'dummy' option: id=dummy-meta_attributes-target-role set=dummy-meta_attributes name=target-role value=Stopped
 =#=#=#= Current cib after: niceguy: Create a resource meta attribute =#=#=#=
 <cib epoch="10" num_updates="0" admin_epoch="0">
   <configuration>
     <crm_config>
       <cluster_property_set id="cib-bootstrap-options">
         <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
         <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
         <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
       </cluster_property_set>
     </crm_config>
     <nodes/>
     <resources>
       <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
         <meta_attributes id="dummy-meta_attributes">
           <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Stopped"/>
         </meta_attributes>
       </primitive>
     </resources>
     <constraints/>
     <acls>
       <acl_user id="l33t-haxor">
         <deny id="crook-nothing" xpath="/cib"/>
       </acl_user>
       <acl_user id="niceguy">
         <role_ref id="observer"/>
       </acl_user>
       <acl_user id="bob">
         <role_ref id="admin"/>
       </acl_user>
+      <acl_user id="joe">
+        <role_ref id="super_user"/>
+      </acl_user>
+      <acl_user id="mike">
+        <role_ref id="rsc_writer"/>
+      </acl_user>
+      <acl_user id="chris">
+        <role_ref id="rsc_denied"/>
+      </acl_user>
       <acl_role id="observer">
         <read id="observer-read-1" xpath="/cib"/>
         <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
         <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
       </acl_role>
       <acl_role id="admin">
         <read id="admin-read-1" xpath="/cib"/>
         <write id="admin-write-1" xpath="//resources"/>
       </acl_role>
+      <acl_role id="super_user">
+        <write id="super_user-write-1" xpath="/cib"/>
+      </acl_role>
+      <acl_role id="rsc_writer">
+        <deny id="rsc-writer-deny-1" xpath="/cib"/>
+        <write id="rsc-writer-write-1" xpath="//resources"/>
+      </acl_role>
+      <acl_role id="rsc_denied">
+        <write id="rsc-denied-write-1" xpath="/cib"/>
+        <deny id="rsc-denied-deny-1" xpath="//resources"/>
+      </acl_role>
       <acl_user id="badidea">
         <read id="badidea-resources" xpath="//meta_attributes"/>
       </acl_user>
       <acl_user id="betteridea">
         <deny id="betteridea-nothing" xpath="/cib"/>
         <read id="betteridea-resources" xpath="//meta_attributes"/>
       </acl_user>
     </acls>
   </configuration>
   <status/>
 </cib>
 =#=#=#= End test: niceguy: Create a resource meta attribute - OK (0) =#=#=#=
 * Passed: crm_resource   - niceguy: Create a resource meta attribute
 =#=#=#= Begin test: niceguy: Query a resource meta attribute =#=#=#=
 unpack_resources 	error: Resource start-up disabled since no STONITH resources have been defined
 unpack_resources 	error: Either configure some or disable STONITH with the stonith-enabled option
 unpack_resources 	error: NOTE: Clusters with shared data need STONITH to ensure data integrity
 Stopped
 =#=#=#= Current cib after: niceguy: Query a resource meta attribute =#=#=#=
 <cib epoch="10" num_updates="0" admin_epoch="0">
   <configuration>
     <crm_config>
       <cluster_property_set id="cib-bootstrap-options">
         <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
         <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
         <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
       </cluster_property_set>
     </crm_config>
     <nodes/>
     <resources>
       <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
         <meta_attributes id="dummy-meta_attributes">
           <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Stopped"/>
         </meta_attributes>
       </primitive>
     </resources>
     <constraints/>
     <acls>
       <acl_user id="l33t-haxor">
         <deny id="crook-nothing" xpath="/cib"/>
       </acl_user>
       <acl_user id="niceguy">
         <role_ref id="observer"/>
       </acl_user>
       <acl_user id="bob">
         <role_ref id="admin"/>
       </acl_user>
+      <acl_user id="joe">
+        <role_ref id="super_user"/>
+      </acl_user>
+      <acl_user id="mike">
+        <role_ref id="rsc_writer"/>
+      </acl_user>
+      <acl_user id="chris">
+        <role_ref id="rsc_denied"/>
+      </acl_user>
       <acl_role id="observer">
         <read id="observer-read-1" xpath="/cib"/>
         <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
         <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
       </acl_role>
       <acl_role id="admin">
         <read id="admin-read-1" xpath="/cib"/>
         <write id="admin-write-1" xpath="//resources"/>
       </acl_role>
+      <acl_role id="super_user">
+        <write id="super_user-write-1" xpath="/cib"/>
+      </acl_role>
+      <acl_role id="rsc_writer">
+        <deny id="rsc-writer-deny-1" xpath="/cib"/>
+        <write id="rsc-writer-write-1" xpath="//resources"/>
+      </acl_role>
+      <acl_role id="rsc_denied">
+        <write id="rsc-denied-write-1" xpath="/cib"/>
+        <deny id="rsc-denied-deny-1" xpath="//resources"/>
+      </acl_role>
       <acl_user id="badidea">
         <read id="badidea-resources" xpath="//meta_attributes"/>
       </acl_user>
       <acl_user id="betteridea">
         <deny id="betteridea-nothing" xpath="/cib"/>
         <read id="betteridea-resources" xpath="//meta_attributes"/>
       </acl_user>
     </acls>
   </configuration>
   <status/>
 </cib>
 =#=#=#= End test: niceguy: Query a resource meta attribute - OK (0) =#=#=#=
 * Passed: crm_resource   - niceguy: Query a resource meta attribute
 =#=#=#= Begin test: niceguy: Remove a resource meta attribute =#=#=#=
 unpack_resources 	error: Resource start-up disabled since no STONITH resources have been defined
 unpack_resources 	error: Either configure some or disable STONITH with the stonith-enabled option
 unpack_resources 	error: NOTE: Clusters with shared data need STONITH to ensure data integrity
 Deleted 'dummy' option: id=dummy-meta_attributes-target-role name=target-role
 =#=#=#= Current cib after: niceguy: Remove a resource meta attribute =#=#=#=
 <cib epoch="11" num_updates="0" admin_epoch="0">
   <configuration>
     <crm_config>
       <cluster_property_set id="cib-bootstrap-options">
         <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
         <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
         <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
       </cluster_property_set>
     </crm_config>
     <nodes/>
     <resources>
       <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
         <meta_attributes id="dummy-meta_attributes"/>
       </primitive>
     </resources>
     <constraints/>
     <acls>
       <acl_user id="l33t-haxor">
         <deny id="crook-nothing" xpath="/cib"/>
       </acl_user>
       <acl_user id="niceguy">
         <role_ref id="observer"/>
       </acl_user>
       <acl_user id="bob">
         <role_ref id="admin"/>
       </acl_user>
+      <acl_user id="joe">
+        <role_ref id="super_user"/>
+      </acl_user>
+      <acl_user id="mike">
+        <role_ref id="rsc_writer"/>
+      </acl_user>
+      <acl_user id="chris">
+        <role_ref id="rsc_denied"/>
+      </acl_user>
       <acl_role id="observer">
         <read id="observer-read-1" xpath="/cib"/>
         <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
         <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
       </acl_role>
       <acl_role id="admin">
         <read id="admin-read-1" xpath="/cib"/>
         <write id="admin-write-1" xpath="//resources"/>
       </acl_role>
+      <acl_role id="super_user">
+        <write id="super_user-write-1" xpath="/cib"/>
+      </acl_role>
+      <acl_role id="rsc_writer">
+        <deny id="rsc-writer-deny-1" xpath="/cib"/>
+        <write id="rsc-writer-write-1" xpath="//resources"/>
+      </acl_role>
+      <acl_role id="rsc_denied">
+        <write id="rsc-denied-write-1" xpath="/cib"/>
+        <deny id="rsc-denied-deny-1" xpath="//resources"/>
+      </acl_role>
       <acl_user id="badidea">
         <read id="badidea-resources" xpath="//meta_attributes"/>
       </acl_user>
       <acl_user id="betteridea">
         <deny id="betteridea-nothing" xpath="/cib"/>
         <read id="betteridea-resources" xpath="//meta_attributes"/>
       </acl_user>
     </acls>
   </configuration>
   <status/>
 </cib>
 =#=#=#= End test: niceguy: Remove a resource meta attribute - OK (0) =#=#=#=
 * Passed: crm_resource   - niceguy: Remove a resource meta attribute
 =#=#=#= Begin test: niceguy: Create a resource meta attribute =#=#=#=
 unpack_resources 	error: Resource start-up disabled since no STONITH resources have been defined
 unpack_resources 	error: Either configure some or disable STONITH with the stonith-enabled option
 unpack_resources 	error: NOTE: Clusters with shared data need STONITH to ensure data integrity
 pcmk__apply_creation_acl 	trace: ACLs allow creation of <nvpair> with id="dummy-meta_attributes-target-role"
 Set 'dummy' option: id=dummy-meta_attributes-target-role set=dummy-meta_attributes name=target-role value=Started
 =#=#=#= Current cib after: niceguy: Create a resource meta attribute =#=#=#=
 <cib epoch="12" num_updates="0" admin_epoch="0">
   <configuration>
     <crm_config>
       <cluster_property_set id="cib-bootstrap-options">
         <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
         <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
         <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
       </cluster_property_set>
     </crm_config>
     <nodes/>
     <resources>
       <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
         <meta_attributes id="dummy-meta_attributes">
           <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
         </meta_attributes>
       </primitive>
     </resources>
     <constraints/>
     <acls>
       <acl_user id="l33t-haxor">
         <deny id="crook-nothing" xpath="/cib"/>
       </acl_user>
       <acl_user id="niceguy">
         <role_ref id="observer"/>
       </acl_user>
       <acl_user id="bob">
         <role_ref id="admin"/>
       </acl_user>
+      <acl_user id="joe">
+        <role_ref id="super_user"/>
+      </acl_user>
+      <acl_user id="mike">
+        <role_ref id="rsc_writer"/>
+      </acl_user>
+      <acl_user id="chris">
+        <role_ref id="rsc_denied"/>
+      </acl_user>
       <acl_role id="observer">
         <read id="observer-read-1" xpath="/cib"/>
         <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
         <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
       </acl_role>
       <acl_role id="admin">
         <read id="admin-read-1" xpath="/cib"/>
         <write id="admin-write-1" xpath="//resources"/>
       </acl_role>
+      <acl_role id="super_user">
+        <write id="super_user-write-1" xpath="/cib"/>
+      </acl_role>
+      <acl_role id="rsc_writer">
+        <deny id="rsc-writer-deny-1" xpath="/cib"/>
+        <write id="rsc-writer-write-1" xpath="//resources"/>
+      </acl_role>
+      <acl_role id="rsc_denied">
+        <write id="rsc-denied-write-1" xpath="/cib"/>
+        <deny id="rsc-denied-deny-1" xpath="//resources"/>
+      </acl_role>
       <acl_user id="badidea">
         <read id="badidea-resources" xpath="//meta_attributes"/>
       </acl_user>
       <acl_user id="betteridea">
         <deny id="betteridea-nothing" xpath="/cib"/>
         <read id="betteridea-resources" xpath="//meta_attributes"/>
       </acl_user>
     </acls>
   </configuration>
   <status/>
 </cib>
 =#=#=#= End test: niceguy: Create a resource meta attribute - OK (0) =#=#=#=
 * Passed: crm_resource   - niceguy: Create a resource meta attribute
 =#=#=#= Begin test: badidea: Query configuration - implied deny =#=#=#=
 <cib>
   <configuration>
     <resources>
       <primitive id="dummy">
         <meta_attributes id="dummy-meta_attributes">
           <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
         </meta_attributes>
       </primitive>
     </resources>
   </configuration>
 </cib>
 =#=#=#= End test: badidea: Query configuration - implied deny - OK (0) =#=#=#=
 * Passed: cibadmin       - badidea: Query configuration - implied deny
 =#=#=#= Begin test: betteridea: Query configuration - explicit deny =#=#=#=
 <cib>
   <configuration>
     <resources>
       <primitive id="dummy">
         <meta_attributes id="dummy-meta_attributes">
           <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
         </meta_attributes>
       </primitive>
     </resources>
   </configuration>
 </cib>
 =#=#=#= End test: betteridea: Query configuration - explicit deny - OK (0) =#=#=#=
 * Passed: cibadmin       - betteridea: Query configuration - explicit deny
 <cib epoch="13" num_updates="0" admin_epoch="0">
   <configuration>
     <crm_config>
       <cluster_property_set id="cib-bootstrap-options">
         <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
         <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
         <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
       </cluster_property_set>
     </crm_config>
     <nodes/>
     <resources>
       <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
         <meta_attributes id="dummy-meta_attributes">
           <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
         </meta_attributes>
       </primitive>
     </resources>
     <constraints/>
   </configuration>
   <status/>
 </cib>
 =#=#=#= Begin test: niceguy: Replace - remove acls =#=#=#=
 pcmk__check_acl 	trace: Default ACL denies user 'niceguy' read/write access to /cib[@epoch]
 pcmk__check_acl 	trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/acls
 Call failed: Permission denied
 =#=#=#= End test: niceguy: Replace - remove acls - Insufficient privileges (4) =#=#=#=
 * Passed: cibadmin       - niceguy: Replace - remove acls
 <cib epoch="13" num_updates="0" admin_epoch="0">
   <configuration>
     <crm_config>
       <cluster_property_set id="cib-bootstrap-options">
         <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
         <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
         <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
       </cluster_property_set>
     </crm_config>
     <nodes/>
     <resources>
       <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
         <meta_attributes id="dummy-meta_attributes">
           <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
         </meta_attributes>
       </primitive>
       <primitive id="dummy2" class="ocf" provider="pacemaker" type="Dummy"/>
     </resources>
     <constraints/>
     <acls>
       <acl_user id="l33t-haxor">
         <deny id="crook-nothing" xpath="/cib"/>
       </acl_user>
       <acl_user id="niceguy">
         <role_ref id="observer"/>
       </acl_user>
       <acl_user id="bob">
         <role_ref id="admin"/>
       </acl_user>
+      <acl_user id="joe">
+        <role_ref id="super_user"/>
+      </acl_user>
+      <acl_user id="mike">
+        <role_ref id="rsc_writer"/>
+      </acl_user>
+      <acl_user id="chris">
+        <role_ref id="rsc_denied"/>
+      </acl_user>
       <acl_role id="observer">
         <read id="observer-read-1" xpath="/cib"/>
         <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
         <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
       </acl_role>
       <acl_role id="admin">
         <read id="admin-read-1" xpath="/cib"/>
         <write id="admin-write-1" xpath="//resources"/>
       </acl_role>
+      <acl_role id="super_user">
+        <write id="super_user-write-1" xpath="/cib"/>
+      </acl_role>
+      <acl_role id="rsc_writer">
+        <deny id="rsc-writer-deny-1" xpath="/cib"/>
+        <write id="rsc-writer-write-1" xpath="//resources"/>
+      </acl_role>
+      <acl_role id="rsc_denied">
+        <write id="rsc-denied-write-1" xpath="/cib"/>
+        <deny id="rsc-denied-deny-1" xpath="//resources"/>
+      </acl_role>
       <acl_user id="badidea">
         <read id="badidea-resources" xpath="//meta_attributes"/>
       </acl_user>
       <acl_user id="betteridea">
         <deny id="betteridea-nothing" xpath="/cib"/>
         <read id="betteridea-resources" xpath="//meta_attributes"/>
       </acl_user>
     </acls>
   </configuration>
   <status/>
 </cib>
 =#=#=#= Begin test: niceguy: Replace - create resource =#=#=#=
 pcmk__check_acl 	trace: Default ACL denies user 'niceguy' read/write access to /cib[@epoch]
 pcmk__check_acl 	trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/resources/primitive[@id='dummy2']
 pcmk__apply_creation_acl 	trace: ACLs disallow creation of <primitive> with id="dummy2"
 Call failed: Permission denied
 =#=#=#= End test: niceguy: Replace - create resource - Insufficient privileges (4) =#=#=#=
 * Passed: cibadmin       - niceguy: Replace - create resource
 <cib epoch="13" num_updates="0" admin_epoch="0">
   <configuration>
     <crm_config>
       <cluster_property_set id="cib-bootstrap-options">
         <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="false"/>
         <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
         <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
       </cluster_property_set>
     </crm_config>
     <nodes/>
     <resources>
       <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
         <meta_attributes id="dummy-meta_attributes">
           <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
         </meta_attributes>
       </primitive>
     </resources>
     <constraints/>
     <acls>
       <acl_user id="l33t-haxor">
         <deny id="crook-nothing" xpath="/cib"/>
       </acl_user>
       <acl_user id="niceguy">
         <role_ref id="observer"/>
       </acl_user>
       <acl_user id="bob">
         <role_ref id="admin"/>
       </acl_user>
+      <acl_user id="joe">
+        <role_ref id="super_user"/>
+      </acl_user>
+      <acl_user id="mike">
+        <role_ref id="rsc_writer"/>
+      </acl_user>
+      <acl_user id="chris">
+        <role_ref id="rsc_denied"/>
+      </acl_user>
       <acl_role id="observer">
         <read id="observer-read-1" xpath="/cib"/>
         <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
         <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
       </acl_role>
       <acl_role id="admin">
         <read id="admin-read-1" xpath="/cib"/>
         <write id="admin-write-1" xpath="//resources"/>
       </acl_role>
+      <acl_role id="super_user">
+        <write id="super_user-write-1" xpath="/cib"/>
+      </acl_role>
+      <acl_role id="rsc_writer">
+        <deny id="rsc-writer-deny-1" xpath="/cib"/>
+        <write id="rsc-writer-write-1" xpath="//resources"/>
+      </acl_role>
+      <acl_role id="rsc_denied">
+        <write id="rsc-denied-write-1" xpath="/cib"/>
+        <deny id="rsc-denied-deny-1" xpath="//resources"/>
+      </acl_role>
       <acl_user id="badidea">
         <read id="badidea-resources" xpath="//meta_attributes"/>
       </acl_user>
       <acl_user id="betteridea">
         <deny id="betteridea-nothing" xpath="/cib"/>
         <read id="betteridea-resources" xpath="//meta_attributes"/>
       </acl_user>
     </acls>
   </configuration>
   <status/>
 </cib>
 =#=#=#= Begin test: niceguy: Replace - modify attribute (deny) =#=#=#=
 pcmk__check_acl 	trace: Default ACL denies user 'niceguy' read/write access to /cib[@epoch]
 pcmk__check_acl 	trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/crm_config/cluster_property_set[@id='cib-bootstrap-options']/nvpair[@id='cib-bootstrap-options-enable-acl'][@value]
 Call failed: Permission denied
 =#=#=#= End test: niceguy: Replace - modify attribute (deny) - Insufficient privileges (4) =#=#=#=
 * Passed: cibadmin       - niceguy: Replace - modify attribute (deny)
 <cib epoch="13" num_updates="0" admin_epoch="0">
   <configuration>
     <crm_config>
       <cluster_property_set id="cib-bootstrap-options">
         <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl"/>
         <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
         <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
       </cluster_property_set>
     </crm_config>
     <nodes/>
     <resources>
       <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
         <meta_attributes id="dummy-meta_attributes">
           <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
         </meta_attributes>
       </primitive>
     </resources>
     <constraints/>
     <acls>
       <acl_user id="l33t-haxor">
         <deny id="crook-nothing" xpath="/cib"/>
       </acl_user>
       <acl_user id="niceguy">
         <role_ref id="observer"/>
       </acl_user>
       <acl_user id="bob">
         <role_ref id="admin"/>
       </acl_user>
+      <acl_user id="joe">
+        <role_ref id="super_user"/>
+      </acl_user>
+      <acl_user id="mike">
+        <role_ref id="rsc_writer"/>
+      </acl_user>
+      <acl_user id="chris">
+        <role_ref id="rsc_denied"/>
+      </acl_user>
       <acl_role id="observer">
         <read id="observer-read-1" xpath="/cib"/>
         <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
         <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
       </acl_role>
       <acl_role id="admin">
         <read id="admin-read-1" xpath="/cib"/>
         <write id="admin-write-1" xpath="//resources"/>
       </acl_role>
+      <acl_role id="super_user">
+        <write id="super_user-write-1" xpath="/cib"/>
+      </acl_role>
+      <acl_role id="rsc_writer">
+        <deny id="rsc-writer-deny-1" xpath="/cib"/>
+        <write id="rsc-writer-write-1" xpath="//resources"/>
+      </acl_role>
+      <acl_role id="rsc_denied">
+        <write id="rsc-denied-write-1" xpath="/cib"/>
+        <deny id="rsc-denied-deny-1" xpath="//resources"/>
+      </acl_role>
       <acl_user id="badidea">
         <read id="badidea-resources" xpath="//meta_attributes"/>
       </acl_user>
       <acl_user id="betteridea">
         <deny id="betteridea-nothing" xpath="/cib"/>
         <read id="betteridea-resources" xpath="//meta_attributes"/>
       </acl_user>
     </acls>
   </configuration>
   <status/>
 </cib>
 =#=#=#= Begin test: niceguy: Replace - delete attribute (deny) =#=#=#=
 pcmk__check_acl 	trace: Default ACL denies user 'niceguy' read/write access to /cib[@epoch]
 pcmk__check_acl 	trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/crm_config/cluster_property_set[@id='cib-bootstrap-options']/nvpair[@id='cib-bootstrap-options-enable-acl']
 Call failed: Permission denied
 =#=#=#= End test: niceguy: Replace - delete attribute (deny) - Insufficient privileges (4) =#=#=#=
 * Passed: cibadmin       - niceguy: Replace - delete attribute (deny)
 <cib epoch="13" num_updates="0" admin_epoch="0">
   <configuration>
     <crm_config>
       <cluster_property_set id="cib-bootstrap-options">
         <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
         <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
         <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
       </cluster_property_set>
     </crm_config>
     <nodes/>
     <resources>
       <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="nothing interesting">
         <meta_attributes id="dummy-meta_attributes">
           <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
         </meta_attributes>
       </primitive>
     </resources>
     <constraints/>
     <acls>
       <acl_user id="l33t-haxor">
         <deny id="crook-nothing" xpath="/cib"/>
       </acl_user>
       <acl_user id="niceguy">
         <role_ref id="observer"/>
       </acl_user>
       <acl_user id="bob">
         <role_ref id="admin"/>
       </acl_user>
+      <acl_user id="joe">
+        <role_ref id="super_user"/>
+      </acl_user>
+      <acl_user id="mike">
+        <role_ref id="rsc_writer"/>
+      </acl_user>
+      <acl_user id="chris">
+        <role_ref id="rsc_denied"/>
+      </acl_user>
       <acl_role id="observer">
         <read id="observer-read-1" xpath="/cib"/>
         <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
         <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
       </acl_role>
       <acl_role id="admin">
         <read id="admin-read-1" xpath="/cib"/>
         <write id="admin-write-1" xpath="//resources"/>
       </acl_role>
+      <acl_role id="super_user">
+        <write id="super_user-write-1" xpath="/cib"/>
+      </acl_role>
+      <acl_role id="rsc_writer">
+        <deny id="rsc-writer-deny-1" xpath="/cib"/>
+        <write id="rsc-writer-write-1" xpath="//resources"/>
+      </acl_role>
+      <acl_role id="rsc_denied">
+        <write id="rsc-denied-write-1" xpath="/cib"/>
+        <deny id="rsc-denied-deny-1" xpath="//resources"/>
+      </acl_role>
       <acl_user id="badidea">
         <read id="badidea-resources" xpath="//meta_attributes"/>
       </acl_user>
       <acl_user id="betteridea">
         <deny id="betteridea-nothing" xpath="/cib"/>
         <read id="betteridea-resources" xpath="//meta_attributes"/>
       </acl_user>
     </acls>
   </configuration>
   <status/>
 </cib>
 =#=#=#= Begin test: niceguy: Replace - create attribute (deny) =#=#=#=
 pcmk__check_acl 	trace: Default ACL denies user 'niceguy' read/write access to /cib[@epoch]
 pcmk__check_acl 	trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/resources/primitive[@id='dummy'][@description]
 Call failed: Permission denied
 =#=#=#= End test: niceguy: Replace - create attribute (deny) - Insufficient privileges (4) =#=#=#=
 * Passed: cibadmin       - niceguy: Replace - create attribute (deny)
 <cib epoch="13" num_updates="0" admin_epoch="0">
   <configuration>
     <crm_config>
       <cluster_property_set id="cib-bootstrap-options">
         <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
         <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
         <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
       </cluster_property_set>
     </crm_config>
     <nodes/>
     <resources>
       <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="nothing interesting">
         <meta_attributes id="dummy-meta_attributes">
           <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
         </meta_attributes>
       </primitive>
     </resources>
     <constraints/>
     <acls>
       <acl_user id="l33t-haxor">
         <deny id="crook-nothing" xpath="/cib"/>
       </acl_user>
       <acl_user id="niceguy">
         <role_ref id="observer"/>
       </acl_user>
       <acl_user id="bob">
         <role_ref id="admin"/>
       </acl_user>
+      <acl_user id="joe">
+        <role_ref id="super_user"/>
+      </acl_user>
+      <acl_user id="mike">
+        <role_ref id="rsc_writer"/>
+      </acl_user>
+      <acl_user id="chris">
+        <role_ref id="rsc_denied"/>
+      </acl_user>
       <acl_role id="observer">
         <read id="observer-read-1" xpath="/cib"/>
         <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
         <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
       </acl_role>
       <acl_role id="admin">
         <read id="admin-read-1" xpath="/cib"/>
         <write id="admin-write-1" xpath="//resources"/>
       </acl_role>
+      <acl_role id="super_user">
+        <write id="super_user-write-1" xpath="/cib"/>
+      </acl_role>
+      <acl_role id="rsc_writer">
+        <deny id="rsc-writer-deny-1" xpath="/cib"/>
+        <write id="rsc-writer-write-1" xpath="//resources"/>
+      </acl_role>
+      <acl_role id="rsc_denied">
+        <write id="rsc-denied-write-1" xpath="/cib"/>
+        <deny id="rsc-denied-deny-1" xpath="//resources"/>
+      </acl_role>
       <acl_user id="badidea">
         <read id="badidea-resources" xpath="//meta_attributes"/>
       </acl_user>
       <acl_user id="betteridea">
         <deny id="betteridea-nothing" xpath="/cib"/>
         <read id="betteridea-resources" xpath="//meta_attributes"/>
       </acl_user>
     </acls>
   </configuration>
   <status/>
 </cib>
-=#=#=#= Begin test: bob: Replace - create attribute (allow) =#=#=#=
-=#=#=#= End test: bob: Replace - create attribute (allow) - OK (0) =#=#=#=
-* Passed: cibadmin       - bob: Replace - create attribute (allow)
+=#=#=#= Begin test: bob: Replace - create attribute (direct allow) =#=#=#=
+=#=#=#= End test: bob: Replace - create attribute (direct allow) - OK (0) =#=#=#=
+* Passed: cibadmin       - bob: Replace - create attribute (direct allow)
 <cib epoch="14" num_updates="0" admin_epoch="0">
   <configuration>
     <crm_config>
       <cluster_property_set id="cib-bootstrap-options">
         <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
         <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
         <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
       </cluster_property_set>
     </crm_config>
     <nodes/>
     <resources>
       <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="something interesting">
         <meta_attributes id="dummy-meta_attributes">
           <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
         </meta_attributes>
       </primitive>
     </resources>
     <constraints/>
     <acls>
       <acl_user id="l33t-haxor">
         <deny id="crook-nothing" xpath="/cib"/>
       </acl_user>
       <acl_user id="niceguy">
         <role_ref id="observer"/>
       </acl_user>
       <acl_user id="bob">
         <role_ref id="admin"/>
       </acl_user>
+      <acl_user id="joe">
+        <role_ref id="super_user"/>
+      </acl_user>
+      <acl_user id="mike">
+        <role_ref id="rsc_writer"/>
+      </acl_user>
+      <acl_user id="chris">
+        <role_ref id="rsc_denied"/>
+      </acl_user>
       <acl_role id="observer">
         <read id="observer-read-1" xpath="/cib"/>
         <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
         <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
       </acl_role>
       <acl_role id="admin">
         <read id="admin-read-1" xpath="/cib"/>
         <write id="admin-write-1" xpath="//resources"/>
       </acl_role>
+      <acl_role id="super_user">
+        <write id="super_user-write-1" xpath="/cib"/>
+      </acl_role>
+      <acl_role id="rsc_writer">
+        <deny id="rsc-writer-deny-1" xpath="/cib"/>
+        <write id="rsc-writer-write-1" xpath="//resources"/>
+      </acl_role>
+      <acl_role id="rsc_denied">
+        <write id="rsc-denied-write-1" xpath="/cib"/>
+        <deny id="rsc-denied-deny-1" xpath="//resources"/>
+      </acl_role>
       <acl_user id="badidea">
         <read id="badidea-resources" xpath="//meta_attributes"/>
       </acl_user>
       <acl_user id="betteridea">
         <deny id="betteridea-nothing" xpath="/cib"/>
         <read id="betteridea-resources" xpath="//meta_attributes"/>
       </acl_user>
     </acls>
   </configuration>
   <status/>
 </cib>
-=#=#=#= Begin test: bob: Replace - modify attribute (allow) =#=#=#=
-=#=#=#= End test: bob: Replace - modify attribute (allow) - OK (0) =#=#=#=
-* Passed: cibadmin       - bob: Replace - modify attribute (allow)
+=#=#=#= Begin test: bob: Replace - modify attribute (direct allow) =#=#=#=
+=#=#=#= End test: bob: Replace - modify attribute (direct allow) - OK (0) =#=#=#=
+* Passed: cibadmin       - bob: Replace - modify attribute (direct allow)
 <cib epoch="15" num_updates="0" admin_epoch="0">
   <configuration>
     <crm_config>
       <cluster_property_set id="cib-bootstrap-options">
         <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
         <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
         <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
       </cluster_property_set>
     </crm_config>
     <nodes/>
     <resources>
       <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"/>
     </resources>
     <constraints/>
     <acls>
       <acl_user id="l33t-haxor">
         <deny id="crook-nothing" xpath="/cib"/>
       </acl_user>
       <acl_user id="niceguy">
         <role_ref id="observer"/>
       </acl_user>
       <acl_user id="bob">
         <role_ref id="admin"/>
       </acl_user>
+      <acl_user id="joe">
+        <role_ref id="super_user"/>
+      </acl_user>
+      <acl_user id="mike">
+        <role_ref id="rsc_writer"/>
+      </acl_user>
+      <acl_user id="chris">
+        <role_ref id="rsc_denied"/>
+      </acl_user>
       <acl_role id="observer">
         <read id="observer-read-1" xpath="/cib"/>
         <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
         <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
       </acl_role>
       <acl_role id="admin">
         <read id="admin-read-1" xpath="/cib"/>
         <write id="admin-write-1" xpath="//resources"/>
       </acl_role>
+      <acl_role id="super_user">
+        <write id="super_user-write-1" xpath="/cib"/>
+      </acl_role>
+      <acl_role id="rsc_writer">
+        <deny id="rsc-writer-deny-1" xpath="/cib"/>
+        <write id="rsc-writer-write-1" xpath="//resources"/>
+      </acl_role>
+      <acl_role id="rsc_denied">
+        <write id="rsc-denied-write-1" xpath="/cib"/>
+        <deny id="rsc-denied-deny-1" xpath="//resources"/>
+      </acl_role>
       <acl_user id="badidea">
         <read id="badidea-resources" xpath="//meta_attributes"/>
       </acl_user>
       <acl_user id="betteridea">
         <deny id="betteridea-nothing" xpath="/cib"/>
         <read id="betteridea-resources" xpath="//meta_attributes"/>
       </acl_user>
     </acls>
   </configuration>
   <status/>
 </cib>
-=#=#=#= Begin test: bob: Replace - delete attribute (allow) =#=#=#=
-=#=#=#= End test: bob: Replace - delete attribute (allow) - OK (0) =#=#=#=
-* Passed: cibadmin       - bob: Replace - delete attribute (allow)
-
-
-    !#!#!#!#! Upgrading to latest CIB schema and re-testing !#!#!#!#!
-=#=#=#= Begin test: root: Upgrade to latest CIB schema =#=#=#=
-pcmk__apply_creation_acl 	trace: ACLs allow creation of <acl_permission> with id="observer-read-1"
-pcmk__apply_creation_acl 	trace: ACLs allow creation of <acl_permission> with id="observer-write-1"
-pcmk__apply_creation_acl 	trace: ACLs allow creation of <acl_permission> with id="observer-write-2"
-pcmk__apply_creation_acl 	trace: ACLs allow creation of <acl_permission> with id="admin-read-1"
-pcmk__apply_creation_acl 	trace: ACLs allow creation of <acl_permission> with id="admin-write-1"
-pcmk__apply_creation_acl 	trace: ACLs allow creation of <acl_target> with id="l33t-haxor"
-pcmk__apply_creation_acl 	trace: ACLs allow creation of <role> with id="auto-l33t-haxor"
-pcmk__apply_creation_acl 	trace: ACLs allow creation of <acl_role> with id="auto-l33t-haxor"
-pcmk__apply_creation_acl 	trace: ACLs allow creation of <acl_permission> with id="crook-nothing"
-pcmk__apply_creation_acl 	trace: ACLs allow creation of <acl_target> with id="niceguy"
-pcmk__apply_creation_acl 	trace: ACLs allow creation of <role> with id="observer"
-pcmk__apply_creation_acl 	trace: ACLs allow creation of <acl_target> with id="bob"
-pcmk__apply_creation_acl 	trace: ACLs allow creation of <role> with id="admin"
-pcmk__apply_creation_acl 	trace: ACLs allow creation of <acl_target> with id="badidea"
-pcmk__apply_creation_acl 	trace: ACLs allow creation of <role> with id="auto-badidea"
-pcmk__apply_creation_acl 	trace: ACLs allow creation of <acl_role> with id="auto-badidea"
-pcmk__apply_creation_acl 	trace: ACLs allow creation of <acl_permission> with id="badidea-resources"
-pcmk__apply_creation_acl 	trace: ACLs allow creation of <acl_target> with id="betteridea"
-pcmk__apply_creation_acl 	trace: ACLs allow creation of <role> with id="auto-betteridea"
-pcmk__apply_creation_acl 	trace: ACLs allow creation of <acl_role> with id="auto-betteridea"
-pcmk__apply_creation_acl 	trace: ACLs allow creation of <acl_permission> with id="betteridea-nothing"
-pcmk__apply_creation_acl 	trace: ACLs allow creation of <acl_permission> with id="betteridea-resources"
-=#=#=#= Current cib after: root: Upgrade to latest CIB schema =#=#=#=
-<cib epoch="2" num_updates="0" admin_epoch="1">
+=#=#=#= Begin test: bob: Replace - delete attribute (direct allow) =#=#=#=
+=#=#=#= End test: bob: Replace - delete attribute (direct allow) - OK (0) =#=#=#=
+* Passed: cibadmin       - bob: Replace - delete attribute (direct allow)
+<cib epoch="16" num_updates="0" admin_epoch="0">
   <configuration>
     <crm_config>
       <cluster_property_set id="cib-bootstrap-options">
         <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
         <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
         <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
       </cluster_property_set>
     </crm_config>
     <nodes/>
     <resources>
-      <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"/>
+      <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="nothing interesting"/>
     </resources>
     <constraints/>
     <acls>
-      <acl_target id="l33t-haxor">
-        <role id="auto-l33t-haxor"/>
-      </acl_target>
-      <acl_role id="auto-l33t-haxor">
-        <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
-      </acl_role>
-      <acl_target id="niceguy">
-        <role id="observer"/>
-      </acl_target>
-      <acl_target id="bob">
-        <role id="admin"/>
-      </acl_target>
+      <acl_user id="l33t-haxor">
+        <deny id="crook-nothing" xpath="/cib"/>
+      </acl_user>
+      <acl_user id="niceguy">
+        <role_ref id="observer"/>
+      </acl_user>
+      <acl_user id="bob">
+        <role_ref id="admin"/>
+      </acl_user>
+      <acl_user id="joe">
+        <role_ref id="super_user"/>
+      </acl_user>
+      <acl_user id="mike">
+        <role_ref id="rsc_writer"/>
+      </acl_user>
+      <acl_user id="chris">
+        <role_ref id="rsc_denied"/>
+      </acl_user>
       <acl_role id="observer">
-        <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
-        <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
-        <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+        <read id="observer-read-1" xpath="/cib"/>
+        <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+        <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
       </acl_role>
       <acl_role id="admin">
-        <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
-        <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
+        <read id="admin-read-1" xpath="/cib"/>
+        <write id="admin-write-1" xpath="//resources"/>
       </acl_role>
-      <acl_target id="badidea">
-        <role id="auto-badidea"/>
-      </acl_target>
-      <acl_role id="auto-badidea">
-        <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
+      <acl_role id="super_user">
+        <write id="super_user-write-1" xpath="/cib"/>
       </acl_role>
-      <acl_target id="betteridea">
-        <role id="auto-betteridea"/>
-      </acl_target>
-      <acl_role id="auto-betteridea">
-        <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
-        <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
+      <acl_role id="rsc_writer">
+        <deny id="rsc-writer-deny-1" xpath="/cib"/>
+        <write id="rsc-writer-write-1" xpath="//resources"/>
+      </acl_role>
+      <acl_role id="rsc_denied">
+        <write id="rsc-denied-write-1" xpath="/cib"/>
+        <deny id="rsc-denied-deny-1" xpath="//resources"/>
       </acl_role>
+      <acl_user id="badidea">
+        <read id="badidea-resources" xpath="//meta_attributes"/>
+      </acl_user>
+      <acl_user id="betteridea">
+        <deny id="betteridea-nothing" xpath="/cib"/>
+        <read id="betteridea-resources" xpath="//meta_attributes"/>
+      </acl_user>
     </acls>
   </configuration>
   <status/>
 </cib>
-=#=#=#= End test: root: Upgrade to latest CIB schema - OK (0) =#=#=#=
-* Passed: cibadmin       - root: Upgrade to latest CIB schema
-=#=#=#= Begin test: unknownguy: Query configuration =#=#=#=
-Call failed: Permission denied
-=#=#=#= End test: unknownguy: Query configuration - Insufficient privileges (4) =#=#=#=
-* Passed: cibadmin       - unknownguy: Query configuration
-=#=#=#= Begin test: unknownguy: Set enable-acl =#=#=#=
-Error performing operation: Permission denied
-=#=#=#= End test: unknownguy: Set enable-acl - Insufficient privileges (4) =#=#=#=
-* Passed: crm_attribute  - unknownguy: Set enable-acl
-=#=#=#= Begin test: unknownguy: Set stonith-enabled =#=#=#=
-Error performing operation: Permission denied
-=#=#=#= End test: unknownguy: Set stonith-enabled - Insufficient privileges (4) =#=#=#=
-* Passed: crm_attribute  - unknownguy: Set stonith-enabled
-=#=#=#= Begin test: unknownguy: Create a resource =#=#=#=
-pcmk__check_acl 	trace: User 'unknownguy' without ACLs denied read/write access to /cib/configuration/resources/primitive[@id]
-pcmk__check_acl 	trace: User 'unknownguy' without ACLs denied read/write access to /cib/configuration/resources/primitive[@class]
-pcmk__check_acl 	trace: User 'unknownguy' without ACLs denied read/write access to /cib/configuration/resources/primitive[@provider]
-pcmk__check_acl 	trace: User 'unknownguy' without ACLs denied read/write access to /cib/configuration/resources/primitive[@type]
-pcmk__apply_creation_acl 	trace: Creation of <primitive> scaffolding with id="<unset>" is implicitly allowed
-Call failed: Permission denied
-=#=#=#= End test: unknownguy: Create a resource - Insufficient privileges (4) =#=#=#=
-* Passed: cibadmin       - unknownguy: Create a resource
-=#=#=#= Begin test: l33t-haxor: Query configuration =#=#=#=
-Call failed: Permission denied
-=#=#=#= End test: l33t-haxor: Query configuration - Insufficient privileges (4) =#=#=#=
-* Passed: cibadmin       - l33t-haxor: Query configuration
-=#=#=#= Begin test: l33t-haxor: Set enable-acl =#=#=#=
-Error performing operation: Permission denied
-=#=#=#= End test: l33t-haxor: Set enable-acl - Insufficient privileges (4) =#=#=#=
-* Passed: crm_attribute  - l33t-haxor: Set enable-acl
-=#=#=#= Begin test: l33t-haxor: Set stonith-enabled =#=#=#=
-Error performing operation: Permission denied
-=#=#=#= End test: l33t-haxor: Set stonith-enabled - Insufficient privileges (4) =#=#=#=
-* Passed: crm_attribute  - l33t-haxor: Set stonith-enabled
-=#=#=#= Begin test: l33t-haxor: Create a resource =#=#=#=
-pcmk__check_acl 	trace: Parent ACL denies user 'l33t-haxor' read/write access to /cib/configuration/resources/primitive[@id='dummy']
-pcmk__apply_creation_acl 	trace: ACLs disallow creation of <primitive> with id="dummy"
-Call failed: Permission denied
-=#=#=#= End test: l33t-haxor: Create a resource - Insufficient privileges (4) =#=#=#=
-* Passed: cibadmin       - l33t-haxor: Create a resource
+=#=#=#= Begin test: joe: Replace - create attribute (inherited allow) =#=#=#=
+=#=#=#= End test: joe: Replace - create attribute (inherited allow) - OK (0) =#=#=#=
+* Passed: cibadmin       - joe: Replace - create attribute (inherited allow)
+<cib epoch="17" num_updates="0" admin_epoch="0">
+  <configuration>
+    <crm_config>
+      <cluster_property_set id="cib-bootstrap-options">
+        <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+        <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+        <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+      </cluster_property_set>
+    </crm_config>
+    <nodes/>
+    <resources>
+      <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="something interesting"/>
+    </resources>
+    <constraints/>
+    <acls>
+      <acl_user id="l33t-haxor">
+        <deny id="crook-nothing" xpath="/cib"/>
+      </acl_user>
+      <acl_user id="niceguy">
+        <role_ref id="observer"/>
+      </acl_user>
+      <acl_user id="bob">
+        <role_ref id="admin"/>
+      </acl_user>
+      <acl_user id="joe">
+        <role_ref id="super_user"/>
+      </acl_user>
+      <acl_user id="mike">
+        <role_ref id="rsc_writer"/>
+      </acl_user>
+      <acl_user id="chris">
+        <role_ref id="rsc_denied"/>
+      </acl_user>
+      <acl_role id="observer">
+        <read id="observer-read-1" xpath="/cib"/>
+        <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+        <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+      </acl_role>
+      <acl_role id="admin">
+        <read id="admin-read-1" xpath="/cib"/>
+        <write id="admin-write-1" xpath="//resources"/>
+      </acl_role>
+      <acl_role id="super_user">
+        <write id="super_user-write-1" xpath="/cib"/>
+      </acl_role>
+      <acl_role id="rsc_writer">
+        <deny id="rsc-writer-deny-1" xpath="/cib"/>
+        <write id="rsc-writer-write-1" xpath="//resources"/>
+      </acl_role>
+      <acl_role id="rsc_denied">
+        <write id="rsc-denied-write-1" xpath="/cib"/>
+        <deny id="rsc-denied-deny-1" xpath="//resources"/>
+      </acl_role>
+      <acl_user id="badidea">
+        <read id="badidea-resources" xpath="//meta_attributes"/>
+      </acl_user>
+      <acl_user id="betteridea">
+        <deny id="betteridea-nothing" xpath="/cib"/>
+        <read id="betteridea-resources" xpath="//meta_attributes"/>
+      </acl_user>
+    </acls>
+  </configuration>
+  <status/>
+</cib>
+=#=#=#= Begin test: joe: Replace - modify attribute (inherited allow) =#=#=#=
+=#=#=#= End test: joe: Replace - modify attribute (inherited allow) - OK (0) =#=#=#=
+* Passed: cibadmin       - joe: Replace - modify attribute (inherited allow)
+<cib epoch="18" num_updates="0" admin_epoch="0">
+  <configuration>
+    <crm_config>
+      <cluster_property_set id="cib-bootstrap-options">
+        <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+        <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+        <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+      </cluster_property_set>
+    </crm_config>
+    <nodes/>
+    <resources>
+      <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"/>
+    </resources>
+    <constraints/>
+    <acls>
+      <acl_user id="l33t-haxor">
+        <deny id="crook-nothing" xpath="/cib"/>
+      </acl_user>
+      <acl_user id="niceguy">
+        <role_ref id="observer"/>
+      </acl_user>
+      <acl_user id="bob">
+        <role_ref id="admin"/>
+      </acl_user>
+      <acl_user id="joe">
+        <role_ref id="super_user"/>
+      </acl_user>
+      <acl_user id="mike">
+        <role_ref id="rsc_writer"/>
+      </acl_user>
+      <acl_user id="chris">
+        <role_ref id="rsc_denied"/>
+      </acl_user>
+      <acl_role id="observer">
+        <read id="observer-read-1" xpath="/cib"/>
+        <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+        <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+      </acl_role>
+      <acl_role id="admin">
+        <read id="admin-read-1" xpath="/cib"/>
+        <write id="admin-write-1" xpath="//resources"/>
+      </acl_role>
+      <acl_role id="super_user">
+        <write id="super_user-write-1" xpath="/cib"/>
+      </acl_role>
+      <acl_role id="rsc_writer">
+        <deny id="rsc-writer-deny-1" xpath="/cib"/>
+        <write id="rsc-writer-write-1" xpath="//resources"/>
+      </acl_role>
+      <acl_role id="rsc_denied">
+        <write id="rsc-denied-write-1" xpath="/cib"/>
+        <deny id="rsc-denied-deny-1" xpath="//resources"/>
+      </acl_role>
+      <acl_user id="badidea">
+        <read id="badidea-resources" xpath="//meta_attributes"/>
+      </acl_user>
+      <acl_user id="betteridea">
+        <deny id="betteridea-nothing" xpath="/cib"/>
+        <read id="betteridea-resources" xpath="//meta_attributes"/>
+      </acl_user>
+    </acls>
+  </configuration>
+  <status/>
+</cib>
+=#=#=#= Begin test: joe: Replace - delete attribute (inherited allow) =#=#=#=
+=#=#=#= End test: joe: Replace - delete attribute (inherited allow) - OK (0) =#=#=#=
+* Passed: cibadmin       - joe: Replace - delete attribute (inherited allow)
+<cib epoch="19" num_updates="0" admin_epoch="0">
+  <configuration>
+    <crm_config>
+      <cluster_property_set id="cib-bootstrap-options">
+        <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+        <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+        <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+      </cluster_property_set>
+    </crm_config>
+    <nodes/>
+    <resources>
+      <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="nothing interesting"/>
+    </resources>
+    <constraints/>
+    <acls>
+      <acl_user id="l33t-haxor">
+        <deny id="crook-nothing" xpath="/cib"/>
+      </acl_user>
+      <acl_user id="niceguy">
+        <role_ref id="observer"/>
+      </acl_user>
+      <acl_user id="bob">
+        <role_ref id="admin"/>
+      </acl_user>
+      <acl_user id="joe">
+        <role_ref id="super_user"/>
+      </acl_user>
+      <acl_user id="mike">
+        <role_ref id="rsc_writer"/>
+      </acl_user>
+      <acl_user id="chris">
+        <role_ref id="rsc_denied"/>
+      </acl_user>
+      <acl_role id="observer">
+        <read id="observer-read-1" xpath="/cib"/>
+        <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+        <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+      </acl_role>
+      <acl_role id="admin">
+        <read id="admin-read-1" xpath="/cib"/>
+        <write id="admin-write-1" xpath="//resources"/>
+      </acl_role>
+      <acl_role id="super_user">
+        <write id="super_user-write-1" xpath="/cib"/>
+      </acl_role>
+      <acl_role id="rsc_writer">
+        <deny id="rsc-writer-deny-1" xpath="/cib"/>
+        <write id="rsc-writer-write-1" xpath="//resources"/>
+      </acl_role>
+      <acl_role id="rsc_denied">
+        <write id="rsc-denied-write-1" xpath="/cib"/>
+        <deny id="rsc-denied-deny-1" xpath="//resources"/>
+      </acl_role>
+      <acl_user id="badidea">
+        <read id="badidea-resources" xpath="//meta_attributes"/>
+      </acl_user>
+      <acl_user id="betteridea">
+        <deny id="betteridea-nothing" xpath="/cib"/>
+        <read id="betteridea-resources" xpath="//meta_attributes"/>
+      </acl_user>
+    </acls>
+  </configuration>
+  <status/>
+</cib>
+=#=#=#= Begin test: mike: Replace - create attribute (allow overrides deny) =#=#=#=
+=#=#=#= End test: mike: Replace - create attribute (allow overrides deny) - OK (0) =#=#=#=
+* Passed: cibadmin       - mike: Replace - create attribute (allow overrides deny)
+<cib epoch="20" num_updates="0" admin_epoch="0">
+  <configuration>
+    <crm_config>
+      <cluster_property_set id="cib-bootstrap-options">
+        <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+        <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+        <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+      </cluster_property_set>
+    </crm_config>
+    <nodes/>
+    <resources>
+      <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="something interesting"/>
+    </resources>
+    <constraints/>
+    <acls>
+      <acl_user id="l33t-haxor">
+        <deny id="crook-nothing" xpath="/cib"/>
+      </acl_user>
+      <acl_user id="niceguy">
+        <role_ref id="observer"/>
+      </acl_user>
+      <acl_user id="bob">
+        <role_ref id="admin"/>
+      </acl_user>
+      <acl_user id="joe">
+        <role_ref id="super_user"/>
+      </acl_user>
+      <acl_user id="mike">
+        <role_ref id="rsc_writer"/>
+      </acl_user>
+      <acl_user id="chris">
+        <role_ref id="rsc_denied"/>
+      </acl_user>
+      <acl_role id="observer">
+        <read id="observer-read-1" xpath="/cib"/>
+        <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+        <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+      </acl_role>
+      <acl_role id="admin">
+        <read id="admin-read-1" xpath="/cib"/>
+        <write id="admin-write-1" xpath="//resources"/>
+      </acl_role>
+      <acl_role id="super_user">
+        <write id="super_user-write-1" xpath="/cib"/>
+      </acl_role>
+      <acl_role id="rsc_writer">
+        <deny id="rsc-writer-deny-1" xpath="/cib"/>
+        <write id="rsc-writer-write-1" xpath="//resources"/>
+      </acl_role>
+      <acl_role id="rsc_denied">
+        <write id="rsc-denied-write-1" xpath="/cib"/>
+        <deny id="rsc-denied-deny-1" xpath="//resources"/>
+      </acl_role>
+      <acl_user id="badidea">
+        <read id="badidea-resources" xpath="//meta_attributes"/>
+      </acl_user>
+      <acl_user id="betteridea">
+        <deny id="betteridea-nothing" xpath="/cib"/>
+        <read id="betteridea-resources" xpath="//meta_attributes"/>
+      </acl_user>
+    </acls>
+  </configuration>
+  <status/>
+</cib>
+=#=#=#= Begin test: mike: Replace - modify attribute (allow overrides deny) =#=#=#=
+=#=#=#= End test: mike: Replace - modify attribute (allow overrides deny) - OK (0) =#=#=#=
+* Passed: cibadmin       - mike: Replace - modify attribute (allow overrides deny)
+<cib epoch="21" num_updates="0" admin_epoch="0">
+  <configuration>
+    <crm_config>
+      <cluster_property_set id="cib-bootstrap-options">
+        <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+        <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+        <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+      </cluster_property_set>
+    </crm_config>
+    <nodes/>
+    <resources>
+      <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"/>
+    </resources>
+    <constraints/>
+    <acls>
+      <acl_user id="l33t-haxor">
+        <deny id="crook-nothing" xpath="/cib"/>
+      </acl_user>
+      <acl_user id="niceguy">
+        <role_ref id="observer"/>
+      </acl_user>
+      <acl_user id="bob">
+        <role_ref id="admin"/>
+      </acl_user>
+      <acl_user id="joe">
+        <role_ref id="super_user"/>
+      </acl_user>
+      <acl_user id="mike">
+        <role_ref id="rsc_writer"/>
+      </acl_user>
+      <acl_user id="chris">
+        <role_ref id="rsc_denied"/>
+      </acl_user>
+      <acl_role id="observer">
+        <read id="observer-read-1" xpath="/cib"/>
+        <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+        <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+      </acl_role>
+      <acl_role id="admin">
+        <read id="admin-read-1" xpath="/cib"/>
+        <write id="admin-write-1" xpath="//resources"/>
+      </acl_role>
+      <acl_role id="super_user">
+        <write id="super_user-write-1" xpath="/cib"/>
+      </acl_role>
+      <acl_role id="rsc_writer">
+        <deny id="rsc-writer-deny-1" xpath="/cib"/>
+        <write id="rsc-writer-write-1" xpath="//resources"/>
+      </acl_role>
+      <acl_role id="rsc_denied">
+        <write id="rsc-denied-write-1" xpath="/cib"/>
+        <deny id="rsc-denied-deny-1" xpath="//resources"/>
+      </acl_role>
+      <acl_user id="badidea">
+        <read id="badidea-resources" xpath="//meta_attributes"/>
+      </acl_user>
+      <acl_user id="betteridea">
+        <deny id="betteridea-nothing" xpath="/cib"/>
+        <read id="betteridea-resources" xpath="//meta_attributes"/>
+      </acl_user>
+    </acls>
+  </configuration>
+  <status/>
+</cib>
+=#=#=#= Begin test: mike: Replace - delete attribute (allow overrides deny) =#=#=#=
+=#=#=#= End test: mike: Replace - delete attribute (allow overrides deny) - OK (0) =#=#=#=
+* Passed: cibadmin       - mike: Replace - delete attribute (allow overrides deny)
+<cib epoch="22" num_updates="0" admin_epoch="0">
+  <configuration>
+    <crm_config>
+      <cluster_property_set id="cib-bootstrap-options">
+        <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+        <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+        <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+      </cluster_property_set>
+    </crm_config>
+    <nodes/>
+    <resources>
+      <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="nothing interesting"/>
+    </resources>
+    <constraints/>
+    <acls>
+      <acl_user id="l33t-haxor">
+        <deny id="crook-nothing" xpath="/cib"/>
+      </acl_user>
+      <acl_user id="niceguy">
+        <role_ref id="observer"/>
+      </acl_user>
+      <acl_user id="bob">
+        <role_ref id="admin"/>
+      </acl_user>
+      <acl_user id="joe">
+        <role_ref id="super_user"/>
+      </acl_user>
+      <acl_user id="mike">
+        <role_ref id="rsc_writer"/>
+      </acl_user>
+      <acl_user id="chris">
+        <role_ref id="rsc_denied"/>
+      </acl_user>
+      <acl_role id="observer">
+        <read id="observer-read-1" xpath="/cib"/>
+        <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+        <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+      </acl_role>
+      <acl_role id="admin">
+        <read id="admin-read-1" xpath="/cib"/>
+        <write id="admin-write-1" xpath="//resources"/>
+      </acl_role>
+      <acl_role id="super_user">
+        <write id="super_user-write-1" xpath="/cib"/>
+      </acl_role>
+      <acl_role id="rsc_writer">
+        <deny id="rsc-writer-deny-1" xpath="/cib"/>
+        <write id="rsc-writer-write-1" xpath="//resources"/>
+      </acl_role>
+      <acl_role id="rsc_denied">
+        <write id="rsc-denied-write-1" xpath="/cib"/>
+        <deny id="rsc-denied-deny-1" xpath="//resources"/>
+      </acl_role>
+      <acl_user id="badidea">
+        <read id="badidea-resources" xpath="//meta_attributes"/>
+      </acl_user>
+      <acl_user id="betteridea">
+        <deny id="betteridea-nothing" xpath="/cib"/>
+        <read id="betteridea-resources" xpath="//meta_attributes"/>
+      </acl_user>
+    </acls>
+  </configuration>
+  <status/>
+</cib>
+=#=#=#= Begin test: chris: Replace - create attribute (deny overrides allow) =#=#=#=
+pcmk__check_acl 	trace: Parent ACL denies user 'chris' read/write access to /cib/configuration/resources/primitive[@id='dummy'][@description]
+Call failed: Permission denied
+=#=#=#= End test: chris: Replace - create attribute (deny overrides allow) - Insufficient privileges (4) =#=#=#=
+* Passed: cibadmin       - chris: Replace - create attribute (deny overrides allow)
+<cib epoch="23" num_updates="0" admin_epoch="0">
+  <configuration>
+    <crm_config>
+      <cluster_property_set id="cib-bootstrap-options">
+        <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+        <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+        <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+      </cluster_property_set>
+    </crm_config>
+    <nodes/>
+    <resources>
+      <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="something interesting"/>
+    </resources>
+    <constraints/>
+    <acls>
+      <acl_user id="l33t-haxor">
+        <deny id="crook-nothing" xpath="/cib"/>
+      </acl_user>
+      <acl_user id="niceguy">
+        <role_ref id="observer"/>
+      </acl_user>
+      <acl_user id="bob">
+        <role_ref id="admin"/>
+      </acl_user>
+      <acl_user id="joe">
+        <role_ref id="super_user"/>
+      </acl_user>
+      <acl_user id="mike">
+        <role_ref id="rsc_writer"/>
+      </acl_user>
+      <acl_user id="chris">
+        <role_ref id="rsc_denied"/>
+      </acl_user>
+      <acl_role id="observer">
+        <read id="observer-read-1" xpath="/cib"/>
+        <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+        <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+      </acl_role>
+      <acl_role id="admin">
+        <read id="admin-read-1" xpath="/cib"/>
+        <write id="admin-write-1" xpath="//resources"/>
+      </acl_role>
+      <acl_role id="super_user">
+        <write id="super_user-write-1" xpath="/cib"/>
+      </acl_role>
+      <acl_role id="rsc_writer">
+        <deny id="rsc-writer-deny-1" xpath="/cib"/>
+        <write id="rsc-writer-write-1" xpath="//resources"/>
+      </acl_role>
+      <acl_role id="rsc_denied">
+        <write id="rsc-denied-write-1" xpath="/cib"/>
+        <deny id="rsc-denied-deny-1" xpath="//resources"/>
+      </acl_role>
+      <acl_user id="badidea">
+        <read id="badidea-resources" xpath="//meta_attributes"/>
+      </acl_user>
+      <acl_user id="betteridea">
+        <deny id="betteridea-nothing" xpath="/cib"/>
+        <read id="betteridea-resources" xpath="//meta_attributes"/>
+      </acl_user>
+    </acls>
+  </configuration>
+  <status/>
+</cib>
+=#=#=#= Begin test: chris: Replace - modify attribute (deny overrides allow) =#=#=#=
+pcmk__check_acl 	trace: Parent ACL denies user 'chris' read/write access to /cib/configuration/resources/primitive[@id='dummy'][@description]
+Call failed: Permission denied
+=#=#=#= End test: chris: Replace - modify attribute (deny overrides allow) - Insufficient privileges (4) =#=#=#=
+* Passed: cibadmin       - chris: Replace - modify attribute (deny overrides allow)
+<cib epoch="24" num_updates="0" admin_epoch="0">
+  <configuration>
+    <crm_config>
+      <cluster_property_set id="cib-bootstrap-options">
+        <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+        <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+        <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+      </cluster_property_set>
+    </crm_config>
+    <nodes/>
+    <resources>
+      <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"/>
+    </resources>
+    <constraints/>
+    <acls>
+      <acl_user id="l33t-haxor">
+        <deny id="crook-nothing" xpath="/cib"/>
+      </acl_user>
+      <acl_user id="niceguy">
+        <role_ref id="observer"/>
+      </acl_user>
+      <acl_user id="bob">
+        <role_ref id="admin"/>
+      </acl_user>
+      <acl_user id="joe">
+        <role_ref id="super_user"/>
+      </acl_user>
+      <acl_user id="mike">
+        <role_ref id="rsc_writer"/>
+      </acl_user>
+      <acl_user id="chris">
+        <role_ref id="rsc_denied"/>
+      </acl_user>
+      <acl_role id="observer">
+        <read id="observer-read-1" xpath="/cib"/>
+        <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+        <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+      </acl_role>
+      <acl_role id="admin">
+        <read id="admin-read-1" xpath="/cib"/>
+        <write id="admin-write-1" xpath="//resources"/>
+      </acl_role>
+      <acl_role id="super_user">
+        <write id="super_user-write-1" xpath="/cib"/>
+      </acl_role>
+      <acl_role id="rsc_writer">
+        <deny id="rsc-writer-deny-1" xpath="/cib"/>
+        <write id="rsc-writer-write-1" xpath="//resources"/>
+      </acl_role>
+      <acl_role id="rsc_denied">
+        <write id="rsc-denied-write-1" xpath="/cib"/>
+        <deny id="rsc-denied-deny-1" xpath="//resources"/>
+      </acl_role>
+      <acl_user id="badidea">
+        <read id="badidea-resources" xpath="//meta_attributes"/>
+      </acl_user>
+      <acl_user id="betteridea">
+        <deny id="betteridea-nothing" xpath="/cib"/>
+        <read id="betteridea-resources" xpath="//meta_attributes"/>
+      </acl_user>
+    </acls>
+  </configuration>
+  <status/>
+</cib>
+=#=#=#= Begin test: chris: Replace - delete attribute (deny overrides allow) =#=#=#=
+pcmk__check_acl 	trace: Parent ACL denies user 'chris' read/write access to /cib/configuration/resources/primitive[@id='dummy']
+Call failed: Permission denied
+=#=#=#= End test: chris: Replace - delete attribute (deny overrides allow) - Insufficient privileges (4) =#=#=#=
+* Passed: cibadmin       - chris: Replace - delete attribute (deny overrides allow)
+
+
+    !#!#!#!#! Upgrading to latest CIB schema and re-testing !#!#!#!#!
+=#=#=#= Begin test: root: Upgrade to latest CIB schema =#=#=#=
+pcmk__apply_creation_acl 	trace: ACLs allow creation of <acl_permission> with id="observer-read-1"
+pcmk__apply_creation_acl 	trace: ACLs allow creation of <acl_permission> with id="observer-write-1"
+pcmk__apply_creation_acl 	trace: ACLs allow creation of <acl_permission> with id="observer-write-2"
+pcmk__apply_creation_acl 	trace: ACLs allow creation of <acl_permission> with id="admin-read-1"
+pcmk__apply_creation_acl 	trace: ACLs allow creation of <acl_permission> with id="admin-write-1"
+pcmk__apply_creation_acl 	trace: ACLs allow creation of <acl_permission> with id="super_user-write-1"
+pcmk__apply_creation_acl 	trace: ACLs allow creation of <acl_permission> with id="rsc-writer-deny-1"
+pcmk__apply_creation_acl 	trace: ACLs allow creation of <acl_permission> with id="rsc-writer-write-1"
+pcmk__apply_creation_acl 	trace: ACLs allow creation of <acl_permission> with id="rsc-denied-write-1"
+pcmk__apply_creation_acl 	trace: ACLs allow creation of <acl_permission> with id="rsc-denied-deny-1"
+pcmk__apply_creation_acl 	trace: ACLs allow creation of <acl_target> with id="l33t-haxor"
+pcmk__apply_creation_acl 	trace: ACLs allow creation of <role> with id="auto-l33t-haxor"
+pcmk__apply_creation_acl 	trace: ACLs allow creation of <acl_role> with id="auto-l33t-haxor"
+pcmk__apply_creation_acl 	trace: ACLs allow creation of <acl_permission> with id="crook-nothing"
+pcmk__apply_creation_acl 	trace: ACLs allow creation of <acl_target> with id="niceguy"
+pcmk__apply_creation_acl 	trace: ACLs allow creation of <role> with id="observer"
+pcmk__apply_creation_acl 	trace: ACLs allow creation of <acl_target> with id="bob"
+pcmk__apply_creation_acl 	trace: ACLs allow creation of <role> with id="admin"
+pcmk__apply_creation_acl 	trace: ACLs allow creation of <acl_target> with id="joe"
+pcmk__apply_creation_acl 	trace: ACLs allow creation of <role> with id="super_user"
+pcmk__apply_creation_acl 	trace: ACLs allow creation of <acl_target> with id="mike"
+pcmk__apply_creation_acl 	trace: ACLs allow creation of <role> with id="rsc_writer"
+pcmk__apply_creation_acl 	trace: ACLs allow creation of <acl_target> with id="chris"
+pcmk__apply_creation_acl 	trace: ACLs allow creation of <role> with id="rsc_denied"
+pcmk__apply_creation_acl 	trace: ACLs allow creation of <acl_target> with id="badidea"
+pcmk__apply_creation_acl 	trace: ACLs allow creation of <role> with id="auto-badidea"
+pcmk__apply_creation_acl 	trace: ACLs allow creation of <acl_role> with id="auto-badidea"
+pcmk__apply_creation_acl 	trace: ACLs allow creation of <acl_permission> with id="badidea-resources"
+pcmk__apply_creation_acl 	trace: ACLs allow creation of <acl_target> with id="betteridea"
+pcmk__apply_creation_acl 	trace: ACLs allow creation of <role> with id="auto-betteridea"
+pcmk__apply_creation_acl 	trace: ACLs allow creation of <acl_role> with id="auto-betteridea"
+pcmk__apply_creation_acl 	trace: ACLs allow creation of <acl_permission> with id="betteridea-nothing"
+pcmk__apply_creation_acl 	trace: ACLs allow creation of <acl_permission> with id="betteridea-resources"
+=#=#=#= Current cib after: root: Upgrade to latest CIB schema =#=#=#=
+<cib epoch="2" num_updates="0" admin_epoch="1">
+  <configuration>
+    <crm_config>
+      <cluster_property_set id="cib-bootstrap-options">
+        <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+        <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+        <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+      </cluster_property_set>
+    </crm_config>
+    <nodes/>
+    <resources>
+      <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="something interesting"/>
+    </resources>
+    <constraints/>
+    <acls>
+      <acl_target id="l33t-haxor">
+        <role id="auto-l33t-haxor"/>
+      </acl_target>
+      <acl_role id="auto-l33t-haxor">
+        <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
+      </acl_role>
+      <acl_target id="niceguy">
+        <role id="observer"/>
+      </acl_target>
+      <acl_target id="bob">
+        <role id="admin"/>
+      </acl_target>
+      <acl_target id="joe">
+        <role id="super_user"/>
+      </acl_target>
+      <acl_target id="mike">
+        <role id="rsc_writer"/>
+      </acl_target>
+      <acl_target id="chris">
+        <role id="rsc_denied"/>
+      </acl_target>
+      <acl_role id="observer">
+        <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
+        <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+        <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+      </acl_role>
+      <acl_role id="admin">
+        <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
+        <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
+      </acl_role>
+      <acl_role id="super_user">
+        <acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
+      </acl_role>
+      <acl_role id="rsc_writer">
+        <acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
+        <acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
+      </acl_role>
+      <acl_role id="rsc_denied">
+        <acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
+        <acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
+      </acl_role>
+      <acl_target id="badidea">
+        <role id="auto-badidea"/>
+      </acl_target>
+      <acl_role id="auto-badidea">
+        <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
+      </acl_role>
+      <acl_target id="betteridea">
+        <role id="auto-betteridea"/>
+      </acl_target>
+      <acl_role id="auto-betteridea">
+        <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
+        <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
+      </acl_role>
+    </acls>
+  </configuration>
+  <status/>
+</cib>
+=#=#=#= End test: root: Upgrade to latest CIB schema - OK (0) =#=#=#=
+* Passed: cibadmin       - root: Upgrade to latest CIB schema
+=#=#=#= Begin test: unknownguy: Query configuration =#=#=#=
+Call failed: Permission denied
+=#=#=#= End test: unknownguy: Query configuration - Insufficient privileges (4) =#=#=#=
+* Passed: cibadmin       - unknownguy: Query configuration
+=#=#=#= Begin test: unknownguy: Set enable-acl =#=#=#=
+Error performing operation: Permission denied
+=#=#=#= End test: unknownguy: Set enable-acl - Insufficient privileges (4) =#=#=#=
+* Passed: crm_attribute  - unknownguy: Set enable-acl
+=#=#=#= Begin test: unknownguy: Set stonith-enabled =#=#=#=
+Error performing operation: Permission denied
+=#=#=#= End test: unknownguy: Set stonith-enabled - Insufficient privileges (4) =#=#=#=
+* Passed: crm_attribute  - unknownguy: Set stonith-enabled
+=#=#=#= Begin test: unknownguy: Create a resource =#=#=#=
+pcmk__check_acl 	trace: User 'unknownguy' without ACLs denied read/write access to /cib/configuration/resources/primitive[@id]
+pcmk__check_acl 	trace: User 'unknownguy' without ACLs denied read/write access to /cib/configuration/resources/primitive[@class]
+pcmk__check_acl 	trace: User 'unknownguy' without ACLs denied read/write access to /cib/configuration/resources/primitive[@provider]
+pcmk__check_acl 	trace: User 'unknownguy' without ACLs denied read/write access to /cib/configuration/resources/primitive[@type]
+pcmk__apply_creation_acl 	trace: Creation of <primitive> scaffolding with id="<unset>" is implicitly allowed
+Call failed: Permission denied
+=#=#=#= End test: unknownguy: Create a resource - Insufficient privileges (4) =#=#=#=
+* Passed: cibadmin       - unknownguy: Create a resource
+=#=#=#= Begin test: l33t-haxor: Query configuration =#=#=#=
+Call failed: Permission denied
+=#=#=#= End test: l33t-haxor: Query configuration - Insufficient privileges (4) =#=#=#=
+* Passed: cibadmin       - l33t-haxor: Query configuration
+=#=#=#= Begin test: l33t-haxor: Set enable-acl =#=#=#=
+Error performing operation: Permission denied
+=#=#=#= End test: l33t-haxor: Set enable-acl - Insufficient privileges (4) =#=#=#=
+* Passed: crm_attribute  - l33t-haxor: Set enable-acl
+=#=#=#= Begin test: l33t-haxor: Set stonith-enabled =#=#=#=
+Error performing operation: Permission denied
+=#=#=#= End test: l33t-haxor: Set stonith-enabled - Insufficient privileges (4) =#=#=#=
+* Passed: crm_attribute  - l33t-haxor: Set stonith-enabled
+=#=#=#= Begin test: l33t-haxor: Create a resource =#=#=#=
+pcmk__check_acl 	trace: Parent ACL denies user 'l33t-haxor' read/write access to /cib/configuration/resources/primitive[@id='dummy']
+pcmk__apply_creation_acl 	trace: ACLs disallow creation of <primitive> with id="dummy"
+Call failed: Permission denied
+=#=#=#= End test: l33t-haxor: Create a resource - Insufficient privileges (4) =#=#=#=
+* Passed: cibadmin       - l33t-haxor: Create a resource
 =#=#=#= Begin test: niceguy: Query configuration =#=#=#=
 <cib epoch="7" num_updates="0" admin_epoch="0">
   <configuration>
     <crm_config>
       <cluster_property_set id="cib-bootstrap-options">
         <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
         <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
         <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
       </cluster_property_set>
     </crm_config>
     <nodes/>
-    <resources/>
+    <resources/>
+    <constraints/>
+    <acls>
+      <acl_target id="l33t-haxor">
+        <role id="auto-l33t-haxor"/>
+      </acl_target>
+      <acl_role id="auto-l33t-haxor">
+        <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
+      </acl_role>
+      <acl_target id="niceguy">
+        <role id="observer"/>
+      </acl_target>
+      <acl_target id="bob">
+        <role id="admin"/>
+      </acl_target>
+      <acl_target id="joe">
+        <role id="super_user"/>
+      </acl_target>
+      <acl_target id="mike">
+        <role id="rsc_writer"/>
+      </acl_target>
+      <acl_target id="chris">
+        <role id="rsc_denied"/>
+      </acl_target>
+      <acl_role id="observer">
+        <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
+        <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+        <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+      </acl_role>
+      <acl_role id="admin">
+        <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
+        <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
+      </acl_role>
+      <acl_role id="super_user">
+        <acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
+      </acl_role>
+      <acl_role id="rsc_writer">
+        <acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
+        <acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
+      </acl_role>
+      <acl_role id="rsc_denied">
+        <acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
+        <acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
+      </acl_role>
+      <acl_target id="badidea">
+        <role id="auto-badidea"/>
+      </acl_target>
+      <acl_role id="auto-badidea">
+        <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
+      </acl_role>
+      <acl_target id="betteridea">
+        <role id="auto-betteridea"/>
+      </acl_target>
+      <acl_role id="auto-betteridea">
+        <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
+        <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
+      </acl_role>
+    </acls>
+  </configuration>
+  <status/>
+</cib>
+=#=#=#= End test: niceguy: Query configuration - OK (0) =#=#=#=
+* Passed: cibadmin       - niceguy: Query configuration
+=#=#=#= Begin test: niceguy: Set enable-acl =#=#=#=
+pcmk__check_acl 	trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/crm_config/cluster_property_set[@id='cib-bootstrap-options']/nvpair[@id='cib-bootstrap-options-enable-acl'][@value]
+Error performing operation: Permission denied
+Error setting enable-acl=false (section=crm_config, set=<null>): Permission denied
+=#=#=#= End test: niceguy: Set enable-acl - Insufficient privileges (4) =#=#=#=
+* Passed: crm_attribute  - niceguy: Set enable-acl
+=#=#=#= Begin test: niceguy: Set stonith-enabled =#=#=#=
+=#=#=#= Current cib after: niceguy: Set stonith-enabled =#=#=#=
+<cib epoch="8" num_updates="0" admin_epoch="0">
+  <configuration>
+    <crm_config>
+      <cluster_property_set id="cib-bootstrap-options">
+        <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+        <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+        <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="false"/>
+      </cluster_property_set>
+    </crm_config>
+    <nodes/>
+    <resources/>
+    <constraints/>
+    <acls>
+      <acl_target id="l33t-haxor">
+        <role id="auto-l33t-haxor"/>
+      </acl_target>
+      <acl_role id="auto-l33t-haxor">
+        <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
+      </acl_role>
+      <acl_target id="niceguy">
+        <role id="observer"/>
+      </acl_target>
+      <acl_target id="bob">
+        <role id="admin"/>
+      </acl_target>
+      <acl_target id="joe">
+        <role id="super_user"/>
+      </acl_target>
+      <acl_target id="mike">
+        <role id="rsc_writer"/>
+      </acl_target>
+      <acl_target id="chris">
+        <role id="rsc_denied"/>
+      </acl_target>
+      <acl_role id="observer">
+        <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
+        <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+        <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+      </acl_role>
+      <acl_role id="admin">
+        <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
+        <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
+      </acl_role>
+      <acl_role id="super_user">
+        <acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
+      </acl_role>
+      <acl_role id="rsc_writer">
+        <acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
+        <acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
+      </acl_role>
+      <acl_role id="rsc_denied">
+        <acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
+        <acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
+      </acl_role>
+      <acl_target id="badidea">
+        <role id="auto-badidea"/>
+      </acl_target>
+      <acl_role id="auto-badidea">
+        <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
+      </acl_role>
+      <acl_target id="betteridea">
+        <role id="auto-betteridea"/>
+      </acl_target>
+      <acl_role id="auto-betteridea">
+        <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
+        <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
+      </acl_role>
+    </acls>
+  </configuration>
+  <status/>
+</cib>
+=#=#=#= End test: niceguy: Set stonith-enabled - OK (0) =#=#=#=
+* Passed: crm_attribute  - niceguy: Set stonith-enabled
+=#=#=#= Begin test: niceguy: Create a resource =#=#=#=
+pcmk__check_acl 	trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/resources/primitive[@id='dummy']
+pcmk__apply_creation_acl 	trace: ACLs disallow creation of <primitive> with id="dummy"
+Call failed: Permission denied
+=#=#=#= End test: niceguy: Create a resource - Insufficient privileges (4) =#=#=#=
+* Passed: cibadmin       - niceguy: Create a resource
+=#=#=#= Begin test: root: Query configuration =#=#=#=
+<cib epoch="8" num_updates="0" admin_epoch="0">
+  <configuration>
+    <crm_config>
+      <cluster_property_set id="cib-bootstrap-options">
+        <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+        <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+        <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="false"/>
+      </cluster_property_set>
+    </crm_config>
+    <nodes/>
+    <resources/>
+    <constraints/>
+    <acls>
+      <acl_target id="l33t-haxor">
+        <role id="auto-l33t-haxor"/>
+      </acl_target>
+      <acl_role id="auto-l33t-haxor">
+        <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
+      </acl_role>
+      <acl_target id="niceguy">
+        <role id="observer"/>
+      </acl_target>
+      <acl_target id="bob">
+        <role id="admin"/>
+      </acl_target>
+      <acl_target id="joe">
+        <role id="super_user"/>
+      </acl_target>
+      <acl_target id="mike">
+        <role id="rsc_writer"/>
+      </acl_target>
+      <acl_target id="chris">
+        <role id="rsc_denied"/>
+      </acl_target>
+      <acl_role id="observer">
+        <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
+        <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+        <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+      </acl_role>
+      <acl_role id="admin">
+        <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
+        <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
+      </acl_role>
+      <acl_role id="super_user">
+        <acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
+      </acl_role>
+      <acl_role id="rsc_writer">
+        <acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
+        <acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
+      </acl_role>
+      <acl_role id="rsc_denied">
+        <acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
+        <acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
+      </acl_role>
+      <acl_target id="badidea">
+        <role id="auto-badidea"/>
+      </acl_target>
+      <acl_role id="auto-badidea">
+        <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
+      </acl_role>
+      <acl_target id="betteridea">
+        <role id="auto-betteridea"/>
+      </acl_target>
+      <acl_role id="auto-betteridea">
+        <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
+        <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
+      </acl_role>
+    </acls>
+  </configuration>
+  <status/>
+</cib>
+=#=#=#= End test: root: Query configuration - OK (0) =#=#=#=
+* Passed: cibadmin       - root: Query configuration
+=#=#=#= Begin test: root: Set stonith-enabled =#=#=#=
+=#=#=#= Current cib after: root: Set stonith-enabled =#=#=#=
+<cib epoch="9" num_updates="0" admin_epoch="0">
+  <configuration>
+    <crm_config>
+      <cluster_property_set id="cib-bootstrap-options">
+        <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+        <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+        <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+      </cluster_property_set>
+    </crm_config>
+    <nodes/>
+    <resources/>
+    <constraints/>
+    <acls>
+      <acl_target id="l33t-haxor">
+        <role id="auto-l33t-haxor"/>
+      </acl_target>
+      <acl_role id="auto-l33t-haxor">
+        <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
+      </acl_role>
+      <acl_target id="niceguy">
+        <role id="observer"/>
+      </acl_target>
+      <acl_target id="bob">
+        <role id="admin"/>
+      </acl_target>
+      <acl_target id="joe">
+        <role id="super_user"/>
+      </acl_target>
+      <acl_target id="mike">
+        <role id="rsc_writer"/>
+      </acl_target>
+      <acl_target id="chris">
+        <role id="rsc_denied"/>
+      </acl_target>
+      <acl_role id="observer">
+        <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
+        <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+        <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+      </acl_role>
+      <acl_role id="admin">
+        <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
+        <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
+      </acl_role>
+      <acl_role id="super_user">
+        <acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
+      </acl_role>
+      <acl_role id="rsc_writer">
+        <acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
+        <acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
+      </acl_role>
+      <acl_role id="rsc_denied">
+        <acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
+        <acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
+      </acl_role>
+      <acl_target id="badidea">
+        <role id="auto-badidea"/>
+      </acl_target>
+      <acl_role id="auto-badidea">
+        <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
+      </acl_role>
+      <acl_target id="betteridea">
+        <role id="auto-betteridea"/>
+      </acl_target>
+      <acl_role id="auto-betteridea">
+        <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
+        <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
+      </acl_role>
+    </acls>
+  </configuration>
+  <status/>
+</cib>
+=#=#=#= End test: root: Set stonith-enabled - OK (0) =#=#=#=
+* Passed: crm_attribute  - root: Set stonith-enabled
+=#=#=#= Begin test: root: Create a resource =#=#=#=
+=#=#=#= Current cib after: root: Create a resource =#=#=#=
+<cib epoch="10" num_updates="0" admin_epoch="0">
+  <configuration>
+    <crm_config>
+      <cluster_property_set id="cib-bootstrap-options">
+        <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+        <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+        <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+      </cluster_property_set>
+    </crm_config>
+    <nodes/>
+    <resources>
+      <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"/>
+    </resources>
+    <constraints/>
+    <acls>
+      <acl_target id="l33t-haxor">
+        <role id="auto-l33t-haxor"/>
+      </acl_target>
+      <acl_role id="auto-l33t-haxor">
+        <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
+      </acl_role>
+      <acl_target id="niceguy">
+        <role id="observer"/>
+      </acl_target>
+      <acl_target id="bob">
+        <role id="admin"/>
+      </acl_target>
+      <acl_target id="joe">
+        <role id="super_user"/>
+      </acl_target>
+      <acl_target id="mike">
+        <role id="rsc_writer"/>
+      </acl_target>
+      <acl_target id="chris">
+        <role id="rsc_denied"/>
+      </acl_target>
+      <acl_role id="observer">
+        <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
+        <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+        <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+      </acl_role>
+      <acl_role id="admin">
+        <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
+        <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
+      </acl_role>
+      <acl_role id="super_user">
+        <acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
+      </acl_role>
+      <acl_role id="rsc_writer">
+        <acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
+        <acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
+      </acl_role>
+      <acl_role id="rsc_denied">
+        <acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
+        <acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
+      </acl_role>
+      <acl_target id="badidea">
+        <role id="auto-badidea"/>
+      </acl_target>
+      <acl_role id="auto-badidea">
+        <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
+      </acl_role>
+      <acl_target id="betteridea">
+        <role id="auto-betteridea"/>
+      </acl_target>
+      <acl_role id="auto-betteridea">
+        <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
+        <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
+      </acl_role>
+    </acls>
+  </configuration>
+  <status/>
+</cib>
+=#=#=#= End test: root: Create a resource - OK (0) =#=#=#=
+* Passed: cibadmin       - root: Create a resource
+=#=#=#= Begin test: l33t-haxor: Create a resource meta attribute =#=#=#=
+Error performing operation: Permission denied
+=#=#=#= End test: l33t-haxor: Create a resource meta attribute - Insufficient privileges (4) =#=#=#=
+* Passed: crm_resource   - l33t-haxor: Create a resource meta attribute
+=#=#=#= Begin test: l33t-haxor: Query a resource meta attribute =#=#=#=
+Error performing operation: Permission denied
+=#=#=#= End test: l33t-haxor: Query a resource meta attribute - Insufficient privileges (4) =#=#=#=
+* Passed: crm_resource   - l33t-haxor: Query a resource meta attribute
+=#=#=#= Begin test: l33t-haxor: Remove a resource meta attribute =#=#=#=
+Error performing operation: Permission denied
+=#=#=#= End test: l33t-haxor: Remove a resource meta attribute - Insufficient privileges (4) =#=#=#=
+* Passed: crm_resource   - l33t-haxor: Remove a resource meta attribute
+=#=#=#= Begin test: niceguy: Create a resource meta attribute =#=#=#=
+unpack_resources 	error: Resource start-up disabled since no STONITH resources have been defined
+unpack_resources 	error: Either configure some or disable STONITH with the stonith-enabled option
+unpack_resources 	error: NOTE: Clusters with shared data need STONITH to ensure data integrity
+pcmk__apply_creation_acl 	trace: Creation of <meta_attributes> scaffolding with id="dummy-meta_attributes" is implicitly allowed
+pcmk__apply_creation_acl 	trace: ACLs allow creation of <nvpair> with id="dummy-meta_attributes-target-role"
+Set 'dummy' option: id=dummy-meta_attributes-target-role set=dummy-meta_attributes name=target-role value=Stopped
+=#=#=#= Current cib after: niceguy: Create a resource meta attribute =#=#=#=
+<cib epoch="11" num_updates="0" admin_epoch="0">
+  <configuration>
+    <crm_config>
+      <cluster_property_set id="cib-bootstrap-options">
+        <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+        <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+        <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+      </cluster_property_set>
+    </crm_config>
+    <nodes/>
+    <resources>
+      <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
+        <meta_attributes id="dummy-meta_attributes">
+          <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Stopped"/>
+        </meta_attributes>
+      </primitive>
+    </resources>
+    <constraints/>
+    <acls>
+      <acl_target id="l33t-haxor">
+        <role id="auto-l33t-haxor"/>
+      </acl_target>
+      <acl_role id="auto-l33t-haxor">
+        <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
+      </acl_role>
+      <acl_target id="niceguy">
+        <role id="observer"/>
+      </acl_target>
+      <acl_target id="bob">
+        <role id="admin"/>
+      </acl_target>
+      <acl_target id="joe">
+        <role id="super_user"/>
+      </acl_target>
+      <acl_target id="mike">
+        <role id="rsc_writer"/>
+      </acl_target>
+      <acl_target id="chris">
+        <role id="rsc_denied"/>
+      </acl_target>
+      <acl_role id="observer">
+        <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
+        <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+        <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+      </acl_role>
+      <acl_role id="admin">
+        <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
+        <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
+      </acl_role>
+      <acl_role id="super_user">
+        <acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
+      </acl_role>
+      <acl_role id="rsc_writer">
+        <acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
+        <acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
+      </acl_role>
+      <acl_role id="rsc_denied">
+        <acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
+        <acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
+      </acl_role>
+      <acl_target id="badidea">
+        <role id="auto-badidea"/>
+      </acl_target>
+      <acl_role id="auto-badidea">
+        <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
+      </acl_role>
+      <acl_target id="betteridea">
+        <role id="auto-betteridea"/>
+      </acl_target>
+      <acl_role id="auto-betteridea">
+        <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
+        <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
+      </acl_role>
+    </acls>
+  </configuration>
+  <status/>
+</cib>
+=#=#=#= End test: niceguy: Create a resource meta attribute - OK (0) =#=#=#=
+* Passed: crm_resource   - niceguy: Create a resource meta attribute
+=#=#=#= Begin test: niceguy: Query a resource meta attribute =#=#=#=
+unpack_resources 	error: Resource start-up disabled since no STONITH resources have been defined
+unpack_resources 	error: Either configure some or disable STONITH with the stonith-enabled option
+unpack_resources 	error: NOTE: Clusters with shared data need STONITH to ensure data integrity
+Stopped
+=#=#=#= Current cib after: niceguy: Query a resource meta attribute =#=#=#=
+<cib epoch="11" num_updates="0" admin_epoch="0">
+  <configuration>
+    <crm_config>
+      <cluster_property_set id="cib-bootstrap-options">
+        <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+        <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+        <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+      </cluster_property_set>
+    </crm_config>
+    <nodes/>
+    <resources>
+      <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
+        <meta_attributes id="dummy-meta_attributes">
+          <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Stopped"/>
+        </meta_attributes>
+      </primitive>
+    </resources>
+    <constraints/>
+    <acls>
+      <acl_target id="l33t-haxor">
+        <role id="auto-l33t-haxor"/>
+      </acl_target>
+      <acl_role id="auto-l33t-haxor">
+        <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
+      </acl_role>
+      <acl_target id="niceguy">
+        <role id="observer"/>
+      </acl_target>
+      <acl_target id="bob">
+        <role id="admin"/>
+      </acl_target>
+      <acl_target id="joe">
+        <role id="super_user"/>
+      </acl_target>
+      <acl_target id="mike">
+        <role id="rsc_writer"/>
+      </acl_target>
+      <acl_target id="chris">
+        <role id="rsc_denied"/>
+      </acl_target>
+      <acl_role id="observer">
+        <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
+        <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+        <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+      </acl_role>
+      <acl_role id="admin">
+        <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
+        <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
+      </acl_role>
+      <acl_role id="super_user">
+        <acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
+      </acl_role>
+      <acl_role id="rsc_writer">
+        <acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
+        <acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
+      </acl_role>
+      <acl_role id="rsc_denied">
+        <acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
+        <acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
+      </acl_role>
+      <acl_target id="badidea">
+        <role id="auto-badidea"/>
+      </acl_target>
+      <acl_role id="auto-badidea">
+        <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
+      </acl_role>
+      <acl_target id="betteridea">
+        <role id="auto-betteridea"/>
+      </acl_target>
+      <acl_role id="auto-betteridea">
+        <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
+        <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
+      </acl_role>
+    </acls>
+  </configuration>
+  <status/>
+</cib>
+=#=#=#= End test: niceguy: Query a resource meta attribute - OK (0) =#=#=#=
+* Passed: crm_resource   - niceguy: Query a resource meta attribute
+=#=#=#= Begin test: niceguy: Remove a resource meta attribute =#=#=#=
+unpack_resources 	error: Resource start-up disabled since no STONITH resources have been defined
+unpack_resources 	error: Either configure some or disable STONITH with the stonith-enabled option
+unpack_resources 	error: NOTE: Clusters with shared data need STONITH to ensure data integrity
+Deleted 'dummy' option: id=dummy-meta_attributes-target-role name=target-role
+=#=#=#= Current cib after: niceguy: Remove a resource meta attribute =#=#=#=
+<cib epoch="12" num_updates="0" admin_epoch="0">
+  <configuration>
+    <crm_config>
+      <cluster_property_set id="cib-bootstrap-options">
+        <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+        <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+        <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+      </cluster_property_set>
+    </crm_config>
+    <nodes/>
+    <resources>
+      <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
+        <meta_attributes id="dummy-meta_attributes"/>
+      </primitive>
+    </resources>
+    <constraints/>
+    <acls>
+      <acl_target id="l33t-haxor">
+        <role id="auto-l33t-haxor"/>
+      </acl_target>
+      <acl_role id="auto-l33t-haxor">
+        <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
+      </acl_role>
+      <acl_target id="niceguy">
+        <role id="observer"/>
+      </acl_target>
+      <acl_target id="bob">
+        <role id="admin"/>
+      </acl_target>
+      <acl_target id="joe">
+        <role id="super_user"/>
+      </acl_target>
+      <acl_target id="mike">
+        <role id="rsc_writer"/>
+      </acl_target>
+      <acl_target id="chris">
+        <role id="rsc_denied"/>
+      </acl_target>
+      <acl_role id="observer">
+        <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
+        <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+        <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+      </acl_role>
+      <acl_role id="admin">
+        <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
+        <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
+      </acl_role>
+      <acl_role id="super_user">
+        <acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
+      </acl_role>
+      <acl_role id="rsc_writer">
+        <acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
+        <acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
+      </acl_role>
+      <acl_role id="rsc_denied">
+        <acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
+        <acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
+      </acl_role>
+      <acl_target id="badidea">
+        <role id="auto-badidea"/>
+      </acl_target>
+      <acl_role id="auto-badidea">
+        <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
+      </acl_role>
+      <acl_target id="betteridea">
+        <role id="auto-betteridea"/>
+      </acl_target>
+      <acl_role id="auto-betteridea">
+        <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
+        <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
+      </acl_role>
+    </acls>
+  </configuration>
+  <status/>
+</cib>
+=#=#=#= End test: niceguy: Remove a resource meta attribute - OK (0) =#=#=#=
+* Passed: crm_resource   - niceguy: Remove a resource meta attribute
+=#=#=#= Begin test: niceguy: Create a resource meta attribute =#=#=#=
+unpack_resources 	error: Resource start-up disabled since no STONITH resources have been defined
+unpack_resources 	error: Either configure some or disable STONITH with the stonith-enabled option
+unpack_resources 	error: NOTE: Clusters with shared data need STONITH to ensure data integrity
+pcmk__apply_creation_acl 	trace: ACLs allow creation of <nvpair> with id="dummy-meta_attributes-target-role"
+Set 'dummy' option: id=dummy-meta_attributes-target-role set=dummy-meta_attributes name=target-role value=Started
+=#=#=#= Current cib after: niceguy: Create a resource meta attribute =#=#=#=
+<cib epoch="13" num_updates="0" admin_epoch="0">
+  <configuration>
+    <crm_config>
+      <cluster_property_set id="cib-bootstrap-options">
+        <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+        <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+        <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+      </cluster_property_set>
+    </crm_config>
+    <nodes/>
+    <resources>
+      <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
+        <meta_attributes id="dummy-meta_attributes">
+          <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
+        </meta_attributes>
+      </primitive>
+    </resources>
+    <constraints/>
+    <acls>
+      <acl_target id="l33t-haxor">
+        <role id="auto-l33t-haxor"/>
+      </acl_target>
+      <acl_role id="auto-l33t-haxor">
+        <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
+      </acl_role>
+      <acl_target id="niceguy">
+        <role id="observer"/>
+      </acl_target>
+      <acl_target id="bob">
+        <role id="admin"/>
+      </acl_target>
+      <acl_target id="joe">
+        <role id="super_user"/>
+      </acl_target>
+      <acl_target id="mike">
+        <role id="rsc_writer"/>
+      </acl_target>
+      <acl_target id="chris">
+        <role id="rsc_denied"/>
+      </acl_target>
+      <acl_role id="observer">
+        <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
+        <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+        <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+      </acl_role>
+      <acl_role id="admin">
+        <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
+        <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
+      </acl_role>
+      <acl_role id="super_user">
+        <acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
+      </acl_role>
+      <acl_role id="rsc_writer">
+        <acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
+        <acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
+      </acl_role>
+      <acl_role id="rsc_denied">
+        <acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
+        <acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
+      </acl_role>
+      <acl_target id="badidea">
+        <role id="auto-badidea"/>
+      </acl_target>
+      <acl_role id="auto-badidea">
+        <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
+      </acl_role>
+      <acl_target id="betteridea">
+        <role id="auto-betteridea"/>
+      </acl_target>
+      <acl_role id="auto-betteridea">
+        <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
+        <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
+      </acl_role>
+    </acls>
+  </configuration>
+  <status/>
+</cib>
+=#=#=#= End test: niceguy: Create a resource meta attribute - OK (0) =#=#=#=
+* Passed: crm_resource   - niceguy: Create a resource meta attribute
+=#=#=#= Begin test: badidea: Query configuration - implied deny =#=#=#=
+<cib>
+  <configuration>
+    <resources>
+      <primitive id="dummy">
+        <meta_attributes id="dummy-meta_attributes">
+          <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
+        </meta_attributes>
+      </primitive>
+    </resources>
+  </configuration>
+</cib>
+=#=#=#= End test: badidea: Query configuration - implied deny - OK (0) =#=#=#=
+* Passed: cibadmin       - badidea: Query configuration - implied deny
+=#=#=#= Begin test: betteridea: Query configuration - explicit deny =#=#=#=
+<cib>
+  <configuration>
+    <resources>
+      <primitive id="dummy">
+        <meta_attributes id="dummy-meta_attributes">
+          <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
+        </meta_attributes>
+      </primitive>
+    </resources>
+  </configuration>
+</cib>
+=#=#=#= End test: betteridea: Query configuration - explicit deny - OK (0) =#=#=#=
+* Passed: cibadmin       - betteridea: Query configuration - explicit deny
+<cib epoch="14" num_updates="0" admin_epoch="0">
+  <configuration>
+    <crm_config>
+      <cluster_property_set id="cib-bootstrap-options">
+        <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+        <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+        <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+      </cluster_property_set>
+    </crm_config>
+    <nodes/>
+    <resources>
+      <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
+        <meta_attributes id="dummy-meta_attributes">
+          <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
+        </meta_attributes>
+      </primitive>
+    </resources>
+    <constraints/>
+  </configuration>
+  <status/>
+</cib>
+=#=#=#= Begin test: niceguy: Replace - remove acls =#=#=#=
+pcmk__check_acl 	trace: Default ACL denies user 'niceguy' read/write access to /cib[@epoch]
+pcmk__check_acl 	trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/acls
+Call failed: Permission denied
+=#=#=#= End test: niceguy: Replace - remove acls - Insufficient privileges (4) =#=#=#=
+* Passed: cibadmin       - niceguy: Replace - remove acls
+<cib epoch="14" num_updates="0" admin_epoch="0">
+  <configuration>
+    <crm_config>
+      <cluster_property_set id="cib-bootstrap-options">
+        <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+        <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+        <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+      </cluster_property_set>
+    </crm_config>
+    <nodes/>
+    <resources>
+      <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
+        <meta_attributes id="dummy-meta_attributes">
+          <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
+        </meta_attributes>
+      </primitive>
+      <primitive id="dummy2" class="ocf" provider="pacemaker" type="Dummy"/>
+    </resources>
     <constraints/>
     <acls>
       <acl_target id="l33t-haxor">
         <role id="auto-l33t-haxor"/>
       </acl_target>
       <acl_role id="auto-l33t-haxor">
         <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
       </acl_role>
       <acl_target id="niceguy">
         <role id="observer"/>
       </acl_target>
       <acl_target id="bob">
         <role id="admin"/>
       </acl_target>
+      <acl_target id="joe">
+        <role id="super_user"/>
+      </acl_target>
+      <acl_target id="mike">
+        <role id="rsc_writer"/>
+      </acl_target>
+      <acl_target id="chris">
+        <role id="rsc_denied"/>
+      </acl_target>
       <acl_role id="observer">
         <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
         <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
         <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
       </acl_role>
       <acl_role id="admin">
         <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
         <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
       </acl_role>
+      <acl_role id="super_user">
+        <acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
+      </acl_role>
+      <acl_role id="rsc_writer">
+        <acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
+        <acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
+      </acl_role>
+      <acl_role id="rsc_denied">
+        <acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
+        <acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
+      </acl_role>
       <acl_target id="badidea">
         <role id="auto-badidea"/>
       </acl_target>
       <acl_role id="auto-badidea">
         <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
       </acl_role>
       <acl_target id="betteridea">
         <role id="auto-betteridea"/>
       </acl_target>
       <acl_role id="auto-betteridea">
         <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
         <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
       </acl_role>
     </acls>
   </configuration>
   <status/>
 </cib>
-=#=#=#= End test: niceguy: Query configuration - OK (0) =#=#=#=
-* Passed: cibadmin       - niceguy: Query configuration
-=#=#=#= Begin test: niceguy: Set enable-acl =#=#=#=
-pcmk__check_acl 	trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/crm_config/cluster_property_set[@id='cib-bootstrap-options']/nvpair[@id='cib-bootstrap-options-enable-acl'][@value]
-Error performing operation: Permission denied
-Error setting enable-acl=false (section=crm_config, set=<null>): Permission denied
-=#=#=#= End test: niceguy: Set enable-acl - Insufficient privileges (4) =#=#=#=
-* Passed: crm_attribute  - niceguy: Set enable-acl
-=#=#=#= Begin test: niceguy: Set stonith-enabled =#=#=#=
-=#=#=#= Current cib after: niceguy: Set stonith-enabled =#=#=#=
-<cib epoch="8" num_updates="0" admin_epoch="0">
+=#=#=#= Begin test: niceguy: Replace - create resource =#=#=#=
+pcmk__check_acl 	trace: Default ACL denies user 'niceguy' read/write access to /cib[@epoch]
+pcmk__check_acl 	trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/resources/primitive[@id='dummy2']
+pcmk__apply_creation_acl 	trace: ACLs disallow creation of <primitive> with id="dummy2"
+Call failed: Permission denied
+=#=#=#= End test: niceguy: Replace - create resource - Insufficient privileges (4) =#=#=#=
+* Passed: cibadmin       - niceguy: Replace - create resource
+<cib epoch="14" num_updates="0" admin_epoch="0">
   <configuration>
     <crm_config>
       <cluster_property_set id="cib-bootstrap-options">
-        <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+        <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="false"/>
         <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
-        <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="false"/>
+        <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
       </cluster_property_set>
     </crm_config>
     <nodes/>
-    <resources/>
+    <resources>
+      <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
+        <meta_attributes id="dummy-meta_attributes">
+          <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
+        </meta_attributes>
+      </primitive>
+    </resources>
     <constraints/>
     <acls>
       <acl_target id="l33t-haxor">
         <role id="auto-l33t-haxor"/>
       </acl_target>
       <acl_role id="auto-l33t-haxor">
         <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
       </acl_role>
       <acl_target id="niceguy">
         <role id="observer"/>
       </acl_target>
       <acl_target id="bob">
         <role id="admin"/>
       </acl_target>
+      <acl_target id="joe">
+        <role id="super_user"/>
+      </acl_target>
+      <acl_target id="mike">
+        <role id="rsc_writer"/>
+      </acl_target>
+      <acl_target id="chris">
+        <role id="rsc_denied"/>
+      </acl_target>
       <acl_role id="observer">
         <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
         <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
         <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
       </acl_role>
       <acl_role id="admin">
         <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
         <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
       </acl_role>
+      <acl_role id="super_user">
+        <acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
+      </acl_role>
+      <acl_role id="rsc_writer">
+        <acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
+        <acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
+      </acl_role>
+      <acl_role id="rsc_denied">
+        <acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
+        <acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
+      </acl_role>
       <acl_target id="badidea">
         <role id="auto-badidea"/>
       </acl_target>
       <acl_role id="auto-badidea">
         <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
       </acl_role>
       <acl_target id="betteridea">
         <role id="auto-betteridea"/>
       </acl_target>
       <acl_role id="auto-betteridea">
         <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
         <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
       </acl_role>
     </acls>
   </configuration>
   <status/>
 </cib>
-=#=#=#= End test: niceguy: Set stonith-enabled - OK (0) =#=#=#=
-* Passed: crm_attribute  - niceguy: Set stonith-enabled
-=#=#=#= Begin test: niceguy: Create a resource =#=#=#=
-pcmk__check_acl 	trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/resources/primitive[@id='dummy']
-pcmk__apply_creation_acl 	trace: ACLs disallow creation of <primitive> with id="dummy"
+=#=#=#= Begin test: niceguy: Replace - modify attribute (deny) =#=#=#=
+pcmk__check_acl 	trace: Default ACL denies user 'niceguy' read/write access to /cib[@epoch]
+pcmk__check_acl 	trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/crm_config/cluster_property_set[@id='cib-bootstrap-options']/nvpair[@id='cib-bootstrap-options-enable-acl'][@value]
 Call failed: Permission denied
-=#=#=#= End test: niceguy: Create a resource - Insufficient privileges (4) =#=#=#=
-* Passed: cibadmin       - niceguy: Create a resource
-=#=#=#= Begin test: root: Query configuration =#=#=#=
-<cib epoch="8" num_updates="0" admin_epoch="0">
+=#=#=#= End test: niceguy: Replace - modify attribute (deny) - Insufficient privileges (4) =#=#=#=
+* Passed: cibadmin       - niceguy: Replace - modify attribute (deny)
+<cib epoch="14" num_updates="0" admin_epoch="0">
   <configuration>
     <crm_config>
       <cluster_property_set id="cib-bootstrap-options">
-        <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+        <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl"/>
         <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
-        <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="false"/>
+        <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
       </cluster_property_set>
     </crm_config>
     <nodes/>
-    <resources/>
+    <resources>
+      <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
+        <meta_attributes id="dummy-meta_attributes">
+          <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
+        </meta_attributes>
+      </primitive>
+    </resources>
     <constraints/>
     <acls>
       <acl_target id="l33t-haxor">
         <role id="auto-l33t-haxor"/>
       </acl_target>
       <acl_role id="auto-l33t-haxor">
         <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
       </acl_role>
       <acl_target id="niceguy">
         <role id="observer"/>
       </acl_target>
       <acl_target id="bob">
         <role id="admin"/>
       </acl_target>
+      <acl_target id="joe">
+        <role id="super_user"/>
+      </acl_target>
+      <acl_target id="mike">
+        <role id="rsc_writer"/>
+      </acl_target>
+      <acl_target id="chris">
+        <role id="rsc_denied"/>
+      </acl_target>
       <acl_role id="observer">
         <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
         <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
         <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
       </acl_role>
       <acl_role id="admin">
         <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
         <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
       </acl_role>
+      <acl_role id="super_user">
+        <acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
+      </acl_role>
+      <acl_role id="rsc_writer">
+        <acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
+        <acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
+      </acl_role>
+      <acl_role id="rsc_denied">
+        <acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
+        <acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
+      </acl_role>
       <acl_target id="badidea">
         <role id="auto-badidea"/>
       </acl_target>
       <acl_role id="auto-badidea">
         <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
       </acl_role>
       <acl_target id="betteridea">
         <role id="auto-betteridea"/>
       </acl_target>
       <acl_role id="auto-betteridea">
         <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
         <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
       </acl_role>
     </acls>
   </configuration>
   <status/>
 </cib>
-=#=#=#= End test: root: Query configuration - OK (0) =#=#=#=
-* Passed: cibadmin       - root: Query configuration
-=#=#=#= Begin test: root: Set stonith-enabled =#=#=#=
-=#=#=#= Current cib after: root: Set stonith-enabled =#=#=#=
-<cib epoch="9" num_updates="0" admin_epoch="0">
+=#=#=#= Begin test: niceguy: Replace - delete attribute (deny) =#=#=#=
+pcmk__check_acl 	trace: Default ACL denies user 'niceguy' read/write access to /cib[@epoch]
+pcmk__check_acl 	trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/crm_config/cluster_property_set[@id='cib-bootstrap-options']/nvpair[@id='cib-bootstrap-options-enable-acl']
+Call failed: Permission denied
+=#=#=#= End test: niceguy: Replace - delete attribute (deny) - Insufficient privileges (4) =#=#=#=
+* Passed: cibadmin       - niceguy: Replace - delete attribute (deny)
+<cib epoch="14" num_updates="0" admin_epoch="0">
   <configuration>
     <crm_config>
       <cluster_property_set id="cib-bootstrap-options">
         <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
         <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
         <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
       </cluster_property_set>
     </crm_config>
     <nodes/>
-    <resources/>
+    <resources>
+      <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="nothing interesting">
+        <meta_attributes id="dummy-meta_attributes">
+          <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
+        </meta_attributes>
+      </primitive>
+    </resources>
     <constraints/>
     <acls>
       <acl_target id="l33t-haxor">
         <role id="auto-l33t-haxor"/>
       </acl_target>
       <acl_role id="auto-l33t-haxor">
         <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
       </acl_role>
       <acl_target id="niceguy">
         <role id="observer"/>
       </acl_target>
       <acl_target id="bob">
         <role id="admin"/>
       </acl_target>
+      <acl_target id="joe">
+        <role id="super_user"/>
+      </acl_target>
+      <acl_target id="mike">
+        <role id="rsc_writer"/>
+      </acl_target>
+      <acl_target id="chris">
+        <role id="rsc_denied"/>
+      </acl_target>
       <acl_role id="observer">
         <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
         <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
         <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
       </acl_role>
       <acl_role id="admin">
         <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
         <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
       </acl_role>
+      <acl_role id="super_user">
+        <acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
+      </acl_role>
+      <acl_role id="rsc_writer">
+        <acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
+        <acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
+      </acl_role>
+      <acl_role id="rsc_denied">
+        <acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
+        <acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
+      </acl_role>
       <acl_target id="badidea">
         <role id="auto-badidea"/>
       </acl_target>
       <acl_role id="auto-badidea">
         <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
       </acl_role>
       <acl_target id="betteridea">
         <role id="auto-betteridea"/>
       </acl_target>
       <acl_role id="auto-betteridea">
         <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
         <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
       </acl_role>
     </acls>
   </configuration>
   <status/>
 </cib>
-=#=#=#= End test: root: Set stonith-enabled - OK (0) =#=#=#=
-* Passed: crm_attribute  - root: Set stonith-enabled
-=#=#=#= Begin test: root: Create a resource =#=#=#=
-=#=#=#= Current cib after: root: Create a resource =#=#=#=
-<cib epoch="10" num_updates="0" admin_epoch="0">
+=#=#=#= Begin test: niceguy: Replace - create attribute (deny) =#=#=#=
+pcmk__check_acl 	trace: Default ACL denies user 'niceguy' read/write access to /cib[@epoch]
+pcmk__check_acl 	trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/resources/primitive[@id='dummy'][@description]
+Call failed: Permission denied
+=#=#=#= End test: niceguy: Replace - create attribute (deny) - Insufficient privileges (4) =#=#=#=
+* Passed: cibadmin       - niceguy: Replace - create attribute (deny)
+<cib epoch="14" num_updates="0" admin_epoch="0">
   <configuration>
     <crm_config>
       <cluster_property_set id="cib-bootstrap-options">
         <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
         <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
         <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
       </cluster_property_set>
     </crm_config>
     <nodes/>
     <resources>
-      <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"/>
+      <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="nothing interesting">
+        <meta_attributes id="dummy-meta_attributes">
+          <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
+        </meta_attributes>
+      </primitive>
     </resources>
     <constraints/>
     <acls>
       <acl_target id="l33t-haxor">
         <role id="auto-l33t-haxor"/>
       </acl_target>
       <acl_role id="auto-l33t-haxor">
         <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
       </acl_role>
       <acl_target id="niceguy">
         <role id="observer"/>
       </acl_target>
       <acl_target id="bob">
         <role id="admin"/>
       </acl_target>
+      <acl_target id="joe">
+        <role id="super_user"/>
+      </acl_target>
+      <acl_target id="mike">
+        <role id="rsc_writer"/>
+      </acl_target>
+      <acl_target id="chris">
+        <role id="rsc_denied"/>
+      </acl_target>
       <acl_role id="observer">
         <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
         <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
         <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
       </acl_role>
       <acl_role id="admin">
         <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
         <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
       </acl_role>
+      <acl_role id="super_user">
+        <acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
+      </acl_role>
+      <acl_role id="rsc_writer">
+        <acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
+        <acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
+      </acl_role>
+      <acl_role id="rsc_denied">
+        <acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
+        <acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
+      </acl_role>
       <acl_target id="badidea">
         <role id="auto-badidea"/>
       </acl_target>
       <acl_role id="auto-badidea">
-        <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
-      </acl_role>
-      <acl_target id="betteridea">
-        <role id="auto-betteridea"/>
-      </acl_target>
-      <acl_role id="auto-betteridea">
-        <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
-        <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
-      </acl_role>
-    </acls>
-  </configuration>
-  <status/>
-</cib>
-=#=#=#= End test: root: Create a resource - OK (0) =#=#=#=
-* Passed: cibadmin       - root: Create a resource
-=#=#=#= Begin test: l33t-haxor: Create a resource meta attribute =#=#=#=
-Error performing operation: Permission denied
-=#=#=#= End test: l33t-haxor: Create a resource meta attribute - Insufficient privileges (4) =#=#=#=
-* Passed: crm_resource   - l33t-haxor: Create a resource meta attribute
-=#=#=#= Begin test: l33t-haxor: Query a resource meta attribute =#=#=#=
-Error performing operation: Permission denied
-=#=#=#= End test: l33t-haxor: Query a resource meta attribute - Insufficient privileges (4) =#=#=#=
-* Passed: crm_resource   - l33t-haxor: Query a resource meta attribute
-=#=#=#= Begin test: l33t-haxor: Remove a resource meta attribute =#=#=#=
-Error performing operation: Permission denied
-=#=#=#= End test: l33t-haxor: Remove a resource meta attribute - Insufficient privileges (4) =#=#=#=
-* Passed: crm_resource   - l33t-haxor: Remove a resource meta attribute
-=#=#=#= Begin test: niceguy: Create a resource meta attribute =#=#=#=
-unpack_resources 	error: Resource start-up disabled since no STONITH resources have been defined
-unpack_resources 	error: Either configure some or disable STONITH with the stonith-enabled option
-unpack_resources 	error: NOTE: Clusters with shared data need STONITH to ensure data integrity
-pcmk__apply_creation_acl 	trace: Creation of <meta_attributes> scaffolding with id="dummy-meta_attributes" is implicitly allowed
-pcmk__apply_creation_acl 	trace: ACLs allow creation of <nvpair> with id="dummy-meta_attributes-target-role"
-Set 'dummy' option: id=dummy-meta_attributes-target-role set=dummy-meta_attributes name=target-role value=Stopped
-=#=#=#= Current cib after: niceguy: Create a resource meta attribute =#=#=#=
-<cib epoch="11" num_updates="0" admin_epoch="0">
+        <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
+      </acl_role>
+      <acl_target id="betteridea">
+        <role id="auto-betteridea"/>
+      </acl_target>
+      <acl_role id="auto-betteridea">
+        <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
+        <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
+      </acl_role>
+    </acls>
+  </configuration>
+  <status/>
+</cib>
+=#=#=#= Begin test: bob: Replace - create attribute (direct allow) =#=#=#=
+=#=#=#= End test: bob: Replace - create attribute (direct allow) - OK (0) =#=#=#=
+* Passed: cibadmin       - bob: Replace - create attribute (direct allow)
+<cib epoch="15" num_updates="0" admin_epoch="0">
   <configuration>
     <crm_config>
       <cluster_property_set id="cib-bootstrap-options">
         <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
         <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
         <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
       </cluster_property_set>
     </crm_config>
     <nodes/>
     <resources>
-      <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
+      <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="something interesting">
         <meta_attributes id="dummy-meta_attributes">
-          <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Stopped"/>
+          <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
         </meta_attributes>
       </primitive>
     </resources>
     <constraints/>
     <acls>
       <acl_target id="l33t-haxor">
         <role id="auto-l33t-haxor"/>
       </acl_target>
       <acl_role id="auto-l33t-haxor">
         <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
       </acl_role>
       <acl_target id="niceguy">
         <role id="observer"/>
       </acl_target>
       <acl_target id="bob">
         <role id="admin"/>
       </acl_target>
+      <acl_target id="joe">
+        <role id="super_user"/>
+      </acl_target>
+      <acl_target id="mike">
+        <role id="rsc_writer"/>
+      </acl_target>
+      <acl_target id="chris">
+        <role id="rsc_denied"/>
+      </acl_target>
       <acl_role id="observer">
         <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
         <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
         <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
       </acl_role>
       <acl_role id="admin">
         <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
         <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
       </acl_role>
+      <acl_role id="super_user">
+        <acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
+      </acl_role>
+      <acl_role id="rsc_writer">
+        <acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
+        <acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
+      </acl_role>
+      <acl_role id="rsc_denied">
+        <acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
+        <acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
+      </acl_role>
       <acl_target id="badidea">
         <role id="auto-badidea"/>
       </acl_target>
       <acl_role id="auto-badidea">
         <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
       </acl_role>
       <acl_target id="betteridea">
         <role id="auto-betteridea"/>
       </acl_target>
       <acl_role id="auto-betteridea">
         <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
         <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
       </acl_role>
     </acls>
   </configuration>
   <status/>
 </cib>
-=#=#=#= End test: niceguy: Create a resource meta attribute - OK (0) =#=#=#=
-* Passed: crm_resource   - niceguy: Create a resource meta attribute
-=#=#=#= Begin test: niceguy: Query a resource meta attribute =#=#=#=
-unpack_resources 	error: Resource start-up disabled since no STONITH resources have been defined
-unpack_resources 	error: Either configure some or disable STONITH with the stonith-enabled option
-unpack_resources 	error: NOTE: Clusters with shared data need STONITH to ensure data integrity
-Stopped
-=#=#=#= Current cib after: niceguy: Query a resource meta attribute =#=#=#=
-<cib epoch="11" num_updates="0" admin_epoch="0">
+=#=#=#= Begin test: bob: Replace - modify attribute (direct allow) =#=#=#=
+=#=#=#= End test: bob: Replace - modify attribute (direct allow) - OK (0) =#=#=#=
+* Passed: cibadmin       - bob: Replace - modify attribute (direct allow)
+<cib epoch="16" num_updates="0" admin_epoch="0">
   <configuration>
     <crm_config>
       <cluster_property_set id="cib-bootstrap-options">
         <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
         <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
         <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
       </cluster_property_set>
     </crm_config>
     <nodes/>
     <resources>
-      <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
-        <meta_attributes id="dummy-meta_attributes">
-          <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Stopped"/>
-        </meta_attributes>
-      </primitive>
+      <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"/>
     </resources>
     <constraints/>
     <acls>
       <acl_target id="l33t-haxor">
         <role id="auto-l33t-haxor"/>
       </acl_target>
       <acl_role id="auto-l33t-haxor">
         <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
       </acl_role>
       <acl_target id="niceguy">
         <role id="observer"/>
       </acl_target>
       <acl_target id="bob">
         <role id="admin"/>
       </acl_target>
+      <acl_target id="joe">
+        <role id="super_user"/>
+      </acl_target>
+      <acl_target id="mike">
+        <role id="rsc_writer"/>
+      </acl_target>
+      <acl_target id="chris">
+        <role id="rsc_denied"/>
+      </acl_target>
       <acl_role id="observer">
         <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
         <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
         <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
       </acl_role>
       <acl_role id="admin">
         <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
         <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
       </acl_role>
+      <acl_role id="super_user">
+        <acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
+      </acl_role>
+      <acl_role id="rsc_writer">
+        <acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
+        <acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
+      </acl_role>
+      <acl_role id="rsc_denied">
+        <acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
+        <acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
+      </acl_role>
       <acl_target id="badidea">
         <role id="auto-badidea"/>
       </acl_target>
       <acl_role id="auto-badidea">
         <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
       </acl_role>
       <acl_target id="betteridea">
         <role id="auto-betteridea"/>
       </acl_target>
       <acl_role id="auto-betteridea">
         <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
         <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
       </acl_role>
     </acls>
   </configuration>
   <status/>
 </cib>
-=#=#=#= End test: niceguy: Query a resource meta attribute - OK (0) =#=#=#=
-* Passed: crm_resource   - niceguy: Query a resource meta attribute
-=#=#=#= Begin test: niceguy: Remove a resource meta attribute =#=#=#=
-unpack_resources 	error: Resource start-up disabled since no STONITH resources have been defined
-unpack_resources 	error: Either configure some or disable STONITH with the stonith-enabled option
-unpack_resources 	error: NOTE: Clusters with shared data need STONITH to ensure data integrity
-Deleted 'dummy' option: id=dummy-meta_attributes-target-role name=target-role
-=#=#=#= Current cib after: niceguy: Remove a resource meta attribute =#=#=#=
-<cib epoch="12" num_updates="0" admin_epoch="0">
+=#=#=#= Begin test: bob: Replace - delete attribute (direct allow) =#=#=#=
+=#=#=#= End test: bob: Replace - delete attribute (direct allow) - OK (0) =#=#=#=
+* Passed: cibadmin       - bob: Replace - delete attribute (direct allow)
+<cib epoch="17" num_updates="0" admin_epoch="0">
   <configuration>
     <crm_config>
       <cluster_property_set id="cib-bootstrap-options">
         <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
         <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
         <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
       </cluster_property_set>
     </crm_config>
     <nodes/>
     <resources>
-      <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
-        <meta_attributes id="dummy-meta_attributes"/>
-      </primitive>
+      <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="nothing interesting"/>
     </resources>
     <constraints/>
     <acls>
       <acl_target id="l33t-haxor">
         <role id="auto-l33t-haxor"/>
       </acl_target>
       <acl_role id="auto-l33t-haxor">
         <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
       </acl_role>
       <acl_target id="niceguy">
         <role id="observer"/>
       </acl_target>
       <acl_target id="bob">
         <role id="admin"/>
       </acl_target>
+      <acl_target id="joe">
+        <role id="super_user"/>
+      </acl_target>
+      <acl_target id="mike">
+        <role id="rsc_writer"/>
+      </acl_target>
+      <acl_target id="chris">
+        <role id="rsc_denied"/>
+      </acl_target>
       <acl_role id="observer">
         <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
         <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
         <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
       </acl_role>
       <acl_role id="admin">
         <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
         <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
       </acl_role>
+      <acl_role id="super_user">
+        <acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
+      </acl_role>
+      <acl_role id="rsc_writer">
+        <acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
+        <acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
+      </acl_role>
+      <acl_role id="rsc_denied">
+        <acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
+        <acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
+      </acl_role>
       <acl_target id="badidea">
         <role id="auto-badidea"/>
       </acl_target>
       <acl_role id="auto-badidea">
         <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
       </acl_role>
       <acl_target id="betteridea">
         <role id="auto-betteridea"/>
       </acl_target>
       <acl_role id="auto-betteridea">
         <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
         <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
       </acl_role>
     </acls>
   </configuration>
   <status/>
 </cib>
-=#=#=#= End test: niceguy: Remove a resource meta attribute - OK (0) =#=#=#=
-* Passed: crm_resource   - niceguy: Remove a resource meta attribute
-=#=#=#= Begin test: niceguy: Create a resource meta attribute =#=#=#=
-unpack_resources 	error: Resource start-up disabled since no STONITH resources have been defined
-unpack_resources 	error: Either configure some or disable STONITH with the stonith-enabled option
-unpack_resources 	error: NOTE: Clusters with shared data need STONITH to ensure data integrity
-pcmk__apply_creation_acl 	trace: ACLs allow creation of <nvpair> with id="dummy-meta_attributes-target-role"
-Set 'dummy' option: id=dummy-meta_attributes-target-role set=dummy-meta_attributes name=target-role value=Started
-=#=#=#= Current cib after: niceguy: Create a resource meta attribute =#=#=#=
-<cib epoch="13" num_updates="0" admin_epoch="0">
+=#=#=#= Begin test: joe: Replace - create attribute (inherited allow) =#=#=#=
+=#=#=#= End test: joe: Replace - create attribute (inherited allow) - OK (0) =#=#=#=
+* Passed: cibadmin       - joe: Replace - create attribute (inherited allow)
+<cib epoch="18" num_updates="0" admin_epoch="0">
   <configuration>
     <crm_config>
       <cluster_property_set id="cib-bootstrap-options">
         <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
         <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
         <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
       </cluster_property_set>
     </crm_config>
     <nodes/>
     <resources>
-      <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
-        <meta_attributes id="dummy-meta_attributes">
-          <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
-        </meta_attributes>
-      </primitive>
+      <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="something interesting"/>
     </resources>
     <constraints/>
     <acls>
       <acl_target id="l33t-haxor">
         <role id="auto-l33t-haxor"/>
       </acl_target>
       <acl_role id="auto-l33t-haxor">
         <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
       </acl_role>
       <acl_target id="niceguy">
         <role id="observer"/>
       </acl_target>
       <acl_target id="bob">
         <role id="admin"/>
       </acl_target>
+      <acl_target id="joe">
+        <role id="super_user"/>
+      </acl_target>
+      <acl_target id="mike">
+        <role id="rsc_writer"/>
+      </acl_target>
+      <acl_target id="chris">
+        <role id="rsc_denied"/>
+      </acl_target>
       <acl_role id="observer">
         <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
         <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
         <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
       </acl_role>
       <acl_role id="admin">
         <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
         <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
       </acl_role>
+      <acl_role id="super_user">
+        <acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
+      </acl_role>
+      <acl_role id="rsc_writer">
+        <acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
+        <acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
+      </acl_role>
+      <acl_role id="rsc_denied">
+        <acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
+        <acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
+      </acl_role>
       <acl_target id="badidea">
         <role id="auto-badidea"/>
       </acl_target>
       <acl_role id="auto-badidea">
         <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
       </acl_role>
       <acl_target id="betteridea">
         <role id="auto-betteridea"/>
       </acl_target>
       <acl_role id="auto-betteridea">
         <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
         <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
       </acl_role>
     </acls>
   </configuration>
   <status/>
 </cib>
-=#=#=#= End test: niceguy: Create a resource meta attribute - OK (0) =#=#=#=
-* Passed: crm_resource   - niceguy: Create a resource meta attribute
-=#=#=#= Begin test: badidea: Query configuration - implied deny =#=#=#=
-<cib>
-  <configuration>
-    <resources>
-      <primitive id="dummy">
-        <meta_attributes id="dummy-meta_attributes">
-          <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
-        </meta_attributes>
-      </primitive>
-    </resources>
-  </configuration>
-</cib>
-=#=#=#= End test: badidea: Query configuration - implied deny - OK (0) =#=#=#=
-* Passed: cibadmin       - badidea: Query configuration - implied deny
-=#=#=#= Begin test: betteridea: Query configuration - explicit deny =#=#=#=
-<cib>
-  <configuration>
-    <resources>
-      <primitive id="dummy">
-        <meta_attributes id="dummy-meta_attributes">
-          <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
-        </meta_attributes>
-      </primitive>
-    </resources>
-  </configuration>
-</cib>
-=#=#=#= End test: betteridea: Query configuration - explicit deny - OK (0) =#=#=#=
-* Passed: cibadmin       - betteridea: Query configuration - explicit deny
-<cib epoch="14" num_updates="0" admin_epoch="0">
-  <configuration>
-    <crm_config>
-      <cluster_property_set id="cib-bootstrap-options">
-        <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
-        <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
-        <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
-      </cluster_property_set>
-    </crm_config>
-    <nodes/>
-    <resources>
-      <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
-        <meta_attributes id="dummy-meta_attributes">
-          <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
-        </meta_attributes>
-      </primitive>
-    </resources>
-    <constraints/>
-  </configuration>
-  <status/>
-</cib>
-=#=#=#= Begin test: niceguy: Replace - remove acls =#=#=#=
-pcmk__check_acl 	trace: Default ACL denies user 'niceguy' read/write access to /cib[@epoch]
-pcmk__check_acl 	trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/acls
-Call failed: Permission denied
-=#=#=#= End test: niceguy: Replace - remove acls - Insufficient privileges (4) =#=#=#=
-* Passed: cibadmin       - niceguy: Replace - remove acls
-<cib epoch="14" num_updates="0" admin_epoch="0">
+=#=#=#= Begin test: joe: Replace - modify attribute (inherited allow) =#=#=#=
+=#=#=#= End test: joe: Replace - modify attribute (inherited allow) - OK (0) =#=#=#=
+* Passed: cibadmin       - joe: Replace - modify attribute (inherited allow)
+<cib epoch="19" num_updates="0" admin_epoch="0">
   <configuration>
     <crm_config>
       <cluster_property_set id="cib-bootstrap-options">
         <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
         <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
         <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
       </cluster_property_set>
     </crm_config>
     <nodes/>
     <resources>
-      <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
-        <meta_attributes id="dummy-meta_attributes">
-          <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
-        </meta_attributes>
-      </primitive>
-      <primitive id="dummy2" class="ocf" provider="pacemaker" type="Dummy"/>
+      <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"/>
     </resources>
     <constraints/>
     <acls>
       <acl_target id="l33t-haxor">
         <role id="auto-l33t-haxor"/>
       </acl_target>
       <acl_role id="auto-l33t-haxor">
         <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
       </acl_role>
       <acl_target id="niceguy">
         <role id="observer"/>
       </acl_target>
       <acl_target id="bob">
         <role id="admin"/>
       </acl_target>
+      <acl_target id="joe">
+        <role id="super_user"/>
+      </acl_target>
+      <acl_target id="mike">
+        <role id="rsc_writer"/>
+      </acl_target>
+      <acl_target id="chris">
+        <role id="rsc_denied"/>
+      </acl_target>
       <acl_role id="observer">
         <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
         <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
         <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
       </acl_role>
       <acl_role id="admin">
         <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
         <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
       </acl_role>
+      <acl_role id="super_user">
+        <acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
+      </acl_role>
+      <acl_role id="rsc_writer">
+        <acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
+        <acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
+      </acl_role>
+      <acl_role id="rsc_denied">
+        <acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
+        <acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
+      </acl_role>
       <acl_target id="badidea">
         <role id="auto-badidea"/>
       </acl_target>
       <acl_role id="auto-badidea">
         <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
       </acl_role>
       <acl_target id="betteridea">
         <role id="auto-betteridea"/>
       </acl_target>
       <acl_role id="auto-betteridea">
         <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
         <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
       </acl_role>
     </acls>
   </configuration>
   <status/>
 </cib>
-=#=#=#= Begin test: niceguy: Replace - create resource =#=#=#=
-pcmk__check_acl 	trace: Default ACL denies user 'niceguy' read/write access to /cib[@epoch]
-pcmk__check_acl 	trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/resources/primitive[@id='dummy2']
-pcmk__apply_creation_acl 	trace: ACLs disallow creation of <primitive> with id="dummy2"
-Call failed: Permission denied
-=#=#=#= End test: niceguy: Replace - create resource - Insufficient privileges (4) =#=#=#=
-* Passed: cibadmin       - niceguy: Replace - create resource
-<cib epoch="14" num_updates="0" admin_epoch="0">
+=#=#=#= Begin test: joe: Replace - delete attribute (inherited allow) =#=#=#=
+=#=#=#= End test: joe: Replace - delete attribute (inherited allow) - OK (0) =#=#=#=
+* Passed: cibadmin       - joe: Replace - delete attribute (inherited allow)
+<cib epoch="20" num_updates="0" admin_epoch="0">
   <configuration>
     <crm_config>
       <cluster_property_set id="cib-bootstrap-options">
-        <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="false"/>
+        <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
         <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
         <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
       </cluster_property_set>
     </crm_config>
     <nodes/>
     <resources>
-      <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
-        <meta_attributes id="dummy-meta_attributes">
-          <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
-        </meta_attributes>
-      </primitive>
+      <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="nothing interesting"/>
     </resources>
     <constraints/>
     <acls>
       <acl_target id="l33t-haxor">
         <role id="auto-l33t-haxor"/>
       </acl_target>
       <acl_role id="auto-l33t-haxor">
         <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
       </acl_role>
       <acl_target id="niceguy">
         <role id="observer"/>
       </acl_target>
       <acl_target id="bob">
         <role id="admin"/>
       </acl_target>
+      <acl_target id="joe">
+        <role id="super_user"/>
+      </acl_target>
+      <acl_target id="mike">
+        <role id="rsc_writer"/>
+      </acl_target>
+      <acl_target id="chris">
+        <role id="rsc_denied"/>
+      </acl_target>
       <acl_role id="observer">
         <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
         <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
         <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
       </acl_role>
       <acl_role id="admin">
         <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
         <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
       </acl_role>
+      <acl_role id="super_user">
+        <acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
+      </acl_role>
+      <acl_role id="rsc_writer">
+        <acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
+        <acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
+      </acl_role>
+      <acl_role id="rsc_denied">
+        <acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
+        <acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
+      </acl_role>
       <acl_target id="badidea">
         <role id="auto-badidea"/>
       </acl_target>
       <acl_role id="auto-badidea">
         <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
       </acl_role>
       <acl_target id="betteridea">
         <role id="auto-betteridea"/>
       </acl_target>
       <acl_role id="auto-betteridea">
         <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
         <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
       </acl_role>
     </acls>
   </configuration>
   <status/>
 </cib>
-=#=#=#= Begin test: niceguy: Replace - modify attribute (deny) =#=#=#=
-pcmk__check_acl 	trace: Default ACL denies user 'niceguy' read/write access to /cib[@epoch]
-pcmk__check_acl 	trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/crm_config/cluster_property_set[@id='cib-bootstrap-options']/nvpair[@id='cib-bootstrap-options-enable-acl'][@value]
-Call failed: Permission denied
-=#=#=#= End test: niceguy: Replace - modify attribute (deny) - Insufficient privileges (4) =#=#=#=
-* Passed: cibadmin       - niceguy: Replace - modify attribute (deny)
-<cib epoch="14" num_updates="0" admin_epoch="0">
+=#=#=#= Begin test: mike: Replace - create attribute (allow overrides deny) =#=#=#=
+=#=#=#= End test: mike: Replace - create attribute (allow overrides deny) - OK (0) =#=#=#=
+* Passed: cibadmin       - mike: Replace - create attribute (allow overrides deny)
+<cib epoch="21" num_updates="0" admin_epoch="0">
   <configuration>
     <crm_config>
       <cluster_property_set id="cib-bootstrap-options">
-        <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl"/>
+        <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
         <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
         <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
       </cluster_property_set>
     </crm_config>
     <nodes/>
     <resources>
-      <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
-        <meta_attributes id="dummy-meta_attributes">
-          <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
-        </meta_attributes>
-      </primitive>
+      <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="something interesting"/>
     </resources>
     <constraints/>
     <acls>
       <acl_target id="l33t-haxor">
         <role id="auto-l33t-haxor"/>
       </acl_target>
       <acl_role id="auto-l33t-haxor">
         <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
       </acl_role>
       <acl_target id="niceguy">
         <role id="observer"/>
       </acl_target>
       <acl_target id="bob">
         <role id="admin"/>
       </acl_target>
+      <acl_target id="joe">
+        <role id="super_user"/>
+      </acl_target>
+      <acl_target id="mike">
+        <role id="rsc_writer"/>
+      </acl_target>
+      <acl_target id="chris">
+        <role id="rsc_denied"/>
+      </acl_target>
       <acl_role id="observer">
         <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
         <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
         <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
       </acl_role>
       <acl_role id="admin">
         <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
         <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
       </acl_role>
+      <acl_role id="super_user">
+        <acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
+      </acl_role>
+      <acl_role id="rsc_writer">
+        <acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
+        <acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
+      </acl_role>
+      <acl_role id="rsc_denied">
+        <acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
+        <acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
+      </acl_role>
       <acl_target id="badidea">
         <role id="auto-badidea"/>
       </acl_target>
       <acl_role id="auto-badidea">
         <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
       </acl_role>
       <acl_target id="betteridea">
         <role id="auto-betteridea"/>
       </acl_target>
       <acl_role id="auto-betteridea">
         <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
         <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
       </acl_role>
     </acls>
   </configuration>
   <status/>
 </cib>
-=#=#=#= Begin test: niceguy: Replace - delete attribute (deny) =#=#=#=
-pcmk__check_acl 	trace: Default ACL denies user 'niceguy' read/write access to /cib[@epoch]
-pcmk__check_acl 	trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/crm_config/cluster_property_set[@id='cib-bootstrap-options']/nvpair[@id='cib-bootstrap-options-enable-acl']
-Call failed: Permission denied
-=#=#=#= End test: niceguy: Replace - delete attribute (deny) - Insufficient privileges (4) =#=#=#=
-* Passed: cibadmin       - niceguy: Replace - delete attribute (deny)
-<cib epoch="14" num_updates="0" admin_epoch="0">
+=#=#=#= Begin test: mike: Replace - modify attribute (allow overrides deny) =#=#=#=
+=#=#=#= End test: mike: Replace - modify attribute (allow overrides deny) - OK (0) =#=#=#=
+* Passed: cibadmin       - mike: Replace - modify attribute (allow overrides deny)
+<cib epoch="22" num_updates="0" admin_epoch="0">
   <configuration>
     <crm_config>
       <cluster_property_set id="cib-bootstrap-options">
         <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
         <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
         <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
       </cluster_property_set>
     </crm_config>
     <nodes/>
     <resources>
-      <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="nothing interesting">
-        <meta_attributes id="dummy-meta_attributes">
-          <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
-        </meta_attributes>
-      </primitive>
+      <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"/>
     </resources>
     <constraints/>
     <acls>
       <acl_target id="l33t-haxor">
         <role id="auto-l33t-haxor"/>
       </acl_target>
       <acl_role id="auto-l33t-haxor">
         <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
       </acl_role>
       <acl_target id="niceguy">
         <role id="observer"/>
       </acl_target>
       <acl_target id="bob">
         <role id="admin"/>
       </acl_target>
+      <acl_target id="joe">
+        <role id="super_user"/>
+      </acl_target>
+      <acl_target id="mike">
+        <role id="rsc_writer"/>
+      </acl_target>
+      <acl_target id="chris">
+        <role id="rsc_denied"/>
+      </acl_target>
       <acl_role id="observer">
         <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
         <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
         <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
       </acl_role>
       <acl_role id="admin">
         <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
         <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
       </acl_role>
+      <acl_role id="super_user">
+        <acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
+      </acl_role>
+      <acl_role id="rsc_writer">
+        <acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
+        <acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
+      </acl_role>
+      <acl_role id="rsc_denied">
+        <acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
+        <acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
+      </acl_role>
       <acl_target id="badidea">
         <role id="auto-badidea"/>
       </acl_target>
       <acl_role id="auto-badidea">
         <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
       </acl_role>
       <acl_target id="betteridea">
         <role id="auto-betteridea"/>
       </acl_target>
       <acl_role id="auto-betteridea">
         <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
         <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
       </acl_role>
     </acls>
   </configuration>
   <status/>
 </cib>
-=#=#=#= Begin test: niceguy: Replace - create attribute (deny) =#=#=#=
-pcmk__check_acl 	trace: Default ACL denies user 'niceguy' read/write access to /cib[@epoch]
-pcmk__check_acl 	trace: Default ACL denies user 'niceguy' read/write access to /cib/configuration/resources/primitive[@id='dummy'][@description]
-Call failed: Permission denied
-=#=#=#= End test: niceguy: Replace - create attribute (deny) - Insufficient privileges (4) =#=#=#=
-* Passed: cibadmin       - niceguy: Replace - create attribute (deny)
-<cib epoch="14" num_updates="0" admin_epoch="0">
+=#=#=#= Begin test: mike: Replace - delete attribute (allow overrides deny) =#=#=#=
+=#=#=#= End test: mike: Replace - delete attribute (allow overrides deny) - OK (0) =#=#=#=
+* Passed: cibadmin       - mike: Replace - delete attribute (allow overrides deny)
+<cib epoch="23" num_updates="0" admin_epoch="0">
   <configuration>
     <crm_config>
       <cluster_property_set id="cib-bootstrap-options">
         <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
         <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
         <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
       </cluster_property_set>
     </crm_config>
     <nodes/>
     <resources>
-      <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="nothing interesting">
-        <meta_attributes id="dummy-meta_attributes">
-          <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
-        </meta_attributes>
-      </primitive>
+      <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="nothing interesting"/>
     </resources>
     <constraints/>
     <acls>
       <acl_target id="l33t-haxor">
         <role id="auto-l33t-haxor"/>
       </acl_target>
       <acl_role id="auto-l33t-haxor">
         <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
       </acl_role>
       <acl_target id="niceguy">
         <role id="observer"/>
       </acl_target>
       <acl_target id="bob">
         <role id="admin"/>
       </acl_target>
+      <acl_target id="joe">
+        <role id="super_user"/>
+      </acl_target>
+      <acl_target id="mike">
+        <role id="rsc_writer"/>
+      </acl_target>
+      <acl_target id="chris">
+        <role id="rsc_denied"/>
+      </acl_target>
       <acl_role id="observer">
         <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
         <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
         <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
       </acl_role>
       <acl_role id="admin">
         <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
         <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
       </acl_role>
+      <acl_role id="super_user">
+        <acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
+      </acl_role>
+      <acl_role id="rsc_writer">
+        <acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
+        <acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
+      </acl_role>
+      <acl_role id="rsc_denied">
+        <acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
+        <acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
+      </acl_role>
       <acl_target id="badidea">
         <role id="auto-badidea"/>
       </acl_target>
       <acl_role id="auto-badidea">
         <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
       </acl_role>
       <acl_target id="betteridea">
         <role id="auto-betteridea"/>
       </acl_target>
       <acl_role id="auto-betteridea">
         <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
         <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
       </acl_role>
     </acls>
   </configuration>
   <status/>
 </cib>
-=#=#=#= Begin test: bob: Replace - create attribute (allow) =#=#=#=
-=#=#=#= End test: bob: Replace - create attribute (allow) - OK (0) =#=#=#=
-* Passed: cibadmin       - bob: Replace - create attribute (allow)
-<cib epoch="15" num_updates="0" admin_epoch="0">
+=#=#=#= Begin test: chris: Replace - create attribute (deny overrides allow) =#=#=#=
+pcmk__check_acl 	trace: Parent ACL denies user 'chris' read/write access to /cib/configuration/resources/primitive[@id='dummy'][@description]
+Call failed: Permission denied
+=#=#=#= End test: chris: Replace - create attribute (deny overrides allow) - Insufficient privileges (4) =#=#=#=
+* Passed: cibadmin       - chris: Replace - create attribute (deny overrides allow)
+<cib epoch="24" num_updates="0" admin_epoch="0">
   <configuration>
     <crm_config>
       <cluster_property_set id="cib-bootstrap-options">
         <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
         <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
         <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
       </cluster_property_set>
     </crm_config>
     <nodes/>
     <resources>
-      <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="something interesting">
-        <meta_attributes id="dummy-meta_attributes">
-          <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
-        </meta_attributes>
-      </primitive>
+      <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy" description="something interesting"/>
     </resources>
     <constraints/>
     <acls>
       <acl_target id="l33t-haxor">
         <role id="auto-l33t-haxor"/>
       </acl_target>
       <acl_role id="auto-l33t-haxor">
         <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
       </acl_role>
       <acl_target id="niceguy">
         <role id="observer"/>
       </acl_target>
       <acl_target id="bob">
         <role id="admin"/>
       </acl_target>
+      <acl_target id="joe">
+        <role id="super_user"/>
+      </acl_target>
+      <acl_target id="mike">
+        <role id="rsc_writer"/>
+      </acl_target>
+      <acl_target id="chris">
+        <role id="rsc_denied"/>
+      </acl_target>
       <acl_role id="observer">
         <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
         <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
         <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
       </acl_role>
       <acl_role id="admin">
         <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
         <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
       </acl_role>
+      <acl_role id="super_user">
+        <acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
+      </acl_role>
+      <acl_role id="rsc_writer">
+        <acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
+        <acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
+      </acl_role>
+      <acl_role id="rsc_denied">
+        <acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
+        <acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
+      </acl_role>
       <acl_target id="badidea">
         <role id="auto-badidea"/>
       </acl_target>
       <acl_role id="auto-badidea">
         <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
       </acl_role>
       <acl_target id="betteridea">
         <role id="auto-betteridea"/>
       </acl_target>
       <acl_role id="auto-betteridea">
         <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
         <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
       </acl_role>
     </acls>
   </configuration>
   <status/>
 </cib>
-=#=#=#= Begin test: bob: Replace - modify attribute (allow) =#=#=#=
-=#=#=#= End test: bob: Replace - modify attribute (allow) - OK (0) =#=#=#=
-* Passed: cibadmin       - bob: Replace - modify attribute (allow)
-<cib epoch="16" num_updates="0" admin_epoch="0">
+=#=#=#= Begin test: chris: Replace - modify attribute (deny overrides allow) =#=#=#=
+pcmk__check_acl 	trace: Parent ACL denies user 'chris' read/write access to /cib/configuration/resources/primitive[@id='dummy'][@description]
+Call failed: Permission denied
+=#=#=#= End test: chris: Replace - modify attribute (deny overrides allow) - Insufficient privileges (4) =#=#=#=
+* Passed: cibadmin       - chris: Replace - modify attribute (deny overrides allow)
+<cib epoch="25" num_updates="0" admin_epoch="0">
   <configuration>
     <crm_config>
       <cluster_property_set id="cib-bootstrap-options">
         <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
         <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
         <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
       </cluster_property_set>
     </crm_config>
     <nodes/>
     <resources>
       <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"/>
     </resources>
     <constraints/>
     <acls>
       <acl_target id="l33t-haxor">
         <role id="auto-l33t-haxor"/>
       </acl_target>
       <acl_role id="auto-l33t-haxor">
         <acl_permission id="crook-nothing" kind="deny" xpath="/cib"/>
       </acl_role>
       <acl_target id="niceguy">
         <role id="observer"/>
       </acl_target>
       <acl_target id="bob">
         <role id="admin"/>
       </acl_target>
+      <acl_target id="joe">
+        <role id="super_user"/>
+      </acl_target>
+      <acl_target id="mike">
+        <role id="rsc_writer"/>
+      </acl_target>
+      <acl_target id="chris">
+        <role id="rsc_denied"/>
+      </acl_target>
       <acl_role id="observer">
         <acl_permission id="observer-read-1" kind="read" xpath="/cib"/>
         <acl_permission id="observer-write-1" kind="write" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
         <acl_permission id="observer-write-2" kind="write" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
       </acl_role>
       <acl_role id="admin">
         <acl_permission id="admin-read-1" kind="read" xpath="/cib"/>
         <acl_permission id="admin-write-1" kind="write" xpath="//resources"/>
       </acl_role>
+      <acl_role id="super_user">
+        <acl_permission id="super_user-write-1" kind="write" xpath="/cib"/>
+      </acl_role>
+      <acl_role id="rsc_writer">
+        <acl_permission id="rsc-writer-deny-1" kind="deny" xpath="/cib"/>
+        <acl_permission id="rsc-writer-write-1" kind="write" xpath="//resources"/>
+      </acl_role>
+      <acl_role id="rsc_denied">
+        <acl_permission id="rsc-denied-write-1" kind="write" xpath="/cib"/>
+        <acl_permission id="rsc-denied-deny-1" kind="deny" xpath="//resources"/>
+      </acl_role>
       <acl_target id="badidea">
         <role id="auto-badidea"/>
       </acl_target>
       <acl_role id="auto-badidea">
         <acl_permission id="badidea-resources" kind="read" xpath="//meta_attributes"/>
       </acl_role>
       <acl_target id="betteridea">
         <role id="auto-betteridea"/>
       </acl_target>
       <acl_role id="auto-betteridea">
         <acl_permission id="betteridea-nothing" kind="deny" xpath="/cib"/>
         <acl_permission id="betteridea-resources" kind="read" xpath="//meta_attributes"/>
       </acl_role>
     </acls>
   </configuration>
   <status/>
 </cib>
-=#=#=#= Begin test: bob: Replace - delete attribute (allow) =#=#=#=
-=#=#=#= End test: bob: Replace - delete attribute (allow) - OK (0) =#=#=#=
-* Passed: cibadmin       - bob: Replace - delete attribute (allow)
+=#=#=#= Begin test: chris: Replace - delete attribute (deny overrides allow) =#=#=#=
+pcmk__check_acl 	trace: Parent ACL denies user 'chris' read/write access to /cib/configuration/resources/primitive[@id='dummy']
+Call failed: Permission denied
+=#=#=#= End test: chris: Replace - delete attribute (deny overrides allow) - Insufficient privileges (4) =#=#=#=
+* Passed: cibadmin       - chris: Replace - delete attribute (deny overrides allow)
diff --git a/cts/cts-cli.in b/cts/cts-cli.in
index 8507d6290d..62e5698a6b 100755
--- a/cts/cts-cli.in
+++ b/cts/cts-cli.in
@@ -1,1394 +1,1510 @@
 #!@BASH_PATH@
 #
 # Copyright 2008-2020 the Pacemaker project contributors
 #
 # The version control history for this file may have further details.
 #
 # This source code is licensed under the GNU General Public License version 2
 # or later (GPLv2+) WITHOUT ANY WARRANTY.
 #
 
 #
 # Note on portable usage of sed: GNU/POSIX/*BSD sed have a limited subset of
 # compatible functionality. Do not use the -i option, alternation (\|),
 # \0, or character sequences such as \n or \s.
 #
 
 USAGE_TEXT="Usage: cts-cli [<options>]
 Options:
  --help          Display this text, then exit
  -V, --verbose   Display any differences from expected output
  -t 'TEST [...]' Run only specified tests (default: 'dates tools crm_mon acls validity upgrade rules')
  -p DIR          Look for executables in DIR (may be specified multiple times)
  -v, --valgrind  Run all commands under valgrind
  -s              Save actual output as expected output"
 
 # If readlink supports -e (i.e. GNU), use it
 readlink -e / >/dev/null 2>/dev/null
 if [ $? -eq 0 ]; then
     test_home="$(dirname "$(readlink -e "$0")")"
 else
     test_home="$(dirname "$0")"
 fi
 
 : ${shadow=cts-cli}
 shadow_dir=$(mktemp -d ${TMPDIR:-/tmp}/cts-cli.shadow.XXXXXXXXXX)
 num_errors=0
 num_passed=0
 verbose=0
 tests="dates tools crm_mon acls validity upgrade rules"
 do_save=0
 VALGRIND_CMD=
 VALGRIND_OPTS="
     -q
     --gen-suppressions=all
     --show-reachable=no
     --leak-check=full
     --trace-children=no
     --time-stamp=yes
     --num-callers=20
     --suppressions=$test_home/valgrind-pcmk.suppressions
 "
 
 # These constants must track crm_exit_t values
 CRM_EX_OK=0
 CRM_EX_ERROR=1
 CRM_EX_INVALID_PARAM=2
 CRM_EX_UNIMPLEMENT_FEATURE=3
 CRM_EX_INSUFFICIENT_PRIV=4
 CRM_EX_USAGE=64
 CRM_EX_CONFIG=78
 CRM_EX_OLD=103
 CRM_EX_DIGEST=104
 CRM_EX_NOSUCH=105
 CRM_EX_UNSAFE=107
 CRM_EX_EXISTS=108
 CRM_EX_MULTIPLE=109
 CRM_EX_EXPIRED=110
 CRM_EX_NOT_YET_IN_EFFECT=111
 
 function test_assert() {
     target=$1; shift
     cib=$1; shift
     app=`echo "$cmd" | sed 's/\ .*//'`
     printf "* Running: $app - $desc\n" 1>&2
 
     printf "=#=#=#= Begin test: $desc =#=#=#=\n"
     eval $VALGRIND_CMD $cmd 2>&1
     rc=$?
 
     if [ x$cib != x0 ]; then
         printf "=#=#=#= Current cib after: $desc =#=#=#=\n"
         CIB_user=root cibadmin -Q
     fi
 
     printf "=#=#=#= End test: $desc - $(crm_error --exit $rc) ($rc) =#=#=#=\n"
 
     if [ $rc -ne $target ]; then
         num_errors=$(( $num_errors + 1 ))
         printf "* Failed (rc=%.3d): %-14s - %s\n" $rc $app "$desc"
         printf "* Failed (rc=%.3d): %-14s - %s\n" $rc $app "$desc (`which $app`)" 1>&2
         return
         exit $CRM_EX_ERROR
     else
         printf "* Passed: %-14s - %s\n" $app "$desc"
         num_passed=$(( $num_passed + 1 ))
     fi
 }
 
 function test_crm_mon() {
     export CIB_file="$test_home/cli/crm_mon.xml"
 
     desc="Basic text output"
     cmd="crm_mon -1"
     test_assert $CRM_EX_OK 0
 
     desc="XML output"
     cmd="crm_mon --output-as=xml"
     test_assert $CRM_EX_OK 0
 
     desc="Basic text output without node section"
     cmd="crm_mon -1 --exclude=nodes"
     test_assert $CRM_EX_OK 0
 
     desc="XML output without the node section"
     cmd="crm_mon --output-as=xml --exclude=nodes"
     test_assert $CRM_EX_OK 0
 
     desc="Text output with only the node section"
     cmd="crm_mon -1 --exclude=all --include=nodes"
     test_assert $CRM_EX_OK 0
 
     # The above test doesn't need to be performed for other output formats.  It's
     # really just a test to make sure that blank lines are correct.
 
     desc="Complete text output"
     cmd="crm_mon -1 --include=all"
     test_assert $CRM_EX_OK 0
 
     # XML includes everything already so there's no need for a complete test
 
     desc="Complete text output with detail"
     cmd="crm_mon -1R --include=all"
     test_assert $CRM_EX_OK 0
 
     # XML includes detailed output already
 
     desc="Complete brief text output"
     cmd="crm_mon -1 --include=all --brief"
     test_assert $CRM_EX_OK 0
 
     desc="Complete text output grouped by node"
     cmd="crm_mon -1 --include=all --group-by-node"
     test_assert $CRM_EX_OK 0
 
     # XML does not have a brief output option
 
     desc="Complete brief text output grouped by node"
     cmd="crm_mon -1 --include=all --group-by-node --brief"
     test_assert $CRM_EX_OK 0
 
     desc="XML output grouped by node"
     cmd="crm_mon -1 --output-as=xml --group-by-node"
     test_assert $CRM_EX_OK 0
 
     desc="Complete text output filtered by node"
     cmd="crm_mon -1 --include=all --node=cluster01"
     test_assert $CRM_EX_OK 0
 
     desc="XML output filtered by node"
     cmd="crm_mon --output-as xml --include=all --node=cluster01"
     test_assert $CRM_EX_OK 0
 
     desc="Complete text output filtered by tag"
     cmd="crm_mon -1 --include=all --node=even-nodes"
     test_assert $CRM_EX_OK 0
 
     desc="XML output filtered by tag"
     cmd="crm_mon --output-as=xml --include=all --node=even-nodes"
     test_assert $CRM_EX_OK 0
 
     desc="Basic text output filtered by node that doesn't exist"
     cmd="crm_mon -1 --node=blah"
     test_assert $CRM_EX_OK 0
 
     desc="XML output filtered by node that doesn't exist"
     cmd="crm_mon --output-as=xml --node=blah"
     test_assert $CRM_EX_OK 0
 
     desc="Basic text output with inactive resources"
     cmd="crm_mon -1 -r"
     test_assert $CRM_EX_OK 0
 
     # XML already includes inactive resources
 
     desc="Basic text output with inactive resources, filtered by node"
     cmd="crm_mon -1 -r --node=cluster02"
     test_assert $CRM_EX_OK 0
 
     # XML already includes inactive resources
 
     unset CIB_file
 
     export CIB_file="$test_home/cli/crm_mon-partial.xml"
 
     desc="Text output of partially active resources"
     cmd="crm_mon -1"
     test_assert $CRM_EX_OK 0
 
     desc="XML output of partially active resources"
     cmd="crm_mon -1 --output-as=xml"
     test_assert $CRM_EX_OK 0
 
     desc="Text output of partially active resources, with inactive resources"
     cmd="crm_mon -1 -r"
     test_assert $CRM_EX_OK 0
 
     # XML already includes inactive resources
 
     desc="Text output of partially active resources, with inactive resources, filtered by node"
     cmd="crm_mon -1 -r --node=cluster01"
     test_assert $CRM_EX_OK 0
 
     desc="Text output of partially active resources, filtered by node"
     cmd="crm_mon -1 --output-as=xml --node=cluster01"
     test_assert $CRM_EX_OK 0
 
     unset CIB_file
 }
 
 function test_tools() {
     local TMPXML
     local TMPORIG
 
     TMPXML=$(mktemp ${TMPDIR:-/tmp}/cts-cli.tools.xml.XXXXXXXXXX)
     TMPORIG=$(mktemp ${TMPDIR:-/tmp}/cts-cli.tools.existing.xml.XXXXXXXXXX)
     export CIB_shadow_dir="${shadow_dir}"
 
     $VALGRIND_CMD crm_shadow --batch --force --create-empty $shadow  2>&1
     export CIB_shadow=$shadow
 
     desc="Validate CIB"
     cmd="cibadmin -Q"
     test_assert $CRM_EX_OK
 
     desc="Configure something before erasing"
     cmd="crm_attribute -n cluster-delay -v 60s"
     test_assert $CRM_EX_OK
 
     desc="Require --force for CIB erasure"
     cmd="cibadmin -E"
     test_assert $CRM_EX_UNSAFE
 
     desc="Allow CIB erasure with --force"
     cmd="cibadmin -E --force"
     test_assert $CRM_EX_OK
 
     desc="Query CIB"
     cmd="cibadmin -Q > $TMPORIG"
     test_assert $CRM_EX_OK
 
     desc="Set cluster option"
     cmd="crm_attribute -n cluster-delay -v 60s"
     test_assert $CRM_EX_OK
 
     desc="Query new cluster option"
     cmd="cibadmin -Q -o crm_config | grep cib-bootstrap-options-cluster-delay"
     test_assert $CRM_EX_OK
 
     desc="Query cluster options"
     cmd="cibadmin -Q -o crm_config > $TMPXML"
     test_assert $CRM_EX_OK
 
     desc="Set no-quorum policy"
     cmd="crm_attribute -n no-quorum-policy -v ignore"
     test_assert $CRM_EX_OK
 
     desc="Delete nvpair"
     cmd="cibadmin -D -o crm_config --xml-text '<nvpair id=\"cib-bootstrap-options-cluster-delay\"/>'"
     test_assert $CRM_EX_OK
 
     desc="Create operation should fail"
     cmd="cibadmin -C -o crm_config --xml-file $TMPXML"
     test_assert $CRM_EX_EXISTS
 
     desc="Modify cluster options section"
     cmd="cibadmin -M -o crm_config --xml-file $TMPXML"
     test_assert $CRM_EX_OK
 
     desc="Query updated cluster option"
     cmd="cibadmin -Q -o crm_config | grep cib-bootstrap-options-cluster-delay"
     test_assert $CRM_EX_OK
 
     desc="Set duplicate cluster option"
     cmd="crm_attribute -n cluster-delay -v 40s -s duplicate"
     test_assert $CRM_EX_OK
 
     desc="Setting multiply defined cluster option should fail"
     cmd="crm_attribute -n cluster-delay -v 30s"
     test_assert $CRM_EX_MULTIPLE
 
     desc="Set cluster option with -s"
     cmd="crm_attribute -n cluster-delay -v 30s -s duplicate"
     test_assert $CRM_EX_OK
 
     desc="Delete cluster option with -i"
     cmd="crm_attribute -n cluster-delay -D -i cib-bootstrap-options-cluster-delay"
     test_assert $CRM_EX_OK
 
     desc="Create node1 and bring it online"
     cmd="crm_simulate --live-check --in-place --node-up=node1"
     test_assert $CRM_EX_OK
 
     desc="Create node attribute"
     cmd="crm_attribute -n ram -v 1024M -N node1 -t nodes"
     test_assert $CRM_EX_OK
 
     desc="Query new node attribute"
     cmd="cibadmin -Q -o nodes | grep node1-ram"
     test_assert $CRM_EX_OK
 
     desc="Set a transient (fail-count) node attribute"
     cmd="crm_attribute -n fail-count-foo -v 3 -N node1 -t status"
     test_assert $CRM_EX_OK
 
     desc="Query a fail count"
     cmd="crm_failcount --query -r foo -N node1"
     test_assert $CRM_EX_OK
 
     desc="Delete a transient (fail-count) node attribute"
     cmd="crm_attribute -n fail-count-foo -D -N node1 -t status"
     test_assert $CRM_EX_OK
 
     desc="Digest calculation"
     cmd="cibadmin -Q | cibadmin -5 -p 2>&1 > /dev/null"
     test_assert $CRM_EX_OK
 
     # This update will fail because it has version numbers
     desc="Replace operation should fail"
     cmd="cibadmin -R --xml-file $TMPORIG"
     test_assert $CRM_EX_OLD
 
     desc="Default standby value"
     cmd="crm_standby -N node1 -G"
     test_assert $CRM_EX_OK
  
     desc="Set standby status"
     cmd="crm_standby -N node1 -v true"
     test_assert $CRM_EX_OK
  
     desc="Query standby value"
     cmd="crm_standby -N node1 -G"
     test_assert $CRM_EX_OK
  
     desc="Delete standby value"
     cmd="crm_standby -N node1 -D"
     test_assert $CRM_EX_OK
 
     desc="Create a resource"
     cmd="cibadmin -C -o resources --xml-text '<primitive id=\"dummy\" class=\"ocf\" provider=\"pacemaker\" type=\"Dummy\"/>'"
     test_assert $CRM_EX_OK
 
     desc="Create a resource meta attribute"
     cmd="crm_resource -r dummy --meta -p is-managed -v false"
     test_assert $CRM_EX_OK
 
     desc="Query a resource meta attribute"
     cmd="crm_resource -r dummy --meta -g is-managed"
     test_assert $CRM_EX_OK
 
     desc="Remove a resource meta attribute"
     cmd="crm_resource -r dummy --meta -d is-managed"
     test_assert $CRM_EX_OK
 
     desc="Create another resource meta attribute"
     cmd="crm_resource -r dummy --meta -p target-role -v Stopped"
     test_assert $CRM_EX_OK 0
 
     desc="Show why a resource is not running"
     cmd="crm_resource -Y -r dummy"
     test_assert $CRM_EX_OK 0
 
     desc="Remove another resource meta attribute"
     cmd="crm_resource -r dummy --meta -d target-role"
     test_assert $CRM_EX_OK 0
 
     desc="Create a resource attribute"
     cmd="crm_resource -r dummy -p delay -v 10s"
     test_assert $CRM_EX_OK
 
     desc="List the configured resources"
     cmd="crm_resource -L"
     test_assert $CRM_EX_OK
 
     desc="List IDs of instantiated resources"
     cmd="crm_resource -l"
     test_assert $CRM_EX_OK 0
 
     desc="Show XML configuration of resource"
     cmd="crm_resource -q -r dummy"
     test_assert $CRM_EX_OK 0
 
     desc="Require a destination when migrating a resource that is stopped"
     cmd="crm_resource -r dummy -M"
     test_assert $CRM_EX_USAGE
 
     desc="Don't support migration to non-existent locations"
     cmd="crm_resource -r dummy -M -N i.do.not.exist"
     test_assert $CRM_EX_NOSUCH
 
     desc="Create a fencing resource"
     cmd="cibadmin -C -o resources --xml-text '<primitive id=\"Fence\" class=\"stonith\" type=\"fence_true\"/>'"
     test_assert $CRM_EX_OK
 
     desc="Bring resources online"
     cmd="crm_simulate --live-check --in-place -S"
     test_assert $CRM_EX_OK
 
     desc="Try to move a resource to its existing location"
     cmd="crm_resource -r dummy --move --node node1"
     test_assert $CRM_EX_EXISTS
 
     desc="Move a resource from its existing location"
     cmd="crm_resource -r dummy --move"
     test_assert $CRM_EX_OK
 
     desc="Clear out constraints generated by --move"
     cmd="crm_resource -r dummy --clear"
     test_assert $CRM_EX_OK
 
     desc="Default ticket granted state"
     cmd="crm_ticket -t ticketA -G granted -d false"
     test_assert $CRM_EX_OK
 
     desc="Set ticket granted state"
     cmd="crm_ticket -t ticketA -r --force"
     test_assert $CRM_EX_OK
 
     desc="Query ticket granted state"
     cmd="crm_ticket -t ticketA -G granted"
     test_assert $CRM_EX_OK
 
     desc="Delete ticket granted state"
     cmd="crm_ticket -t ticketA -D granted --force"
     test_assert $CRM_EX_OK
 
     desc="Make a ticket standby"
     cmd="crm_ticket -t ticketA -s"
     test_assert $CRM_EX_OK
 
     desc="Query ticket standby state"
     cmd="crm_ticket -t ticketA -G standby"
     test_assert $CRM_EX_OK
 
     desc="Activate a ticket"
     cmd="crm_ticket -t ticketA -a"
     test_assert $CRM_EX_OK
 
     desc="Delete ticket standby state"
     cmd="crm_ticket -t ticketA -D standby"
     test_assert $CRM_EX_OK
 
     desc="Ban a resource on unknown node"
     cmd="crm_resource -r dummy -B -N host1"
     test_assert $CRM_EX_NOSUCH
 
     desc="Create two more nodes and bring them online"
     cmd="crm_simulate --live-check --in-place --node-up=node2 --node-up=node3"
     test_assert $CRM_EX_OK
 
     desc="Ban dummy from node1"
     cmd="crm_resource -r dummy -B -N node1"
     test_assert $CRM_EX_OK
 
     desc="Show where a resource is running"
     cmd="crm_resource -r dummy -W"
     test_assert $CRM_EX_OK 0
 
     desc="Show constraints on a resource"
     cmd="crm_resource -a -r dummy"
     test_assert $CRM_EX_OK 0
 
     desc="Ban dummy from node2"
     cmd="crm_resource -r dummy -B -N node2"
     test_assert $CRM_EX_OK
 
     desc="Relocate resources due to ban"
     cmd="crm_simulate --live-check --in-place -S"
     test_assert $CRM_EX_OK
 
     desc="Move dummy to node1"
     cmd="crm_resource -r dummy -M -N node1"
     test_assert $CRM_EX_OK
 
     desc="Clear implicit constraints for dummy on node2"
     cmd="crm_resource -r dummy -U -N node2"
     test_assert $CRM_EX_OK
 
     desc="Drop the status section"
     cmd="cibadmin -R -o status --xml-text '<status/>'"
     test_assert $CRM_EX_OK 0
     
     desc="Create a clone"
     cmd="cibadmin -C -o resources --xml-text '<clone id=\"test-clone\"><primitive id=\"test-primitive\" class=\"ocf\" provider=\"pacemaker\" type=\"Dummy\"/></clone>'"
     test_assert $CRM_EX_OK 0
 
     desc="Create a resource meta attribute"
     cmd="crm_resource -r test-primitive --meta -p is-managed -v false"
     test_assert $CRM_EX_OK
 
     desc="Create a resource meta attribute in the primitive"
     cmd="crm_resource -r test-primitive --meta -p is-managed -v false --force"
     test_assert $CRM_EX_OK
 
     desc="Update resource meta attribute with duplicates"
     cmd="crm_resource -r test-clone --meta -p is-managed -v true"
     test_assert $CRM_EX_OK
 
     desc="Update resource meta attribute with duplicates (force clone)"
     cmd="crm_resource -r test-clone --meta -p is-managed -v true --force"
     test_assert $CRM_EX_OK
 
     desc="Update child resource meta attribute with duplicates"
     cmd="crm_resource -r test-primitive --meta -p is-managed -v false"
     test_assert $CRM_EX_OK
 
     desc="Delete resource meta attribute with duplicates"
     cmd="crm_resource -r test-clone --meta -d is-managed"
     test_assert $CRM_EX_OK
 
     desc="Delete resource meta attribute in parent"
     cmd="crm_resource -r test-primitive --meta -d is-managed"
     test_assert $CRM_EX_OK
 
     desc="Create a resource meta attribute in the primitive"
     cmd="crm_resource -r test-primitive --meta -p is-managed -v false --force"
     test_assert $CRM_EX_OK
 
     desc="Update existing resource meta attribute"
     cmd="crm_resource -r test-clone --meta -p is-managed -v true"
     test_assert $CRM_EX_OK
     
     desc="Create a resource meta attribute in the parent"
     cmd="crm_resource -r test-clone --meta -p is-managed -v true --force"
     test_assert $CRM_EX_OK
 
     desc="Copy resources"
     cmd="cibadmin -Q -o resources > $TMPXML"
     test_assert $CRM_EX_OK 0
 
     desc="Delete resource parent meta attribute (force)"
     cmd="crm_resource -r test-clone --meta -d is-managed --force"
     test_assert $CRM_EX_OK
 
     desc="Restore duplicates"
     cmd="cibadmin -R -o resources --xml-file $TMPXML"
     test_assert $CRM_EX_OK
 
     desc="Delete resource child meta attribute"
     cmd="crm_resource -r test-primitive --meta -d is-managed"
     test_assert $CRM_EX_OK
 
     cibadmin -C -o resources --xml-text '<group id="dummy-group"> \
         <primitive id="dummy1" class="ocf" provider="pacemaker" type="Dummy"\/> \
         <primitive id="dummy2" class="ocf" provider="pacemaker" type="Dummy"\/> \
       </group>'
 
     desc="Create a resource meta attribute in dummy1"
     cmd="crm_resource -r dummy1 --meta -p is-managed -v true"
     test_assert $CRM_EX_OK
 
     desc="Create a resource meta attribute in dummy-group"
     cmd="crm_resource -r dummy-group --meta -p is-managed -v false"
     test_assert $CRM_EX_OK
 
     cibadmin -D -o resource --xml-text '<group id="dummy-group">'
 
     desc="Specify a lifetime when moving a resource"
     cmd="crm_resource -r dummy --move --node node2 --lifetime=PT1H"
     test_assert $CRM_EX_OK
 
     desc="Try to move a resource previously moved with a lifetime"
     cmd="crm_resource -r dummy --move --node node1"
     test_assert $CRM_EX_OK
 
     desc="Ban dummy from node1 for a short time"
     cmd="crm_resource -r dummy -B -N node1 --lifetime=PT1S"
     test_assert $CRM_EX_OK
 
     desc="Remove expired constraints"
     sleep 2
     cmd="crm_resource --clear --expired"
     test_assert $CRM_EX_OK
 
     # Clear has already been tested elsewhere, but we need to get rid of the
     # constraints so testing delete works.  It won't delete if there's still
     # a reference to the resource somewhere.
     desc="Clear all implicit constraints for dummy"
     cmd="crm_resource -r dummy -U"
     test_assert $CRM_EX_OK
 
     desc="Delete a resource"
     cmd="crm_resource -D -r dummy -t primitive"
     test_assert $CRM_EX_OK
 
     unset CIB_shadow
     unset CIB_shadow_dir
     rm -f "$TMPXML" "$TMPORIG"
 
     desc="Create an XML patchset"
     cmd="crm_diff -o $test_home/cli/crm_diff_old.xml -n $test_home/cli/crm_diff_new.xml"
     test_assert $CRM_EX_ERROR 0
 }
 
 INVALID_PERIODS=(
     "2019-01-01 00:00:00Z"              # Start with no end
     "2019-01-01 00:00:00Z/"             # Start with only a trailing slash
     "PT2S/P1M"                          # Two durations
     "2019-13-01 00:00:00Z/P1M"          # Out-of-range month
     "20191077T15/P1M"                   # Out-of-range day
     "2019-10-01T25:00:00Z/P1M"          # Out-of-range hour
     "2019-10-01T24:00:01Z/P1M"          # Hour 24 with anything but :00:00
     "PT5H/20191001T007000Z"             # Out-of-range minute
     "2019-10-01 00:00:80Z/P1M"          # Out-of-range second
     "2019-10-01 00:00:10 +25:00/P1M"    # Out-of-range offset hour
     "20191001T000010 -00:61/P1M"        # Out-of-range offset minute
     "P1Y/2019-02-29 00:00:00Z"          # Feb. 29 in non-leap-year
     "2019-01-01 00:00:00Z/P"            # Duration with no values
     "P1Z/2019-02-20 00:00:00Z"          # Invalid duration unit
     "P1YM/2019-02-20 00:00:00Z"         # No number for duration unit
 )
         
 function test_dates() {
     # Ensure invalid period specifications are rejected
     for spec in '' "${INVALID_PERIODS[@]}"; do
         desc="Invalid period - [$spec]"
         cmd="iso8601 -p \"$spec\""
         test_assert $CRM_EX_INVALID_PARAM 0
     done
 
     desc="2014-01-01 00:30:00 - 1 Hour"
     cmd="iso8601 -d '2014-01-01 00:30:00Z' -D P-1H -E '2013-12-31 23:30:00Z'"
     test_assert $CRM_EX_OK 0
 
     desc="Valid date - Feb 29 in leap year"
     cmd="iso8601 -d '2020-02-29 00:00:00Z' -E '2020-02-29 00:00:00Z'"
     test_assert $CRM_EX_OK 0
 
     desc="Valid date - using 'T' and offset"
     cmd="iso8601 -d '20191201T131211 -05:00' -E '2019-12-01 18:12:11Z'"
     test_assert $CRM_EX_OK 0
 
     desc="24:00:00 equivalent to 00:00:00 of next day"
     cmd="iso8601 -d '2019-12-31 24:00:00Z' -E '2020-01-01 00:00:00Z'"
     test_assert $CRM_EX_OK 0
 
     for y in 06 07 08 09 10 11 12 13 14 15 16 17 18 40; do
         desc="20$y-W01-7"
         cmd="iso8601 -d '20$y-W01-7 00Z'"
         test_assert $CRM_EX_OK 0
 
         desc="20$y-W01-7 - round-trip"
         cmd="iso8601 -d '20$y-W01-7 00Z' -W -E '20$y-W01-7 00:00:00Z'"
         test_assert $CRM_EX_OK 0
 
         desc="20$y-W01-1"
         cmd="iso8601 -d '20$y-W01-1 00Z'"
         test_assert $CRM_EX_OK 0
 
         desc="20$y-W01-1 - round-trip"
         cmd="iso8601 -d '20$y-W01-1 00Z' -W -E '20$y-W01-1 00:00:00Z'"
         test_assert $CRM_EX_OK 0
     done
 
     desc="2009-W53-07"
     cmd="iso8601 -d '2009-W53-7 00:00:00Z' -W -E '2009-W53-7 00:00:00Z'"
     test_assert $CRM_EX_OK 0
 
     desc="epoch + 2 Years 5 Months 6 Minutes"
     cmd="iso8601 -d 'epoch' -D P2Y5MT6M -E '1972-06-01 00:06:00Z'"
     test_assert $CRM_EX_OK 0
 
     desc="2009-01-31 + 1 Month"
     cmd="iso8601 -d '20090131T000000Z' -D P1M -E '2009-02-28 00:00:00Z'"
     test_assert $CRM_EX_OK 0
 
     desc="2009-01-31 + 2 Months"
     cmd="iso8601 -d '2009-01-31 00:00:00Z' -D P2M -E '2009-03-31 00:00:00Z'"
     test_assert $CRM_EX_OK 0
 
     desc="2009-01-31 + 3 Months"
     cmd="iso8601 -d '2009-01-31 00:00:00Z' -D P3M -E '2009-04-30 00:00:00Z'"
     test_assert $CRM_EX_OK 0
 
     desc="2009-03-31 - 1 Month"
     cmd="iso8601 -d '2009-03-31 01:00:00 +01:00' -D P-1M -E '2009-02-28 00:00:00Z'"
     test_assert $CRM_EX_OK 0
 
     desc="2038-01-01 + 3 Months"
     cmd="iso8601 -d '2038-01-01 00:00:00Z' -D P3M -E '2038-04-01 00:00:00Z'"
     test_assert $CRM_EX_OK 0
 }
 
 function test_acl_loop() {
     local TMPXML
 
     TMPXML="$1"
 
     # Make sure we're rejecting things for the right reasons
     export PCMK_trace_functions=pcmk__check_acl,pcmk__apply_creation_acl
     export PCMK_stderr=1
 
     CIB_user=root cibadmin --replace --xml-text '<resources/>'
 
+    ### no ACL ###
     export CIB_user=unknownguy
     desc="$CIB_user: Query configuration"
     cmd="cibadmin -Q"
     test_assert $CRM_EX_INSUFFICIENT_PRIV 0
 
     desc="$CIB_user: Set enable-acl"
     cmd="crm_attribute -n enable-acl -v false"
     test_assert $CRM_EX_INSUFFICIENT_PRIV 0
 
     desc="$CIB_user: Set stonith-enabled"
     cmd="crm_attribute -n stonith-enabled -v false"
     test_assert $CRM_EX_INSUFFICIENT_PRIV 0
 
     desc="$CIB_user: Create a resource"
     cmd="cibadmin -C -o resources --xml-text '<primitive id=\"dummy\" class=\"ocf\" provider=\"pacemaker\" type=\"Dummy\"/>'"
     test_assert $CRM_EX_INSUFFICIENT_PRIV 0
 
+    ### deny /cib permission ###
     export CIB_user=l33t-haxor
     desc="$CIB_user: Query configuration"
     cmd="cibadmin -Q"
     test_assert $CRM_EX_INSUFFICIENT_PRIV 0
 
     desc="$CIB_user: Set enable-acl"
     cmd="crm_attribute -n enable-acl -v false"
     test_assert $CRM_EX_INSUFFICIENT_PRIV 0
 
     desc="$CIB_user: Set stonith-enabled"
     cmd="crm_attribute -n stonith-enabled -v false"
     test_assert $CRM_EX_INSUFFICIENT_PRIV 0
 
     desc="$CIB_user: Create a resource"
     cmd="cibadmin -C -o resources --xml-text '<primitive id=\"dummy\" class=\"ocf\" provider=\"pacemaker\" type=\"Dummy\"/>'"
     test_assert $CRM_EX_INSUFFICIENT_PRIV 0
 
+    ### observer role ###
     export CIB_user=niceguy
     desc="$CIB_user: Query configuration"
     cmd="cibadmin -Q"
     test_assert $CRM_EX_OK 0
 
     desc="$CIB_user: Set enable-acl"
     cmd="crm_attribute -n enable-acl -v false"
     test_assert $CRM_EX_INSUFFICIENT_PRIV 0
 
     desc="$CIB_user: Set stonith-enabled"
     cmd="crm_attribute -n stonith-enabled -v false"
     test_assert $CRM_EX_OK
 
     desc="$CIB_user: Create a resource"
     cmd="cibadmin -C -o resources --xml-text '<primitive id=\"dummy\" class=\"ocf\" provider=\"pacemaker\" type=\"Dummy\"/>'"
     test_assert $CRM_EX_INSUFFICIENT_PRIV 0
 
     export CIB_user=root
     desc="$CIB_user: Query configuration"
     cmd="cibadmin -Q"
     test_assert $CRM_EX_OK 0
 
     desc="$CIB_user: Set stonith-enabled"
     cmd="crm_attribute -n stonith-enabled -v true"
     test_assert $CRM_EX_OK
 
     desc="$CIB_user: Create a resource"
     cmd="cibadmin -C -o resources --xml-text '<primitive id=\"dummy\" class=\"ocf\" provider=\"pacemaker\" type=\"Dummy\"/>'"
     test_assert $CRM_EX_OK
 
+    ### deny /cib permission ###
     export CIB_user=l33t-haxor
 
     desc="$CIB_user: Create a resource meta attribute"
     cmd="crm_resource -r dummy --meta -p target-role -v Stopped"
     test_assert $CRM_EX_INSUFFICIENT_PRIV 0
 
     desc="$CIB_user: Query a resource meta attribute"
     cmd="crm_resource -r dummy --meta -g target-role"
     test_assert $CRM_EX_INSUFFICIENT_PRIV 0
 
     desc="$CIB_user: Remove a resource meta attribute"
     cmd="crm_resource -r dummy --meta -d target-role"
     test_assert $CRM_EX_INSUFFICIENT_PRIV 0
 
+    ### observer role ###
     export CIB_user=niceguy
 
     desc="$CIB_user: Create a resource meta attribute"
     cmd="crm_resource -r dummy --meta -p target-role -v Stopped"
     test_assert $CRM_EX_OK
 
     desc="$CIB_user: Query a resource meta attribute"
     cmd="crm_resource -r dummy --meta -g target-role"
     test_assert $CRM_EX_OK
 
     desc="$CIB_user: Remove a resource meta attribute"
     cmd="crm_resource -r dummy --meta -d target-role"
     test_assert $CRM_EX_OK
 
     desc="$CIB_user: Create a resource meta attribute"
     cmd="crm_resource -r dummy --meta -p target-role -v Started"
     test_assert $CRM_EX_OK
 
+    ### read //meta_attributes ###
     export CIB_user=badidea
     desc="$CIB_user: Query configuration - implied deny"
     cmd="cibadmin -Q"
     test_assert $CRM_EX_OK 0
 
+    ### deny /cib, read //meta_attributes ###
     export CIB_user=betteridea
     desc="$CIB_user: Query configuration - explicit deny"
     cmd="cibadmin -Q"
     test_assert $CRM_EX_OK 0
 
     CIB_user=root cibadmin -Q > "$TMPXML"
     CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin --delete --xml-text '<acls/>'
     CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin -Ql
 
+    ### observer role ###
     export CIB_user=niceguy
     desc="$CIB_user: Replace - remove acls"
     cmd="cibadmin --replace --xml-file $TMPXML"
     test_assert $CRM_EX_INSUFFICIENT_PRIV 0
 
     CIB_user=root cibadmin -Q > "$TMPXML"
     CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin -C -o resources --xml-text '<primitive id="dummy2" class="ocf" provider="pacemaker" type="Dummy"/>'
     CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin -Ql
 
     desc="$CIB_user: Replace - create resource"
     cmd="cibadmin --replace --xml-file $TMPXML"
     test_assert $CRM_EX_INSUFFICIENT_PRIV 0
 
     CIB_user=root cibadmin -Q > "$TMPXML"
     CIB_user=root CIB_file="$TMPXML" CIB_shadow="" crm_attribute -n enable-acl -v false
     CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin -Ql
 
     desc="$CIB_user: Replace - modify attribute (deny)"
     cmd="cibadmin --replace --xml-file $TMPXML"
     test_assert $CRM_EX_INSUFFICIENT_PRIV 0
 
     CIB_user=root cibadmin -Q > "$TMPXML"
     CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin --replace --xml-text '<nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl"/>'
     CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin -Ql
 
     desc="$CIB_user: Replace - delete attribute (deny)"
     cmd="cibadmin --replace --xml-file $TMPXML"
     test_assert $CRM_EX_INSUFFICIENT_PRIV 0
 
     CIB_user=root cibadmin -Q > "$TMPXML"
     CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin --modify --xml-text '<primitive id="dummy" description="nothing interesting"/>'
     CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin -Ql
 
     desc="$CIB_user: Replace - create attribute (deny)"
     cmd="cibadmin --replace --xml-file $TMPXML"
     test_assert $CRM_EX_INSUFFICIENT_PRIV 0
 
+    ### admin role ###
     CIB_user=bob
     CIB_user=root cibadmin -Q > "$TMPXML"
     CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin --modify --xml-text '<primitive id="dummy" description="nothing interesting"/>'
     CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin -Ql
 
-    desc="$CIB_user: Replace - create attribute (allow)"
+    desc="$CIB_user: Replace - create attribute (direct allow)"
     cmd="cibadmin --replace -o resources --xml-file $TMPXML"
     test_assert $CRM_EX_OK 0
 
     CIB_user=root cibadmin -Q > "$TMPXML"
     CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin --modify --xml-text '<primitive id="dummy" description="something interesting"/>'
     CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin -Ql
 
-    desc="$CIB_user: Replace - modify attribute (allow)"
+    desc="$CIB_user: Replace - modify attribute (direct allow)"
     cmd="cibadmin --replace -o resources --xml-file $TMPXML"
     test_assert $CRM_EX_OK 0
 
     CIB_user=root cibadmin -Q > "$TMPXML"
     CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin --replace -o resources --xml-text '<primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"/>'
     CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin -Ql
 
-    desc="$CIB_user: Replace - delete attribute (allow)"
+    desc="$CIB_user: Replace - delete attribute (direct allow)"
     cmd="cibadmin --replace -o resources --xml-file $TMPXML"
     test_assert $CRM_EX_OK 0
+
+    ### super_user role ###
+    export CIB_user=joe
+
+    CIB_user=root cibadmin -Q > "$TMPXML"
+    CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin --modify --xml-text '<primitive id="dummy" description="nothing interesting"/>'
+    CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin -Ql
+
+    desc="$CIB_user: Replace - create attribute (inherited allow)"
+    cmd="cibadmin --replace -o resources --xml-file $TMPXML"
+    test_assert $CRM_EX_OK 0
+
+    CIB_user=root cibadmin -Q > "$TMPXML"
+    CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin --modify --xml-text '<primitive id="dummy" description="something interesting"/>'
+    CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin -Ql
+
+    desc="$CIB_user: Replace - modify attribute (inherited allow)"
+    cmd="cibadmin --replace -o resources --xml-file $TMPXML"
+    test_assert $CRM_EX_OK 0
+
+    CIB_user=root cibadmin -Q > "$TMPXML"
+    CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin --replace -o resources --xml-text '<primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"/>'
+    CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin -Ql
+
+    desc="$CIB_user: Replace - delete attribute (inherited allow)"
+    cmd="cibadmin --replace -o resources --xml-file $TMPXML"
+    test_assert $CRM_EX_OK 0
+
+    ### rsc_writer role ###
+    export CIB_user=mike
+
+    CIB_user=root cibadmin -Q > "$TMPXML"
+    CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin --modify --xml-text '<primitive id="dummy" description="nothing interesting"/>'
+    CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin -Ql
+
+    desc="$CIB_user: Replace - create attribute (allow overrides deny)"
+    cmd="cibadmin --replace -o resources --xml-file $TMPXML"
+    test_assert $CRM_EX_OK 0
+
+    CIB_user=root cibadmin -Q > "$TMPXML"
+    CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin --modify --xml-text '<primitive id="dummy" description="something interesting"/>'
+    CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin -Ql
+
+    desc="$CIB_user: Replace - modify attribute (allow overrides deny)"
+    cmd="cibadmin --replace -o resources --xml-file $TMPXML"
+    test_assert $CRM_EX_OK 0
+
+    CIB_user=root cibadmin -Q > "$TMPXML"
+    CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin --replace -o resources --xml-text '<primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"/>'
+    CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin -Ql
+
+    desc="$CIB_user: Replace - delete attribute (allow overrides deny)"
+    cmd="cibadmin --replace -o resources --xml-file $TMPXML"
+    test_assert $CRM_EX_OK 0
+
+    ### rsc_denied role ###
+    export CIB_user=chris
+
+    CIB_user=root cibadmin -Q > "$TMPXML"
+    CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin --modify --xml-text '<primitive id="dummy" description="nothing interesting"/>'
+    CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin -Ql
+
+    desc="$CIB_user: Replace - create attribute (deny overrides allow)"
+    cmd="cibadmin --replace -o resources --xml-file $TMPXML"
+    test_assert $CRM_EX_INSUFFICIENT_PRIV 0
+
+    # Set as root since setting as chris failed
+    CIB_user=root cibadmin --modify --xml-text '<primitive id="dummy" description="nothing interesting"/>'
+
+    CIB_user=root cibadmin -Q > "$TMPXML"
+    CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin --modify --xml-text '<primitive id="dummy" description="something interesting"/>'
+    CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin -Ql
+
+    desc="$CIB_user: Replace - modify attribute (deny overrides allow)"
+    cmd="cibadmin --replace -o resources --xml-file $TMPXML"
+    test_assert $CRM_EX_INSUFFICIENT_PRIV 0
+
+    # Set as root since setting as chris failed
+    CIB_user=root cibadmin --modify --xml-text '<primitive id="dummy" description="something interesting"/>'
+
+    CIB_user=root cibadmin -Q > "$TMPXML"
+    CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin --replace -o resources --xml-text '<primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy"/>'
+    CIB_user=root CIB_file="$TMPXML" CIB_shadow="" cibadmin -Ql
+
+    desc="$CIB_user: Replace - delete attribute (deny overrides allow)"
+    cmd="cibadmin --replace -o resources --xml-file $TMPXML"
+    test_assert $CRM_EX_INSUFFICIENT_PRIV 0
 }
 
 function test_acls() {
     local SHADOWPATH
     local TMPXML
 
     TMPXML=$(mktemp ${TMPDIR:-/tmp}/cts-cli.acls.xml.XXXXXXXXXX)
     export CIB_shadow_dir="${shadow_dir}"
 
     $VALGRIND_CMD crm_shadow --batch --force --create-empty $shadow --validate-with pacemaker-1.3 2>&1
     export CIB_shadow=$shadow
 
     cat <<EOF > "$TMPXML"
     <acls>
       <acl_user id="l33t-haxor">
         <deny id="crook-nothing" xpath="/cib"/>
       </acl_user>
       <acl_user id="niceguy">
         <role_ref id="observer"/>
       </acl_user>
       <acl_user id="bob">
         <role_ref id="admin"/>
       </acl_user>
+      <acl_user id="joe">
+        <role_ref id="super_user"/>
+      </acl_user>
+      <acl_user id="mike">
+        <role_ref id="rsc_writer"/>
+      </acl_user>
+      <acl_user id="chris">
+        <role_ref id="rsc_denied"/>
+      </acl_user>
       <acl_role id="observer">
         <read id="observer-read-1" xpath="/cib"/>
         <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
         <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
       </acl_role>
       <acl_role id="admin">
         <read id="admin-read-1" xpath="/cib"/>
         <write id="admin-write-1" xpath="//resources"/>
       </acl_role>
+      <acl_role id="super_user">
+        <write id="super_user-write-1" xpath="/cib"/>
+      </acl_role>
+      <acl_role id="rsc_writer">
+        <deny id="rsc-writer-deny-1" xpath="/cib"/>
+        <write id="rsc-writer-write-1" xpath="//resources"/>
+      </acl_role>
+      <acl_role id="rsc_denied">
+        <write id="rsc-denied-write-1" xpath="/cib"/>
+        <deny id="rsc-denied-deny-1" xpath="//resources"/>
+      </acl_role>
     </acls>
 EOF
 
     desc="Configure some ACLs"
     cmd="cibadmin -M -o acls --xml-file $TMPXML"
     test_assert $CRM_EX_OK
 
     desc="Enable ACLs"
     cmd="crm_attribute -n enable-acl -v true"
     test_assert $CRM_EX_OK
 
     desc="Set cluster option"
     cmd="crm_attribute -n no-quorum-policy -v ignore"
     test_assert $CRM_EX_OK
 
     desc="New ACL"
     cmd="cibadmin --create -o acls --xml-text '<acl_user id=\"badidea\"><read id=\"badidea-resources\" xpath=\"//meta_attributes\"/></acl_user>'"
     test_assert $CRM_EX_OK
 
     desc="Another ACL"
     cmd="cibadmin --create -o acls --xml-text '<acl_user id=\"betteridea\"><read id=\"betteridea-resources\" xpath=\"//meta_attributes\"/></acl_user>'"
     test_assert $CRM_EX_OK
 
     desc="Updated ACL"
     cmd="cibadmin --replace -o acls --xml-text '<acl_user id=\"betteridea\"><deny id=\"betteridea-nothing\" xpath=\"/cib\"/><read id=\"betteridea-resources\" xpath=\"//meta_attributes\"/></acl_user>'"
     test_assert $CRM_EX_OK
 
     test_acl_loop "$TMPXML"
 
     printf "\n\n    !#!#!#!#! Upgrading to latest CIB schema and re-testing !#!#!#!#!\n"
     printf "\nUpgrading to latest CIB schema and re-testing\n" 1>&2
 
     export CIB_user=root
     desc="$CIB_user: Upgrade to latest CIB schema"
     cmd="cibadmin --upgrade --force -V"
     test_assert $CRM_EX_OK
 
     SHADOWPATH="$(crm_shadow --file)"
     # sed -i isn't portable :-(
     cp -p "$SHADOWPATH" "${SHADOWPATH}.$$" # to keep permissions
     sed -e 's/epoch=.2/epoch=\"6/g' -e 's/admin_epoch=.1/admin_epoch=\"0/g' \
         "$SHADOWPATH" > "${SHADOWPATH}.$$"
     mv -- "${SHADOWPATH}.$$" "$SHADOWPATH"
 
     test_acl_loop "$TMPXML"
 
     unset CIB_shadow_dir
     rm -f "$TMPXML"
 }
 
 function test_validity() {
     local TMPGOOD
     local TMPBAD
 
     TMPGOOD=$(mktemp ${TMPDIR:-/tmp}/cts-cli.validity.good.xml.XXXXXXXXXX)
     TMPBAD=$(mktemp ${TMPDIR:-/tmp}/cts-cli.validity.bad.xml.XXXXXXXXXX)
     export CIB_shadow_dir="${shadow_dir}"
 
     $VALGRIND_CMD crm_shadow --batch --force --create-empty $shadow --validate-with pacemaker-1.2 2>&1
     export CIB_shadow=$shadow
     export PCMK_trace_functions=apply_upgrade,update_validation,cli_config_update
     export PCMK_stderr=1
 
     cibadmin -C -o resources --xml-text '<primitive id="dummy1" class="ocf" provider="pacemaker" type="Dummy"/>'
     cibadmin -C -o resources --xml-text '<primitive id="dummy2" class="ocf" provider="pacemaker" type="Dummy"/>'
     cibadmin -C -o constraints --xml-text '<rsc_order id="ord_1-2" first="dummy1" first-action="start" then="dummy2"/>'
     cibadmin -Q > "$TMPGOOD"
 
 
     desc="Try to make resulting CIB invalid (enum violation)"
     cmd="cibadmin -M -o constraints --xml-text '<rsc_order id=\"ord_1-2\" first=\"dummy1\" first-action=\"break\" then=\"dummy2\"/>'"
     test_assert $CRM_EX_CONFIG
 
     sed 's|"start"|"break"|' "$TMPGOOD" > "$TMPBAD"
     desc="Run crm_simulate with invalid CIB (enum violation)"
     cmd="crm_simulate -x $TMPBAD -S"
     test_assert $CRM_EX_CONFIG 0
 
 
     desc="Try to make resulting CIB invalid (unrecognized validate-with)"
     cmd="cibadmin -M --xml-text '<cib validate-with=\"pacemaker-9999.0\"/>'"
     test_assert $CRM_EX_CONFIG
 
     sed 's|"pacemaker-1.2"|"pacemaker-9999.0"|' "$TMPGOOD" > "$TMPBAD"
     desc="Run crm_simulate with invalid CIB (unrecognized validate-with)"
     cmd="crm_simulate -x $TMPBAD -S"
     test_assert $CRM_EX_CONFIG 0
 
 
     desc="Try to make resulting CIB invalid, but possibly recoverable (valid with X.Y+1)"
     cmd="cibadmin -C -o configuration --xml-text '<tags/>'"
     test_assert $CRM_EX_CONFIG
 
     sed 's|</configuration>|<tags/></configuration>|' "$TMPGOOD" > "$TMPBAD"
     desc="Run crm_simulate with invalid, but possibly recoverable CIB (valid with X.Y+1)"
     cmd="crm_simulate -x $TMPBAD -S"
     test_assert $CRM_EX_OK 0
 
 
     sed 's|[ 	][ 	]*validate-with="[^"]*"||' "$TMPGOOD" > "$TMPBAD"
     desc="Make resulting CIB valid, although without validate-with attribute"
     cmd="cibadmin -R --xml-file $TMPBAD"
     test_assert $CRM_EX_OK
 
     desc="Run crm_simulate with valid CIB, but without validate-with attribute"
     cmd="crm_simulate -x $TMPBAD -S"
     test_assert $CRM_EX_OK 0
 
 
     # this will just disable validation and accept the config, outputting
     # validation errors
     sed -e 's|[ 	][ 	]*validate-with="[^"]*"||' \
         -e 's|\([ 	][ 	]*epoch="[^"]*\)"|\10"|' -e 's|"start"|"break"|' \
         "$TMPGOOD" > "$TMPBAD"
     desc="Make resulting CIB invalid, and without validate-with attribute"
     cmd="cibadmin -R --xml-file $TMPBAD"
     test_assert $CRM_EX_OK
 
     desc="Run crm_simulate with invalid CIB, also without validate-with attribute"
     cmd="crm_simulate -x $TMPBAD -S"
     test_assert $CRM_EX_OK 0
 
     unset CIB_shadow_dir
     rm -f "$TMPGOOD" "$TMPBAD"
 }
 
 test_upgrade() {
     local TMPXML
 
     TMPXML=$(mktemp ${TMPDIR:-/tmp}/cts-cli.tools.xml.XXXXXXXXXX)
     export CIB_shadow_dir="${shadow_dir}"
 
     $VALGRIND_CMD crm_shadow --batch --force --create-empty $shadow --validate-with pacemaker-2.10 2>&1
     export CIB_shadow=$shadow
 
     desc="Set stonith-enabled=false"
     cmd="crm_attribute -n stonith-enabled -v false"
     test_assert $CRM_EX_OK
 
     cat <<EOF > "$TMPXML"
     <resources>
       <primitive id="mySmartFuse" class="ocf" provider="experiment" type="SmartFuse">
         <operations>
           <op id="mySmartFuse-start" name="start" interval="0" timeout="40s"/>
           <op id="mySmartFuse-monitor-inputpower" name="monitor" interval="30s">
             <instance_attributes id="mySmartFuse-inputpower-instanceparams">
               <nvpair id="mySmartFuse-inputpower-requires" name="requires" value="inputpower"/>
             </instance_attributes>
           </op>
           <op id="mySmartFuse-monitor-outputpower" name="monitor" interval="2s">
             <instance_attributes id="mySmartFuse-outputpower-instanceparams">
               <nvpair id="mySmartFuse-outputpower-requires" name="requires" value="outputpower"/>
             </instance_attributes>
           </op>
         </operations>
         <instance_attributes id="mySmartFuse-params">
           <nvpair id="mySmartFuse-params-ip" name="ip" value="192.0.2.10"/>
         </instance_attributes>
 	<!-- a bit hairy but valid -->
         <instance_attributes id-ref="mySmartFuse-outputpower-instanceparams"/>
       </primitive>
     </resources>
 EOF
 
     desc="Configure the initial resource"
     cmd="cibadmin -M -o resources --xml-file $TMPXML"
     test_assert $CRM_EX_OK
 
     desc="Upgrade to latest CIB schema (trigger 2.10.xsl + the wrapping)"
     cmd="cibadmin --upgrade --force -V -V"
     test_assert $CRM_EX_OK
 
     desc="Query a resource instance attribute (shall survive)"
     cmd="crm_resource -r mySmartFuse -g requires"
     test_assert $CRM_EX_OK
 
     unset CIB_shadow_dir
     rm -f "$TMPXML"
 }
 
 test_rules() {
     local TMPXML
 
     export CIB_shadow_dir="${shadow_dir}"
     $VALGRIND_CMD crm_shadow --batch --force --create-empty $shadow 2>&1
     export CIB_shadow=$shadow
 
     cibadmin -C -o resources   --xml-text '<primitive class="ocf" id="dummy" provider="heartbeat" type="Dummy" />'
 
     TMPXML=$(mktemp ${TMPDIR:-/tmp}/cts-cli.tools.xml.XXXXXXXXXX)
     cat <<EOF > "$TMPXML"
 <rsc_location id="cli-too-many-date-expressions" rsc="dummy">
   <rule id="cli-rule-too-many-date-expressions" score="INFINITY" boolean-op="or">
     <date_expression id="cli-date-expression-1" operation="gt" start="2020-01-01 01:00:00 -0500"/>
     <date_expression id="cli-date-expression-2" operation="lt" end="2019-01-01 01:00:00 -0500"/>
   </rule>
 </rsc_location>
 EOF
 
     cibadmin -C -o constraints -x "$TMPXML"
     rm -f "$TMPXML"
 
     TMPXML=$(mktemp ${TMPDIR:-/tmp}/cts-cli.tools.xml.XXXXXXXXXX)
     cat <<EOF > "$TMPXML"
 <rsc_location id="cli-prefer-dummy-expired" rsc="dummy">
   <rule id="cli-prefer-rule-dummy-expired" score="INFINITY">
     <date_expression id="cli-prefer-lifetime-end-dummy-expired" operation="lt" end="2019-01-01 12:00:00 -05:00"/>
   </rule>
 </rsc_location>
 EOF
 
     cibadmin -C -o constraints -x "$TMPXML"
     rm -f "$TMPXML"
 
     if [ "$(uname)" == "FreeBSD" ]; then
         tomorrow=$(date -v+1d +"%F %T %z")
     else
         tomorrow=$(date --date=tomorrow +"%F %T %z")
     fi
 
     TMPXML=$(mktemp ${TMPDIR:-/tmp}/cts-cli.tools.xml.XXXXXXXXXX)
     cat <<EOF > "$TMPXML"
 <rsc_location id="cli-prefer-dummy-not-yet" rsc="dummy">
   <rule id="cli-prefer-rule-dummy-not-yet" score="INFINITY">
     <date_expression id="cli-prefer-lifetime-end-dummy-not-yet" operation="gt" start="${tomorrow}"/>
   </rule>
 </rsc_location>
 EOF
 
     cibadmin -C -o constraints -x "$TMPXML"
     rm -f "$TMPXML"
 
     TMPXML=$(mktemp ${TMPDIR:-/tmp}/cts-cli.tools.xml.XXXXXXXXXX)
     cat <<EOF > "$TMPXML"
 <rsc_location id="cli-prefer-dummy-date_spec-only-years" rsc="dummy">
   <rule id="cli-prefer-rule-dummy-date_spec-only-years" score="INFINITY">
     <date_expression id="cli-prefer-dummy-date_spec-only-years-expr" operation="date_spec">
       <date_spec id="cli-prefer-dummy-date_spec-only-years-spec" years="2019"/>
     </date_expression>
   </rule>
 </rsc_location>
 EOF
 
     cibadmin -C -o constraints -x "$TMPXML"
     rm -f "$TMPXML"
 
     TMPXML=$(mktemp ${TMPDIR:-/tmp}/cts-cli.tools.xml.XXXXXXXXXX)
     cat <<EOF > "$TMPXML"
 <rsc_location id="cli-prefer-dummy-date_spec-without-years" rsc="dummy">
   <rule id="cli-prefer-rule-dummy-date_spec-without-years" score="INFINITY">
     <date_expression id="cli-prefer-dummy-date_spec-without-years-expr" operation="date_spec">
       <date_spec id="cli-prefer-dummy-date_spec-without-years-spec" hours="20" months="1,3,5,7"/>
     </date_expression>
   </rule>
 </rsc_location>
 EOF
 
     cibadmin -C -o constraints -x "$TMPXML"
     rm -f "$TMPXML"
 
     TMPXML=$(mktemp ${TMPDIR:-/tmp}/cts-cli.tools.xml.XXXXXXXXXX)
     cat <<EOF > "$TMPXML"
 <rsc_location id="cli-prefer-dummy-date_spec-years-moon" rsc="dummy">
   <rule id="cli-prefer-rule-dummy-date_spec-years-moon" score="INFINITY">
     <date_expression id="cli-prefer-dummy-date_spec-years-moon-expr" operation="date_spec">
       <date_spec id="cli-prefer-dummy-date_spec-years-moon-spec" years="2019" moon="1"/>
     </date_expression>
   </rule>
 </rsc_location>
 EOF
 
     cibadmin -C -o constraints -x "$TMPXML"
     rm -f "$TMPXML"
 
     TMPXML=$(mktemp ${TMPDIR:-/tmp}/cts-cli.tools.xml.XXXXXXXXXX)
     cat <<EOF > "$TMPXML"
 <rsc_location id="cli-no-date_expression" rsc="dummy">
   <rule id="cli-no-date_expression-rule" score="INFINITY">
     <expression id="ban-apache-expr" attribute="#uname" operation="eq" value="node3"/>
   </rule>
 </rsc_location>
 EOF
 
     cibadmin -C -o constraints -x "$TMPXML"
     rm -f "$TMPXML"
 
     desc="Try to check a rule that doesn't exist"
     cmd="crm_rule -c -r blahblah"
     test_assert $CRM_EX_NOSUCH
 
     desc="Try to check a rule that has too many date_expressions"
     cmd="crm_rule -c -r cli-rule-too-many-date-expressions"
     test_assert $CRM_EX_UNIMPLEMENT_FEATURE
 
     desc="Verify basic rule is expired"
     cmd="crm_rule -c -r cli-prefer-rule-dummy-expired"
     test_assert $CRM_EX_EXPIRED
 
     desc="Verify basic rule worked in the past"
     cmd="crm_rule -c -r cli-prefer-rule-dummy-expired -d 20180101"
     test_assert $CRM_EX_OK
 
     desc="Verify basic rule is not yet in effect"
     cmd="crm_rule -c -r cli-prefer-rule-dummy-not-yet"
     test_assert $CRM_EX_NOT_YET_IN_EFFECT
 
     desc="Verify date_spec rule with years has expired"
     cmd="crm_rule -c -r cli-prefer-rule-dummy-date_spec-only-years"
     test_assert $CRM_EX_EXPIRED
 
     desc="Verify date_spec rule with years is in effect"
     cmd="crm_rule -c -r cli-prefer-rule-dummy-date_spec-only-years -d 20190201"
     test_assert $CRM_EX_OK
 
     desc="Try to check a rule whose date_spec does not contain years="
     cmd="crm_rule -c -r cli-prefer-rule-dummy-date_spec-without-years"
     test_assert $CRM_EX_NOSUCH
 
     desc="Try to check a rule whose date_spec contains years= and moon="
     cmd="crm_rule -c -r cli-prefer-rule-dummy-date_spec-years-moon"
     test_assert $CRM_EX_NOSUCH
 
     desc="Try to check a rule with no date_expression"
     cmd="crm_rule -c -r cli-no-date_expression-rule"
     test_assert $CRM_EX_UNIMPLEMENT_FEATURE
 
     unset CIB_shadow_dir
 }
 
 # Process command-line arguments
 while [ $# -gt 0 ]; do
     case "$1" in
         -t)
             tests="$2"
             shift 2
             ;;
         -V|--verbose)
             verbose=1
             shift
             ;;
         -v|--valgrind)
             export G_SLICE=always-malloc
             VALGRIND_CMD="valgrind $VALGRIND_OPTS"
             shift
             ;;
         -s)
             do_save=1
             shift
             ;;
         -p)
             export PATH="$2:$PATH"
             shift
             ;;
         --help)
             echo "$USAGE_TEXT"
             exit $CRM_EX_OK
             ;;
         *)
             echo "error: unknown option $1"
             echo
             echo "$USAGE_TEXT"
             exit $CRM_EX_USAGE
             ;;
     esac
 done
 
 for t in $tests; do
     case "$t" in
         dates) ;;
         tools) ;;
         acls) ;;
         validity) ;;
         upgrade) ;;
         rules) ;;
         crm_mon) ;;
         *)
             echo "error: unknown test $t"
             echo
             echo "$USAGE_TEXT"
             exit $CRM_EX_USAGE
             ;;
     esac
 done
 
 # Check whether we're running from source directory
 SRCDIR=$(dirname $test_home)
 if [ -x "$SRCDIR/tools/crm_simulate" ]; then
     export PATH="$SRCDIR/tools:$PATH"
     echo "Using local binaries from: $SRCDIR/tools"
 
     if [ -x "$SRCDIR/xml" ]; then
         export PCMK_schema_directory="$SRCDIR/xml"
         echo "Using local schemas from: $PCMK_schema_directory"
     fi
 fi
 
 for t in $tests; do
     echo "Testing $t"
     TMPFILE=$(mktemp ${TMPDIR:-/tmp}/cts-cli.$t.XXXXXXXXXX)
     eval TMPFILE_$t="$TMPFILE"
     test_$t > "$TMPFILE"
 
     # last-run= and last-rc-change= are always numeric in the CIB.  However,
     # for the crm_mon test we also need to compare against the XML output of
     # the crm_mon program.  There, these are shown as human readable strings
     # (like the output of the `date` command).
     sed -e 's/cib-last-written.*>/>/'\
         -e 's/ last-run=\"[A-Za-z0-9: ]*\"//'\
         -e 's/Last updated: .*/Last updated:/' \
         -e 's/Last change: .*/Last change:/' \
         -e 's/(version .*)/(version)/' \
         -e 's/last_update time=\".*\"/last_update time=\"\"/' \
         -e 's/last_change time=\".*\"/last_change time=\"\"/' \
         -e 's/ version=\".*\" / version=\"\" /' \
         -e 's/request=\".*crm_mon/request=\"crm_mon/' \
         -e 's/crm_feature_set="[^"]*" //'\
         -e 's/validate-with="[^"]*" //'\
         -e 's/Created new pacemaker-.* configuration/Created new pacemaker configuration/'\
         -e 's/.*\(pcmk__.*\)@.*\.c:[0-9][0-9]*)/\1/g' \
         -e 's/.*\(unpack_.*\)@.*\.c:[0-9][0-9]*)/\1/g' \
         -e 's/.*\(update_validation\)@.*\.c:[0-9][0-9]*)/\1/g' \
         -e 's/.*\(apply_upgrade\)@.*\.c:[0-9][0-9]*)/\1/g' \
         -e 's/ last-rc-change=\"[A-Za-z0-9: ]*\"//'\
         -e 's|^/tmp/cts-cli\.validity\.bad.xml\.[^:]*:|validity.bad.xml:|'\
         -e 's/^Entity: line [0-9][0-9]*: //'\
         -e 's/\(validation ([0-9][0-9]* of \)[0-9][0-9]*\().*\)/\1X\2/' \
         -e 's/^Migration will take effect until: .*/Migration will take effect until:/' \
         -e 's/ end=\"[0-9][-+: 0-9]*Z*\"/ end=\"\"/' \
         -e 's/ start=\"[0-9][-+: 0-9]*Z*\"/ start=\"\"/' \
         -e 's/^Error checking rule: Device not configured/Error checking rule: No such device or address/' \
         "$TMPFILE" > "${TMPFILE}.$$"
     mv -- "${TMPFILE}.$$" "$TMPFILE"
 
     if [ $do_save -eq 1 ]; then
         cp "$TMPFILE" $test_home/cli/regression.$t.exp
     fi
 done
 
 rm -rf "${shadow_dir}"
     
 failed=0
 
 if [ $verbose -eq 1 ]; then
     echo -e "\n\nResults"
 fi
 for t in $tests; do
     eval TMPFILE="\$TMPFILE_$t"
     if [ $verbose -eq 1 ]; then
         diff -wu $test_home/cli/regression.$t.exp "$TMPFILE"
     else
         diff -w $test_home/cli/regression.$t.exp "$TMPFILE" >/dev/null 2>&1
     fi
     if [ $? -ne 0 ]; then
         failed=1
     fi
 done
 
 echo -e "\n\nSummary"
 for t in $tests; do
     eval TMPFILE="\$TMPFILE_$t"
     grep -e '^\* \(Passed\|Failed\)' "$TMPFILE"
 done
 
 if [ $num_errors -ne 0 ]; then
     echo "$num_errors tests failed; see output in:"
     for t in $tests; do
         eval TMPFILE="\$TMPFILE_$t"
         echo "    $TMPFILE"
     done
     exit $CRM_EX_ERROR
 
 elif [ $failed -eq 1 ]; then
     echo "$num_passed tests passed but output was unexpected; see output in:"
     for t in $tests; do
         eval TMPFILE="\$TMPFILE_$t"
         echo "    $TMPFILE"
     done
     exit $CRM_EX_DIGEST
 
 else
     echo $num_passed tests passed
     for t in $tests; do
         eval TMPFILE="\$TMPFILE_$t"
         rm -f "$TMPFILE"
     done
     crm_shadow --force --delete $shadow >/dev/null 2>&1
     exit $CRM_EX_OK
 fi