[Freeipa-users] Creating roles tutorial/how-to

2016-07-11 Thread Larry Rosen
I want a role the user snapmgr belongs to that can add, delete snapon group 
member users and reset/change their passwords and unlock their accounts

When I login as snapmgr and attempt to reset the password of user snaptestuser1 
(member of snapon group), it fails with "Insufficient access: Insufficient 
access rights". 

What did I miss?  What are the minimum permission effective attributes that need 
to be checked?

OK, so I created:

1)  A user snapmgr to be the group manager, able to reset passwords of snapon 
users (members of the snapon group)
2)  A role named snapon-manage, and assigned user snapmgr as the member user
3)  A privilege named snapon_management_privileges
4)  A permission named snap_user_passwd, assigned to the 
snapon_management_privileges privilege, which is assigned to the snapon-manage 
role

PERMISSION SETTINGS:
Bind rule type:  x permission
Granted rights:
x read
x write
x add
x delete
x all
TARGET:
Type:  user

Target DN:  blank

Member of group:  snapon

Effective attributes:
x description
x ipasshpubkey
x homedirectory
x userpassword
x krbprincipalname
x krblastadminunlock


Larry Rosen - Linux System Administrator
JDR Solutions, Inc
8606 Allisonville Road, Suite 245
Indianapolis, IN 46250
www.jdrsolutions.com

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Creating roles tutorial/how-to

2016-07-11 Thread Larry Rosen
Thanks, I had those parts figured out.

I have a basic role/user working.

My next questions are:

When or why would I need to specify a Target DN or Extra target filter?  I 
don't think any are necessary for this role that has this permission to work 
since I specified the group (member of group) it can target.


-Original Message-
From: Rob Crittenden [mailto:rcrit...@redhat.com] 
Sent: Friday, July 01, 2016 6:45 PM
To: Larry Rosen <larry.ro...@jdrsolutions.com>; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Creating roles tutorial/how-to

Larry Rosen wrote:
> Are there any tutorials/how to's to guide how to create roles?  The 
> docs simply go through filling out the forms, but is there any 
> resource about how roles are generally used and the required relationships?
>
> This is the closest thing I have found:
> http://adam.younglogic.com/2012/02/group-managers-in-freeipa/
>
> I don't understand how to limit various permissions/privileges to 
> specific users or groups.
>
> I want a role to manage only the users of a certain group: i.e. a user 
> that can add, modify, delete user accounts and set/reset/unlock 
> passwords for one group.

The order of access control looks like permissions -> privileges -> roles. The 
associated privileges provide a set of permissions (actions a role can take) to 
the role.

Users, groups, hosts, hostgroups and services (depending on version of
IPA) can be members of a role, thus having the capabilities of that role.

You add the privileges you want that role to have, then you add the groups you 
want, and that should do it.

A permission is a low-level "task". A privilege is usually 1-1 to a permission. 
It may contain multiple permissions.

An example of a privilege with multiple permissions is adding a user, where you 
need to be able to write the user and set the password.

For the permissions shipped with IPA there is always an associated privilege 
available for that so you typically don't need to mess with these.

rob






Re: [Freeipa-users] Creating roles tutorial/how-to

2016-07-01 Thread Rob Crittenden

Larry Rosen wrote:

Are there any tutorials/how to’s to guide how to create roles?  The docs
simply go through filling out the forms, but is there any resource about
how roles are generally used and the required relationships?

This is the closest thing I have found:
http://adam.younglogic.com/2012/02/group-managers-in-freeipa/

I don’t understand how to limit various permissions/privileges to
specific users or groups.

I want a role to manage only the users of a certain group: i.e. a user
that can add, modify, delete user accounts and set/reset/unlock
passwords for one group.


The order of access control looks like permissions -> privileges -> 
roles. The associated privileges provide a set of permissions (actions a 
role can take) to the role.


Users, groups, hosts, hostgroups and services (depending on version of 
IPA) can be members of a role, thus having the capabilities of that role.


You add the privileges you want that role to have, then you add the 
groups you want, and that should do it.


A permission is a low-level "task". A privilege is usually 1-1 to a 
permission. It may contain multiple permissions.


An example of a privilege with multiple permissions is adding a user, 
where you need to be able to write the user and set the password.


For the permissions shipped with IPA there is always an associated 
privilege available for that so you typically don't need to mess with these.


rob



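Added example, not from the thread and not FreeIPA project code: the ipa CLI equivalent of the snapon-manage setup Larry describes in the first message, built in the permission -> privilege -> role -> member order Rob lays out. The names (snapmgr, snapon, snapon-manage, snapon_management_privileges, snap_user_passwd) and the attribute list are taken from Larry's message; the rest of the script (the DRY_RUN wrapper, the descriptions, the `show_effective` check) is my own. It assumes an admin Kerberos ticket (`kinit admin`) when run for real, and it assumes the shipped managed-permission name "System: Change User password" exists in the installed IPA version.

```shell
#!/bin/sh
# Added example (not from the thread): build the snapon-manage role with the
# ipa CLI in the order permission -> privilege -> role -> member.
# Run as:  ./snapon-role.sh apply     (needs an admin ticket: kinit admin)
#          DRY_RUN=1 ./snapon-role.sh apply   (print the commands only)
#          ./snapon-role.sh show      (compare against the shipped permission)
set -eu

# Execute the command, or print it when DRY_RUN=1 (useful for review before
# granting write access to password attributes).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

create_snapon_manager_role() {
    # 1) Permission: write the listed attributes on user entries that are
    #    members of group snapon. --memberof is the scoping rule here, so
    #    no target DN or extra target filter is needed for this case.
    #    Attribute list as given in Larry's message (constructed from the post).
    run ipa permission-add snap_user_passwd \
        --type=user \
        --memberof=snapon \
        --right=write \
        --attrs=userpassword \
        --attrs=krbprincipalname \
        --attrs=krblastadminunlock \
        --attrs=description \
        --attrs=homedirectory \
        --attrs=ipasshpubkey

    # 2) Privilege: a named container for one or more permissions.
    run ipa privilege-add snapon_management_privileges \
        --desc="Manage members of group snapon"
    run ipa privilege-add-permission snapon_management_privileges \
        --permissions=snap_user_passwd

    # 3) Role: grants its privileges to whatever is made a member of it.
    run ipa role-add snapon-manage --desc="Group manager for snapon"
    run ipa role-add-privilege snapon-manage \
        --privileges=snapon_management_privileges

    # 4) Member: the account that acts as group manager.
    run ipa role-add-member snapon-manage --users=snapmgr
}

# Diagnostic for the "Insufficient access" case: show the custom permission
# next to the one IPA ships for the same task, so the attribute sets can be
# compared instead of widened blindly. The shipped name is assumed here.
# Logged in as the manager, `ipa user-show <target> --all --rights` lists the
# per-attribute rights that account actually has on the target entry.
show_effective() {
    run ipa permission-show snap_user_passwd
    run ipa permission-show "System: Change User password"
}

case "${1:-}" in
    apply) create_snapon_manager_role ;;
    show)  show_effective ;;
esac
```

With DRY_RUN=1 the script only prints the six ipa commands, which is a reasonable thing to review before a permission that grants write on userpassword goes live. Because the permission is scoped with --memberof, it applies only to user entries that are members of snapon; a target DN or extra target filter would only be needed to narrow the scope further (for example to one subtree) or to match entries by something other than group membership.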


[Freeipa-users] Creating roles tutorial/how-to

2016-07-01 Thread Larry Rosen
Are there any tutorials/how to's to guide how to create roles?  The docs simply 
go through filling out the forms, but is there any resource about how roles are 
generally used and the required relationships?

This is the closest thing I have found:  
http://adam.younglogic.com/2012/02/group-managers-in-freeipa/

I don't understand how to limit various permissions/privileges to specific 
users or groups.

I want a role to manage only the users of a certain group: i.e. a user that can 
add, modify, delete user accounts and set/reset/unlock passwords for one group.

Larry