One of the features of IPAv2 is it is much easier to delegate
permissions to perform tasks (add, delete, modify, etc).
This delegation is broken out into three pieces:
A permission is a very low-level object that says who can do what to
whom.

These permissions are grouped together into privileges so one can
perform a whole task. This is needed for something like adding a user,
which requires a couple of different permissions such as actually writing
the user entry, adding the user to the default group and setting the

A role is a collection of privileges and the users/groups that are
granted those privileges.
Right now we are defining a single role, helpdesk, and have assigned no
privileges to that yet. I was thinking about just assigning it the
ability to reset passwords.
But what other roles do we need? The mind boggles and rather than
dictating what the initial ones will be I'm looking for some
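As an added illustration (not part of the original message and not FreeIPA's own code) of how the three layers compose, here is a small Python model that resolves a member's effective permissions through roles and privileges, and checks that a helpdesk role holding only a password-reset privilege gets nothing else; the entry and group names are constructed for the example.

```python
"""Constructed model of the IPAv2 delegation layers: permission -> privilege -> role."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Permission:
    """Lowest layer: who may do what (right) to which attribute of which target type."""
    name: str
    right: str    # e.g. "write", "add", "delete"
    target: str   # object type the rule applies to, e.g. "user"
    attr: str     # attribute the right covers; "*" means the whole entry


@dataclass
class Privilege:
    """A task-sized bundle of permissions, e.g. everything needed to add a user."""
    name: str
    permissions: list = field(default_factory=list)


@dataclass
class Role:
    """Privileges plus the users/groups that are granted them."""
    name: str
    privileges: list = field(default_factory=list)
    members: list = field(default_factory=list)   # user or group names


def effective_permissions(roles, principal):
    """Flatten role -> privilege -> permission for one user/group name."""
    return {perm for role in roles if principal in role.members
            for priv in role.privileges for perm in priv.permissions}


def may(roles, principal, right, target, attr):
    """Authorization check: does principal hold `right` on target/attr?"""
    return any(p.right == right and p.target == target and p.attr in ("*", attr)
               for p in effective_permissions(roles, principal))


def roles_granting(roles, right, target, attr):
    """Least-privilege audit: which roles hand out a given right at all."""
    return sorted(r.name for r in roles
                  if any(p.right == right and p.target == target and p.attr in ("*", attr)
                         for priv in r.privileges for p in priv.permissions))


def build_example():
    # Constructed entries mirroring the message: helpdesk only resets passwords.
    write_pw = Permission("Reset user passwords", "write", "user", "userPassword")
    add_user = Permission("Add user entries", "add", "user", "*")
    add_member = Permission("Add users to default group", "write", "group", "member")
    reset = Privilege("Password Reset", [write_pw])
    user_admin = Privilege("User Administration", [add_user, add_member, write_pw])
    return [Role("helpdesk", [reset], ["helpdesk-staff"]),
            Role("useradmin", [user_admin], ["admins"])]
```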
Freeipa-devel mailing list