On Fri, 2014-06-27 at 17:12 +0200, Martin Kosek wrote:
> On 06/27/2014 05:10 PM, Simo Sorce wrote:
> > On Fri, 2014-06-27 at 16:16 +0200, Martin Kosek wrote:
> >> Host Administrators could not write to service keytab attribute and
> >> thus they could not run the host-disable command.
> >>
> >> https://fedorahosted.org/freeipa/ticket/4284
> >>
> >
> > Any reason why Host Administrators are not members of the service
> > Administrators group/permission by default?
> >
> > Simo.
> >
>
> I assume that the original intent was to allow admins to separate these
> privileges. I.e. allow service administrators to manage services on hosts but
> do not allow them to delete or disable the hosts.

Sure, but I asked the opposite question.
I understand you may want to have Service Administrators that cannot
manage the host object. But is there ever a case where Host
Administrator is not also Service Administrator?

> This patch fixes the reported request for Foreman integration, if you have a
> better one fixing it as well, we can go a different way.

I was wondering if a group membership change wouldn't solve a class of
problems, instead of fixing this on a per-permission basis, that's all.

Simo.

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel