On 06/27/2014 05:16 PM, Simo Sorce wrote:
> On Fri, 2014-06-27 at 17:12 +0200, Martin Kosek wrote:
>> On 06/27/2014 05:10 PM, Simo Sorce wrote:
>>> On Fri, 2014-06-27 at 16:16 +0200, Martin Kosek wrote:
>>>> Host Administrators could not write to service keytab attribute and
>>>> thus they could not run the host-disable command.
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/4284
>>>>
>>>
>>> Any reason why Host Administrators are not members of the service
>>> Administrators group/permission by default ?
>>>
>>> Simo.
>>>
>>
>> I assume that the original intent was to allow admins to separate these
>> privileges. I.e. allow service administrators to manage services on hosts but do
>> not allow them to delete or disable the hosts.
>
> Sure, but I asked the opposite question. I understand you may want to
> have Service Administrators that cannot manage the host object.
> But is there ever a case where Host Administrator is not also Service
> Administrator ?
>
>> This patch fixes the reported request for Foreman integration, if you have a
>> better one fixing it as well, we can go different way.
>
> I was wondering if a group membership change wouldn't solve a class of
> problems, instead of fixing this on per permission basis, that's all.
>
> Simo.
>
Sure, good thinking. I do not think that the current framework can make one
privilege a member of another one, so this would need to be hacked in.

CCing Petr3 to get his view on this.

Martin

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel