On 9/21/18 5:25 PM, kwtygrys via FreeIPA-users wrote:
well, according to the freeipa page https://www.freeipa.org/page/Web_UI
Web UI has two operation modes:
* self-service
  o used for regular users
  o limited interface - only information about users
  o default page: user's profile
  o use cases: change or view own information and reset password
* administration
  o *used for members of 'admins' group and users with a role assigned*
  o complete interface available
Hi,
I stand corrected: if the user is assigned a role, he should see the
administration console. This is confirmed by the code (see [1]).
I tried on RHEL 7.5 (ipa 4.5.4) and see the expected behavior: a user
with User Administrator, IT Specialist and IT Security Specialist roles
is able to see the admin console, and create new users.
What's the point of giving an individual "User Administrator" role if
he/she cannot provision users using the Web UI? And if you want to use
the ipa user-* commands then you need to actually create a different
user admin role that has a write permission to cn=users,cn=accounts as
the built-in “User Administrator” doesn’t have it and thus the ipa
user-* commands don’t work.
"User Administrator" role has "User Administrators" privilege, which
contains the permission "System: Add Users" and should grant add access
to create a user.
Are you seeing the above role/privilege/permission in your setup?
flo
[1]
https://github.com/freeipa/freeipa/blob/master/install/ui/src/freeipa/Application_controller.js#L241
Is this a well-known bug/limitation? How do you go about providing role
assigned principals with means to act upon the privileges they possess?
Regards
Kristof
On Sep 21, 2018, at 4:12 PM, Florence Blanc-Renaud wrote:
On 9/21/18 2:06 PM, kwtygrys via FreeIPA-users wrote:
Hi
I am running FreeIPA 4.5.4 on a CentOS 7 server. I created a few users
hradmin, itadmin, secadmin and assigned them to the built-in special
roles User Administrator, IT Specialist and IT Security Specialist
respectively. However, every time I try to access the Web UI as one of
those users I always get the WebUI in self-service mode, i.e. I cannot
take advantage of the privileges/permissions these users have. I
only get the WebUI administration mode when logging in as admin.
Is there anything I am missing in terms of configuration?
Hi,
IIRC a user has access to the whole WebUI administration when he is a
member of the "admins" group.
flo
Regards
Kristof
_______________________________________________
FreeIPA-users mailing list -- [email protected]
<mailto:[email protected]>
To unsubscribe send an email to
[email protected]
<mailto:[email protected]>
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]