Aditya kamat via FreeIPA-users wrote: > I am configuring RBAC in my current FreeIPA setup. There is a requirement > wherein each host can only belong to a particular host group. If a host is > already a part of some host group, a particular role which I create should > not be able to add it to any other host group. > > Let me clarify this with an example: > > Let us say host1 is a part of hostgroup1. There is a role which has modify > access to hostgroup2 (i.e he can add or delete hosts from this group). Can I > restrict this role from being able to add hosts which already belong to some > other hostgroup?
That is going to be tricky to do. An IPA permission is basically a 389-ds ACI. I'd start by manually trying to create such an ACI using targetfilter (see https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/defining_targets) Without a specific permission for every hostgroup I'm not sure you can achieve this. I could be wrong. rob _______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
