Remco Kranenburg via FreeIPA-users wrote:
> Hi all,
> 
> We received a question from one of our auditors about who has the
> permission to do certain actions in FreeIPA itself. This is managed by
> the RBAC system: you can for example configure that certain groups are
> allowed to manage certain parts of FreeIPA.
> 
> We currently only have two roles: normal users and admins. Normal users
> have the default self-service permissions, and admins can do anything
> within FreeIPA. However, for that last part we cannot figure out how
> this is specified within FreeIPA. There is no RBAC role that gives
> admins all permissions.
> 
> Is the admins group maybe special, in that it is hardcoded to be able
> to change anything within FreeIPA?

Yes, the admins group is as you describe. It has pretty broad powers
(but not to change anything).

There are still some direct 389-ds ACIs created to grant power to the
admins group.

rob
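For the audit question in this thread, one way to list the directory ACIs whose bind rule names the admins group. This is an added example, not part of the original messages or FreeIPA's own code; it parses LDIF text of the kind an `ldapsearch` for the `aci` attribute returns. The sample LDIF, its DNs and ACI names are constructed, `acis_for_group` is a hypothetical helper, and it assumes one permission statement per ACI.

```python
import base64
import re

# Constructed sample shaped like LDIF output for the "aci" attribute; not from a real server.
SAMPLE_LDIF = """\
dn: dc=example,dc=test
aci: (targetattr = "userPassword")(version 3.0; acl "Constructed: admins
  write passwords"; allow (write) groupdn = "ldap:///cn=admins,cn=groups,
 cn=accounts,dc=example,dc=test";)
aci: (targetattr = "mail")(version 3.0; acl "Constructed: self-service";
  allow (write) userdn = "ldap:///self";)

dn: cn=sudo,dc=example,dc=test
aci: (target = "ldap:///cn=*,cn=sudo,dc=example,dc=test")(version 3.0; acl
  "Constructed: helpdesk or admins manage sudo"; allow (add,delete) groupdn
  = "ldap:///cn=helpdesk,cn=groups,cn=accounts,dc=example,dc=test || ldap:
 ///cn=admins,cn=groups,cn=accounts,dc=example,dc=test";)
"""

# acl "name"; allow|deny (rights) <bind rule>;)
ACI_RE = re.compile(r'acl\s+"([^"]*)"\s*;\s*(allow|deny)\s*\(([^)]*)\)\s*(.*);\s*\)\s*$', re.S)
GROUPDN_RE = re.compile(r'groupdn\s*!?=\s*"([^"]*)"', re.I)

def acis_for_group(ldif_text, group_rdn="cn=admins"):
    """Return (entry DN, ACI name, allow/deny, rights) for ACIs whose groupdn names the group."""
    hits, dn = [], None
    unfolded = re.sub(r"\r?\n ", "", ldif_text)  # LDIF folds long values onto lines starting with one space
    for line in unfolded.splitlines():
        key, _, raw = line.partition(":")
        if raw.startswith(":"):  # "attr:: value" is base64-encoded
            raw = base64.b64decode(raw[1:].strip()).decode("utf-8")
        key, value = key.lower(), raw.strip()
        if key == "dn":
            dn = value
        m = ACI_RE.search(value) if key == "aci" else None
        if not m:
            continue
        name, kind, rights, bind = m.groups()
        for urls in GROUPDN_RE.findall(bind):  # one groupdn may list several URLs joined by ||
            dns = [u.strip().lower().split("ldap:///", 1)[-1] for u in urls.split("||")]
            if any(d.startswith(group_rdn.lower() + ",") for d in dns):
                hits.append((dn, name, kind, [r.strip() for r in rights.split(",")]))
                break
    return hits

if __name__ == "__main__":
    for hit in acis_for_group(SAMPLE_LDIF):
        print(hit)
```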
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org