On Thu, 03 Sep 2020, John Burns via FreeIPA-users wrote:
> What exactly should be granted to enable a user to view/edit FreeIPA roles?
> Specifically, what enables a user to view anything under "IPA Server" > "Role-Based
> Access Control"?
> Context: roles, privileges, permissions are all populated for one non-"admin"
> login but not for another.
$ ipa privilege-show 'Delegation Administrator'
Privilege name: Delegation Administrator
Description: Role administration
Permissions: System: Modify Privilege Membership, System: Add Privileges,
System: Modify Privileges, System: Remove Privileges, System: Add Roles,
System: Modify Role Membership, System: Modify Roles, System: Remove Roles
Granting privilege to roles: Security Architect
Note that IPA's access control model is not to segregate administration
tasks; it is to account for access to privileged operations. If you are
administering roles, you are an administrator anyway, just not a faceless
'admin'.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
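The thread turns on FreeIPA's RBAC chain (user or group -> role -> privilege -> permission): a user sees and edits roles only if some role they hold carries a privilege such as 'Delegation Administrator' that bundles the role-administration permissions quoted above. The script below is an added example, not code from the thread or from the FreeIPA project; it models that chain over a small constructed data set and reports which users end up with any of those eight permissions, which, as the reply points out, makes them administrators in practice. Names like alice, sec-arch and sec-leads are constructed; on a real server the same data would be collected from `ipa role-show --all`, `ipa privilege-show` and `ipa group-show` (assumed workflow, their output is not parsed here).

```python
"""Resolve effective FreeIPA RBAC permissions for a user (added example).

Models user/group -> role -> privilege -> permission over constructed data
and flags users who hold the role-administration permissions that the
'Delegation Administrator' privilege bundles.
"""
from typing import Dict, List, Optional, Set

# Permissions bundled in 'Delegation Administrator' (from the thread's ipa privilege-show output).
ROLE_ADMIN_PERMISSIONS: Set[str] = {
    "System: Modify Privilege Membership",
    "System: Add Privileges",
    "System: Modify Privileges",
    "System: Remove Privileges",
    "System: Add Roles",
    "System: Modify Role Membership",
    "System: Modify Roles",
    "System: Remove Roles",
}

# Constructed sample data; not exported from any real server.
PRIVILEGES: Dict[str, Set[str]] = {
    "Delegation Administrator": set(ROLE_ADMIN_PERMISSIONS),
    # Constructed subset standing in for a user-management privilege.
    "User Administrators": {"System: Add Users", "System: Modify Users"},
}
ROLES: Dict[str, Dict[str, Set[str]]] = {
    "Security Architect": {"privileges": {"Delegation Administrator"},
                           "users": set(), "groups": {"sec-arch"}},
    "User Administrator": {"privileges": {"User Administrators"},
                           "users": {"helpdesk1"}, "groups": set()},
}
# Groups may nest: sec-arch contains the group sec-leads.
GROUPS: Dict[str, Dict[str, Set[str]]] = {
    "sec-arch": {"users": {"alice"}, "groups": {"sec-leads"}},
    "sec-leads": {"users": {"carol"}, "groups": set()},
    "helpdesk": {"users": {"helpdesk1", "bob"}, "groups": set()},
}


def expand_group(group: str, groups: Dict[str, Dict[str, Set[str]]] = GROUPS,
                 seen: Optional[Set[str]] = None) -> Set[str]:
    """All users in a group, following nested membership; guards against cycles."""
    seen = set() if seen is None else seen
    if group in seen or group not in groups:
        return set()
    seen.add(group)
    users = set(groups[group]["users"])
    for child in groups[group]["groups"]:
        users |= expand_group(child, groups, seen)
    return users


def roles_for_user(user: str, roles=ROLES, groups=GROUPS) -> Set[str]:
    """Roles held directly or through (possibly nested) group membership."""
    held: Set[str] = set()
    for name, role in roles.items():
        if user in role["users"] or any(user in expand_group(g, groups) for g in role["groups"]):
            held.add(name)
    return held


def effective_permissions(user: str, roles=ROLES, privileges=PRIVILEGES, groups=GROUPS) -> Set[str]:
    """Union of permissions reachable through every role -> privilege the user holds."""
    perms: Set[str] = set()
    for role in roles_for_user(user, roles, groups):
        for priv in roles[role]["privileges"]:
            perms |= privileges.get(priv, set())
    return perms


def role_admin_permissions(user: str, roles=ROLES, privileges=PRIVILEGES, groups=GROUPS) -> Set[str]:
    """The subset of the user's permissions that let them view/edit RBAC objects."""
    return effective_permissions(user, roles, privileges, groups) & ROLE_ADMIN_PERMISSIONS


def audit_role_admins(users: List[str], roles=ROLES, privileges=PRIVILEGES,
                      groups=GROUPS) -> Dict[str, Set[str]]:
    """Map each user who can administer roles to the permissions granting that."""
    result: Dict[str, Set[str]] = {}
    for user in users:
        perms = role_admin_permissions(user, roles, privileges, groups)
        if perms:
            result[user] = perms
    return result


if __name__ == "__main__":
    for user, perms in audit_role_admins(["alice", "bob", "carol", "helpdesk1"]).items():
        print(f"{user}: role administrator via {sorted(perms)}")
```

Run as a script it prints alice and carol (carol only through the nested sec-leads group), while helpdesk1 and bob, whose access stops at user management, are not listed; the same resolution explains why one non-admin login in the question sees the RBAC objects and another does not.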