Yehuda Katz via FreeIPA-users wrote:
> Is it possible to create an RBAC rule that includes a userattr filter?
> 
> For example, we added a cn=mailinglists and each mailing list has an `owner` 
> attribute. We created a rule to allow anonymous reads in this subtree through 
> RBAC.
> I know we can create an ACI that would allow the owner to modify the list 
> members:
> (targetattr = "mgrpRFC822MailMember")(target = 
> "ldap:///cn=*,cn=aliases,dc=example,dc=com";)(version 3.0;acl "Owner Change 
> Aliases";allow (add,delete,write) userattr = "owner#USERDN";)
> 
> Is there any way to create this ACI (or something that would do the same 
> thing) through the RBAC system?

The RBAC rules grant access via groups (permission -> privilege -> role).

Off the top of my head I'm not sure if there is a dynamic way to do it
with this model, so you'd probably end up with a set of these to manage
members for each list, which would be a bit burdensome. Plus one set for
creating/removing lists altogether to separate the access.

The benefit would be that it would grant access via the role so there
could be multiple owners of a list without relying on the owner attribute.

rob
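As an added illustration of the per-list permission -> privilege -> role chain Rob describes (example script, not something posted in this thread or shipped by FreeIPA), the function below emits the `ipa` CLI commands needed for one list, plus a second set for creating and removing list entries. The subtree DN, the list names, the role and permission names, and the owner account are all assumptions; the attribute name `mgrpRFC822MailMember` is the one from the ACI in the question.

```shell
#!/bin/sh
# Added example, not part of the original thread. Generates (and optionally
# runs) the FreeIPA RBAC objects for one mailing list: a permission scoped to
# that list's entry, a privilege carrying it, and a role that users are added
# to. Assumed values: LISTS_BASE, list names, role/permission names, owners.

LISTS_BASE="${LISTS_BASE:-cn=mailinglists,dc=example,dc=com}"  # assumed subtree
LIST_ATTR="mgrpRFC822MailMember"                               # attribute from the thread's ACI

# list_member_cmds LIST ROLE [OWNER]
# Emits, one per line, the commands that let members of ROLE change the
# membership attribute of cn=LIST,$LISTS_BASE. The "write" right covers adding
# and removing attribute values; entry add/delete is a separate permission.
list_member_cmds() {
  list="$1"; role="$2"; owner="${3:-}"
  perm="Manage members of list ${list}"
  priv="List ${list} member management"
  printf '%s\n' \
    "ipa permission-add '${perm}' --right=write --attrs=${LIST_ATTR} --subtree='${LISTS_BASE}' --target='cn=${list},${LISTS_BASE}'" \
    "ipa privilege-add '${priv}'" \
    "ipa privilege-add-permission '${priv}' --permissions='${perm}'" \
    "ipa role-add '${role}'" \
    "ipa role-add-privilege '${role}' --privileges='${priv}'"
  # Optional: bind an owner account to the role in the same batch.
  [ -n "$owner" ] && printf '%s\n' "ipa role-add-member '${role}' --users='${owner}'"
  return 0
}

# list_admin_cmds ROLE
# The separate set Rob mentions: entry-level add/delete over the whole subtree,
# kept apart from per-list member management so the two can be granted independently.
list_admin_cmds() {
  role="$1"
  perm="Add and remove mailing lists"
  priv="Mailing list administration"
  printf '%s\n' \
    "ipa permission-add '${perm}' --right=add --right=delete --subtree='${LISTS_BASE}'" \
    "ipa privilege-add '${priv}'" \
    "ipa privilege-add-permission '${priv}' --permissions='${perm}'" \
    "ipa role-add '${role}'" \
    "ipa role-add-privilege '${role}' --privileges='${priv}'"
}

# Driver: constructed sample of two lists. Prints the commands by default;
# set MAILLIST_APPLY=1 to execute them on a host with an admin Kerberos ticket.
run_or_print() {
  if [ "${MAILLIST_APPLY:-0}" = "1" ]; then
    while IFS= read -r cmd; do eval "$cmd"; done
  else
    cat
  fi
}

list_admin_cmds "mailinglist-admins" | run_or_print
for l in announce devel; do
  list_member_cmds "$l" "${l}-list-owners" "alice" | run_or_print
done
```

Running it with no environment prints the commands for review; each list costs one permission, one privilege and one role, which is the management burden the reply points out. The upside, also noted above, is that several users can be added to `announce-list-owners` without any dependence on the list entry's `owner` attribute.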
_______________________________________________
FreeIPA-users mailing list -- [email protected]