Hello! I encountered a problem with differentiating user rights in FreeIPA.

Example 1: I have two user groups, for example "Priveledge Users" and "Minimal rights". Say I'd like to remove the ability for a user in the group "Minimal rights" to see the section of created Services. I need to set the "Bind rule type" of the RBAC permission "System: Read Services" from "all" to "permission", and then I add this permission to every pre-defined Privilege (there are no Privileges linked to the user group "Minimal rights"). Then, when I connect as a user in the group "Minimal rights", I can't see any Service; in this case everything works well. But the next time I send a request to create/delete a certificate for a Service (tested only with ipa-getcert), I get the status "CA Unreachable". When I switch the "System: Read Services" bind rule type back to "all", ipa-getcert works correctly, but users from the group "Minimal rights" can see Services again.

So I have a question: how do I correctly set the permission "System: Read Services" so that the user from the group does not see the Services, and ipa-getcert works correctly?

Example 2: A similar example, but now with sshd authentication. Now I'd like to remove the ability for a user in the group "Minimal rights" to see the section of user groups. If I set the permission "System: Read User Membership", then a user from the group "Minimal rights" can't see any user groups, but then I can't authenticate to a host over ssh (I have created an HBAC rule which grants one group of users access to a group of hosts). How can I set this permission correctly, so that the user from the group does not see the user groups and HBAC still works correctly?
--
FreeIPA-users mailing list -- [email protected]
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
