Thank you for your response,

> As an aside though I wouldn't set the ipausers as a memberof on this ACI.
> What that will do is allow any user to modify any other user. I doubt this
> is what you want.
> You are right, it is not what I want to do. My second command is wrong:
ipa -v aci-mod "Modify Users" --attrs=mail --memberof=ipausers

However, what I want to do is modify "Modify Users" ACI by adding the
attribute "mail" in the targetattr. I do not assimilate yet the syntaxe of
aci commands.

Thanks for help

> Even if you did it would be better to add the ipausers group as a member of
> the "Modify Users" rolegroup.
> rob

Meilleures salutations / Best Regards
Freeipa-users mailing list

Reply via email to