On 2011-12-08 17:36, Rob Crittenden wrote:
> Lassi Pölönen wrote:
>> On 7.12.2011 21:28, Dmitri Pal wrote:
>>>> So I came to the conclusion that I just create a role for each customer, e.g.
>>>> "Customer1", and assign that role to all of the customer's user groups and
>>>> hosts (too bad it isn't possible to assign a role to a hostgroup). This
>>>> requires an ACI to be created for each customer though:
>>>>

Actually it seems to be possible to assign roles to host groups as well. Just
not from Identity -> Host groups. IPA Server -> RBAC -> Roles has the option
though.

> Unless you need per-object ACIs you can probably simplify the filter
> to cover the entire DIT by dropping the target and using just the
> targetfilter.
>
> I'd recommend verifying that data doesn't leak via schema compat if
> you have that enabled.
>
> rob

Looks like dropping the target prevents a user from logging in, so apparently
there are some entries that need to be accessible other than those labeled
with memberOf <role>.

One additional thing came to my mind: user private groups probably need to be
accessible as well. At least by default there doesn't seem to be a way to
assign the same role to those as well.
