Steven Jones wrote:

I want to set a group of admin level users admin rights to select user
and host groups, can this be done in IPA?


So they need to be able to add users from the general pool to specific
groups and add specific hosts to specific groups only, can these be done?

It depends on how many groups and hostgroups you're talking about. The approach will differ depending on the answer.

This is going to be hard to do using the IPA cli tools. You'll probably have to restort to creating an aci by hand to do this. The permission module limits the types of rules that can be mixed together, something that a raw aci isn't restricted by.

This is a start, for example. It grants the 'modify specific group membership' permission the ability to write groups g2, g3 and g4.

aci: (targetattr = "member")(targetfilter = "(|(cn=g2)(cn=g3)(cn=g4))")(version 3.0;acl "permission:Modify specific group membership";allow (write) groupdn = "ldap:///cn=modify specific group membership,cn=permissions,cn=pbac,dc=example,dc=com";)

The twist is depending on where this aci is installed it could affect anything with cn=g2, g3 or g4. You'll also want a (target = "ldap:///cn=*,cn=groups,cn=accounts,dc=example,dc=com";). This will limit it to just user groups.

We install acis in $SUFFIX which is why target is needed.

You'd then create a privilege and assign the permission to it, create a role and add the privilege to it. Then you'd add your group to the role and members of that group should be able to manage the members of just g2, g3 and g4.

Or, using the cli, you could create a series of permissions to manage one group at a time, add those all to one privilege, add that one privilege to a role, etc. Like I said, it depends on the number of groups you want to manage and how hairy you're willing to let things get.


Freeipa-users mailing list

Reply via email to