On 03/25/2013 12:48 PM, Philipp Richter wrote:
> Hi,
>
> I am trying to do the following:
>
> We have some branch offices at different locations. We want to use one 
> ipa-server with replicas in each branch office. Each branch office should 
> have its own set of administrators who should be able to 
> create/modify/delete users for its own branch but should not be allowed to 
> change users from other branches.
>
> How could this be accomplished?
>
> i.e.:
>
> ipa group-add branch-at
> ipa group-add admins-at
> ipa group-add-member branch-at --groups=admins-at
>
> ipa group-add branch-us
> ipa group-add admins-us
> ipa group-add-member branch-us --groups=admins-us
>
> ipa user-add admin1at
> ipa group-add-member admins-at --users=admin1at
>
> ipa user-add user1us
> ipa group-add-member branch-us --users=user1us
>
> Now,
> every member of admin-at should be forced to create/modify/delete only users 
> in branch-at. The same applies for admin-us/branch-us.
>
> At first, I thought of a combination of (a) new role(s), with write/delete 
> permissions set for the branch-at group, as well as an automember rule, but it 
> seems there is no way to filter for the creator of an entry, which would be 
> needed for the group membership.
>
> Am I missing anything?
>
> cheers,
> Philipp
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

This might help
https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html#delegating-users


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



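The permission/privilege/role chain that the linked delegation chapter describes, worked through for one branch as an added example (not code from the thread or from the FreeIPA project). It assumes the FreeIPA 4.x CLI spelling of the options (`permission-add --right/--type/--memberof/--targetgroup/--attrs`); the 2013 release the thread was written against used `--permissions` in place of `--right`. The `ipa_cmd` wrapper and the `IPA_DRY_RUN` switch are hypothetical helpers added so the script can be previewed without a running IPA server:

```bash
#!/usr/bin/env bash
# Added example: scope a branch admin group's user-management rights to the
# users who are members of that branch's group, using FreeIPA's
# permission -> privilege -> role chain.
# Assumes FreeIPA 4.x option names. Set IPA_DRY_RUN=1 to print the ipa
# commands instead of executing them (hypothetical helper, not an ipa feature).
set -eu

ipa_cmd() {
  if [ "${IPA_DRY_RUN:-0}" = "1" ]; then
    printf 'ipa %s\n' "$*"
  else
    ipa "$@"
  fi
}

# delegate_branch BRANCH_GROUP ADMIN_GROUP
#   BRANCH_GROUP  group whose members are the branch's users (e.g. branch-at)
#   ADMIN_GROUP   group of that branch's administrators (e.g. admins-at)
delegate_branch() {
  branch="$1"
  admins="$2"

  # Write access to a fixed attribute set, but only on user entries that are
  # already members of the branch group (the --memberof target filter).
  ipa_cmd permission-add "Modify ${branch} users" \
      --type=user --memberof="$branch" --right=write \
      --attrs=givenname --attrs=sn --attrs=cn --attrs=mail --attrs=userpassword

  # Delete right, scoped the same way, so admins-at cannot remove branch-us users.
  ipa_cmd permission-add "Remove ${branch} users" \
      --type=user --memberof="$branch" --right=delete

  # Let the branch admins add and remove members of their own branch group only.
  ipa_cmd permission-add "Manage ${branch} membership" \
      --targetgroup="$branch" --right=write --attrs=member

  # Bundle the permissions into a privilege, attach it to a role, and hand the
  # role to the admin group.
  ipa_cmd privilege-add "${branch} User Administrators"
  ipa_cmd privilege-add-permission "${branch} User Administrators" \
      --permissions="Modify ${branch} users" \
      --permissions="Remove ${branch} users" \
      --permissions="Manage ${branch} membership"
  ipa_cmd role-add "${branch} Admin"
  ipa_cmd role-add-privilege "${branch} Admin" \
      --privileges="${branch} User Administrators"
  ipa_cmd role-add-member "${branch} Admin" --groups="$admins"
}

# Preview the commands for the Austrian branch from the question:
#   IPA_DRY_RUN=1 ./delegate_branch.sh
if [ "${0##*/}" = "delegate_branch.sh" ]; then
  delegate_branch branch-at admins-at
fi
```

The `--memberof` filter covers modify and delete but not create: a user entry being added has no `memberOf` yet, so an add right cannot be scoped to a branch this way. That is the same gap the question identifies with the automember idea, since automember rules match on the new entry's own attributes, not on who created it. A workable compromise is to grant the add right unscoped but keep modify and delete scoped, and to review newly created users (for example by auditing `ipa user-add` events in the 389-ds access log) to catch entries created outside an admin's own branch.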
