On 03/26/2013 12:39 AM, Dmitri Pal wrote:

>> I am trying to do the following:
>>
>> We have some branch offices at different locations. We want to use one
>> ipa-server with replicas in each branch office. Each branch office should have
>> its own set of administrators who should be able to create/modify/delete users
>> for its own branch but should not be allowed to change users from other
>> branches.
>> Every member of admin-at should be forced to create/modify/delete only users in
>> branch-at. The same applies for admin-us/branch-us.
>>
>> At first, I thought of a combination of (a) new role(s), with write/delete
>> permissions set for the branch-at group, as well as an automember rule, but it
>> seems there is no way to filter for the creator of an entry, which would be
>> needed for the group membership.
>>
>> Am I missing anything?
>
> This might help
> https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html#delegating-users

Yes, I read the whole document, but as far as I understand delegates are only helpful for editing existing records. I want admins of one branch to be able to also create users, but only in the assigned branch.

Currently we use standard OpenLDAP with different OUs for the branches. Each branch admin has full LDAP permissions for its own OU subtree.

--
: Philipp Richter
: LINBIT | Your Way to High Availability
: Tel: +43-1-8178292-51, Fax: +43-1-8178292-82
:
: http://www.linbit.com

DRBD® and LINBIT® are registered trademarks of LINBIT, Austria.
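The OpenLDAP setup described in the reply above (one OU per branch, each branch admin group with full write access to its own subtree and nothing else) expressed as a cn=config ACL, as an added illustration that is not part of this thread and not taken from the FreeIPA or OpenLDAP documentation. The suffix dc=example,dc=com, the OU and group names, the database index {1}mdb and the directory-manager DN are assumptions for illustration only.

```ldif
# Constructed example: per-branch OU subtrees with a branch admin group
# granted write access to its own subtree only. Suffix, OU/group names,
# database index and admin DN are assumptions.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# Password hashes first: ACL order matters, the first rule whose target
# matches wins, so attribute-specific rules must precede the subtree rules.
# Branch admins may reset passwords in their branch; users may change their
# own; anonymous binds may only authenticate against it, never read it.
olcAccess: {0}to dn.subtree="ou=branch-at,dc=example,dc=com" attrs=userPassword
  by group.exact="cn=admin-at,ou=groups,dc=example,dc=com" write
  by self write
  by anonymous auth
  by * none
olcAccess: {1}to dn.subtree="ou=branch-us,dc=example,dc=com" attrs=userPassword
  by group.exact="cn=admin-us,ou=groups,dc=example,dc=com" write
  by self write
  by anonymous auth
  by * none
# Branch subtrees: dn.subtree includes the OU entry itself, so "write" also
# covers the "children" pseudo-attribute of ou=branch-at, which is what an
# add operation below the OU is checked against. This is what lets admin-at
# create new users there, not just edit existing ones.
# Users get read, not write, on their own entry so they cannot alter
# group-membership or other attributes an admin is supposed to control.
olcAccess: {2}to dn.subtree="ou=branch-at,dc=example,dc=com"
  by group.exact="cn=admin-at,ou=groups,dc=example,dc=com" write
  by self read
  by users read
  by * none
olcAccess: {3}to dn.subtree="ou=branch-us,dc=example,dc=com"
  by group.exact="cn=admin-us,ou=groups,dc=example,dc=com" write
  by self read
  by users read
  by * none
# Everything else (other branches, ou=groups, the suffix entry): only the
# global directory admin may write. admin-at does not match any "write"
# clause here, so it cannot touch branch-us entries or its own group.
olcAccess: {4}to *
  by dn.exact="cn=admin,dc=example,dc=com" write
  by users read
  by * none
```

Load it with `ldapmodify -Y EXTERNAL -H ldapi:/// -f branch-acls.ldif` and verify the boundary before trusting it: `slapacl -b "ou=branch-us,dc=example,dc=com" -D "uid=someadmin,ou=branch-at,dc=example,dc=com" children/write` should report the access as denied for an admin-at member, while the same check against ou=branch-at should be granted. The important check is the negative one; an ACL that is merely too permissive will still pass every functional test the branch admins run.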

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
