I think controlling Visibility of tabs would be the best option, if
possible, based on Roles as mentioned by Rob. As long as other entries are
not visible in UI, even though they have read only access with command
line, should be enough.
On Monday, April 15, 2013, Alexander Bokovoy wrote:
> On Mon, 15 Apr 2013, Petr Spacek wrote:
>> On 15.4.2013 15:39, Rob Crittenden wrote:
>>> There is no easy way to do this. We start with granting all authenticated
>>> users read access to the tree with the exception of certain attributes
>>> You'd have to start by removing that, then one by one granting read
>>> access to
>>> the various containers based on, well, something.
>> Would it be possible to create a new role to allow current 'read-all
>> access' and add this role to all users by default?
>> It could be much simpler to change the behaviour with this role, or not?
> It would affect service accounts (include host/fqdn@REALM) since roles
> cannot be applied to them, if I remember correctly. We would need to
> make an exclusive ACI that allows all services to gain read only access...
> / Alexander Bokovoy
> Freeipa-users mailing list
Freeipa-users mailing list