nat...@nathanpeters.com wrote:
FreeIPA server 4.1.3 on CentOS 7

I am trying to create a set of privileges or roles that will allow me to
create a user who has read-only access to as much of the FreeIPA web UI as
possible. Basically my manager wants the type of view into FreeIPA that
they have in AD using the 'AD Users and Computers' program.

I note that there are quite a few read permissions in the permissions list.
I tried creating a new privilege called Read Only Administrator and
giving it all the permissions that have "read only" in the name.

For some reason I can add all other system and full access permissions, but
when I try to add a read-only permission I get the following error:
invalid 'permission': cannot add permission "System: Read HBAC Rules" with
bindtype "all" to a privilege

This applies not just to the HBAC rule, but to anything that has Read in the name.

How do I create a read only user without getting this error message?

You can't add a rule with bindtype all because this bindtype already allows all authenticated users the rights granted by the rule, in this case read access.

rob
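To see this for yourself, check the bind rule type of the rejected permission and keep only permissions whose bind rule type is "permission" (the ones a privilege can actually carry). The script below is an added example, not something posted in this thread; it assumes the ipa CLI and an admin Kerberos ticket on a FreeIPA 4.x server, that `ipa permission-find --right=read --all` prints a "Bind rule type" field, and the sample output is constructed.

```shell
# Added example (not from the thread). Assumes FreeIPA 4.x CLI output format.

# Sample output in the shape of `ipa permission-find --right=read --all`,
# constructed here so the filter can be exercised without a server.
SAMPLE_OUTPUT='  Permission name: System: Read HBAC Rules
  Granted rights: read, search, compare
  Bind rule type: all

  Permission name: System: Read User Addressbook Attributes
  Granted rights: read, search, compare
  Bind rule type: anonymous

  Permission name: System: Read User Kerberos Login Attributes
  Granted rights: read, search, compare
  Bind rule type: permission
'

# Print the names of permissions whose bind rule type is "permission".
# "all" and "anonymous" permissions already apply to every authenticated
# (or every) bind, so there is nothing left to delegate via a privilege.
addable_read_perms() {
    awk '
        /^  Permission name:/ { name = substr($0, index($0, ": ") + 2) }
        /^  Bind rule type:/  { split($0, f, ": "); if (f[2] == "permission") print name }
    '
}

# Run the filter on the constructed sample.
printf '%s' "$SAMPLE_OUTPUT" | addable_read_perms

# On a real server: confirm why the permission is rejected, then build the
# privilege from the read permissions that can be delegated.
if command -v ipa >/dev/null 2>&1; then
    ipa permission-show "System: Read HBAC Rules" | grep "Bind rule type"
    ipa privilege-add "Read Only Administrator" --desc="Delegatable read permissions"
    ipa permission-find --right=read --all | addable_read_perms |
    while IFS= read -r p; do
        ipa privilege-add-permission "Read Only Administrator" --permissions="$p"
    done
fi
```

Read permissions with bind rule type "all" need no privilege at all: any authenticated user, including the new read-only account, already gets them.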

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project