> nat...@nathanpeters.com wrote:
>> FreeIPA server 4.1.3 on CentOS 7
>> I am trying to create a set of privileges or roles that will allow me to
>> create a user who has read-only access to as much of the FreeIPA web UI
>> as
>> possible.  Basically my manager want the type of view into FreeIPA that
>> they have in AD using the 'AD Users and Computers program).
>> I note that there are quite a few read permission in the permissions
>> list.
>>   I tried creating a new privilege called Read Only Administrator and
>> giving them all the permission that have read only in the name.
>> For some reason I can add all other system and full access permissions
>> but
>> when I try to add a read only permission I get the following error :
>> invalid 'permission': cannot add permission "System: Read HBAC Rules"
>> with
>> bindtype "all" to a privilege
>> This applies not just the HBAC rule, but anything that has Read in the
>> name.
>> How do I create a read only user without getting this error message?
> You can't add a rule with bindtype all because this bindtype already
> allows all authenticated users the rights granted by the rule, in this
> case read access.
> rob

That doesn't sound right.  When I login to FreeIPA web ui with a user who
is not part of any group, the only thing he can do is browse other users
and update his own password and SSH key.  He does not get the HBAC menu
and definitely cannot browse HBAC rules.

Also, If I do this step backward and go directly to the RBAC ->
Permissions menu and choose a permission and edit it, I can add it to a
privilege, but if I go to the privilege and try to add the permission it
fails.  This makes zero sense.

I can post screenshots if that helps.

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to