On 07/03/2015 05:45 PM, nat...@nathanpeters.com wrote:
> I have been trying to create accounts in FreeIPA that have the same level
> of permission as the built-in administrator account. Basically, I want to
> do the equivalent of what you can do in Active Directory by adding someone
> to the Domain Administrators group.
>
> We need this because it is not an acceptable security model in our
> enterprise to share the built-in admin password between many
> administrators.

Very much understandable.

> What is the proper way to do this?
>
> I notice that the built-in roles are DNS Administrator, IT Security
> Specialist, IT Specialist, Security Architect, User Administrator, and
> helpdesk. If I give a user all 6 of these roles will they have the
> equivalent level of permissions as the admin user or are there things they
> still won't be able to do ?

If you want to have a user with "admin" powers, all you need to do is to add
the user to the "admins" group, as this is the group with the real powers.

If you want to create less privileged administrators, you can use the RBAC
model and create your custom roles with the chosen selection of privileges.
If you want to do even more fine-grained permission control, you can even
create your own privileges based on the permissions, which is the lowest
level of permission available in FreeIPA.

More info on this topic should be in
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/defining-roles.html

Martin

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
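The two options in Martin's reply expressed as `ipa` CLI calls (an added example, not code from the thread or from the FreeIPA project). It assumes the ipa client is installed and the caller holds an admin Kerberos ticket; the users alice and bob, the role name "Account Operators" and the privilege selection are constructed for illustration.

```sh
#!/bin/sh
# Added example: the two ways to grant administrative rights in FreeIPA.
# Assumes: ipa client installed, admin ticket obtained with `kinit admin`.
# Names below (alice, bob, "Account Operators") are constructed.
IPA="${IPA:-ipa}"   # set IPA=echo to preview the commands without running them

# Option 1: full "admin" powers. Membership in the "admins" group is what
# makes the built-in admin account powerful; no role combination equals it.
grant_full_admin() {
    "$IPA" group-add-member admins --users="$1"
}

# Option 2: a delegated administrator via RBAC. $1 is the new role name,
# the remaining arguments are existing privilege names to attach to it.
create_delegated_role() {
    role="$1"; shift
    "$IPA" role-add "$role" --desc="Delegated admin: $role"
    for priv in "$@"; do
        "$IPA" role-add-privilege "$role" --privileges="$priv"
    done
}

# Give the delegated role to a user (groups work too, via --groups).
assign_role() {
    "$IPA" role-add-member "$1" --users="$2"
}

# Verification: user-show lists both group memberships and roles, so this
# is where to confirm who is (and is not) actually in "admins".
show_effective() {
    "$IPA" user-show "$1"
}

if [ "${1:-}" = "run" ]; then
    grant_full_admin alice
    create_delegated_role "Account Operators" \
        "User Administrators" "Group Administrators"
    assign_role "Account Operators" bob
    show_effective alice
    show_effective bob
fi
```

Run it with `IPA=echo sh script.sh run` first to review the exact commands before executing them against a live realm.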