On 20.01.2016 14:26, Yogesh Sharma wrote:

We have created a user with HBAC Admin permission which has below permission (Default as provided by IPA):

System: Add HBAC Rule
System: Add HBAC Service Groups
System: Add HBAC Services
System: Delete HBAC Rule
System: Delete HBAC Service Groups
System: Delete HBAC Services
System: Manage HBAC Rule Membership
System: Manage HBAC Service Group Membership
System: Modify HBAC Rule

When I try add below in a new RBAC, it denied the operation as it is already open for all.

System: Read HBAC Rules
System: Read HBAC Service Groups
System: Read HBAC Services

If we change it to permission, then login is failing.

Please suggest what we need to do so that HBAC admin can search the HBAC rule in FreeIPA rule.

Hello, which version of IPA do you use?

This has been fixed (workaround).

The proper fix requires changes in DS ACI evaluation that should be in RHEL 7.3


/Best Regards,/
/Yogesh Sharma
/Email: yks0...@gmail.com <mailto:yks0...@gmail.com> | Web: www.initd.in <http://www.initd.in/> /

<https://www.fb.com/yks0000> <http://in.linkedin.com/in/yks0000> <https://twitter.com/checkwithyogesh> <http://google.com/+YogeshSharmaOnGooglePlus>

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to