On 14/04/16 19:59, Caton, Tina, CYFD wrote:
As a policy we disable accounts, never delete accounts.

We wish to create an Administrator account with Account Creation, Change and
Disable Permissions - No Deletion Permissions. Is that possible? How would one
do it? Thank you.

Tina Caton

Hello Tina,

this can be done.

FreeIPA uses RBAC (role based access control). On the lowest level there are individual permissions ($ ipa permission-find) which are just 389-ds ACIs (access control instructions). Then there are privileges ($ ipa privilege-find) that hold some set of permissions. Another layer consists of roles ($ ipa role-find) that can hold multiple privileges. Users and groups can be assigned a role ($ ipa role-add-member <role> [--user <user>] [--group <group>]).

What you need to do is to create a privilege (e.g. "Never delete user administrator") similar to "User Administrator" with only difference that it won't have "System: Remove Users" permission and then create a role very similar to "User Administrator" with privilege "User Administrator" replaced with "Never delete user administrator". Then you can give this role to the any user or group (don't forget to remove the origina "User Administrator" role).

Alternatively, if you're sure that no admin user in your deployment will ever need to delete user. You can simply remove "System: Remove User" permission from "User Administrator" privilege ($ ipa privilege-remove-permission "User Administrators" --permissions "System: Remove Users").

David Kupka

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to