On 14/04/16 19:59, Caton, Tina, CYFD wrote:
As a policy we disable accounts, never delete accounts.
We wish to create an Administrator account with Account Creation, Change and
Disable Permissions - No Deletion Permissions. Is that possible? How would one
do it? Thank you.
This can be done.
FreeIPA uses RBAC (role based access control). On the lowest level there
are individual permissions ($ ipa permission-find) which are just 389-ds
ACIs (access control instructions).
Then there are privileges ($ ipa privilege-find) that hold some set of
Another layer consists of roles ($ ipa role-find) that can hold multiple
privileges. Users and groups can be assigned a role ($ ipa
role-add-member <role> [--user <user>] [--group <group>]).
What you need to do is to create a privilege (e.g. "Never delete user
administrator") similar to "User Administrator" with the only difference
that it won't have "System: Remove Users" permission and then create a
role very similar to "User Administrator" with privilege "User
Administrator" replaced with "Never delete user administrator".
Then you can give this role to any user or group (don't forget to
remove the original "User Administrator" role).
Alternatively, if you're sure that no admin user in your deployment will
ever need to delete users, you can simply remove "System: Remove User"
permission from "User Administrator" privilege ($ ipa
privilege-remove-permission "User Administrators" --permissions "System:
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project
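The privilege-and-role approach from the reply above, as an added example (not code from the reply or from the FreeIPA project): a POSIX shell script that drops "System: Remove Users" from a constructed copy of the "User Administrators" permission list and prints the ipa commands that create the new privilege, wrap it in a role and grant the role to a group. The permission names other than "System: Remove Users", the role name and the group "helpdesk" are assumptions; on a real server take the list from `ipa privilege-show "User Administrators"`.

```shell
#!/bin/sh
# Constructed sample of the permissions held by the "User Administrators"
# privilege. Only "System: Remove Users" is taken from the thread; the
# other names are assumed, so compare against
#   ipa privilege-show "User Administrators"
# before applying anything.
USER_ADMIN_PERMS='System: Add Users
System: Change User password
System: Modify Users
System: Remove Users
System: Unlock User'

# The one permission the new privilege must NOT carry.
DELETE_PERM='System: Remove Users'

# filter_perms LIST: print LIST (one permission per line) without DELETE_PERM.
filter_perms() {
    printf '%s\n' "$1" | grep -Fvx -- "$DELETE_PERM"
}

# count_perms LIST: number of non-empty lines in LIST.
count_perms() {
    printf '%s\n' "$1" | grep -c .
}

# build_commands PRIVILEGE ROLE GROUP PERMS: emit the ipa commands that
# create PRIVILEGE, attach each permission in PERMS, create ROLE holding
# PRIVILEGE and add GROUP as a member of ROLE. The commands are printed,
# not executed, so they can be reviewed first (pipe to sh to apply).
build_commands() {
    priv="$1" role="$2" group="$3" perms="$4"
    printf 'ipa privilege-add "%s" --desc="User admin without delete"\n' "$priv"
    printf '%s\n' "$perms" | while IFS= read -r p; do
        printf 'ipa privilege-add-permission "%s" --permissions="%s"\n' "$priv" "$p"
    done
    printf 'ipa role-add "%s" --desc="User admin without delete"\n' "$role"
    printf 'ipa role-add-privilege "%s" --privileges="%s"\n' "$role" "$priv"
    printf 'ipa role-add-member "%s" --groups="%s"\n' "$role" "$group"
}

main() {
    perms=$(filter_perms "$USER_ADMIN_PERMS")
    build_commands "Never delete user administrator" \
        "Never Delete User Administrator" "helpdesk" "$perms"
}

main
```

Remember to remove the original "User Administrator" role from the group afterwards, otherwise the delete permission is still granted through that role.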