Larry Rosen wrote:
Are there any tutorials/how to’s to guide how to create roles?  The docs
simply go through filling out the forms, but is there any resource about
how roles are generally used and the required relationships?

This is the closest thing I have found:
http://adam.younglogic.com/2012/02/group-managers-in-freeipa/

I don’t understand how to limit various permissions/privileges to
specific users or groups.

I want a role to manage only the users of a certain group: i.e. a user
that can add, modify, delete user accounts and set/reset/unlock
passwords for one group.

The order of access control looks like permissions -> privileges -> roles. The associated privileges provide a set of permissions (actions a role can take) to the role.

Users, groups, hosts, hostgroups and services (depending on version of IPA) can be members of a role, thus having the capabilities of that role.

You add the privileges you want that role to have, then you add the groups you want, and that should do it.

A permission is a low-level "task". A privilege is usually 1-1 to a permission. It may contain multiple permissions.

An example of a privilege with multiple permissions is adding a user, where you need to be able to write the user and set the password.

For the permissions shipped with IPA there is always an associated privilege available for that so you typically don't need to mess with these.

rob



--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to