Thanks, I had those parts figured out.

I have a basic role/user working.

My next questions are:

When or why would I need to specify a Target DN or Extra target filter?  I 
don't think any are necessary for this role that has this permission to work 
since I specified the group (member of group) it can target.

-----Original Message-----
From: Rob Crittenden [] 
Sent: Friday, July 01, 2016 6:45 PM
To: Larry Rosen <>;
Subject: Re: [Freeipa-users] Creating roles tutorial/how-to

Larry Rosen wrote:
> Are there any tutorials/how to's to guide how to create roles?  The 
> docs simply go through filling out the forms, but is there any 
> resource about how roles are generally used and the required relationships?
> This is the closest thing I have found:
> I don't understand how to limit various permissions/privileges to 
> specific users or groups.
> I want a role to manage only the users of a certain group: i.e. a user 
> that can add, modify, delete user accounts and set/reset/unlock 
> passwords for one group.

The order of access control looks like permissions -> privileges -> roles. The 
associated privileges provide a set of permissions (actions a role can take) to 
the role.

Users, groups, hosts, hostgroups and services (depending on version of
IPA) can be members of a role, thus having the capabilities of that role.

You add the privileges you want that role to have, then you add the groups you 
want, and that should do it.

A permission is a low-level "task". A privilege is usually 1-1 to a permission. 
It may contain multiple permissions.

An example of a privilege with multiple permissions is adding a user, where you 
need to be able to write the user and set the password.

For the permissions shipped with IPA there is always an associated privilege 
available for that so you typically don't need to mess with these.


Manage your subscription for the Freeipa-users mailing list:
Go to for more info on the project

Reply via email to