A Role encompasses multiple privileges and privileges will normally have permissions linked to it, these three things are interconnected to form RBAC in IPA

There are already a number of defaults that may work for you instead of creating your own, for example by default there is a role called 'User Administrator' which is assigned the privileges 'User Administrators, Group Administrators, and Stage User Administrators'.

/# ipa role-show 'User Administrator'//
//  Role name: User Administrator//
//  Description: Responsible for creating Users and Groups//
// Privileges: User Administrators, Group Administrators, Stage User Administrators/

- The User Administrators privilege has the following permissions:

/# ipa privilege-show 'User Administrators'/
/  Privilege name: User Administrators/
/  Description: User Administrators/
/ Permissions: System: Add User to default group, System: Add Users, System: Change User password, System: Manage User SSH Public Keys, System: Modify Users, System: Read UPG Definition, System: Read User Kerberos Login Attributes,/ / System: Remove Users, System: Unlock User, System: Manage User Certificates/
/  Granting privilege to roles: User Administrator/

- The Permissions are what manipulate the underlying directory server ACI's to grant and restrict access controls.

I would say use the pre-built in roles if you can by linking an IPA group to a specific role then testing. On the CLI or WebUI you can modify the custom roles as you see fit. Red Hat documentation on RBAC below:


Kind regards,

Justin Stephenson

On 07/11/2016 03:47 PM, Larry Rosen wrote:
Will creating a role to add users work?
I created a permission to create users, but it will not allow the user to do 
it.  I have disabled UPG Definition plugin.

IPA Error 2100: ACIError
Insufficient access: Could not read UPG Definition originfilter. Check your 

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to