On Mon, 08 Aug 2016, Deepak Dimri wrote:
Thanks Alexander,
Please do not reply directly, always reply to the list.

Basically i want full administration capability given to a user to
manage the everything for certain hosts.  I was thinking of creating
hierarchal domain and subdomains structure ( with root domain being
main IPA server) and subdomains being the department/teams.  Based on
your response below it seems i just need to create a hostgroup and
assign admin role permissions to that hostgroup and add admin user to
it.  No need to create hierarchal domain like structure?
You don't need to create hierarchical domains.

You need to create additional permissions because the default one
applies to every object of a certain type.

Thanks,Deepak


Date: Mon, 8 Aug 2016 11:54:23 +0300
From: aboko...@redhat.com
To: deepak_di...@hotmail.com
CC: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Delegated Administration in IPA

On Mon, 08 Aug 2016, Deepak Dimri wrote:
>Hi List,
>I want some help here! i have 100 of linux servers and ec2 instances
>used by various teams/departments.   I want to have group wise
>clubbing of these servers so that i can delegate administration access
>to manager of  that particular group. For example lets say out of those
>100 servers, 25 servers belongs to engineering team so i want to
>register these 25 servers under engineering group/domain and then
>assign the full administration access to engineering manager to manage
>these 25 servers and there accesses.  I am getting a sense that we can
>create DNS subdomains for each team i.e. engineering.<ipa server domain
>name> and then register those 25 servers under engineering.<ipa server
>domain name> but then i am not sure how i can assign the access and do
>rest of the configurations.  I would be thankfully if any of you can
>provide with configuration steps to help me
What kind of administration do you want to achieve?

- Managing IPA objects themselves?
- Managing actual machines as in login to them, run sudo, etc?

For the former you'd need to learn how to deal with
permissions/privileges/roles and create separate
permissions/privileges/roles that look like a default one with
additional target filter based on the hostgroup membership.

For the latter you'd use HBAC rules.

--
/ Alexander Bokovoy
                                        

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to