Let me try to summarize it!
I want xyzadmin of xyzhostgroup to be able to manage all the hosts within the
xyzhostgroup, which means he should be able to delete/add/modify the hosts
under xyzhostgroup. This is what I currently have in the role:
myhostgroup-role (role) --> myadmin1 (admin user) --> myhostgroup (host group
where I have added the hosts) --> my-hostgroup-privilege -->
The problem is that the moment I add memberOf =cn=.... in the target filter,
then myadmin1 cannot add/delete the hosts within myhostgroup and any other
hosts in other hostgroups. However, if I assign the role permission with
subtree=dc=us-west-2,dc=compute,dc=amazonaws,dc=com and filter as
(&(cn=myhostgroup)(objectclass=ipahostgroup)) and member attribute added, then
myadmin1 gets the expected access to manage the hosts within myhostgroup, but
then he also gets access to delete and manage other hosts outside of
myhostgroup, which I don't want!

Thanks & Regards, Deepak
> Date: Tue, 30 Aug 2016 16:10:00 +0300
> From: aboko...@redhat.com
> To: deepak_di...@hotmail.com
> CC: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Permission not working as expected
> On Tue, 30 Aug 2016, Deepak Dimri wrote:
> >Hi Alexander,
> >I did try adding the "member" effective attribute in the GUI and also from
> >the command prompt, but the error is not going away when I try to delete
> >the host from my taphostgroup. For me it only works if I have
> >(&(cn=taphostgroup)(objectclass=ipaobject)) in the --filter, BUT then
> >I am allowed access to all the hosts in all the hostgroups :( I am
> >kinda stuck with this issue. It would be great if you can suggest any
> >further headway!
> Isn't this what you wanted: a user has the ability to manage all hosts in
> the host group but not other hosts?
> -- 
> / Alexander Bokovoy