Ok, I got it now. Let me try this with role + privilege having three sets of permissions: 1) memberOf hostgroup to manage the permissions to the hosts, 2) permission on cn=hostgroup to manage the hosts' membership within the given group, 3) permission for the "member attribute" to allow add/deletion of host membership based on the "member attribute" value. I need to go through the link you shared; in the meanwhile, a quick question: can I add a custom attribute, something like an AWS EC2 resource tag, as the member attribute of a host? I am just wondering what all/else could be a member attribute other than the AWS EC2 instance name...
Best Regards,
Deepak

> Date: Tue, 30 Aug 2016 18:36:21 +0300
> From: [email protected]
> To: [email protected]
> CC: [email protected]
> Subject: Re: [Freeipa-users] Permission not working as expected
>
> On Tue, 30 Aug 2016, Deepak Dimri wrote:
> >Hi Alexander,
> >
> >Since I do not want myadmin1 to be able to add or remove hosts from
> >other xyzhostgroups into myhostgroup membership, is it possible that
> >myadmin1 only sees objects I specifically gave him the permissions to and
> >not any other hosts outside of myhostgroup? That way he cannot add a
> >host he is not supposed to manage within myhostgroup.
> OK, now I get it. The easiest way to solve this problem, no surprise, is
> organizational: do not give host group admins rights to include hosts in
> the hostgroup or delete them, only allow them to manage what's in the
> host group.
>
> You then need to create a separate permission for 'add'/'del' rights
> against the 'member' attribute that would allow including/removing hosts.
> That's easy, but it would not allow you to limit *what* hosts could be
> added/removed from the host group.
>
> Unfortunately, to make that possible, permission-add/permission-mod
> should be extended to allow specifying target attribute values like
> described in the RHDS Administration Guide:
> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Access_Control-Creating_ACIs_Manually.html#Defining_Targets-Targeting_Attribute_Values_Using_LDAP_Filters
>
> Even then, to define something like this, you need to have specific
> naming of hosts to be able to specify a pattern as a 'member' attribute
> value. Not sure how this is going to work for you in AWS, though, so
> this is why I'm saying it is an organizational issue, not really a
> technical one.
>
> >Thanks for your great support!
> >regards,
> >Deepak
> >
> >From: [email protected]
> >To: [email protected]
> >CC: [email protected]
> >Subject: RE: [Freeipa-users] Permission not working as expected
> >Date: Tue, 30 Aug 2016 09:54:38 -0400
> >
> >Let me try to summarize it!
> >I want xyzadmin of xyzhostgroup to be able to manage all the hosts within the
> >xyzhostgroup, which means he should be able to delete/add/modify the
> >hosts under xyzhostgroup. This is what I currently have in the role:
> >myhostgroup-role (role) --> myadmin1 (admin user) --> myhostgroup (host group
> >where I have added the hosts) --> my-hostgroup-privilege -->
> >my-hostgroup-permission
> >The problem is that the moment I add memberOf=cn=.... in the target filter,
> >then myadmin1 cannot add/delete the hosts within myhostgroup or any other
> >hosts in other hostgroups. However, if I assign the role permission with
> >subtree=dc=us-west-2,dc=compute,dc=amazonaws,dc=com and filter as
> >(&(cn=myhostgroup)(objectclass=ipahostgroup)) and the member attribute added,
> >then myadmin1 gets the expected access to manage the hosts within
> >myhostgroup, but then he also gets access to delete and manage other hosts
> >outside of myhostgroup, which I don't want!
> >
> >Thanks & Regards,
> >Deepak
> >
> >> Date: Tue, 30 Aug 2016 16:10:00 +0300
> >> From: [email protected]
> >> To: [email protected]
> >> CC: [email protected]
> >> Subject: Re: [Freeipa-users] Permission not working as expected
> >>
> >> On Tue, 30 Aug 2016, Deepak Dimri wrote:
> >> >Hi Alexander,
> >> >I did try adding the "member" effective attribute in the GUI and also from
> >> >the command prompt, but the error is not going away when I try to delete
> >> >the host from my taphostgroup. For me it only works if I have
> >> >(&(cn=taphostgroup)(objectclass=ipaobject)) in the --filter, BUT then
> >> >I am allowed access to all the hosts in all the hostgroups :( I am
> >> >kinda stuck with this issue. Would be great if you can suggest any
> >> >further headway!
> >> Isn't this what you wanted: a user has the ability to manage all hosts in
> >> the host group but not other hosts.
> >>
> >> --
> >> / Alexander Bokovoy
> >
> >
> --
> / Alexander Bokovoy
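The role + privilege + three-permission layout sketched at the top of the thread, as an added example that is not code from the thread or from FreeIPA's own documentation. It assumes the FreeIPA 4.x `ipa` CLI, an admin Kerberos ticket, and constructed names (host group `myhostgroup`, user `myadmin1`, base DN `dc=example,dc=com`); setting `IPA_CMD=echo` dry-runs it.

```shell
#!/bin/sh
# Added example, not from the thread. IPA_CMD=echo prints the commands
# instead of running them against a real FreeIPA server.
IPA_CMD="${IPA_CMD:-ipa}"

hostgroup_admin_setup() {
    local hg="$1"      # host group the delegated admin may manage (assumed)
    local admin="$2"   # delegated admin user (assumed)
    local base="$3"    # FreeIPA base DN (assumed)
    local hg_dn="cn=$hg,cn=hostgroups,cn=accounts,$base"
    # memberOf is maintained by the server, so this filter matches only
    # hosts that are currently members of the group.
    local in_group="(memberOf=$hg_dn)"

    # 1) modify attributes of hosts that are already in the group
    "$IPA_CMD" permission-add "Modify hosts in $hg" --type=host \
        --filter="$in_group" --right=write \
        --attrs=description --attrs=l --attrs=nshostlocation \
        --attrs=userclass --attrs=ipasshpubkey
    # 2) delete hosts that are in the group (delete rights take no --attrs)
    "$IPA_CMD" permission-add "Delete hosts in $hg" --type=host \
        --filter="$in_group" --right=delete
    # 3) add/remove 'member' values on this one host group entry only.
    #    Caveat from the thread: this grants write on the whole member
    #    attribute, so it cannot restrict *which* host DNs get added; that
    #    would need an attribute-value filter in the ACI, which the
    #    permission-add command does not express.
    "$IPA_CMD" permission-add "Manage $hg membership" --type=hostgroup \
        --filter="(cn=$hg)" --right=write --attrs=member

    # bundle the permissions into a privilege, the privilege into a role,
    # and put the delegated admin into the role
    "$IPA_CMD" privilege-add "$hg admin privilege" --desc="Manage $hg"
    "$IPA_CMD" privilege-add-permission "$hg admin privilege" \
        --permissions="Modify hosts in $hg" \
        --permissions="Delete hosts in $hg" \
        --permissions="Manage $hg membership"
    "$IPA_CMD" role-add "$hg admin role"
    "$IPA_CMD" role-add-privilege "$hg admin role" \
        --privileges="$hg admin privilege"
    "$IPA_CMD" role-add-member "$hg admin role" --users="$admin"
}
```

After running it, `ipa permission-show "Manage myhostgroup membership" --all --raw` shows the generated ACI, which is the place to confirm that the target is the single host group entry and not the hosts subtree.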
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
