Ok, I got it now. Let me try this with role + privilege having three sets of
permissions: 1) memberOf hostgroup to manage the permissions to the hosts; 2)
permission on cn=hostgroup to manage the hosts' membership within the given
group; 3) permission for the "member" attribute to allow add/deletion of host
membership based on the "member" attribute value. I need to go through the link
you shared. In the meanwhile, a quick question: can I add a custom attribute,
something like an AWS EC2 resource tag, as the member attribute of a host? I am
just wondering what all/else could be a member attribute other than the AWS EC2
instance name...

Best Regards,
Deepak
> Date: Tue, 30 Aug 2016 18:36:21 +0300
> From: aboko...@redhat.com
> To: deepak_di...@hotmail.com
> CC: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Permission not working as expected
> 
> On Tue, 30 Aug 2016, Deepak Dimri wrote:
> >Hi Alexander,
> >
> >Since I do not want myadmin1 to be able to add or remove the host from
> >other xyzhostgroups into myhostgroup membership, is it possible that
> >myadmin1 only sees objects I specifically gave him the permissions to and
> >not any other hosts outside of myhostgroup? That way he cannot add the
> >host he is not supposed to manage within myhostgroup.
> OK, now I get it. The easiest way to solve this problem, no surprise, is
> organizational: do not give host group admins rights to include hosts in
> the hostgroup or delete them from it; only allow them to manage what's in the
> host group.
> 
> You then need to create a separate permission for 'add'/'del' rights
> against the 'member' attribute that would allow including/removing hosts.
> That's easy, but it would not allow you to limit *what* hosts could be
> added/removed from the host group.
> 
> Unfortunately, to make that possible, permission-add/permission-mod
> would have to be extended to allow specifying the target attribute's values, as
> described in the RHDS Administration Guide:
> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Access_Control-Creating_ACIs_Manually.html#Defining_Targets-Targeting_Attribute_Values_Using_LDAP_Filters
> 
> Even then, to define something like this, you need to have specific
> naming of hosts to be able to specify a pattern as a 'member' attribute
> value. Not sure how this is going to work for you in AWS, though, so
> this is why I'm saying it is an organizational issue, not really a
> technical one.
> 
> >Thanks for your great support!
> >regards,
> >Deepak
> >
> >From: deepak_di...@hotmail.com
> >To: aboko...@redhat.com
> >CC: freeipa-users@redhat.com
> >Subject: RE: [Freeipa-users] Permission not working as expected
> >Date: Tue, 30 Aug 2016 09:54:38 -0400
> >
> >Let me try to summarize it!
> >I want xyzadmin of xyzhostgroup to be able to manage all the hosts within the
> >xyzhostgroup, which means he should be able to delete/add/modify the
> >hosts under xyzhostgroup. This is what I currently have in the role:
> >myhostgroup-role (role) --> myadmin1 (admin user) --> myhostgroup (host group
> >where I have added the hosts) --> my-hostgroup-privilege -->
> >my-hostgroup-permission
> >The problem is that the moment I add memberOf=cn=.... in the target filter,
> >then myadmin1 cannot add/delete the hosts within myhostgroup or any other
> >hosts in other hostgroups. However, if I assign the role permission with
> >subtree=dc=us-west-2,dc=compute,dc=amazonaws,dc=com and filter as
> >(&(cn=myhostgroup)(objectclass=ipahostgroup)) and the member attribute added,
> >then myadmin1 gets the expected access to manage the hosts within
> >myhostgroup, but then he also gets access to delete and manage other hosts
> >outside of myhostgroup, which I don't want!
> >
> >Thanks & Regards,
> >Deepak
> >> Date: Tue, 30 Aug 2016 16:10:00 +0300
> >> From: aboko...@redhat.com
> >> To: deepak_di...@hotmail.com
> >> CC: freeipa-users@redhat.com
> >> Subject: Re: [Freeipa-users] Permission not working as expected
> >>
> >> On Tue, 30 Aug 2016, Deepak Dimri wrote:
> >> >Hi Alexander,
> >> >I did try adding the "member" effective attribute in the GUI and also from
> >> >the command prompt, but the error is not going away when I try to delete
> >> >the host from my taphostgroup. For me it only works if I have
> >> >(&(cn=taphostgroup)(objectclass=ipaobject)) in the --filter, BUT then
> >> >I am allowed access to all the hosts in all the hostgroups :( I am
> >> >kinda stuck with this issue. Would be great if you can suggest any
> >> >further headway!
> >> Isn't this what you wanted: a user has the ability to manage all hosts in
> >> the host group but not other hosts.
> >>
> >> --
> >> / Alexander Bokovoy
> >
> 
> -- 
> / Alexander Bokovoy
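An added example, not code from this thread or from FreeIPA itself: a small model of how a permission's subtree and target filter decide which LDAP entries it reaches, using the three filter shapes discussed above. The container layout (cn=computers, cn=hostgroups) and the hostnames are assumed for illustration.

```python
# Constructed directory modelled on the suffix used in the thread.
BASE = "dc=us-west-2,dc=compute,dc=amazonaws,dc=com"
GROUP = f"cn=myhostgroup,cn=hostgroups,cn=accounts,{BASE}"   # assumed container layout
OTHER = f"cn=xyzhostgroup,cn=hostgroups,cn=accounts,{BASE}"
HOSTS = f"cn=computers,cn=accounts,{BASE}"

def host(name, group):
    """Constructed host entry with the memberOf value the thread filters on."""
    return (f"fqdn={name},{HOSTS}",
            {"objectclass": ["ipahost"], "fqdn": [name], "memberof": [group]})

DIRECTORY = dict([host("web1.example.test", GROUP), host("web2.example.test", GROUP),
                  host("db1.example.test", OTHER)])
DIRECTORY[GROUP] = {"objectclass": ["ipahostgroup"], "cn": ["myhostgroup"],
                    "member": [dn for dn, e in DIRECTORY.items() if GROUP in e["memberof"]]}

def parse(s, i=0):
    """Parse the filter subset used in the thread: (&...) and (attr=value)."""
    assert s[i] == "("
    if s[i + 1] == "&":
        i, kids = i + 2, []
        while s[i] != ")":
            node, i = parse(s, i)
            kids.append(node)
        return ("&", kids), i + 1
    end = s.index(")", i)                      # the DN values used here contain no ')'
    attr, value = s[i + 1:end].split("=", 1)
    return ("=", attr.lower(), value.lower()), end + 1   # case-insensitive matching

def matches(entry, node):
    if node[0] == "&":
        return all(matches(entry, kid) for kid in node[1])
    return node[2] in [v.lower() for v in entry.get(node[1], [])]

def covered(subtree, flt):
    """DNs a permission with this subtree and target filter reaches (attribute rights aside)."""
    tree, _ = parse(flt)
    return sorted(dn for dn, e in DIRECTORY.items()
                  if dn.lower().endswith(subtree.lower()) and matches(e, tree))

# 1) host permission scoped by memberOf: only the hosts that are members of myhostgroup
IN_GROUP = covered(BASE, f"(&(objectclass=ipahost)(memberOf={GROUP}))")
# 2) the group entry itself, for writing its 'member' attribute; the filter picks the
#    entry only and says nothing about which host DNs may be written into 'member'
GROUP_ENTRY = covered(BASE, "(&(cn=myhostgroup)(objectclass=ipahostgroup))")
# 3) the over-broad variant from the thread: every host under the subtree, db1 included
ALL_HOSTS = covered(BASE, "(objectclass=ipahost)")

for label, dns in (("memberOf", IN_GROUP), ("group entry", GROUP_ENTRY), ("subtree", ALL_HOSTS)):
    print(f"{label}: {len(dns)} entries -> {dns}")
```

The memberOf-scoped permission is what keeps myadmin1 away from db1 in xyzhostgroup; restricting which DNs he may put into 'member' on the group entry needs the value-level ACI target from the RHDS guide, not a target filter.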
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project