On Thu, 19 Oct 2017, Chris Dagdigian via FreeIPA-users wrote:

Hi folks,

We have an absurdly complex multi-domain/multi-child AD forest tied together on AWS via FreeIPA.

I'm spending a lot of time debugging login issues and the "ipa hbactest" command is fantastic at "proving" out if something should or should not work.

I currently "kinit admin" before running these commands but would like to be able to pass this 'power' on to other people, including project managers and other folks that I would not trust with direct IPA privileges that would let them accidentally do dangerous things :)

Has anyone set up an IPA user with read-only access or otherwise set up a locked down role so that a user can only run "ipa hbactest ..." type commands? Looking for sensible tips and guidance on spreading some IPA powers around to people that I would not normally want having higher level privileges.

Look at https://vda.li/en/posts/2016/08/30/Creating-permissions-in-FreeIPA/ for inspiration and potential issues to deal with.

--
/ Alexander Bokovoy
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
