Re: [Freeipa-users] Role to add users fails - IPA Error 2100: ACIError

2016-07-11 Thread Justin Stephenson
A Role encompasses multiple privileges, and privileges will normally have 
permissions linked to them; these three things are interconnected to form 
RBAC in IPA.


There are already a number of defaults that may work for you instead of 
creating your own, for example by default there is a role called 'User 
Administrator' which is assigned the privileges 'User Administrators, 
Group Administrators, and Stage User Administrators'.


# ipa role-show 'User Administrator'
  Role name: User Administrator
  Description: Responsible for creating Users and Groups
  Privileges: User Administrators, Group Administrators, Stage User Administrators


- The User Administrators privilege has the following permissions:

# ipa privilege-show 'User Administrators'
  Privilege name: User Administrators
  Description: User Administrators
  Permissions: System: Add User to default group, System: Add Users,
    System: Change User password, System: Manage User SSH Public Keys,
    System: Modify Users, System: Read UPG Definition, System: Read User
    Kerberos Login Attributes, System: Remove Users, System: Unlock User,
    System: Manage User Certificates
  Granting privilege to roles: User Administrator

- The Permissions are what manipulate the underlying directory server 
ACIs to grant and restrict access controls.


I would say use the pre-built roles if you can, by linking an IPA 
group to a specific role and then testing. On the CLI or WebUI you can 
modify the custom roles as you see fit. Red Hat documentation on RBAC below:


https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/defining-roles.html

Kind regards,

Justin Stephenson

On 07/11/2016 03:47 PM, Larry Rosen wrote:

Will creating a role to add users work?
I created a permission to create users, but it will not allow the user to do 
it.  I have disabled the UPG Definition plugin.

IPA Error 2100: ACIError
Insufficient access: Could not read UPG Definition originfilter. Check your 
permissions.



-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
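An added example, not from the thread or the FreeIPA project: an offline check that parses "ipa privilege-show" style output (constructed samples in the layout quoted above) and lists the permissions a custom privilege lacks compared with the built-in 'User Administrators' privilege. The custom privilege 'Helpdesk User Creators' and its permission name are hypothetical; a missing 'System: Read UPG Definition' is exactly the gap behind the "Could not read UPG Definition" ACIError.

```python
"""Compare a custom IPA privilege against the built-in 'User Administrators'
privilege by parsing 'ipa privilege-show' output offline."""
import re

# Constructed sample: output of `ipa privilege-show 'User Administrators'`
# as quoted in the thread (wrapped lines are indented deeper than the key).
BUILTIN_PRIVILEGE = """\
  Privilege name: User Administrators
  Description: User Administrators
  Permissions: System: Add User to default group, System: Add Users,
    System: Change User password, System: Manage User SSH Public Keys,
    System: Modify Users, System: Read UPG Definition, System: Read User
    Kerberos Login Attributes, System: Remove Users, System: Unlock User,
    System: Manage User Certificates
  Granting privilege to roles: User Administrator
"""

# Constructed sample: a hypothetical custom privilege carrying only a
# hand-made 'add users' permission, the situation that yields ACIError 2100.
CUSTOM_PRIVILEGE = """\
  Privilege name: Helpdesk User Creators
  Description: hypothetical custom privilege
  Permissions: Helpdesk add users
  Granting privilege to roles: Helpdesk User Creator
"""

FIELD = re.compile(r"^  (\S[^:]*): (.*)$")  # two-space indent starts a field


def parse_show(text):
    """Turn 'ipa *-show' key/value output into a dict. Lines indented deeper
    than a field continue the previous value (the CLI wraps long lists)."""
    fields, key = {}, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            key, fields[key] = m.group(1), m.group(2).strip()
        elif key and line.strip():
            fields[key] += " " + line.strip()
    return fields


def permissions(text):
    """Set of permission names listed under 'Permissions:'."""
    raw = parse_show(text).get("Permissions", "")
    return {p.strip() for p in raw.split(",") if p.strip()}


def missing_vs_builtin(custom_text, builtin_text=BUILTIN_PRIVILEGE):
    """Permissions the built-in privilege grants but the custom one lacks."""
    return sorted(permissions(builtin_text) - permissions(custom_text))


if __name__ == "__main__":
    for perm in missing_vs_builtin(CUSTOM_PRIVILEGE):
        print("missing:", perm)
```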

[Freeipa-users] Role to add users fails - IPA Error 2100: ACIError

2016-07-11 Thread Larry Rosen
Will creating a role to add users work?
I created a permission to create users, but it will not allow the user to do 
it.  I have disabled the UPG Definition plugin.

IPA Error 2100: ACIError
Insufficient access: Could not read UPG Definition originfilter. Check your 
permissions.
