A Role encompasses multiple privileges, and privileges will normally have
permissions linked to them; these three things are interconnected to form
RBAC in IPA.
There are already a number of defaults that may work for you instead of
creating your own. For example, by default there is a role called 'User
Administrator' which is assigned the privileges 'User Administrators,
Group Administrators, and Stage User Administrators'.
# ipa role-show 'User Administrator'
  Role name: User Administrator
  Description: Responsible for creating Users and Groups
  Privileges: User Administrators, Group Administrators, Stage User Administrators
- The User Administrators privilege has the following permissions:
# ipa privilege-show 'User Administrators'
  Privilege name: User Administrators
  Description: User Administrators
  Permissions: System: Add User to default group, System: Add Users,
               System: Change User password, System: Manage User SSH Public Keys,
               System: Modify Users, System: Read UPG Definition,
               System: Read User Kerberos Login Attributes, System: Remove Users,
               System: Unlock User, System: Manage User Certificates
  Granting privilege to roles: User Administrator
- The Permissions are what manipulate the underlying directory server
ACIs to grant and restrict access controls.
I would say use the pre-built roles if you can, by linking an IPA
group to a specific role and then testing. On the CLI or WebUI you can
modify the custom roles as you see fit. Red Hat documentation on RBAC is below:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/defining-roles.html
Kind regards,
Justin Stephenson
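To make the role -> privilege -> permission chain concrete, here is an added example (not from the thread or from FreeIPA itself) that parses the field/value layout `ipa privilege-show` prints and reports which permissions a custom privilege lacks compared with the built-in 'User Administrators' privilege. The sample output is constructed to mirror the thread, the custom privilege 'Account Creators' is hypothetical, and the 2-space field indent with deeper indent for wrapped lines is an assumption about the CLI layout.

```python
"""Offline model of IPA RBAC (role -> privileges -> permissions).

Parses the text that `ipa privilege-show` prints and lists the permissions
a custom privilege is missing relative to a built-in one.  Sample output
below is constructed to match the thread; it is not captured from a server.
"""

# Constructed sample in `ipa privilege-show` layout (assumed: 2-space field
# indent, deeper indent for wrapped continuation lines).
BUILTIN = """\
  Privilege name: User Administrators
  Description: User Administrators
  Permissions: System: Add User to default group, System: Add Users,
               System: Change User password, System: Manage User SSH Public Keys,
               System: Modify Users, System: Read UPG Definition, System: Read User
               Kerberos Login Attributes, System: Remove Users, System: Unlock User,
               System: Manage User Certificates
  Granting privilege to roles: User Administrator
"""

# Hypothetical custom privilege that only carries an "add users" permission,
# the kind of minimal privilege that trips over the UPG Definition read.
CUSTOM = """\
  Privilege name: Account Creators
  Permissions: System: Add Users
"""


def parse_show_output(text):
    """Return {field: value} from `ipa *-show` output, joining wrapped lines."""
    fields, key = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if len(line) - len(line.lstrip()) <= 2 and ": " in line:
            key, _, value = line.strip().partition(": ")   # new field
            fields[key] = value
        elif key is not None:                              # continuation line
            fields[key] += " " + line.strip()
    return fields


def permissions_of(fields):
    """Split the comma-separated Permissions field into a set of names."""
    return {p.strip() for p in fields.get("Permissions", "").split(",") if p.strip()}


def missing_permissions(custom_text, builtin_text):
    """Permissions the built-in privilege grants that the custom one lacks."""
    return sorted(permissions_of(parse_show_output(builtin_text))
                  - permissions_of(parse_show_output(custom_text)))


if __name__ == "__main__":
    for perm in missing_permissions(CUSTOM, BUILTIN):
        print("custom privilege lacks:", perm)
```

Running it lists 'System: Read UPG Definition' among the gaps, which is the read that the ACIError in the original question complains about.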
On 07/11/2016 03:47 PM, Larry Rosen wrote:
Will creating a role to add users work?
I created a permission to create users, but it will not allow the user to do
it. I have disabled UPG Definition plugin.
IPA Error 2100: ACIError
Insufficient access: Could not read UPG Definition originfilter. Check your
permissions.
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project