Steven Jones wrote:
Hi,

I want to set a group of admin level users admin rights to select user
and host groups, can this be done in IPA?

How?

So they need to be able to add users from the general pool to specific
groups and add specific hosts to specific groups only, can these be done?

It depends on how many groups and hostgroups you're talking about. The approach will differ depending on the answer.

This is going to be hard to do using the IPA cli tools. You'll probably have to resort to creating an aci by hand to do this. The permission module limits the types of rules that can be mixed together, something that a raw aci isn't restricted by.

This is a start, for example. It grants the 'modify specific group membership' permission the ability to write groups g2, g3 and g4.

aci: (targetattr = "member")(targetfilter = "(|(cn=g2)(cn=g3)(cn=g4))")(version 3.0;acl "permission:Modify specific group membership";allow (write) groupdn = "ldap:///cn=modify specific group membership,cn=permissions,cn=pbac,dc=example,dc=com";)

The twist is that, depending on where this aci is installed, it could affect anything with cn=g2, g3 or g4. You'll also want a (target = "ldap:///cn=*,cn=groups,cn=accounts,dc=example,dc=com";). This will limit it to just user groups.

We install acis in $SUFFIX which is why target is needed.

You'd then create a privilege and assign the permission to it, create a role and add the privilege to it. Then you'd add your group to the role and members of that group should be able to manage the members of just g2, g3 and g4.

Or, using the cli, you could create a series of permissions to manage one group at a time, add those all to one privilege, add that one privilege to a role, etc. Like I said, it depends on the number of groups you want to manage and how hairy you're willing to let things get.

rob
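The ACI Rob sketches, and the permission/privilege/role wiring that follows it, as an added example that is not part of the original thread. It is a POSIX shell script: group_filter builds the targetfilter from a list of group names, build_aci adds the target clause that confines the rule to one container under cn=accounts, build_ldif produces the ldapmodify input for installing it in $SUFFIX, aci_is_scoped refuses an ACI without that target clause, and the two apply_* functions carry out Rob's two routes with the ipa CLI. The suffix dc=example,dc=com, the groups g2 g3 g4, the delegated admin group group-admins and the privilege/role names are assumptions, and the ipa/ldapmodify commands are printed rather than executed unless DRY_RUN=0. It goes slightly beyond the post in taking the container as a parameter, so the same ACI shape can be pointed at host groups under cn=hostgroups,cn=accounts.

```shell
#!/bin/sh
# Added example, not code from the original thread or from FreeIPA itself.
# Assumptions: suffix dc=example,dc=com, groups g2 g3 g4, delegated admin
# group "group-admins", and the permission/privilege/role names below.
set -u

SUFFIX="${SUFFIX:-dc=example,dc=com}"
PERM_NAME="Modify specific group membership"
PRIV_NAME="Delegated group membership"
ROLE_NAME="Delegated Group Admin"
ADMIN_GROUP="group-admins"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the ipa/ldapmodify commands, 0 = run them

# Execute a command, or just show it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

# g2 g3 g4 -> (|(cn=g2)(cn=g3)(cn=g4))
group_filter() {
    f=""
    for g in "$@"; do f="$f(cn=$g)"; done
    printf '(|%s)' "$f"
}

# The hand-built ACI. $1 is the container under cn=accounts ("groups" for
# user groups, "hostgroups" for host groups); the rest are group names.
# IPA installs its ACIs on $SUFFIX, so the target clause is what stops the
# rule from reaching anything else named g2/g3/g4 elsewhere in the tree.
build_aci() {
    container="$1"; shift
    perm_cn=$(printf '%s' "$PERM_NAME" | tr '[:upper:]' '[:lower:]')
    printf '(target = "ldap:///cn=*,cn=%s,cn=accounts,%s")(targetattr = "member")(targetfilter = "%s")(version 3.0;acl "permission:%s";allow (write) groupdn = "ldap:///cn=%s,cn=permissions,cn=pbac,%s";)' \
        "$container" "$SUFFIX" "$(group_filter "$@")" "$PERM_NAME" "$perm_cn" "$SUFFIX"
}

# LDIF that adds the ACI to the suffix entry, where IPA keeps its ACIs.
build_ldif() {
    printf 'dn: %s\nchangetype: modify\nadd: aci\naci: %s\n' "$SUFFIX" "$(build_aci "$@")"
}

# Guard against the "twist": an ACI with no target clause is not scoped.
aci_is_scoped() {
    case "$1" in
        *'(target = "ldap:///cn=*,cn='*',cn=accounts,'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Shared tail: permission(s) -> privilege -> role -> the admin group.
wire_privilege_and_role() {
    run ipa privilege-add "$PRIV_NAME" --desc="Manage membership of selected groups"
    run ipa privilege-add-permission "$PRIV_NAME" --permissions="$1"
    run ipa role-add "$ROLE_NAME" --desc="Delegated group administrators"
    run ipa role-add-privilege "$ROLE_NAME" --privileges="$PRIV_NAME"
    run ipa role-add-member "$ROLE_NAME" --groups="$ADMIN_GROUP"
}

# Route 1: one hand-built ACI covering all groups. The permission entry
# named in groupdn must already exist under cn=permissions,cn=pbac,$SUFFIX,
# otherwise the ACI grants nothing.
apply_aci_route() {
    aci=$(build_aci groups "$@")
    aci_is_scoped "$aci" || { echo "refusing to install an unscoped ACI" >&2; return 1; }
    build_ldif groups "$@" | run ldapmodify -x -D "cn=Directory Manager" -W
    wire_privilege_and_role "$PERM_NAME"
}

# Route 2 (pure CLI): one permission per group via --targetgroup, all added
# to the same privilege.
apply_cli_route() {
    perms=""
    for g in "$@"; do
        p="Modify membership of $g"
        run ipa permission-add "$p" --permissions=write --attrs=member --targetgroup="$g"
        perms="${perms:+$perms,}$p"
    done
    wire_privilege_and_role "$perms"
}

main() {
    build_ldif groups g2 g3 g4
    echo
    apply_cli_route g2 g3 g4
}
main
```

With DRY_RUN left at 1 the script only shows the LDIF and the ipa commands it would run; set DRY_RUN=0 on a host with an admin ticket to actually run them. Route 1 is worth checking after installation with a bind as a member of group-admins: a modify of member on cn=g2,cn=groups,cn=accounts should succeed, while the same write to an entry named g2 under cn=hostgroups,cn=accounts should be refused, which is exactly what the target clause buys you.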

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
