<div dir="ltr"><div class="gmail_default" style="font-family:verdana,sans-serif">Hi Martin,</div><div class="gmail_default" style="font-family:verdana,sans-serif"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif">FreeIPA version 4.1.0</div><div class="gmail_default" style="font-family:verdana,sans-serif"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif">Will look into the Workaround. Thanks</div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><i style="font-size:12.8000001907349px"><span style="font-family:verdana,sans-serif">Best Regards,</span></i><br></div><div dir="ltr"><div style="font-size:12.8000001907349px"><div><i><span style="font-family:verdana,sans-serif">__________________________________________<br></span></i></div><i><span style="font-family:verdana,sans-serif">Yogesh Sharma<br></span></i></div><span style="font-size:12.8000001907349px;font-family:verdana,sans-serif"><i>Email: <a href="mailto:yks0000@gmail.com" target="_blank">yks0000@gmail.com</a> | Web: <span style="color:rgb(0,0,0)"><a href="http://www.initd.in/" target="_blank">www.initd.in</a> </span></i></span><br></div><div dir="ltr"><span style="font-size:12.8000001907349px;font-family:verdana,sans-serif"><i><span style="color:rgb(0,0,0)"><br></span></i></span></div><div><span style="font-size:12.8000001907349px;font-family:verdana,sans-serif"><i><span style="color:rgb(0,0,0)">RHCE, VCE-CIA, RACKSPACE CLOUD U Certified</span></i></span></div></div></div></div></div></div></div></div></div>
<br><div class="gmail_quote">On Wed, Jan 20, 2016 at 7:04 PM, Martin Basti <span dir="ltr">&lt;<a href="mailto:mbasti@redhat.com" target="_blank">mbasti@redhat.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div text="#000000" bgcolor="#FFFFFF">
    <br>
    <br>
    <div>On 20.01.2016 14:26, Yogesh Sharma
      wrote:<br>
    </div>
    <blockquote type="cite">
      <div dir="ltr">
        <div class="gmail_default" style="font-family:verdana,sans-serif">Hi,</div>
        <div class="gmail_default" style="font-family:verdana,sans-serif"><br>
        </div>
        <div class="gmail_default" style="font-family:verdana,sans-serif">We have created a user
          with HBAC Admin permission which has the below permissions (default
          as provided by IPA):</div>
        <div class="gmail_default" style="font-family:verdana,sans-serif"><br>
        </div>
        <div class="gmail_default" style="font-family:verdana,sans-serif">
          <div class="gmail_default">System: Add HBAC Rule</div>
          <div class="gmail_default">System: Add HBAC Service Groups</div>
          <div class="gmail_default">System: Add HBAC Services</div>
          <div class="gmail_default">System: Delete HBAC Rule</div>
          <div class="gmail_default">System: Delete HBAC Service Groups</div>
          <div class="gmail_default">System: Delete HBAC Services</div>
          <div class="gmail_default">System: Manage HBAC Rule Membership</div>
          <div class="gmail_default">System: Manage HBAC Service Group
            Membership</div>
          <div class="gmail_default">System: Modify HBAC Rule</div>
          <div class="gmail_default"><br>
          </div>
          <div class="gmail_default">When I try to add the below in a new RBAC,
            it denied the operation as it is already open for all.</div>
          <div class="gmail_default"><br>
          </div>
          <div class="gmail_default">
            <div class="gmail_default">System: Read HBAC Rules</div>
            <div class="gmail_default">System: Read HBAC Service Groups</div>
            <div class="gmail_default">System: Read HBAC Services</div>
            <div class="gmail_default"><br>
            </div>
            <div class="gmail_default"><br>
            </div>
            <div class="gmail_default">If we change it to permission,
              then login is failing.</div>
            <div class="gmail_default"><br>
            </div>
            <div class="gmail_default">Please suggest what we need to do
              so that HBAC admin can search the HBAC rule in FreeIPA
              rule.</div>
            <div class="gmail_default"><br>
            </div>
            <div class="gmail_default"><br>
            </div>
          </div>
        </div>
      </div>
    </blockquote>
    Hello, which version of IPA do you use?<br>
    <br>
    This has been fixed (workaround).<br>
    <a href="https://fedorahosted.org/freeipa/ticket/5130" target="_blank">https://fedorahosted.org/freeipa/ticket/5130</a><br>
    <br>
    The proper fix requires changes in DS ACI evaluation that should be
    in RHEL 7.3<br>
    <br>
    Martin<br>
    <br>
    <br>
  </div>

</blockquote></div><br></div>