<html> <head> <meta content="text/html; charset=windows-1252" http-equiv="Content-Type"> </head> <body text="#000000" bgcolor="#FFFFFF"> <br> <br> <div class="moz-cite-prefix">On 20.01.2016 14:26, Yogesh Sharma wrote:<br> </div> <blockquote cite="mid:CAE2-OsrH_xtv5KU7n0B1=qVqn2qnL-d8z_y_vTLq-OMpE5nv2g@mail.gmail.com" type="cite"> <div dir="ltr"> <div class="gmail_default" style="font-family:verdana,sans-serif">Hi,</div> <div class="gmail_default" style="font-family:verdana,sans-serif"><br> </div> <div class="gmail_default" style="font-family:verdana,sans-serif">We have created a user with HBAC Admin permission which has below permission (Default as provided by IPA):</div> <div class="gmail_default" style="font-family:verdana,sans-serif"><br> </div> <div class="gmail_default" style="font-family:verdana,sans-serif"> <div class="gmail_default">System: Add HBAC Rule</div> <div class="gmail_default">System: Add HBAC Service Groups</div> <div class="gmail_default">System: Add HBAC Services</div> <div class="gmail_default">System: Delete HBAC Rule</div> <div class="gmail_default">System: Delete HBAC Service Groups</div> <div class="gmail_default">System: Delete HBAC Services</div> <div class="gmail_default">System: Manage HBAC Rule Membership</div> <div class="gmail_default">System: Manage HBAC Service Group Membership</div> <div class="gmail_default">System: Modify HBAC Rule</div> <div class="gmail_default"><br> </div> <div class="gmail_default">When I try add below in a new RBAC, it denied the operation as it is already open for all.</div> <div class="gmail_default"><br> </div> <div class="gmail_default"> <div class="gmail_default">System: Read HBAC Rules</div> <div class="gmail_default">System: Read HBAC Service Groups</div> <div class="gmail_default">System: Read HBAC Services</div> <div class="gmail_default"><br> </div> <div class="gmail_default"><br> </div> <div class="gmail_default">If we change it to permission, then login is failing.</div> <div class="gmail_default"><br> </div> <div class="gmail_default">Please suggest what we need to do so that HBAC admin can search the HBAC rule in FreeIPA rule.</div> <div class="gmail_default"><br> </div> <div class="gmail_default"><br> </div> </div> </div> </div> </blockquote> Hello, which version of IPA do you use?<br> <br> This has been fixed (workaround).<br> <a class="moz-txt-link-freetext" href="https://fedorahosted.org/freeipa/ticket/5130">https://fedorahosted.org/freeipa/ticket/5130</a><br> <br> The proper fix requires changes in DS ACI evaluation that should be in RHEL 7.3<br> <br> Martin<br> <br> <blockquote cite="mid:CAE2-OsrH_xtv5KU7n0B1=qVqn2qnL-d8z_y_vTLq-OMpE5nv2g@mail.gmail.com" type="cite"> <div dir="ltr"> <div class="gmail_default" style="font-family:verdana,sans-serif"><br> </div> <div> <div class="gmail_signature"> <div dir="ltr"> <div> <div dir="ltr"> <div dir="ltr"> <div dir="ltr"> <div dir="ltr"> <div dir="ltr"><i style="font-size:12.8px"><span style="font-family:verdana,sans-serif">Best Regards,</span></i><br> </div> <div dir="ltr"> <div style="font-size:12.8px"> <div><i><span style="font-family:verdana,sans-serif">__________________________________________<br> </span></i></div> <i><span style="font-family:verdana,sans-serif">Yogesh Sharma<br> </span></i></div> <span style="font-size:12.8px;font-family:verdana,sans-serif"><i>Email: <a moz-do-not-send="true" href="mailto:yks0000@gmail.com" target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:yks0000@gmail.com">yks0000@gmail.com</a></a> | Web: <span style="color:rgb(0,0,0)"><a moz-do-not-send="true" href="http://www.initd.in/" target="_blank"><a class="moz-txt-link-abbreviated" href="http://www.initd.in">www.initd.in</a></a> </span></i></span><br> </div> <div dir="ltr"><span style="font-size:12.8px;font-family:verdana,sans-serif"><i><span style="color:rgb(0,0,0)"><br> </span></i></span></div> <div><span style="font-size:12.8px;font-family:verdana,sans-serif"><i><span style="color:rgb(0,0,0)">RHCE, VCE-CIA, RACKSPACE CLOUD U Certified</span></i></span></div> <div dir="ltr"><br> </div> <div dir="ltr"><a moz-do-not-send="true" href="https://www.fb.com/yks0000" target="_blank"><img moz-do-not-send="true" src="http://i.imgbox.com/ojTDSuw0.gif" alt=""></a> <a moz-do-not-send="true" href="http://in.linkedin.com/in/yks0000" target="_blank"><img moz-do-not-send="true" src="http://i.imgbox.com/fHLDBlyz.gif"></a> <a moz-do-not-send="true" href="https://twitter.com/checkwithyogesh" target="_blank"><img moz-do-not-send="true" src="http://i.imgbox.com/vTX3eOJ5.gif"></a> <a moz-do-not-send="true" href="http://google.com/+YogeshSharmaOnGooglePlus" target="_blank"><img moz-do-not-send="true" src="http://i.imgbox.com/W2bQouRN.gif"></a></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <br> <fieldset class="mimeAttachmentHeader"></fieldset> <br> </blockquote> <br> </body> </html>