<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<br>
<br>
<div class="moz-cite-prefix">On 20.01.2016 14:26, Yogesh Sharma
wrote:<br>
</div>
<blockquote
cite="mid:CAE2-OsrH_xtv5KU7n0B1=qVqn2qnL-d8z_y_vTLq-OMpE5nv2g@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_default"
style="font-family:verdana,sans-serif">Hi,</div>
<div class="gmail_default"
style="font-family:verdana,sans-serif"><br>
</div>
<div class="gmail_default"
style="font-family:verdana,sans-serif">We have created a user
with the HBAC Admin permission, which has the permissions below (default
as provided by IPA):</div>
<div class="gmail_default"
style="font-family:verdana,sans-serif"><br>
</div>
<div class="gmail_default"
style="font-family:verdana,sans-serif">
<div class="gmail_default">System: Add HBAC Rule</div>
<div class="gmail_default">System: Add HBAC Service Groups</div>
<div class="gmail_default">System: Add HBAC Services</div>
<div class="gmail_default">System: Delete HBAC Rule</div>
<div class="gmail_default">System: Delete HBAC Service Groups</div>
<div class="gmail_default">System: Delete HBAC Services</div>
<div class="gmail_default">System: Manage HBAC Rule Membership</div>
<div class="gmail_default">System: Manage HBAC Service Group
Membership</div>
<div class="gmail_default">System: Modify HBAC Rule</div>
<div class="gmail_default"><br>
</div>
<div class="gmail_default">When I try to add the below to a new RBAC,
it denies the operation, as it is already open for all.</div>
<div class="gmail_default"><br>
</div>
<div class="gmail_default">
<div class="gmail_default">System: Read HBAC Rules</div>
<div class="gmail_default">System: Read HBAC Service Groups</div>
<div class="gmail_default">System: Read HBAC Services</div>
<div class="gmail_default"><br>
</div>
<div class="gmail_default"><br>
</div>
<div class="gmail_default">If we change it to a permission,
then login fails.</div>
<div class="gmail_default"><br>
</div>
<div class="gmail_default">Please suggest what we need to do
so that the HBAC admin can search the HBAC rules in
FreeIPA.</div>
<div class="gmail_default"><br>
</div>
<div class="gmail_default"><br>
</div>
</div>
</div>
</div>
</blockquote>
Hello, which version of IPA do you use?<br>
<br>
This has been fixed (workaround).<br>
<a class="moz-txt-link-freetext" href="https://fedorahosted.org/freeipa/ticket/5130">https://fedorahosted.org/freeipa/ticket/5130</a><br>
<br>
The proper fix requires changes in DS ACI evaluation that should be
in RHEL 7.3.<br>
<br>
Martin<br>
<br>
<blockquote
cite="mid:CAE2-OsrH_xtv5KU7n0B1=qVqn2qnL-d8z_y_vTLq-OMpE5nv2g@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_default"
style="font-family:verdana,sans-serif"><br>
</div>
<div>
<div class="gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr"><i style="font-size:12.8px"><span
style="font-family:verdana,sans-serif">Best
Regards,</span></i><br>
</div>
<div dir="ltr">
<div style="font-size:12.8px">
<div><i><span
style="font-family:verdana,sans-serif">__________________________________________<br>
</span></i></div>
<i><span
style="font-family:verdana,sans-serif">Yogesh
Sharma<br>
</span></i></div>
<span
style="font-size:12.8px;font-family:verdana,sans-serif"><i>Email: <a
moz-do-not-send="true"
href="mailto:yks0000@gmail.com"
target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:yks0000@gmail.com">yks0000@gmail.com</a></a> |
Web: <span style="color:rgb(0,0,0)"><a
moz-do-not-send="true"
href="http://www.initd.in/"
target="_blank"><a class="moz-txt-link-abbreviated" href="http://www.initd.in">www.initd.in</a></a> </span></i></span><br>
</div>
<div dir="ltr"><span
style="font-size:12.8px;font-family:verdana,sans-serif"><i><span
style="color:rgb(0,0,0)"><br>
</span></i></span></div>
<div><span
style="font-size:12.8px;font-family:verdana,sans-serif"><i><span
style="color:rgb(0,0,0)">RHCE, VCE-CIA,
RACKSPACE CLOUD U Certified</span></i></span></div>
<div dir="ltr"><br>
</div>
<div dir="ltr"><a moz-do-not-send="true"
href="https://www.fb.com/yks0000"
target="_blank"><img moz-do-not-send="true"
src="http://i.imgbox.com/ojTDSuw0.gif"
alt=""></a> <a moz-do-not-send="true"
href="http://in.linkedin.com/in/yks0000"
target="_blank"><img moz-do-not-send="true"
src="http://i.imgbox.com/fHLDBlyz.gif"></a> <a
moz-do-not-send="true"
href="https://twitter.com/checkwithyogesh"
target="_blank"><img moz-do-not-send="true"
src="http://i.imgbox.com/vTX3eOJ5.gif"></a> <a
moz-do-not-send="true"
href="http://google.com/+YogeshSharmaOnGooglePlus"
target="_blank"><img moz-do-not-send="true"
src="http://i.imgbox.com/W2bQouRN.gif"></a></div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<br>
</blockquote>
<br>
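<p>Added example, not part of the thread above or of FreeIPA itself: a small
audit script that takes the text an operator captured from
<code>ipa privilege-show "HBAC Administrator" --all</code> and reports which of
the HBAC permissions listed in the question the privilege actually grants, and
whether the three read permissions the poster could not add are among them.
The sample output embedded below is constructed for this example, and the
<code>Key: value</code> layout and the <code>Permissions:</code> key name are
assumptions about the CLI output format; adjust them to what your IPA version
prints.</p>
<pre>
```python
"""Audit which HBAC permissions a FreeIPA privilege grants.

Added example, not code from the mailing-list thread or from FreeIPA.
The input is the text printed by `ipa privilege-show ... --all`, captured
by an operator; the sample below is CONSTRUCTED and the `Key: value` layout
is an assumption about the CLI output format.
"""

# Permissions the poster says the HBAC Admin user already has (from the thread).
HBAC_WRITE_PERMISSIONS = frozenset({
    "System: Add HBAC Rule",
    "System: Add HBAC Service Groups",
    "System: Add HBAC Services",
    "System: Delete HBAC Rule",
    "System: Delete HBAC Service Groups",
    "System: Delete HBAC Services",
    "System: Manage HBAC Rule Membership",
    "System: Manage HBAC Service Group Membership",
    "System: Modify HBAC Rule",
})

# Read permissions the poster could not add to a new role (from the thread).
HBAC_READ_PERMISSIONS = frozenset({
    "System: Read HBAC Rules",
    "System: Read HBAC Service Groups",
    "System: Read HBAC Services",
})

# Constructed sample of `ipa privilege-show "HBAC Administrator" --all` output
# (assumed format: indented "Key: value" lines, comma-separated multi-values).
SAMPLE_PRIVILEGE_SHOW = """\
  Privilege name: HBAC Administrator
  Description: HBAC Administrator
  Permissions: System: Add HBAC Rule, System: Add HBAC Service Groups, System: Add HBAC Services, System: Delete HBAC Rule, System: Delete HBAC Service Groups, System: Delete HBAC Services, System: Manage HBAC Rule Membership, System: Manage HBAC Service Group Membership, System: Modify HBAC Rule
  Granting privilege to roles: HBAC Administrator
"""


def parse_ipa_show(text):
    """Parse `ipa *-show` style output into a dict.

    Each non-empty line is split on the FIRST ': ' into key and value, so
    permission names such as 'System: Add HBAC Rule' inside the value survive.
    The 'Permissions' value is split on ', ' into a list of names.
    """
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ": " not in line:
            continue
        key, value = line.split(": ", 1)
        if key == "Permissions":
            result[key] = [name.strip() for name in value.split(", ") if name.strip()]
        else:
            result[key] = value
    return result


def audit_privilege(text):
    """Compare the granted permissions against the sets from the thread.

    Returns sorted lists so the caller can print or assert on them:
      missing_write     - HBAC write permissions the privilege does NOT grant
      read_in_privilege - read permissions that ARE in the privilege
      read_missing      - read permissions that are NOT in the privilege
    """
    granted = set(parse_ipa_show(text).get("Permissions", []))
    return {
        "missing_write": sorted(HBAC_WRITE_PERMISSIONS - granted),
        "read_in_privilege": sorted(HBAC_READ_PERMISSIONS & granted),
        "read_missing": sorted(HBAC_READ_PERMISSIONS - granted),
    }


if __name__ == "__main__":
    report = audit_privilege(SAMPLE_PRIVILEGE_SHOW)
    for label, names in report.items():
        print(f"{label}: {names or '(none)'}")
```
</pre>
<p>Run it against real output by replacing <code>SAMPLE_PRIVILEGE_SHOW</code>
with the captured text. With the constructed sample, all nine write
permissions are granted and none of the three read permissions appear in the
privilege, which matches the situation described in the question: the read
permissions are not carried by the role and, per the reply, are expected to be
granted globally instead.</p>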
</body>
</html>