<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>A role encompasses multiple privileges, and a privilege will
normally have permissions linked to it; these three things are
interconnected to form RBAC in IPA.<br>
</p>
<p>There are already a number of defaults that may work for you
instead of creating your own; for example, by default there is a
role called 'User Administrator' which is assigned the privileges
'User Administrators, Group Administrators, and Stage User
Administrators'. <br>
</p>
<pre wrap=""># ipa role-show 'User Administrator'
 Role name: User Administrator
 Description: Responsible for creating Users and Groups
 Privileges: User Administrators, Group Administrators, Stage User Administrators
</pre>
<p>- The User Administrators privilege has the following
permissions:<br>
</p>
<pre wrap=""># ipa privilege-show 'User Administrators'
 Privilege name: User Administrators
 Description: User Administrators
 Permissions: System: Add User to default group, System: Add Users, System: Change User password, System: Manage User SSH Public Keys, System: Modify Users, System: Read UPG Definition, System: Read User Kerberos Login Attributes, System: Remove Users, System: Unlock User, System: Manage User Certificates
 Granting privilege to roles: User Administrator
</pre>
<p>- The permissions are what manipulate the underlying directory
server ACIs to grant and restrict access controls.<br>
</p>
<p>I would say use the pre-built roles if you can, by linking an
IPA group to a specific role and then testing. On the CLI or WebUI you
can modify the custom roles as you see fit. Red Hat documentation
on RBAC below:<br>
</p>
<p><a class="moz-txt-link-freetext" href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/defining-roles.html">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/defining-roles.html</a><br>
</p>
<p>Kind regards,</p>
<p>Justin Stephenson<br>
</p>
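<p>As an added illustration (not part of the message above or of the IPA project code): a small Python script that parses the key/value output of <i>ipa role-show</i> and <i>ipa privilege-show</i>, resolves a role's effective permissions through its privileges, and reports which of a required set are missing. The two outputs are constructed from the ones quoted above; the 'Custom User Creator' role, its privilege, and the two-permission requirement for adding a user are assumptions made for the illustration, not an authoritative list from IPA.</p>

```python
# Added example: resolve role -> privileges -> permissions from the text
# that `ipa role-show` / `ipa privilege-show` print, and diagnose gaps.
from typing import Dict, List, Set

# Constructed from the output quoted in the message (one line per field).
ROLE_SHOW = """\
  Role name: User Administrator
  Description: Responsible for creating Users and Groups
  Privileges: User Administrators, Group Administrators, Stage User Administrators
"""
PRIVILEGE_SHOW = """\
  Privilege name: User Administrators
  Description: User Administrators
  Permissions: System: Add User to default group, System: Add Users, System: Change User password, System: Manage User SSH Public Keys, System: Modify Users, System: Read UPG Definition, System: Read User Kerberos Login Attributes, System: Remove Users, System: Unlock User, System: Manage User Certificates
  Granting privilege to roles: User Administrator
"""
# Assumed custom role whose only privilege carries a single "add" permission,
# modelled on the quoted question (names are hypothetical).
CUSTOM_ROLE_SHOW = """\
  Role name: Custom User Creator
  Privileges: Custom User Creators
"""
CUSTOM_PRIVILEGE_SHOW = """\
  Privilege name: Custom User Creators
  Permissions: System: Add Users
"""
# Assumed minimal set for illustration; the quoted ACIError names the second.
USER_ADD_NEEDS = {"System: Add Users", "System: Read UPG Definition"}


def parse_show(output: str) -> Dict[str, List[str]]:
    """Turn '  Key: v1, v2' lines into {key: [values]}; split on the first ': '
    so permission names such as 'System: Add Users' keep their own colon."""
    fields: Dict[str, List[str]] = {}
    for line in output.splitlines():
        if ": " not in line:
            continue
        key, value = line.strip().split(": ", 1)
        fields[key] = [v.strip() for v in value.split(", ")]
    return fields


def effective_permissions(role_out: str, privilege_outs: List[str]) -> Set[str]:
    """Union of the permissions of every privilege the role carries; privileges
    whose output was not supplied contribute nothing."""
    privs = {p["Privilege name"][0]: p for p in map(parse_show, privilege_outs)}
    perms: Set[str] = set()
    for name in parse_show(role_out).get("Privileges", []):
        perms |= set(privs.get(name, {}).get("Permissions", []))
    return perms


def missing_for(role_out: str, privilege_outs: List[str],
                needed: Set[str] = USER_ADD_NEEDS) -> List[str]:
    """Required permissions the role does not grant, sorted for stable output."""
    return sorted(needed - effective_permissions(role_out, privilege_outs))
```

Running <i>missing_for(CUSTOM_ROLE_SHOW, [CUSTOM_PRIVILEGE_SHOW])</i> reports the UPG Definition read permission as missing, while the built-in role comes back clean.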
<div class="moz-cite-prefix">On 07/11/2016 03:47 PM, Larry Rosen
wrote:<br>
</div>
<blockquote
cite="mid:79B7CEE400C91A4C9FD8BF082D82260720BFA7@JDRPDC.JDRSolutions.local"
type="cite">
<pre wrap="">Will creating a role to add users work?
I created a permission to create users, but it will not allow the user to do it. I have disabled UPG Definition plugin.
IPA Error 2100: ACIError
Insufficient access: Could not read UPG Definition originfilter. Check your permissions.
</pre>
</blockquote>
<br>
</body>
</html>