<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 27.09.2016 17:16, Prashant Bapat
wrote:<br>
</div>
<blockquote
cite="mid:CAN9aUrgL53rUYkHtk4D5d4qQyrfGnGxgbBdf-ss3K9eGJDLbpg@mail.gmail.com"
type="cite">
<div dir="ltr">
        <div class="gmail_default" style="font-family:trebuchet
          ms,sans-serif">RBAC Role "User Administrator" should have
          access to all users' OTP tokens. Specifically to remove if
          someone has lost their token. We get this a lot. </div>
<div class="gmail_default" style="font-family:trebuchet
ms,sans-serif"><br>
</div>
<div class="gmail_default" style="font-family:trebuchet
ms,sans-serif">I found no permissions that give this access. </div>
<div class="gmail_default" style="font-family:trebuchet
ms,sans-serif"><br>
</div>
<div class="gmail_default" style="font-family:trebuchet
ms,sans-serif">Can someone explain if this can be added easily
either from the WebUI or CLI. </div>
<div class="gmail_default" style="font-family:trebuchet
ms,sans-serif"><br>
</div>
<div class="gmail_default" style="font-family:trebuchet
ms,sans-serif">Thanks.</div>
<div class="gmail_default" style="font-family:trebuchet
ms,sans-serif">--Prashant</div>
</div>
</blockquote>
<br>
Hello,<br>
<br>
    OTP-related access control is bound to the token owner and token
    manager; we don't have any system permission created for that.<br>
<br>
    Feel free to open a ticket (just for deleting OTP):
<a class="moz-txt-link-freetext" href="https://fedorahosted.org/freeipa/newticket">https://fedorahosted.org/freeipa/newticket</a><br>
We will see if it is feasible.<br>
<br>
    You can create your own permission in the RBAC tab, in the permissions
    section, and assign it to the User Administrator privilege, but be
    careful with extending permissions related to OTP; it may open an
    attack vector.<br>
<a class="moz-txt-link-freetext" href="http://www.freeipa.org/page/V4/OTP#Permissions">http://www.freeipa.org/page/V4/OTP#Permissions</a><br>
<br>
Martin^2<br>
<br>
<br>
</body>
</html>