[Freeipa-users] Roles and permissions

Steven Jones Steven.Jones at vuw.ac.nz
Tue Feb 7 20:54:13 UTC 2012


Hi,

"Users in group A can manage the membership of group B
Users in group A can manage this small set of attributes of members of
group B"

Yes, I can see that delegating is going to be very hard to do securely / properly.....at least with [my] limited knowledge....My problem is that I have a central IT department but many schools who want to be as autonomous as possible (totally if they can achieve it). I also have managers who only understand AD somewhat....and they think this can all be done without themselves understanding what is to be done, so they make/have requirements that might seem reasonable but really are not but I don't know enough to say so. So it could well be on a case by case basis I have to design such a delegation.....looks like I will need a good level of understanding which I obviously lack.....I mean I can't even get across to you what I mean!!!   doh.....

Having briefly chatted to an AD guy this problem isn't just faced by IPA...

:(

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: Rob Crittenden [rcritten at redhat.com]
Sent: Tuesday, 7 February 2012 4:32 p.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Roles and permissions

Steven Jones wrote:
> Hi,
>
> Trying to get my head around these....is it possible to create a group administrator say "engineering team administrator"  and have that role only able to add specific users (how to specify?) to specific user groups (say) ie I want to be able to delegate responsibility for limited groups and users to others and limit their functionality...?

Need a little more to go on. It is that "how to specify" question that
really matters. How DO you distinguish between users? You can add extra
attributes to break them into groups, or you can literally put them into
extra groups and manage them that way (easiest). But you definitely need
a way to distinguish them.

Creating this type of permission would require a bit of LDAP knowledge,
mostly just knowing which attributes to use. It all depends on what
responsibility you are delegating.

I'm not entirely sure what you're after so I don't want to guess and end
up down a deep rabbit hole, but it is probably going to be easiest to
break the permissions into smaller components like:

Users in group A can manage the membership of group B
Users in group A can manage this small set of attributes of members of
group B

Both of these are relatively straightforward. I can provide examples if
you can give me some more guidance on what you're looking for.

> I don't find that section of the manual very easy to understand....I'd like examples or more explanation....
>
> Also if such a say (bad) "engineering team administrator" could add anyone say THE admin to a group that the (bad) admin had password changes in/on then this allows the bad admin to change that admin user password............the user then effectively owns the IPA system...?

Yes, it would be a problem if you granted password change permission to
a bad admin. That is true in any system.

Given that we've got a ticket open to limit those who can change the
password of those in the admins group to those in the admins group, so
helpdesk can change users' passwords but not admins. That is currently
possible.

regards

rob
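A concrete shape for the two narrow permissions Rob lists, written as an added example that is not from the thread or from the FreeIPA project: a POSIX shell script driving the FreeIPA 2.x `ipa` CLI. The group names groupA/groupB, the permission, privilege and role names, and the attribute list are placeholders; the script assumes the 2.x option spellings (`--permissions`, `--targetgroup`, `--memberof`, `--attrs`; later releases renamed `--permissions` to `--right`).

```shell
#!/bin/sh
# Added example: delegate limited rights over one group (groupB) to the
# members of another (groupA) via FreeIPA permission -> privilege -> role.
# Assumptions: FreeIPA 2.x CLI; an admin Kerberos ticket is already held;
# all names below are placeholders.
set -eu

IPA="${IPA:-ipa}"   # CLI to invoke; can be overridden with a shim for dry runs

# Permission 1: write the "member" attribute of exactly one group entry,
# i.e. manage that group's membership and nothing else.
add_membership_permission() {
    target_group="$1"
    "$IPA" permission-add "Manage membership of $target_group" \
        --permissions=write \
        --targetgroup="$target_group" \
        --attrs=member
}

# Permission 2: write an explicit, small attribute set on entries that are
# members of the target group. userpassword is deliberately not in the list,
# so adding a real admin to groupB (the worry raised in the thread) gives the
# delegate no way to reset that admin's password.
add_member_attrs_permission() {
    target_group="$1"; attrs="$2"
    "$IPA" permission-add "Manage attrs of $target_group members" \
        --permissions=write \
        --memberof="$target_group" \
        --attrs="$attrs"
}

# Tie both permissions to one privilege, the privilege to one role, and
# hand the role to the delegating group.
delegate_group() {
    delegating_group="$1"; target_group="$2"; attrs="$3"
    add_membership_permission "$target_group"
    add_member_attrs_permission "$target_group" "$attrs"
    "$IPA" privilege-add "$target_group delegation" \
        --desc="Limited admin rights over $target_group"
    "$IPA" privilege-add-permission "$target_group delegation" \
        --permissions="Manage membership of $target_group" \
        --permissions="Manage attrs of $target_group members"
    "$IPA" role-add "$target_group administrator"
    "$IPA" role-add-privilege "$target_group administrator" \
        --privileges="$target_group delegation"
    "$IPA" role-add-member "$target_group administrator" \
        --groups="$delegating_group"
}

# Usage: ./delegate.sh groupA groupB telephonenumber,mobile
if [ $# -eq 3 ]; then
    delegate_group "$1" "$2" "$3"
fi
```

Afterwards `ipa permission-show "Manage attrs of groupB members"` lets you confirm the generated ACI carries only the attributes you listed.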
