[Freeipa-users] Roles and permissions

Adam Young ayoung at redhat.com
Sat Feb 11 03:26:54 UTC 2012


On 02/07/2012 03:54 PM, Steven Jones wrote:
> Hi,
>
> "Users in group A can manage the membership of group B
> Users in group A can manage this small set of attributes of members of
> group B"
>
> Yes, I can see that delegating is going to be very hard to do securely / properly.....at least with [my] limited knowledge....My problem is that I have a central IT department but many schools who want to be as autonomous as possible (totally if they can achieve it). I also have managers who only understand AD somewhat....and they think this can all be done without themselves understanding what is to be done, so they make/have requirements that might seem reasonable but really are not, but I don't know enough to say so. So it could well be on a case by case basis I have to design such a delegation.....looks like I will need a good level of understanding which I obviously lack.....I mean I can't even get across to you what I mean!!!   doh.....
>
> Having briefly chatted to an AD guy, this problem isn't just faced by IPA...
>
> :(
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ________________________________________
> From: Rob Crittenden [rcritten at redhat.com]
> Sent: Tuesday, 7 February 2012 4:32 p.m.
> To: Steven Jones
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Roles and permissions
>
> Steven Jones wrote:
>> Hi,
>>
>> Trying to get my head around these....is it possible to create a group administrator, say "engineering team administrator", and have that role only able to add specific users (how to specify?) to specific user groups (say), i.e. I want to be able to delegate responsibility for limited groups and users to others and limit their functionality...?
> Need a little more to go on. It is that "how to specify" question that
> really matters. How DO you distinguish between users? You can add extra
> attributes to break them into groups, or you can literally put them into
> extra groups and manage them that way (easiest). But you definitely need
> a way to distinguish them.
>
> Creating this type of permission would require a bit of LDAP knowledge,
> mostly just knowing which attributes to use. It all depends on what
> responsibility you are delegating.
>
> I'm not entirely sure what you're after so I don't want to guess and end
> up down a deep rabbit hole, but it is probably going to be easiest to
> break the permissions into smaller components like:
>
> Users in group A can manage the membership of group B
> Users in group A can manage this small set of attributes of members of
> group B
>
> Both of these are relatively straightforward. I can provide examples if
> you can give me some more guidance on what you're looking for.
>
>> I don't find that section of the manual very easy to understand....I'd like examples or more explanation....
>>
>> Also if such a, say, (bad) "engineering team administrator" could add anyone, say THE admin, to a group that the (bad) admin had password change rights in/on, then this allows the bad admin to change that admin user's password............the user then effectively owns the IPA system...?
> Yes, it would be a problem if you granted password change permission to
> a bad admin. That is true in any system.
>
> We've got a ticket open to limit those who can change the
> password of those in the admins group to those in the admins group, so
> helpdesk can change users' passwords but not admins'. That is currently
> possible.
>
> regards
>
> rob
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
Does this answer your question:


http://adam.younglogic.com/2012/02/group-managers-in-freeipa/
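Rob's two building blocks ("group A manages the membership of group B" and "group A manages a small attribute set on members of group B") both end up as 389-ds ACIs in the FreeIPA directory, which is what `ipa permission-add` writes on your behalf. The block below is an added example, not code from this thread or from FreeIPA itself: it builds the two ACI shapes and then runs the review that Steven's "bad admin" worry calls for, flagging a delegation that hands out write access to credential attributes or that targets the `admins` group without being restricted to `admins`. The base DN `dc=example,dc=com`, the group names, and the list of attributes treated as credentials are constructed assumptions.

```python
"""Build and review 389-ds ACIs for two FreeIPA-style delegation patterns.

  1. Users in group A can manage the membership of group B.
  2. Users in group A can manage a small set of attributes of members of group B.

Base DN, group names and the credential-attribute list are constructed examples.
"""
import re

# Constructed example suffix; a real deployment substitutes its own base DN.
BASE_DN = "dc=example,dc=com"

# Attributes whose write access amounts to resetting someone's password
# (assumption: a real review should be tuned to the deployment's schema).
CREDENTIAL_ATTRS = {"userpassword", "krbprincipalkey", "krbpasswordexpiration"}


def group_dn(cn: str) -> str:
    """DN of a FreeIPA user group under the constructed base DN."""
    return f"cn={cn},cn=groups,cn=accounts,{BASE_DN}"


def membership_aci(name: str, manager_group: str, target_group: str) -> str:
    """Pattern 1: group A may write only the 'member' attribute of group B's entry."""
    return (
        '(targetattr = "member")'
        f'(target = "ldap:///{group_dn(target_group)}")'
        f'(version 3.0;acl "{name}";allow (write) '
        f'groupdn = "ldap:///{group_dn(manager_group)}";)'
    )


def member_attrs_aci(name: str, manager_group: str, target_group: str, attrs) -> str:
    """Pattern 2: group A may write a fixed attribute list on users who are
    members of group B. The memberOf targetfilter is what narrows the scope
    from 'all users' to 'members of B'."""
    attr_list = " || ".join(attrs)
    return (
        f'(targetattr = "{attr_list}")'
        f'(targetfilter = "(memberOf={group_dn(target_group)})")'
        f'(target = "ldap:///uid=*,cn=users,cn=accounts,{BASE_DN}")'
        f'(version 3.0;acl "{name}";allow (write) '
        f'groupdn = "ldap:///{group_dn(manager_group)}";)'
    )


def aci_targetattrs(aci: str):
    """Lower-cased list of attributes named in the ACI's targetattr clause."""
    m = re.search(r'\(targetattr\s*=\s*"([^"]*)"\)', aci)
    return [a.strip().lower() for a in m.group(1).split("||")] if m else []


def review_aci(aci: str, protected_groups=("admins",)):
    """Findings a reviewer would want before deploying a delegation ACI:
    credential attributes, attribute wildcards, and a protected group being
    managed by anyone other than that group itself."""
    findings = []
    attrs = set(aci_targetattrs(aci))
    leaked = sorted(attrs & CREDENTIAL_ATTRS)
    if leaked:
        findings.append("grants write on credential attributes: " + ", ".join(leaked))
    if "*" in attrs:
        findings.append("targetattr wildcard grants every attribute")
    who = re.search(r'groupdn\s*=\s*"ldap:///([^"]*)"', aci)
    who_dn = who.group(1).lower() if who else ""
    # Everything before the version/acl clause is the target scope.
    scope = aci.lower().split("(version 3.0;")[0]
    for g in protected_groups:
        pdn = group_dn(g).lower()
        if pdn in scope and who_dn != pdn:
            findings.append(f"targets protected group '{g}' but is granted to {who_dn or 'unknown'}")
    return findings


if __name__ == "__main__":
    examples = [
        membership_aci("Manage engineering membership", "eng-managers", "engineering"),
        member_attrs_aci("Edit engineering contact info", "eng-managers", "engineering",
                         ["telephoneNumber", "mobile"]),
        # The delegation Steven worries about: a helpdesk-style group given
        # password attributes on members of admins.
        member_attrs_aci("Reset admin passwords", "helpdesk", "admins", ["userPassword"]),
    ]
    for aci in examples:
        print(aci)
        print("  findings:", review_aci(aci) or "none")
```

The review is deliberately simple string inspection, so it is a pre-deployment sanity check rather than a substitute for testing the ACI against the directory; the point it makes is Rob's: keep each delegated permission down to one attribute on one target, and the blast radius of a "bad admin" stays correspondingly small.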



