[Freeipa-users] admin users for groups

Rob Crittenden rcritten at redhat.com
Mon Jul 16 21:32:18 UTC 2012


Steven Jones wrote:
> Hi,
>
> I want to set a group of admin level users admin rights to select user
> and host groups, can this be done in IPA?
>
> How?
>
> So they need to be able to add users from the general pool to specific
> groups and add specific hosts to specific groups only, can these be done?

It depends on how many groups and hostgroups you're talking about. The 
approach will differ depending on the answer.

This is going to be hard to do using the IPA cli tools. You'll probably 
have to resort to creating an aci by hand to do this. The permission 
module limits the types of rules that can be mixed together, something 
that a raw aci isn't restricted by.

This is a start, for example. It grants the 'modify specific group 
membership' permission the ability to write groups g2, g3 and g4.

aci: (targetattr = "member")(targetfilter = "(|(cn=g2)(cn=g3)(cn=g4))")
 (version 3.0;acl "permission:Modify specific group membership";
 allow (write) groupdn = "ldap:///cn=modify specific group membership,cn=permissions,cn=pbac,dc=example,dc=com";)

The twist is depending on where this aci is installed it could affect 
anything with cn=g2, g3 or g4. You'll also want a (target = 
"ldap:///cn=*,cn=groups,cn=accounts,dc=example,dc=com"). This will limit 
it to just user groups.

We install acis in $SUFFIX which is why target is needed.

You'd then create a privilege and assign the permission to it, create a 
role and add the privilege to it. Then you'd add your group to the role 
and members of that group should be able to manage the members of just 
g2, g3 and g4.

Or, using the cli, you could create a series of permissions to manage 
one group at a time, add those all to one privilege, add that one 
privilege to a role, etc. Like I said, it depends on the number of 
groups you want to manage and how hairy you're willing to let things get.

rob
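The two paths Rob describes, as an added example that is not part of the original thread: the first function set builds the multi-group aci (with the target clause he recommends) and the ldapmodify LDIF for the suffix entry; the second prints the per-group permission/privilege/role commands for the cli-only route. The base DN, group names, the admin group, and the privilege and role names are assumptions; the ipa options used (--permissions, --attrs, --targetgroup) are the permission-add options of that IPA generation.

```shell
#!/bin/sh
# Assumed values; replace with your own base DN, groups and admin group.
SUFFIX="dc=example,dc=com"
PERM="modify specific group membership"   # permission name used in the thread
GROUPS_TO_DELEGATE="g2 g3 g4"
ADMIN_GROUP="groupadmins"                 # assumed: the group receiving the rights

# build_filter g2 g3 g4  ->  (|(cn=g2)(cn=g3)(cn=g4))
build_filter() {
  f=""
  for g in "$@"; do f="${f}(cn=${g})"; done
  printf '(|%s)' "$f"
}

# build_aci SUFFIX PERMNAME GROUP...  ->  the aci as a single-line value.
# The (target = ...) clause restricts the rule to entries under
# cn=groups,cn=accounts, so an unrelated entry with cn=g2 is not matched.
build_aci() {
  suffix=$1; perm=$2; shift 2
  printf '(target = "ldap:///cn=*,cn=groups,cn=accounts,%s")(targetattr = "member")(targetfilter = "%s")(version 3.0;acl "permission:%s";allow (write) groupdn = "ldap:///cn=%s,cn=permissions,cn=pbac,%s";)' \
    "$suffix" "$(build_filter "$@")" "$perm" "$perm" "$suffix"
}

# aci_ldif SUFFIX PERMNAME GROUP...  ->  ldapmodify input adding the aci to
# the suffix entry, which is where IPA installs its own acis.
aci_ldif() {
  printf 'dn: %s\nchangetype: modify\nadd: aci\naci: %s\n' "$1" "$(build_aci "$@")"
}

# Raw-aci path: review the output, then apply it with
#   ldapmodify -x -D "cn=Directory Manager" -W -f delegation.ldif
aci_ldif "$SUFFIX" "$PERM" $GROUPS_TO_DELEGATE

# CLI-only path: one permission per group, bound into one privilege and one
# role. Commands are printed, not executed, so the script is safe to run anywhere.
echo
echo "# CLI alternative:"
perms=""
for g in $GROUPS_TO_DELEGATE; do
  echo "ipa permission-add 'Modify $g membership' --permissions=write --attrs=member --targetgroup=$g"
  perms="${perms}${perms:+,}Modify $g membership"
done
echo "ipa privilege-add 'Group membership delegation'"
echo "ipa privilege-add-permission 'Group membership delegation' --permissions=\"$perms\""
echo "ipa role-add 'Group admins'"
echo "ipa role-add-privilege 'Group admins' --privileges='Group membership delegation'"
echo "ipa role-add-member 'Group admins' --groups=$ADMIN_GROUP"
```

For the raw-aci path the permission entry named in groupdn must exist under cn=permissions,cn=pbac before the privilege and role are attached to it, otherwise the aci binds to nothing.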
