[Freeipa-users] User Roles and access in GUI

Alexander Bokovoy abokovoy at redhat.com
Mon Apr 15 14:49:35 UTC 2013


On Mon, 15 Apr 2013, Petr Spacek wrote:
>On 15.4.2013 15:39, Rob Crittenden wrote:
>>There is no easy way to do this. We start with granting all authenticated
>>users read access to the tree with the exception of certain attributes (like
>>passwords).
>>
>>You'd have to start by removing that, then one by one granting read access to
>>the various containers based on, well, something.
>
>Would it be possible to create a new role to allow current 'read-all 
>access' and add this role to all users by default?
>
>It could be much simpler to change the behaviour with this role, or not? :-)

It would affect service accounts (including host/fqdn@REALM) since roles
cannot be applied to them, if I remember correctly. We would need to
make an exclusive ACI that allows all services to gain read-only access...

-- 
/ Alexander Bokovoy



