[Freeipa-users] Allow IPA Join and remove only
Rob Crittenden
rcritten at redhat.com
Fri Mar 15 17:51:10 UTC 2013
John Moyer wrote:
> Question:
>
> I am trying to reduce the rights to an account so that it can only add
> and remove machines from the IPA server. It will be used for scripts to
> run as this user to bind machines that are stood up ad hoc to the IPA
> server, and then clean them up after they are ready for shutdown.
> However, I don't want users that are allowed this access to be able to
> do much else (like remove my account or any of my engineers' accounts).
> I was wondering if anyone had any words of wisdom on how to do this
> before I started doing guess and check research (since a few Google
> searches have yielded nothing).
See the "Host Enrollment" privilege.
Add that to a role (maybe a new one), add a group of the users you want
to be able to do this to the role, and that should be it.
rob
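
The steps in the reply above, written out as `ipa` CLI commands. This is an added example, not part of the original message. The role, group and service-account names are assumptions, and the script only prints the commands unless DRY_RUN=0 is set (applying them needs an admin Kerberos ticket).

```shell
#!/bin/sh
# Added example: delegate the "Host Enrollment" privilege through a role.
# ROLE, GROUP and SVC_USER are assumed names; pick your own.
ROLE="Host Enroller"
GROUP="host-enrollers"
SVC_USER="svc-enroll"
PRIVILEGE="Host Enrollment"   # the privilege named in the reply

# Print the command when DRY_RUN=1 (default), otherwise execute it.
# Arguments containing spaces are shown single-quoted so the printed
# line can be pasted back into a shell.
run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        line=""
        for arg in "$@"; do
            case $arg in
                *" "*) line="$line '$arg'" ;;
                *)     line="$line $arg" ;;
            esac
        done
        printf '%s\n' "${line# }"
    else
        "$@"
    fi
}

setup_enrollment_role() {
    # 1. A new role that carries only the one privilege.
    run ipa role-add "$ROLE" --desc="Scripted host enrollment"
    run ipa role-add-privilege "$ROLE" --privileges="$PRIVILEGE"
    # 2. A group for the accounts the scripts run as.
    run ipa group-add "$GROUP" --desc="Accounts used by enrollment scripts"
    run ipa group-add-member "$GROUP" --users="$SVC_USER"
    # 3. Attach the group to the role.
    run ipa role-add-member "$ROLE" --groups="$GROUP"
    # 4. Review which permissions the privilege and role actually grant
    #    before handing the account to scripts.
    run ipa privilege-show "$PRIVILEGE"
    run ipa role-show "$ROLE"
}

setup_enrollment_role
```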