[Freeipa-users] User admins for different groups
Philipp Richter
philipp.richter at linbit.com
Mon Mar 25 16:48:34 UTC 2013
Hi,
I am trying to do the following:
We have some branch offices at different locations. We want to use one ipa-server with replicas in each branch office. Each branch office should have its own set of administrators who should be able to create/modify/delete users for its own branch but should not be allowed to change users from other branches.
How could this be accomplished?
i.e.:
ipa group-add branch-at
ipa group-add admins-at
ipa group-add-member branch-at --groups=admins-at
ipa group-add branch-us
ipa group-add admins-us
ipa group-add-member branch-us --groups=admins-us
ipa user-add admin1at
ipa group-add-member admins-at --users=admin1at
ipa user-add user1us
ipa group-add-member branch-us --users=user1us
now,
every member of admins-at should be forced to create/modify/delete only users in branch-at. The same applies for admins-us/branch-us.
At first, I thought of a combination of (a) new role(s), with write/delete permissions set for the branch-at group, as well as an automember rule, but it seems there is no way to filter for the creator of an entry, which would be needed for the group membership.
Am I missing anything?
cheers,
Philipp
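An added example (not from Philipp's post or the FreeIPA project) of the role-based part of the setup described above: one permission per branch, restricted with --memberof to users who are already members of branch-<suffix>, wrapped in a privilege and a role that admins-<suffix> belongs to. Group names follow the post; the permission, privilege and role names are made up here. Option spellings assume the FreeIPA 4.x CLI (--right; older releases spelled it --permissions). Note that --memberof only scopes modify/delete of existing branch members; it cannot scope user-add, because a freshly created user is not yet a member of anything, which is exactly the creator-filter gap the post points out. DRY_RUN=1 prints the ipa commands instead of running them.

```shell
#!/bin/sh
# Example (added here, not the poster's or the project's code): delegate
# management of one branch's users to that branch's admin group using
# FreeIPA permissions, privileges and roles. Names other than the group
# names from the post are assumptions made for this example.

DRY_RUN="${DRY_RUN:-0}"

# Run an ipa command, or just print it when DRY_RUN=1 (for offline review).
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# setup_branch <suffix>
# Creates branch-<suffix> and admins-<suffix>, then permissions that only
# apply to user entries which are members of branch-<suffix>. The
# --memberof filter is what keeps admins-at away from users in branch-us.
setup_branch() {
    sfx="$1"
    branch="branch-$sfx"
    admins="admins-$sfx"
    perm_write="Modify $branch users"      # assumed permission name
    perm_delete="Delete $branch users"     # assumed permission name
    priv="$branch user administration"     # assumed privilege name
    role="$branch user administrator"      # assumed role name

    run ipa group-add "$branch"
    run ipa group-add "$admins"
    run ipa group-add-member "$branch" --groups="$admins"

    # Write access to a few common user attributes, scoped to branch members.
    run ipa permission-add "$perm_write" --right=write --type=user \
        --memberof="$branch" \
        --attrs=givenname --attrs=sn --attrs=cn --attrs=mail \
        --attrs=telephonenumber --attrs=userpassword
    # Delete right, scoped the same way.
    run ipa permission-add "$perm_delete" --right=delete --type=user \
        --memberof="$branch"

    # Privilege bundles the permissions; the role grants it to the admin group.
    run ipa privilege-add "$priv"
    run ipa privilege-add-permission "$priv" \
        --permissions="$perm_write" --permissions="$perm_delete"
    run ipa role-add "$role"
    run ipa role-add-privilege "$role" --privileges="$priv"
    run ipa role-add-member "$role" --groups="$admins"
}
```

Usage: `setup_branch at` and `setup_branch us` on an enrolled host with an admin ticket, or `DRY_RUN=1 setup_branch at` first to review the commands. Granting admins-at the right to add users at all still requires a separate, unscoped "add user" permission, so a user created by an at-admin lands in no branch until someone with rights on branch-at adds them, which is the limitation the post is asking about.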