[Freeipa-users] User admins for different groups

Rob Crittenden rcritten at redhat.com
Tue Mar 26 14:10:00 UTC 2013


Philipp Richter wrote:
> On 03/26/2013 12:39 AM, Dmitri Pal wrote:
>
>>> I am trying to do the following:
>>>
>>> We have some branch offices at different locations. We want to use
>>> one ipa-server with replicas in each branch office. Each branch
>>> office should have its own set of administrators who should be able
>>> to create/modify/delete users for its own branch but should not be
>>> allowed to change users from other branches.
>>> Every member of admin-at should be forced to create/modify/delete
>>> only users in branch-at. The same applies for admin-us/branch-us.
>>>
>>> At first, I thought of a combination of (a) new role(s), with
>>> write/delete permissions set for the branch-at group, as well as an
>>> automember rule but it seems there is no way to filter for the
>>> creator of an entry, which would be needed for the group membership.
>>>
>>> Am I missing anything?
>>
>> This might help
>> https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html#delegating-users
>>
>
> Yes, I read the whole document but as far as I understand delegates are
> only helpful for editing existing records. I want admins of one branch
> to be able to also create users, but only in the assigned branch.
>
> Currently we use standard openldap with different ou's for the branches.
> Each branch admin has full ldap permissions for its own ou-subtree.
>

IPA uses a flat DIT so there is no way to control adding users in a given 
branch office.

The most you'd be able to do is delegate management (delete/modify) of a 
subset of users who are members of a group that represents that branch 
office. Any new users added would need to be added to the appropriate 
branch group by the admin adding them.

rob
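The delegation Rob describes, expressed as IPA CLI commands, as an added example that is not part of the thread: two permissions scoped with --memberof to users of the branch group, wrapped in a privilege and a role that is granted to the branch admin group. The group names branch-at and admin-at come from the thread; the permission, privilege and role names and the attribute list are chosen here, and the script assumes an admin Kerberos ticket on an enrolled host.

```shell
#!/bin/sh
# Added example (not from the thread): delegate modify/delete of one branch's
# users to that branch's admin group via IPA's permission -> privilege -> role
# chain. Group names branch-at / admin-at are the thread's; the permission,
# privilege and role names and the attribute list are chosen here.
# Assumes an admin Kerberos ticket (kinit admin) on an enrolled host.
# Set IPA=echo to print the commands instead of executing them.
IPA="${IPA:-ipa}"

branch_delegation() {
    branch="$1"   # user group representing the branch office, e.g. branch-at
    admins="$2"   # group of that branch's administrators, e.g. admin-at

    # Both permissions are limited by --memberof: they apply only to user
    # entries that are already members of the branch group. There is no such
    # scoping for 'add', so user creation stays with global admins, and a new
    # user must be put into $branch before these rights cover the entry.
    $IPA permission-add "Modify $branch users" --type=user --memberof="$branch" \
        --permissions=write --attrs=givenname --attrs=sn --attrs=mail \
        --attrs=telephonenumber
    $IPA permission-add "Delete $branch users" --type=user --memberof="$branch" \
        --permissions=delete

    # The privilege groups the permissions; the role ties them to the admin group.
    $IPA privilege-add "$branch user management" \
        --desc="Modify and delete users of $branch"
    $IPA privilege-add-permission "$branch user management" \
        --permissions="Modify $branch users" --permissions="Delete $branch users"
    $IPA role-add "$branch admin" --desc="Administrators of $branch"
    $IPA role-add-privilege "$branch admin" --privileges="$branch user management"
    $IPA role-add-member "$branch admin" --groups="$admins"
}

# Usage: sh delegate-branch.sh branch-at admin-at
if [ "$#" -ge 2 ]; then
    branch_delegation "$@"
fi
```

Repeat the call with branch-us / admin-us for the second office; the resulting rights never cover a user who is not yet in the branch group, which is exactly the gap Rob points out.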
