[Freeipa-users] invalid 'permission': cannot add permission "System: Read HBAC Rules" with bindtype "all" to a privilege

Rob Crittenden rcritten at redhat.com
Fri Jun 19 19:38:16 UTC 2015


nathan at nathanpeters.com wrote:
> FreeIPA server 4.1.3 on CentOS 7
>
> I am trying to create a set of privileges or roles that will allow me to
> create a user who has read-only access to as much of the FreeIPA web UI as
> possible.  Basically my manager wants the type of view into FreeIPA that
> they have in AD using the 'AD Users and Computers' program.
>
> I note that there are quite a few read permissions in the permissions list.
>   I tried creating a new privilege called Read Only Administrator and
> giving them all the permissions that have read only in the name.
>
> For some reason I can add all other system and full access permissions but
> when I try to add a read only permission I get the following error :
> invalid 'permission': cannot add permission "System: Read HBAC Rules" with
> bindtype "all" to a privilege
>
> This applies not just to the HBAC rule, but anything that has Read in the name.
>
> How do I create a read only user without getting this error message?

You can't add a rule with bindtype all because this bindtype already 
allows all authenticated users the rights granted by the rule, in this 
case read access.

rob
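A way to see this in practice, as an added example that is not from the thread: filter `ipa permission-find` output down to the permissions whose bind rule type is "permission", since only those can be placed in a privilege. The sample output and the non-System permission names are constructed, and the "Bind rule type" label is assumed to match the 4.1 CLI output.

```shell
#!/bin/sh
# Constructed sample of `ipa permission-find Read` output. "System: Read HBAC Rules"
# carries bind rule type "all" (as the thread shows); the other two entries are
# made up to exercise the filter and do not describe real FreeIPA permissions.
SAMPLE='  Permission name: System: Read HBAC Rules
  Granted rights: read, search, compare
  Bind rule type: all

  Permission name: Example: Read Anonymous Widgets
  Granted rights: read, search, compare
  Bind rule type: anonymous

  Permission name: Example: Read Audit Records
  Granted rights: read, search, compare
  Bind rule type: permission
'

# Print the names of permissions that can be added to a privilege.
# "all" already grants the rights to every authenticated bind and "anonymous"
# to any bind, so neither needs (or accepts) a privilege; only "permission"
# entries are granted through privileges and roles.
addable_permissions() {
    awk '
        /^ *Permission name: / { name = substr($0, index($0, ": ") + 2) }
        /^ *Bind rule type: /  {
            type = substr($0, index($0, ": ") + 2)
            if (type == "permission") print name
        }
    '
}

# Same check for a single permission, e.g. from `ipa permission-show NAME`:
# prints its bind rule type so you know why privilege-add-permission refuses it.
bind_rule_type() {
    awk '/^ *Bind rule type: / { print substr($0, index($0, ": ") + 2) }'
}

printf '%s' "$SAMPLE" | addable_permissions
printf '%s' "$SAMPLE" | head -n 3 | bind_rule_type
```

On a live server the same filter can be requested from the API with `ipa permission-find --bindtype=permission` (assumed to be available in 4.1), which avoids parsing the text output.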



