[Freeipa-users] How To: Create Admin Account with all Permissions but the ability to Delete?
David Kupka
dkupka at redhat.com
Fri Apr 15 06:30:51 UTC 2016
On 14/04/16 19:59, Caton, Tina, CYFD wrote:
> As a policy we disable accounts, never delete accounts.
>
> We wish to create an Administrator account with Account Creation, Change and
> Disable Permissions - No Deletion Permissions. Is that possible? How would one
> do it? Thank you.
>
> Regards,
> Tina Caton
Hello Tina,
this can be done.
FreeIPA uses RBAC (role based access control). On the lowest level there
are individual permissions ($ ipa permission-find) which are just 389-ds
ACIs (access control instructions).
Then there are privileges ($ ipa privilege-find) that hold some set of
permissions.
Another layer consists of roles ($ ipa role-find) that can hold multiple
privileges. Users and groups can be assigned a role ($ ipa
role-add-member <role> [--user <user>] [--group <group>]).
What you need to do is to create a privilege (e.g. "Never delete user
administrator") similar to "User Administrator" with the only difference
that it won't have the "System: Remove Users" permission and then create a
role very similar to "User Administrator" with privilege "User
Administrator" replaced with "Never delete user administrator".
Then you can give this role to any user or group (don't forget to
remove the original "User Administrator" role).
Alternatively, if you're sure that no admin user in your deployment will
ever need to delete a user, you can simply remove the "System: Remove User"
permission from the "User Administrator" privilege ($ ipa
privilege-remove-permission "User Administrators" --permissions "System:
Remove Users").
HTH,
--
David Kupka
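The procedure David describes, as an added example that is not part of the original thread or of FreeIPA itself: a Python script against the ipalib API that copies the "User Administrators" privilege minus "System: Remove Users" into a new privilege, clones the "User Administrator" role with that privilege swapped in, and reads the result back. The new object names and descriptions, and the use of ipalib instead of the ipa commands in the thread, are assumptions; it needs ipalib on an enrolled host and an admin Kerberos ticket.

```python
"""Added example (not from the thread or FreeIPA): clone the stock
"User Administrators" privilege without "System: Remove Users", then clone
the "User Administrator" role with that privilege swapped in. Requires
ipalib on an enrolled host and an admin Kerberos ticket (kinit admin)."""

SRC_PRIV = "User Administrators"        # stock privilege named in the thread
SRC_ROLE = "User Administrator"         # stock role named in the thread
DROP_PERM = "System: Remove Users"      # the one permission to leave out
NEW_PRIV = "Never delete user administrator"  # assumed name for the new privilege
NEW_ROLE = "Never delete user administrator"  # assumed name for the new role


def derive_no_delete_sets(priv_entry, role_entry):
    """From the 'result' dicts of privilege_show/role_show, return the
    permission list for NEW_PRIV and the privilege list for NEW_ROLE."""
    perms = list(priv_entry.get("memberof_permission", []))
    if DROP_PERM not in perms:
        # Nothing to strip: names differ or the privilege was already edited.
        raise ValueError(f"{DROP_PERM!r} is not a member of {SRC_PRIV!r}")
    new_perms = [p for p in perms if p != DROP_PERM]
    # Keep the role's other privileges; replace only the one being cloned.
    new_privs = [NEW_PRIV if p == SRC_PRIV else p
                 for p in role_entry.get("memberof_privilege", [])]
    if NEW_PRIV not in new_privs:
        new_privs.append(NEW_PRIV)
    return new_perms, new_privs


def apply(users=(), groups=()):
    """Create NEW_PRIV and NEW_ROLE on the server and assign the members."""
    from ipalib import api  # lazy import so derive_no_delete_sets runs offline
    api.bootstrap(context="cli")
    api.finalize()
    api.Backend.rpcclient.connect()
    priv = api.Command.privilege_show(SRC_PRIV)["result"]
    role = api.Command.role_show(SRC_ROLE)["result"]
    new_perms, new_privs = derive_no_delete_sets(priv, role)
    api.Command.privilege_add(NEW_PRIV, description="User admin without delete")
    api.Command.privilege_add_permission(NEW_PRIV, permission=new_perms)
    api.Command.role_add(NEW_ROLE, description="User Administrator minus delete")
    api.Command.role_add_privilege(NEW_ROLE, privilege=new_privs)
    if users or groups:
        api.Command.role_add_member(NEW_ROLE, user=list(users), group=list(groups))
    # Read back and confirm the delete permission really is absent.
    check = api.Command.privilege_show(NEW_PRIV)["result"]
    if DROP_PERM in check.get("memberof_permission", []):
        raise RuntimeError(f"{NEW_PRIV!r} still grants {DROP_PERM!r}")
    return new_perms, new_privs
```

Call `apply(users=["someadmin"])` from an interactive session once the ticket is in place; `derive_no_delete_sets` is separable so the two lists can be reviewed against `ipa privilege-show`/`ipa role-show` output before anything is written.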