[Freeipa-users] Delegated Administration in IPA

Alexander Bokovoy abokovoy at redhat.com
Mon Aug 8 08:54:23 UTC 2016


On Mon, 08 Aug 2016, Deepak Dimri wrote:
>Hi List,
>I want some help here! I have 100 Linux servers and EC2 instances
>used by various teams/departments. I want to have group-wise
>clubbing of these servers so that I can delegate administration access
>to the manager of that particular group. For example, let's say out of those
>100 servers, 25 servers belong to the engineering team, so I want to
>register these 25 servers under the engineering group/domain and then
>assign the full administration access to the engineering manager to manage
>these 25 servers and their accesses. I am getting a sense that we can
>create DNS subdomains for each team, i.e. engineering.<ipa server domain
>name>, and then register those 25 servers under engineering.<ipa server
>domain name>, but then I am not sure how I can assign the access and do
>the rest of the configuration. I would be thankful if any of you can
>provide me with configuration steps to help me

What kind of administration do you want to achieve?

- Managing IPA objects themselves?
- Managing actual machines, as in log in to them, run sudo, etc?

For the former you'd need to learn how to deal with
permissions/privileges/roles and create separate
permissions/privileges/roles that look like a default one with
an additional target filter based on the hostgroup membership.

For the latter you'd use HBAC rules.

-- 
/ Alexander Bokovoy
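
The two paths named in the reply above (a role scoped by host group membership, and an HBAC rule for logins), as an added example that is not part of the original message. The team, user, domain and host names are constructed, the base DN is assumed to follow the DNS domain, and the attribute list is an illustrative subset.

```shell
#!/bin/sh
# Added example; all names below are constructed placeholders.
# Dry run by default: prints each ipa command. Set APPLY=1 on an
# enrolled host with an admin Kerberos ticket to execute them.

# example.com -> dc=example,dc=com (assumes the default IPA base DN)
basedn() { printf 'dc=%s\n' "$1" | sed 's/\./,dc=/g'; }

# LDAP filter matching host entries that belong to one host group
hostgroup_filter() {
    printf '(memberOf=cn=%s,cn=hostgroups,cn=accounts,%s)\n' \
        "$1" "$(basedn "$2")"
}

run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else
        for a in "$@"; do printf "'%s' " "$a"; done; printf '\n'
    fi
}

delegate() {  # usage: delegate TEAM MANAGER DOMAIN HOST...
    team=$1 mgr=$2 domain=$3; shift 3
    run ipa hostgroup-add "$team"
    for h in "$@"; do
        run ipa hostgroup-add-member "$team" --hosts="$h"
    done

    # Managing IPA objects: permission -> privilege -> role -> manager.
    # The extra target filter limits writes to hosts in the host group.
    run ipa permission-add "$team-hosts-write" --type=host --right=write \
        --attrs=description --attrs=l --attrs=nshostlocation \
        --filter="$(hostgroup_filter "$team" "$domain")"
    run ipa privilege-add "$team-host-admin"
    run ipa privilege-add-permission "$team-host-admin" \
        --permissions="$team-hosts-write"
    run ipa role-add "$team-manager"
    run ipa role-add-privilege "$team-manager" --privileges="$team-host-admin"
    run ipa role-add-member "$team-manager" --users="$mgr"

    # Managing the machines: HBAC rule for login to the team's hosts.
    # It only restricts access once the default allow_all rule is disabled.
    run ipa hbacrule-add "$team-login"
    run ipa hbacrule-add-user "$team-login" --users="$mgr"
    run ipa hbacrule-add-host "$team-login" --hostgroups="$team"
    run ipa hbacrule-add-service "$team-login" --hbacsvcs=sshd
}

delegate engineering eng-manager example.com web1.example.com web2.example.com
```
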
