[Freeipa-users] Delegated Administration in IPA

Deepak Dimri deepak_dimri at hotmail.com
Mon Aug 29 17:31:09 UTC 2016


**adding FreeIPA-Users**




Hi Alexander,
I was referring to your reply below regarding managing the access (adding and deleting, etc.) for only those hosts which are part of a particular hostgroup - you mentioned I can do that using an "additional target filter based on the hostgroup membership" in the FreeIPA permission. What would be the attribute/DN I should be giving in the target filter to achieve this?
Obviously the default host group membership allows the admin to add and delete any hosts, which I don't want. I want management restricted to only those hosts which are part of the hostgroup.
Thanks in advance
Best Regards,
Deepak


> Date: Mon, 8 Aug 2016 11:54:23 +0300
> From: abokovoy at redhat.com
> To: deepak_dimri at hotmail.com
> CC: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Delegated Administration in IPA
> 
> On Mon, 08 Aug 2016, Deepak Dimri wrote:
> >Hi List,
> >I want some help here! I have 100 Linux servers and EC2 instances
> >used by various teams/departments. I want to have group-wise
> >clubbing of these servers so that I can delegate administration access
> >to the manager of that particular group. For example, let's say out of those
> >100 servers, 25 servers belong to the engineering team, so I want to
> >register these 25 servers under the engineering group/domain and then
> >assign full administration access to the engineering manager to manage
> >these 25 servers and their accesses. I am getting a sense that we can
> >create DNS subdomains for each team, i.e. engineering.<ipa server domain
> >name>, and then register those 25 servers under engineering.<ipa server
> >domain name>, but then I am not sure how I can assign the access and do the
> >rest of the configuration. I would be thankful if any of you can
> >provide configuration steps to help me.
> What kind of administration do you want to achieve?
> 
> - Managing IPA objects themselves?
> - Managing actual machines as in login to them, run sudo, etc?
> 
> For the former you'd need to learn how to deal with
> permissions/privileges/roles and create separate
> permissions/privileges/roles that look like a default one with
> additional target filter based on the hostgroup membership.
> 
> For the latter you'd use HBAC rules.
> 
> -- 
> / Alexander Bokovoy
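As an added example, not from either poster, here is the permission/privilege/role chain Alexander describes, built with the FreeIPA CLI's extra target filter on hostgroup membership, plus a local check of which host entries such a filter covers; the base DN dc=example,dc=com, the hostgroup name engineering and the sample host entries are assumptions.

```python
import shlex

BASE_DN = "dc=example,dc=com"  # assumed realm base DN, not from the thread

def hostgroup_dn(name, base_dn=BASE_DN):
    """DN of a FreeIPA hostgroup: cn=<name>,cn=hostgroups,cn=accounts,<base>."""
    return f"cn={name},cn=hostgroups,cn=accounts,{base_dn}"

def member_filter(name, base_dn=BASE_DN):
    """Extra target filter: match only entries that are members of the hostgroup.
    memberOf is maintained server-side by the memberOf plugin, so it exists only
    on hosts that are already in the group."""
    return f"(memberOf={hostgroup_dn(name, base_dn)})"

def permission_commands(name, base_dn=BASE_DN):
    """ipa CLI lines for a permission -> privilege -> role chain that can modify
    and delete hosts in the hostgroup only. The 'add' right is left out: a host
    being created has no memberOf yet, so a memberOf filter can never match it;
    scope add rights by another attribute (e.g. an fqdn suffix) if needed."""
    perm, priv, role = (f"Manage {name} hosts", f"{name} host management",
                        f"{name} host admin")
    return [
        f"ipa permission-add {shlex.quote(perm)} --type=host"
        f" --right=write --right=delete --filter={shlex.quote(member_filter(name, base_dn))}",
        f"ipa privilege-add {shlex.quote(priv)}",
        f"ipa privilege-add-permission {shlex.quote(priv)} --permissions={shlex.quote(perm)}",
        f"ipa role-add {shlex.quote(role)}",
        f"ipa role-add-privilege {shlex.quote(role)} --privileges={shlex.quote(priv)}",
    ]

def hosts_in_scope(entries, name, base_dn=BASE_DN):
    """Evaluate the target filter locally against host entries (dicts with
    'fqdn' and a 'memberOf' list of group DNs, as an LDAP search returns them)."""
    target = hostgroup_dn(name, base_dn).lower()
    return [e["fqdn"] for e in entries
            if target in (dn.lower() for dn in e.get("memberOf", []))]

# Constructed sample host entries, not real hosts.
SAMPLE_HOSTS = [
    {"fqdn": "build1.example.com", "memberOf": [hostgroup_dn("engineering")]},
    {"fqdn": "db1.example.com", "memberOf": [hostgroup_dn("finance")]},
    {"fqdn": "fresh.example.com", "memberOf": []},  # not in any hostgroup yet
]

if __name__ == "__main__":
    print("\n".join(permission_commands("engineering")))
    print(hosts_in_scope(SAMPLE_HOSTS, "engineering"))  # ['build1.example.com']
```

The role is then assigned to the team's manager with `ipa role-add-member`, and the resulting ACI can be inspected with `ipa permission-show --all`.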