[Freeipa-users] Creating roles tutorial/how-to

[Rob Crittenden]

Larry Rosen wrote:
> Are there any tutorials/how to’s to guide how to create roles?  The docs
> simply go through filling out the forms, but is there any resource about
> how roles are generally used and the required relationships?
>
> This is the closest thing I have found:
> http://adam.younglogic.com/2012/02/group-managers-in-freeipa/
>
> I don’t understand how to limit various permissions/privileges to
> specific users or groups.
>
> I want a role to manage only the users of a certain group: i.e. a user
> that can add, modify, delete user accounts and set/reset/unlock
> passwords for one group.

The order of access control looks like permissions -> privileges -> 
roles. The associated privileges provide a set of permissions (actions a 
role can take) to the role.

Users, groups, hosts, hostgroups and services (depending on version of 
IPA) can be members of a role, thus having the capabilities of that role.

You add the privileges you want that role to have, then you add the 
groups you want, and that should do it.

A permission is a low-level "task". A privilege is usually 1-1 to a 
permission. It may contain multiple permissions.

An example of a privilege with multiple permissions is adding a user, 
where you need to be able to write the user and set the password.

For the permissions shipped with IPA there is always an associated 
privilege available for that so you typically don't need to mess with these.

rob