[Freeipa-users] Creating roles tutorial/how-to

Larry Rosen larry.rosen at JDRSolutions.com
Fri Jul 8 17:50:06 UTC 2016


Thanks, I had those parts figured out.

I have a basic role/user working.

My next questions are:

When or why would I need to specify a Target DN or Extra target filter? I don't think any are necessary for this role that has this permission to work since I specified the group (member of group) it can target.


-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com]
Sent: Friday, July 01, 2016 6:45 PM
To: Larry Rosen <larry.rosen at JDRSolutions.com>; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Creating roles tutorial/how-to

Larry Rosen wrote:
> Are there any tutorials/how-tos to guide how to create roles?  The 
> docs simply go through filling out the forms, but is there any 
> resource about how roles are generally used and the required relationships?
>
> This is the closest thing I have found:
> http://adam.younglogic.com/2012/02/group-managers-in-freeipa/
>
> I don't understand how to limit various permissions/privileges to 
> specific users or groups.
>
> I want a role to manage only the users of a certain group: i.e. a user 
> that can add, modify, delete user accounts and set/reset/unlock 
> passwords for one group.

The order of access control looks like permissions -> privileges -> roles. The associated privileges provide a set of permissions (actions a role can take) to the role.

Users, groups, hosts, hostgroups and services (depending on the version of
IPA) can be members of a role, thus having the capabilities of that role.

You add the privileges you want that role to have, then you add the groups you want, and that should do it.

A permission is a low-level "task". A privilege is usually 1-1 to a permission. It may contain multiple permissions.

An example of a privilege with multiple permissions is adding a user, where you need to be able to write the user and set the password.

For the permissions shipped with IPA there is always an associated privilege available for that, so you typically don't need to mess with these.

rob
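As an added example (not from this thread or the FreeIPA project), the permissions -> privilege -> role chain Rob describes, expressed as ipa client commands and scoped to the members of one user group via the permission's memberOf target filter. Creating brand-new users is deliberately left out: a freshly added entry carries no memberOf value when the ACI is evaluated, so a memberOf-scoped add permission never matches. The group name, the admin group that receives the role and the attribute lists are assumptions; set IPA=echo to print the commands without a server.

```shell
#!/bin/sh
# Added example: build a role that may modify, remove and reset passwords for
# the members of one group only. IPA names the client binary (default: ipa).
IPA="${IPA:-ipa}"

create_group_manager_role() {
  group="$1"                     # users in this group may be managed
  admins="${2:-${group}-admins}" # group whose members receive the role
  priv="Manage ${group} users"
  role="${group} User Managers"

  # Low-level permissions, one per task. --type=user targets user entries and
  # --memberof sets a memberOf target filter, so only members of $group match.
  $IPA permission-add "Remove ${group} users" --type=user --memberof="$group" \
       --right=delete
  $IPA permission-add "Modify ${group} users" --type=user --memberof="$group" \
       --right=write --attrs=givenname --attrs=sn --attrs=cn --attrs=mail \
       --attrs=title --attrs=telephonenumber --attrs=nsaccountlock
  $IPA permission-add "Reset ${group} passwords" --type=user --memberof="$group" \
       --right=write --attrs=userpassword --attrs=krbprincipalkey \
       --attrs=krbpasswordexpiration

  # One privilege bundles the permissions (Rob's point: a single task such as
  # password handling may need more than one low-level permission).
  $IPA privilege-add "$priv" --desc="Lifecycle of ${group} members"
  $IPA privilege-add-permission "$priv" \
       --permissions="Remove ${group} users" \
       --permissions="Modify ${group} users" \
       --permissions="Reset ${group} passwords"

  # The role carries the privilege; the admin group becomes a role member.
  $IPA role-add "$role" --desc="May manage members of ${group}"
  $IPA role-add-privilege "$role" --privileges="$priv"
  $IPA role-add-member "$role" --groups="$admins"
}

# Usage: sh this-script.sh GROUP [ADMIN_GROUP]
if [ "$#" -gt 0 ]; then
  create_group_manager_role "$@"
fi
```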