[Freeipa-users] Role to add users fails - IPA Error 2100: ACIError

Justin Stephenson jstephen at redhat.com
Mon Jul 11 20:14:42 UTC 2016


A Role encompasses multiple privileges, and privileges will normally have 
permissions linked to them; these three things are interconnected to form 
RBAC in IPA.

There are already a number of defaults that may work for you instead of 
creating your own; for example, by default there is a role called 'User 
Administrator' which is assigned the privileges 'User Administrators', 
'Group Administrators' and 'Stage User Administrators'.

# ipa role-show 'User Administrator'
  Role name: User Administrator
  Description: Responsible for creating Users and Groups
  Privileges: User Administrators, Group Administrators, Stage User Administrators

- The User Administrators privilege has the following permissions:

# ipa privilege-show 'User Administrators'
  Privilege name: User Administrators
  Description: User Administrators
  Permissions: System: Add User to default group, System: Add Users, System: Change User password, System: Manage User SSH Public Keys, System: Modify Users, System: Read UPG Definition, System: Read User Kerberos Login Attributes, System: Remove Users, System: Unlock User, System: Manage User Certificates
  Granting privilege to roles: User Administrator

- The Permissions are what manipulate the underlying directory server 
ACIs to grant and restrict access controls.

I would say use the pre-built roles if you can, by linking an IPA 
group to a specific role and then testing. On the CLI or WebUI you can 
modify the custom roles as you see fit. Red Hat documentation on RBAC below:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/defining-roles.html

Kind regards,

Justin Stephenson

On 07/11/2016 03:47 PM, Larry Rosen wrote:
> Will creating a role to add users work?
> I created a permission to create users, but it will not allow the user to do it.  I have disabled the UPG Definition plugin.
>
> IPA Error 2100: ACIError
> Insufficient access: Could not read UPG Definition originfilter. Check your permissions.
>
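
(Added example; this is not part of Justin's message and not FreeIPA's own code.) The chain described above, role -> privileges -> permissions, can be checked mechanically: paste the `ipa role-show` output for a role and the `ipa privilege-show` output for each privilege it lists into the script below, and it reports which of the permissions a user-add exercises the role does not carry. The sample outputs embedded in it are constructed from the output quoted above plus a hypothetical 'Account Creator' role whose only permission is 'System: Add Users'. Two things in it are my assumptions rather than anything FreeIPA documents: the set of field labels used to re-join lines that a mail client or terminal wrapped, and the choice of 'System: Add Users', 'System: Add User to default group' and 'System: Read UPG Definition' as the permissions a plain user-add needs.

```python
"""Effective permissions of a FreeIPA role, from pasted `ipa ... show` output.

Added example (not from the original message or the FreeIPA project): follows
the role -> privileges -> permissions chain and reports which permissions a
user-add needs that a role is missing.
"""
from typing import Dict, Iterable, List, Set

# Field labels printed by `ipa role-show` / `ipa privilege-show`. Assumption:
# this set is how a new field is told apart from a line-wrapped continuation
# when the output was pasted from a terminal or mail client.
KNOWN_FIELDS = {
    "Role name", "Privilege name", "Description", "Privileges", "Permissions",
    "Granting privilege to roles", "Member users", "Member groups",
    "Member hosts", "Member host groups", "Member services",
}

# Permissions a plain `ipa user-add` exercises. Assumption, drawn from the
# 'User Administrators' privilege quoted in the message; 'Read UPG Definition'
# is the one the reported ACIError names.
USER_ADD_PERMISSIONS = {
    "System: Add Users",
    "System: Add User to default group",
    "System: Read UPG Definition",
}


def parse_show_output(text: str) -> Dict[str, str]:
    """Turn `ipa *-show` output into {field: value}, re-joining wrapped lines."""
    fields: Dict[str, str] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # blank line or echoed command
            continue
        key, sep, value = line.partition(": ")
        if sep and key in KNOWN_FIELDS:
            fields[key] = value.strip()
            current = key
        elif current is not None:
            # Permission names contain ': ' themselves ("System: Add Users"),
            # so an unknown key means a wrapped continuation of the last value.
            fields[current] = f"{fields[current]} {line}".strip()
    return fields


def split_values(value: str) -> List[str]:
    """Multi-valued IPA fields are printed comma-separated on one line."""
    return [v.strip() for v in value.split(",") if v.strip()]


def effective_permissions(role_output: str, privilege_outputs: Iterable[str]) -> Set[str]:
    """Union of the permissions of every privilege the role grants.

    A privilege the role names but no privilege-show was supplied for
    contributes nothing, so pass one privilege-show per listed privilege.
    """
    privileges: Dict[str, Set[str]] = {}
    for out in privilege_outputs:
        fields = parse_show_output(out)
        privileges[fields["Privilege name"]] = set(split_values(fields.get("Permissions", "")))
    role = parse_show_output(role_output)
    perms: Set[str] = set()
    for name in split_values(role.get("Privileges", "")):
        perms |= privileges.get(name, set())
    return perms


def missing_for_user_add(role_output: str, privilege_outputs: Iterable[str]) -> Set[str]:
    """Permissions needed to add a user that the role does not carry."""
    return USER_ADD_PERMISSIONS - effective_permissions(role_output, privilege_outputs)


# Sample output, constructed to match what the message quotes, wrapped the
# way a mail client wraps long lines.
ROLE_SHOW_DEFAULT = """\
# ipa role-show 'User Administrator'
  Role name: User Administrator
  Description: Responsible for creating Users and Groups
  Privileges: User Administrators, Group Administrators, Stage User
Administrators
"""

PRIV_SHOW_USER_ADMINS = """\
# ipa privilege-show 'User Administrators'
  Privilege name: User Administrators
  Description: User Administrators
  Permissions: System: Add User to default group, System: Add Users,
System: Change User password, System: Manage User SSH Public Keys,
System: Modify Users, System: Read UPG Definition, System: Read User
Kerberos Login Attributes,
               System: Remove Users, System: Unlock User, System:
Manage User Certificates
  Granting privilege to roles: User Administrator
"""

# Hypothetical custom role and privilege (constructed): a privilege carrying
# only 'System: Add Users', the shape of setup that leaves UPG Definition unreadable.
ROLE_SHOW_CUSTOM = """\
  Role name: Account Creator
  Description: Hypothetical custom role
  Privileges: Account Creation
"""

PRIV_SHOW_CUSTOM = """\
  Privilege name: Account Creation
  Description: Hypothetical custom privilege
  Permissions: System: Add Users
  Granting privilege to roles: Account Creator
"""

if __name__ == "__main__":
    for label, role, privs in (
        ("User Administrator", ROLE_SHOW_DEFAULT, [PRIV_SHOW_USER_ADMINS]),
        ("Account Creator", ROLE_SHOW_CUSTOM, [PRIV_SHOW_CUSTOM]),
    ):
        missing = missing_for_user_add(role, privs)
        print(f"{label}: " + ("OK" if not missing else "missing " + ", ".join(sorted(missing))))
```

In a real environment, feed it the output of `ipa role-show ROLE` and of one `ipa privilege-show PRIVILEGE` per privilege the role lists. To put a group onto the built-in role rather than a custom one, `ipa role-add-member 'User Administrator' --groups=GROUP` (GROUP being your IPA group), then kinit as a member of that group and try `ipa user-add`.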
