<html> <head> <style></style></head> <body class='hmmessage'><div dir='ltr'><div>**adding FreeIPA-Users***<br><br> <style></style> <div dir="ltr">Hi Alexander,<div><br></div><div>I was referring to you below reply regarding managing the access ( adding and deleting etc) for only those hosts which are part of a particular hostgroup - you mentioned i can do that using "<span style="color:rgb(68, 68, 68);font-size:15px;line-height:21.3px;background-color:rgb(255, 255, 255);">additional target filter based on the hostgroup membership." in the freeIPA permission. </span></div><div><font color="#444444"><span style="font-size:15px;line-height:21.3px;">What would be the attribute/DN i should be giving in the target filter to achieve this?</span></font></div><div><font color="#444444"><span style="font-size:15px;line-height:21.3px;"><br></span></font></div><div><font color="#444444"><span style="font-size:15px;line-height:21.3px;">obviously default host group membership allow the admin to add and delete any hosts. Which i dont want. I want management restricted to only those host which are part of the hostgroup</span></font></div><div><font color="#444444"><span style="font-size:15px;line-height:21.3px;"><br></span></font></div><div><font color="#444444"><span style="font-size:15px;line-height:21.3px;">Thanks in advance</span></font></div><div><font color="#444444"><span style="font-size:15px;line-height:21.3px;"><br></span></font></div><div><font color="#444444"><span style="font-size:15px;line-height:21.3px;">Best Regards,</span></font></div><div><font color="#444444"><span style="font-size:15px;line-height:21.3px;">Deepak</span></font></div><div><font color="#444444"><span style="font-size:15px;line-height:21.3px;"><br></span></font><br><div><hr id="ecxstopSpelling"><div dir="ltr"><div><div><br><div>> Date: Mon, 8 Aug 2016 11:54:23 +0300<br>> From: abokovoy@redhat.com<br>> To: deepak_dimri@hotmail.com<br>> CC: freeipa-users@redhat.com<br>> Subject: Re: [Freeipa-users] Delegated Administration in IPA<br>> <br>> On Mon, 08 Aug 2016, Deepak Dimri wrote:<br>> >Hi List,<br>> >I want some help here! i have 100 of linux servers and ec2 instances<br>> >used by various teams/departments. I want to have group wise<br>> >clubbing of these servers so that i can delegate administration access<br>> >to manager of that particular group. For example lets say out of those<br>> >100 servers, 25 servers belongs to engineering team so i want to<br>> >register these 25 servers under engineering group/domain and then<br>> >assign the full administration access to engineering manager to manage<br>> >these 25 servers and there accesses. I am getting a sense that we can<br>> >create DNS subdomains for each team i.e. engineering.<ipa server domain<br>> >name> and then register those 25 servers under engineering.<ipa server<br>> >domain name> but then i am not sure how i can assign the access and do<br>> >rest of the configurations. I would be thankfully if any of you can<br>> >provide with configuration steps to help me<br>> What kind of administration do you want to achieve?<br>> <br>> - Managing IPA objects themselves?<br>> - Managing actual machines as in login to them, run sudo, etc?<br>> <br>> For the former you'd need to learn how to deal with<br>> permissions/privileges/roles and create separate<br>> permissions/privileges/roles that look like a default one with<br>> additional target filter based on the hostgroup membership.<br>> <br>> For the latter you'd use HBAC rules.<br>> <br>> -- <br>> / Alexander Bokovoy<br></div></div></div> </div></div></div><style></style> </div></div> </div></body> </html>