<html> <head> <style></style></head> <body class='hmmessage'><div dir='ltr'><div>Let me try summarize it!</div><div><br></div>I want xyzadmin of xyzhostgroup be able to mange all the hosts with in the xyzhostgroup - which means he should be able to delete/ add/ modify the hosts under xyzhostgroup . This is what i currently have in the role : myhostgroup-role (role)--> myadmin1 (admin user)--> myhostgroup (host group where i have added the hosts) --> my-hostgroup-privilege --> my-hostgroup-permission<div><br></div><div>The problem is that the moment i add <b>memberOf</b> =cn=.... in the target filter then myadmin1 cannot add/delete the hosts with in myhostgroup and any other hosts in other hostgroups. However if i assign the role permission with with subtree=dc=us-west-2,dc=compute,dc=amazonaws,dc=com and filter as (&(cn=myhostgroup)(objectclass=ipahostgroup)) and <b>member</b> attribute added then myadmin1 gets the expected access to manage the hosts within myhostgroup but then he also gets access to delete and manage other hosts outside of myhostgroup which i dont want!</div><div><br></div><div><br></div><div>Thanks & Regards,</div><div>Deepak</div><div><br><div><div>> Date: Tue, 30 Aug 2016 16:10:00 +0300<br>> From: abokovoy@redhat.com<br>> To: deepak_dimri@hotmail.com<br>> CC: freeipa-users@redhat.com<br>> Subject: Re: [Freeipa-users] Permission not working as expected<br>> <br>> On Tue, 30 Aug 2016, Deepak Dimri wrote:<br>> >Hi Alexander,<br>> >i did try adding the "member" effective attribute in GUI and also from<br>> >the command prompt But the error is not going away when i try to delete<br>> >the host from my taphostgroup. for me it only works if i have<br>> >(&(cn=taphostgroup)(objectclass=ipaobject)) in the --filter, BUT then<br>> >the i am allowed access to all the hosts in all the hostgroup :( I am<br>> >kinda stuck with this issue. Would be great if you can suggest any<br>> >further headway!<br>> Isn't this is what you wanted: a user has ability to manage all hosts in<br>> the host group but not other hosts.<br>> <br>> -- <br>> / Alexander Bokovoy<br></div></div></div> </div></body> </html>