<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 12pt;
font-family:Calibri
}
--></style></head>
<body class='hmmessage'><div dir='ltr'>Hi Alexander,<div><br></div><div>I did try adding the "member" effective attribute in the GUI and also from the command prompt, but the error is not going away when I try to delete the host from my taphostgroup. For me it only works if I have (&(cn=taphostgroup)(objectclass=ipaobject)) in the --filter, BUT then I am allowed access to all the hosts in all the hostgroups :( I am kinda stuck with this issue. Would be great if you can suggest any further headway!</div><div><br></div><div>
<p class="p1"><span class="s1"> ipa permission-mod manage-taphostgroup --attrs={'userPassword','description','nshardwareplatform','nsosversion','usercertificate','userclass','macaddress','ipaassignedidview','ipasshpubkey','<b>member</b>'}</span></p>
<p class="p1"><span class="s1">-----------------------------------------</span></p>
<p class="p1"><span class="s1">Modified permission "manage-taphostgroup"</span></p>
<p class="p1"><span class="s1">-----------------------------------------</span></p>
<p class="p1"><span class="s1"> Permission name: manage-taphostgroup</span></p>
<p class="p1"><span class="s1"> Granted rights: all</span></p>
<p class="p1"><span class="s1"> Effective attributes: description, ipaassignedidview, ipasshpubkey, macaddress, member, nshardwareplatform, nsosversion, userPassword, usercertificate, userclass</span></p>
<p class="p1"><span class="s1"> Bind rule type: permission</span></p>
<p class="p1"><span class="s1"> Subtree: cn=computers,cn=accounts,dc=us-west-2,dc=compute,dc=amazonaws,dc=com</span></p>
<p class="p1"><span class="s1"> Extra target filter: (memberOf=cn=taphostgroup,cn=hostgroups,cn=accounts,dc=us-west-2,dc=compute,dc=amazonaws,dc=com)</span></p>
<p class="p1"><span class="s1"> Type: host</span></p>
<p class="p1"><span class="s1"> Granted to Privilege: tap-hostgroup-privilege</span></p>
<p class="p1"><span class="s1"> Indirect Member of roles: taphostgroup-role</span></p></div><div><br></div><div>Many thanks,</div><div>Deepak</div><div><br><div>> Date: Tue, 30 Aug 2016 13:27:59 +0300<br>> From: abokovoy@redhat.com<br>> To: deepak_dimri@hotmail.com<br>> CC: freeipa-users@redhat.com<br>> Subject: Re: [Freeipa-users] Permission not working as expected<br>> <br>> On Tue, 30 Aug 2016, Deepak Dimri wrote:<br>> >I did try the exact steps from the blog but alas still it did not work. Getting same error :(<br>> I don't give rights to write to 'member' attribute in the blog. You have<br>> to adapt to your situation, obviously.<br>> <br>> -- <br>> / Alexander Bokovoy<br></div></div> </div></body>
</html>