On 17/08/2023 18.31, Chris Cowan via FreeIPA-users wrote:
> Reading through the docs carefully, but I'm just wondering if anyone else has done this,
> and if there are any "gotchas" I have to worry about?

FreeIPA has role-based access control that lets you define fine-grained permissions, privileges, and roles. RBACs can be created in the web UI in the "IPA Server" tab. The system permissions for group management already come with filters for the admins group and some other internal groups.

To create a least privilege admin that can manage POSIX groups, you have to:

- Create two new permissions based on "System: Modify Group" and "System: Modify Group Membership" with an additional extra target filter (objectClass=posixGroup)
- Create a new privilege with your two new permissions
- Create a role with your new privilege
- Assign the role to your least privileged admin user

The user will be able to modify group settings and add/remove members. If you want to include group creation and deletion, you also have to create custom permissions based on "System: Add group" and "System: Remove group".

Christian

--
Christian Heimes
Principal Software Engineer, Identity Management and Platform Security

Red Hat GmbH, https://de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Brian Klemm, Laurie Krebs, Michael O'Neill
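The four steps in Christian's reply, scripted with the ipa CLI instead of the web UI. This is an added example and not part of the thread or of FreeIPA's own tooling. The object names (the two permissions, the privilege, the role), the attribute lists on the two permissions, and the use of a dry-run wrapper are all assumptions made here; the attribute lists in particular should be copied from the managed permissions on your own server (find their exact names with `ipa permission-find "System: Modify Group"`), and applying the script requires an admin Kerberos ticket.

```shell
#!/bin/sh
# Added example, not code from the original thread or from FreeIPA.
# Builds a least-privilege admin who may only modify POSIX groups and their
# membership, following the four steps from the reply, via the ipa CLI.
# Assumptions: the object names below, the attribute lists on the two
# permissions, and that `kinit admin` was done before applying.
set -eu

IPA=${IPA:-ipa}          # ipa CLI binary (override for testing)
DRY_RUN=${DRY_RUN:-0}    # DRY_RUN=1 prints the commands instead of running them

# Names for the objects we create (constructed for this example).
PERM_MOD="Modify POSIX Groups"
PERM_MEMBER="Modify POSIX Group Membership"
PRIV="POSIX Group Administrators"
ROLE="POSIX Group Admin"
# The extra target filter that confines both permissions to POSIX groups.
FILTER="(objectClass=posixGroup)"

# Print or execute a command, so the change set can be reviewed before applying.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1: two write permissions modelled on the managed "System: Modify Group"
# and "System: Modify Group Membership" permissions, plus the extra filter.
# The --attrs lists are an assumption: copy the real ones from
#   ipa permission-show "<exact managed permission name>"
add_permissions() {
    run "$IPA" permission-add "$PERM_MOD" \
        --right=write --type=group --filter="$FILTER" \
        --attrs=cn --attrs=description --attrs=gidnumber
    run "$IPA" permission-add "$PERM_MEMBER" \
        --right=write --type=group --filter="$FILTER" \
        --attrs=member
}

# Step 2: a privilege that bundles the two permissions.
add_privilege() {
    run "$IPA" privilege-add "$PRIV" --desc="Manage POSIX groups only"
    run "$IPA" privilege-add-permission "$PRIV" \
        --permissions="$PERM_MOD" --permissions="$PERM_MEMBER"
}

# Step 3: a role that carries the privilege.
add_role() {
    run "$IPA" role-add "$ROLE" --desc="Least-privilege POSIX group administrator"
    run "$IPA" role-add-privilege "$ROLE" --privileges="$PRIV"
}

# Step 4: assign the role to the delegated admin user.
assign_role() {
    run "$IPA" role-add-member "$ROLE" --users="$1"
}

create_posix_group_admin() {
    add_permissions
    add_privilege
    add_role
    assign_role "$1"
}

# Usage:  DRY_RUN=1 sh posix-group-admin.sh alice   (review the commands first)
#         sh posix-group-admin.sh alice             (apply with an admin ticket)
# To confirm the scope afterwards: with the delegated user's ticket, an
# `ipa group-mod` on a POSIX group should succeed, while the same change on a
# group created with --nonposix should be rejected by the directory's ACIs.
if [ "$#" -ge 1 ]; then
    create_posix_group_admin "$1"
fi
```

Running with `DRY_RUN=1` first is the useful habit here: it lists every permission, privilege, role and membership change before anything touches the directory, so the filter and attribute lists can be checked against the output of `ipa permission-show` for the managed permissions before the delegated admin exists.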
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue