I might be missing something here, but if an account can manage all posixGroup objects then he's, from a attacker point of view, as privileged as a member of the admin group, isn't he?
On Thu, Aug 17, 2023 at 9:28 PM Chris Cowan via FreeIPA-users < [email protected]> wrote: > Christian, > > I want full admin meaning all group management. (CRUD). Add/remove > group, change attributes, membership, etc... > > Was already aware of the manager members and that I could assign both > users or groups. I have been using that and it works as I would expect. > > So, I will be needing System:{Add Group, Remove Group, Modify Group, and > Modify Group Membership} > > This id will be used behind the curtain with service available with a REST > API, and serve the needs of a storage service. > _______________________________________________ > FreeIPA-users mailing list -- [email protected] > To unsubscribe send an email to [email protected] > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedorahosted.org/archives/list/[email protected] > Do not reply to spam, report it: > https://pagure.io/fedora-infrastructure/new_issue >
_______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
