More specifics would help. How did it not work as expected? What is the
full ACI you came up with?

The idea is that this is granted to all authenticated users EXCEPT those
in (in your case) the iam-managed-users and admins groups.

rob

Ronald Wimmer via FreeIPA-users wrote:
> I modified the attribute ipapermtargetfilter of
> 
> DN: cn=System: Change User password,cn=permissions,cn=pbac,dc=linux,dc=mydomain,dc=at
> to
> (&(!(memberOf=cn=iam-managed-users,cn=groups,cn=accounts,dc=linux,dc=mydomain,dc=at))(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=linux,dc=mydomain,dc=at)))
> 
> 
> but it did not work as expected. Do I have to explicitly assign this
> particular permission to a users group? (I thought that every user in
> IPA has this particular perm by default?)
> 
> Cheers
> Ron
> 
> On 12.02.25 16:02, Ronald Wimmer via FreeIPA-users wrote:
>> On 12.02.25 14:34, Rob Crittenden via FreeIPA-users wrote:
>>> Ronald Wimmer via FreeIPA-users wrote:
>>>> On 21.01.25 11:54, Ronald Wimmer via FreeIPA-users wrote:
>>>>> On 14.01.25 13:06, Ronald Wimmer via FreeIPA-users wrote:
>>>>>> What would be the best way to do this?
>>>>>
>>>>> Remove "System: Change User password" permissions?
>>>>
>>>> The plan I had in my mind was to add a usergroup and remove this exact
>>>> permission for this group. But it seems like that only adding
>>>> permissions is possible for a user group.
>>>
>>> Correct. You can only add access, not take it away. Doing deny ACLs
>>> becomes very complicated very fast and troubleshooting it requires a
>>> wizard.
>>>
>>>> How could I accomplish removing "System: Change user password"
>>>> permissions for a specific user group? Or is there an alternative
>>>> approach to do that?
>>>
>>> You can try excluding the group from the permission via targetfilter.
>>> Something like this using the --filter or --rawfilter options:
>>>
>>> (targetfilter = "(&(!(memberOf=cn=no_passwords,cn=groups,cn=accounts,dc=example,dc=test)))")
>>>
>>>
>>> See System: Remove Users as an example. In this ACI you can't delegate a
>>> user to be able to delete an admin.
>>>
>>> If you run ipa permission-show with the --raw option you can see the
>>> actual ACI produced.
>>
>> Thanks! Got it!
>>

-- 
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
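The procedure Rob describes above (set an extra target filter on the permission with `ipa permission-mod --filter`, then inspect the generated ACI with `ipa permission-show --raw`), written out as an added example. This is not code from the thread or from FreeIPA itself; the base DN dc=example,dc=test is taken from Rob's illustration and is an assumption to replace with your own suffix, and the function names are made up here.

```shell
# Added example (not from the thread or FreeIPA): build the negated-memberOf
# target filter from group names, apply it to a permission, and show the
# resulting ACI. Assumed base DN below; override with BASEDN=... in the env.
set -eu

BASEDN="${BASEDN:-dc=example,dc=test}"

# exclude_groups_filter GROUP... -> prints an LDAP filter that matches
# entries which are NOT memberOf any of the named groups, e.g.
# (&(!(memberOf=cn=a,cn=groups,cn=accounts,dc=example,dc=test))(!(memberOf=cn=b,...)))
# The ACI stays allow-only: excluded members simply fall outside the grant.
exclude_groups_filter() {
    f=""
    for g in "$@"; do
        f="${f}(!(memberOf=cn=${g},cn=groups,cn=accounts,${BASEDN}))"
    done
    printf '(&%s)' "$f"
}

# apply_exclusion PERMISSION GROUP... -> sets the extra target filter
# (ipapermtargetfilter) on the permission. This writes to the directory,
# so call it deliberately with an admin ticket.
apply_exclusion() {
    perm="$1"; shift
    ipa permission-mod "$perm" --filter="$(exclude_groups_filter "$@")"
}

# show_raw_aci PERMISSION -> prints the raw entry, including the actual
# generated ACI, so you can confirm the (!(memberOf=...)) terms are present.
show_raw_aci() {
    ipa permission-show "$1" --raw --all
}

# Usage (hypothetical group names from the thread):
#   apply_exclusion "System: Change User password" iam-managed-users admins
#   show_raw_aci "System: Change User password"
```

Check the output of `show_raw_aci` rather than assuming the filter took effect: the `--filter` value is an extra filter combined with whatever the permission's type already implies, and the raw ACI is the only place the combined result is visible.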