Hi,
I want to have 2 trees of user (and, or? host?) groups, one server branch and
one desktop as the desktop admins differ from the server admins and have to be
kept separate......so that seems to be a high level thing....
So reading the delegation section it's unclear if I am in the right place or
what permission to give....so for a top level admin I give the manager
attribute? to the top group or simply all? or what? looking down the
attributes I see things like "cn" so I see nothing that helps me
understand.....yep I'm lost.....
What I need to do is give the desktop admins control over desktops and desktop
users but not any over servers and server users and the server admins the
opposite.
There are also going to be at least two password policies, one for staff and
one for students. After a bit I will have PassSync from AD for staff so that
policy needs to be disabled...also the requirement to reset their password on
first login as that's done via AD
So is the best way to make a top level group for each of the two trees,
delegate this to each admin branch (manager?) to that? and then under that have
two groups where I attach each of the password policies? seems logical, but
who knows....
Say a group labeled 1 is the top for the server tree with 2 under it for staff
server passwords and 3 for student server passwords.
Say a group labeled A is the top for the desktop tree with B under it for
staff server passwords and C for student server passwords...
hope my ASCII art works....

    2
1 <
    3

    b
a <
    c

So a staff password policy is attached to 2 and B and a student password policy
is attached to 3 and C?
:/
Is this clear?
The next Q is doing the nesting, I get confused on which way it goes........1
goes into group 2 and 3 while a goes into b and c?
That way 1 has "control over" 2 and 3? which is what I want....
or do 2 and 3 go into 1? can't see that as 2 and 3 would have the same level as
1?
I then have to repeat something similar for the hosts/clients?
regards
Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272