**adding FreeIPA-Users**
Hi Alexander,

I was referring to your reply below regarding managing the access (adding and deleting etc.) for only those hosts which are part of a particular hostgroup - you mentioned I can do that using "additional target filter based on the hostgroup membership." in the FreeIPA permission. What would be the attribute/DN I should be giving in the target filter to achieve this? Obviously default host group membership allows the admin to add and delete any hosts, which I don't want. I want management restricted to only those hosts which are part of the hostgroup.

Thanks in advance

Best Regards,
Deepak

> Date: Mon, 8 Aug 2016 11:54:23 +0300
> From: [email protected]
> To: [email protected]
> CC: [email protected]
> Subject: Re: [Freeipa-users] Delegated Administration in IPA
>
> On Mon, 08 Aug 2016, Deepak Dimri wrote:
> >Hi List,
> >I want some help here! I have 100 of Linux servers and EC2 instances
> >used by various teams/departments. I want to have group wise
> >clubbing of these servers so that I can delegate administration access
> >to manager of that particular group. For example let's say out of those
> >100 servers, 25 servers belong to engineering team so I want to
> >register these 25 servers under engineering group/domain and then
> >assign the full administration access to engineering manager to manage
> >these 25 servers and their accesses. I am getting a sense that we can
> >create DNS subdomains for each team i.e. engineering.<ipa server domain
> >name> and then register those 25 servers under engineering.<ipa server
> >domain name> but then I am not sure how I can assign the access and do
> >rest of the configurations. I would be thankful if any of you can
> >provide with configuration steps to help me
> What kind of administration do you want to achieve?
>
> - Managing IPA objects themselves?
> - Managing actual machines as in login to them, run sudo, etc?
>
> For the former you'd need to learn how to deal with
> permissions/privileges/roles and create separate
> permissions/privileges/roles that look like a default one with
> additional target filter based on the hostgroup membership.
>
> For the latter you'd use HBAC rules.
>
> --
> / Alexander Bokovoy
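One way to express a hostgroup-membership target filter in a permission/privilege/role chain, as an added example that is not part of the original thread. The hostgroup `engineering`, the suffix `dc=example,dc=com`, the user `engmanager`, the object names and the attribute list are assumptions; the script prints the `ipa` commands unless `IPA_APPLY=1` is set.

```shell
#!/bin/sh
# Added example: dry-run by default; set IPA_APPLY=1 to run against a server.
# All names below (engineering, dc=example,dc=com, engmanager) are assumed.

# Build the extra target filter that matches host entries already in the
# hostgroup. Hostgroups live under cn=hostgroups,cn=accounts,<suffix>, and
# member hosts carry a memberOf value pointing at that DN.
hostgroup_filter() {
    hg=$1 suffix=$2
    # Conservative check: refuse names that could change the filter or DN.
    case $hg in
        ''|*[!A-Za-z0-9._-]*) echo "invalid hostgroup name: $hg" >&2; return 1 ;;
    esac
    printf '(memberOf=cn=%s,cn=hostgroups,cn=accounts,%s)\n' "$hg" "$suffix"
}

# Print the command, or execute it when IPA_APPLY=1.
run() {
    if [ "${IPA_APPLY:-0}" = 1 ]; then
        "$@"
    else
        printf '+'; printf ' %s' "$@"; printf '\n'
    fi
}

# Permission (scoped by the filter) -> privilege -> role -> delegated user.
delegate_hostgroup() {
    hg=$1 suffix=$2 user=$3
    filter=$(hostgroup_filter "$hg" "$suffix") || return 1
    perm="Modify Hosts in $hg"
    priv="$hg Host Administrators"
    role="$hg Host Manager"
    # Write access to a few host attributes, limited to hostgroup members.
    run ipa permission-add "$perm" --type=host --right=write \
        --attrs=description --attrs=l --attrs=nshostlocation \
        --filter="$filter"
    run ipa privilege-add "$priv"
    run ipa privilege-add-permission "$priv" --permissions="$perm"
    run ipa role-add "$role"
    run ipa role-add-privilege "$role" --privileges="$priv"
    run ipa role-add-member "$role" --users="$user"
}

delegate_hostgroup engineering dc=example,dc=com engmanager
```

The filter only matches entries that already carry the `memberOf` value, so the permission covers hosts once they are members of the hostgroup.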
