Oliver Northam wrote:
> Hi Rob,
>
> Thanks!
>
> I see that I have the ability to delete those internal groups. If I
> remove one (editor for example) and recreate it with the same name, will
> it retain the same edit permissions?

I believe admins is the only special group and IIRC it prevents itself
from being deleted.

Pretty much deleting any entry will result in permissions will be dropped.

editors have no special permissions by default though. It is mostly a
legacy group from the original UI though it is used by AD trust to
ensure that the SID generation was successful.

rob

>
> Thanks
>
> On 9 Feb 2018 1:47 pm, "Rob Crittenden" <rcritten@redhat.com

> <mailto:rcritten@redhat.com>> wrote:
>
>     Oliver Northam via FreeIPA-users wrote:
>     > Hello! 
>     >
>     > I'd love to use FreeIPA for all of our auth needs (wifi, samba,
>     backups
>     > etc) but I'm a little lost on the configuration of the default
>     groups. 
>     >
>     > I have my admin user in the 'admins' group and my test user in the
>     > 'ipausers' group, but I can't see any permissions or roles or policies
>     > that define permissions in those groups. Logged in as the admin
>     user, I
>     > can change all settings but as my test user, I cannot change anything.
>     >
>     > I also see 'editors' but can't see exactly what permissions this
>     group has. 
>     >
>     > Am I missing something or somewhere where I can change these
>     permissions?
>
>     admins is treated as a special case and doesn't have explicit roles.
>
>     To add permissions for other users/groups add them to a role. A role has
>     certain privileges and privileges have permissions (atomic rights).
>
>     rob
>