Ah I see now. Adding --raw to the end of the privilege-show CLI command shows me that the admins group is a member of that privilege.

Thank you!

On Thu, Oct 10, 2019 at 10:36 AM Rob Crittenden <rcritten@redhat.com> wrote:
Russell Jones via FreeIPA-users wrote:
> Hi all,
>
> I am still exploring my default setup, and have noticed that while the
> "admin" user is a part of the admins and trust admins group, neither the
> user nor those groups have any roles defined on them that I can see.
>
> Where is this special username getting its permissions from?
>
>
> Thanks for the help!

The group is a direct member of a couple of privileges:

Host Enrollment
Replication Administrators

Most of the powers are granted by separate ACIs for the admins group,
notably:

Admin can manage any entry
Admins can write passwords
Admins can write password policies
...
and a bunch more.

rob

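The reply above says most of the admins group's rights come from ACIs that name the group directly, which is why no role shows them. The following is an added example, not code from the thread or from FreeIPA: it lists the ACIs whose bind rule grants rights to a given group. The ACI names are the ones quoted in the thread; the `dc=example,dc=test` suffix, the targets, the rights, the two non-admin ACIs and the helper names are constructed assumptions.

```python
import re

SUFFIX = "dc=example,dc=test"  # assumption: placeholder directory suffix
ADMINS = f"cn=admins,cn=groups,cn=accounts,{SUFFIX}"

# Constructed sample ACI values in 389-DS syntax (not dumped from a real server).
SAMPLE_ACIS = [
    f'(targetattr = "*")(version 3.0; acl "Admin can manage any entry"; '
    f'allow (all) groupdn = "ldap:///{ADMINS}";)',
    f'(targetattr = "userPassword || krbPrincipalKey")(version 3.0; '
    f'acl "Admins can write passwords"; allow (add,delete,write) '
    f'groupdn="ldap:///{ADMINS}";)',
    f'(targetattr = "krbMaxPwdLife || krbMinPwdLife")(version 3.0; '
    f'acl "Admins can write password policies"; allow (read, search, compare, write) '
    f'groupdn = "ldap:///{ADMINS}";)',
    f'(targetattr = "description")(version 3.0; acl "Constructed helpdesk rule"; '
    f'allow (write) groupdn = "ldap:///cn=helpdesk,cn=groups,cn=accounts,{SUFFIX}";)',
    '(targetattr = "userPassword")(version 3.0; acl "Constructed self-service rule"; '
    'allow (write) userdn = "ldap:///self";)',
]

ACI_RE = re.compile(
    r'\(version 3\.0;\s*acl\s+"(?P<name>[^"]+)";\s*(?P<kind>allow|deny)\s*'
    r'\((?P<rights>[^)]*)\)\s*(?P<bind>.*?);\s*\)\s*$', re.S)
GROUPDN_RE = re.compile(r'groupdn\s*=\s*"([^"]*)"', re.I)

def normalize(dn):
    """Lowercase a DN and drop spaces around commas so comparisons are stable."""
    return ",".join(part.strip() for part in dn.lower().split(","))

def acis_for_group(acis, group_dn):
    """Return (name, allow/deny, rights) for ACIs whose groupdn names group_dn."""
    wanted, hits = normalize(group_dn), []
    for aci in acis:
        m = ACI_RE.search(aci)
        if not m:
            continue  # not a version 3.0 ACI this sketch understands
        for value in GROUPDN_RE.findall(m.group("bind")):
            # A groupdn value may list several LDAP URLs separated by "||".
            urls = [u.strip() for u in value.split("||")]
            dns = {normalize(u[8:]) for u in urls if u.lower().startswith("ldap:///")}
            if wanted in dns:
                rights = [r.strip() for r in m.group("rights").split(",")]
                hits.append((m.group("name"), m.group("kind"), rights))
                break
    return hits

if __name__ == "__main__":
    for name, kind, rights in acis_for_group(SAMPLE_ACIS, ADMINS):
        print(f"{kind:5} {','.join(rights):28} {name}")
```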