3:52 a.m.
Hello!
I'd love to use FreeIPA for all of our auth needs (wifi, samba, backups
etc) but I'm a little lost on the configuration of the default groups.
I have my admin user in the 'admins' group and my test user in the
'ipausers' group, but I can't see any permissions or roles or policies that
define permissions in those groups. Logged in as the admin user, I can
change all settings but as my test user, I cannot change anything.
I also see 'editors' but can't see exactly what permissions this group has.
Am I missing something or somewhere where I can change these permissions?
Thanks,
Oli
7:47 a.m.
Oliver Northam via FreeIPA-users wrote:
Hello!
I'd love to use FreeIPA for all of our auth needs (wifi, samba, backups
etc) but I'm a little lost on the configuration of the default groups.
I have my admin user in the 'admins' group and my test user in the
'ipausers' group, but I can't see any permissions or roles or policies
that define permissions in those groups. Logged in as the admin user, I
can change all settings but as my test user, I cannot change anything.
I also see 'editors' but can't see exactly what permissions this group has.
Am I missing something or somewhere where I can change these permissions?
admins is treated as a special case and doesn't have explicit roles.
To add permissions for other users/groups add them to a role. A role has
certain privileges and privileges have permissions (atomic rights).
rob
9:03 a.m.
Hi Rob,
Thanks!
I see that I have the ability to delete those internal groups. If I remove
one (editor for example) and recreate it with the same name, will it retain
the same edit permissions?
Thanks
On 9 Feb 2018 1:47 pm, "Rob Crittenden" <rcritten(a)redhat.com> wrote:
Oliver Northam via FreeIPA-users wrote:
> Hello!
>
> I'd love to use FreeIPA for all of our auth needs (wifi, samba, backups
> etc) but I'm a little lost on the configuration of the default groups.
>
> I have my admin user in the 'admins' group and my test user in the
> 'ipausers' group, but I can't see any permissions or roles or policies
> that define permissions in those groups. Logged in as the admin user, I
> can change all settings but as my test user, I cannot change anything.
>
> I also see 'editors' but can't see exactly what permissions this group
has.
>
> Am I missing something or somewhere where I can change these permissions?
admins is treated as a special case and doesn't have explicit roles.
To add permissions for other users/groups add them to a role. A role has
certain privileges and privileges have permissions (atomic rights).
rob
9:17 a.m.
Oliver Northam wrote:
Hi Rob,
Thanks!
I see that I have the ability to delete those internal groups. If I
remove one (editor for example) and recreate it with the same name, will
it retain the same edit permissions?
I believe admins is the only special group and IIRC it prevents itself
from being deleted.
Pretty much deleting any entry will result in permissions will be dropped.
editors have no special permissions by default though. It is mostly a
legacy group from the original UI though it is used by AD trust to
ensure that the SID generation was successful.
rob
Thanks
On 9 Feb 2018 1:47 pm, "Rob Crittenden" <rcritten(a)redhat.com
<mailto:rcritten@redhat.com>> wrote:
Oliver Northam via FreeIPA-users wrote:
> Hello!
>
> I'd love to use FreeIPA for all of our auth needs (wifi, samba,
backups
> etc) but I'm a little lost on the configuration of the default
groups.
>
> I have my admin user in the 'admins' group and my test user in the
> 'ipausers' group, but I can't see any permissions or roles or
policies
> that define permissions in those groups. Logged in as the admin
user, I
> can change all settings but as my test user, I cannot change anything.
>
> I also see 'editors' but can't see exactly what permissions this
group has.
>
> Am I missing something or somewhere where I can change these
permissions?
admins is treated as a special case and doesn't have explicit roles.
To add permissions for other users/groups add them to a role. A role has
certain privileges and privileges have permissions (atomic rights).
rob
9:27 a.m.
Great! Thanks for your help. I appreciate it.
Oliver Northam
Lead Technical
[image: Si digital] <http://sidigital.co/>
Website: sidigital.co | *DDI*: 02393 190 262 | *Office: *02393 190 260
Twitter: @sidgtl <https://twitter.com/sidgtl> | Facebook: /sidgtl
<https://facebook.com/sidgtl>
Si digital is the trading name of Something Interesting Limited, registered
in England and Wales. Our registered number is 04270457
The information in this email should be considered confidential unless
otherwise stated.
On 9 February 2018 at 15:17, Rob Crittenden <rcritten(a)redhat.com> wrote:
Oliver Northam wrote:
> Hi Rob,
>
> Thanks!
>
> I see that I have the ability to delete those internal groups. If I
> remove one (editor for example) and recreate it with the same name, will
> it retain the same edit permissions?
I believe admins is the only special group and IIRC it prevents itself
from being deleted.
Pretty much deleting any entry will result in permissions will be dropped.
editors have no special permissions by default though. It is mostly a
legacy group from the original UI though it is used by AD trust to
ensure that the SID generation was successful.
rob
>
> Thanks
>
> On 9 Feb 2018 1:47 pm, "Rob Crittenden" <rcritten(a)redhat.com
> <mailto:rcritten@redhat.com>> wrote:
>
> Oliver Northam via FreeIPA-users wrote:
> > Hello!
> >
> > I'd love to use FreeIPA for all of our auth needs (wifi, samba,
> backups
> > etc) but I'm a little lost on the configuration of the default
> groups.
> >
> > I have my admin user in the 'admins' group and my test user in the
> > 'ipausers' group, but I can't see any permissions or roles or
policies
> > that define permissions in those groups. Logged in as the admin
> user, I
> > can change all settings but as my test user, I cannot change
anything.
> >
> > I also see 'editors' but can't see exactly what permissions
this
> group has.
> >
> > Am I missing something or somewhere where I can change these
> permissions?
>
> admins is treated as a special case and doesn't have explicit roles.
>
> To add permissions for other users/groups add them to a role. A role
has
> certain privileges and privileges have permissions (atomic rights).
>
> rob
>
2259
days inactive
2262
days old
freeipa-users@lists.fedorahosted.org
4 comments
2 participants
participants (2)
-
Oliver Northam -
Rob Crittenden