On Thu, 03 Sep 2020, John Burns via FreeIPA-users wrote:
> What exactly should be granted to enable a user to view/edit FreeIPA
> roles?
> Specifically, what enables a user to view anything under "IPA Server" >
> "Role-Based Access Control"?
> Context: roles, privileges, permissions are all populated for one non-"admin"
> login but not for another.
>
> $ ipa privilege-show 'Delegation Administrator'
>   Privilege name: Delegation Administrator
>   Description: Role administration
>   Permissions: System: Modify Privilege Membership, System: Add Privileges, System: Modify Privileges, System: Remove Privileges, System: Add Roles, System: Modify Role Membership, System: Modify Roles, System: Remove Roles
>   Granting privilege to roles: Security Architect
Note that IPA's access control model is not to segregate administration
tasks, it is to account for access to privileged operations. If you are
administering roles, you are an administrator anyway, just not a faceless
'admin'.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
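The chain the thread is talking about is user -> role -> privilege -> permission: a user sees the "Role-Based Access Control" pages only if some role they are a member of carries a privilege (here "Delegation Administrator") that bundles the relevant "System: ... Roles/Privileges" permissions. The following is an added example, not code from the thread or from the FreeIPA project. It parses the literal `ipa privilege-show` output quoted above and resolves effective permissions for two constructed users, "alice" (a member of the "Security Architect" role) and "bob" (a member of a hypothetical "Helpdesk" role with no privileges); those users, the "Helpdesk" role and the memberships are assumptions made for illustration.

```python
"""Resolve which FreeIPA permissions a user holds through the
role -> privilege -> permission chain.

Added example, not FreeIPA project code. It parses the literal
`ipa privilege-show` output quoted in the thread; the users "alice" and
"bob", the "Helpdesk" role and the memberships are constructed.
"""
from collections import defaultdict

# Copied from the `ipa privilege-show 'Delegation Administrator'` output in the
# thread, with the line-wrapped Permissions attribute joined onto one line.
PRIVILEGE_SHOW = """\
  Privilege name: Delegation Administrator
  Description: Role administration
  Permissions: System: Modify Privilege Membership, System: Add Privileges, System: Modify Privileges, System: Remove Privileges, System: Add Roles, System: Modify Role Membership, System: Modify Roles, System: Remove Roles
  Granting privilege to roles: Security Architect
"""


def parse_show_output(text):
    """Parse `ipa *-show` text output into {label: [values]}.

    Only the first ": " on a line separates the label from its value, because
    permission names themselves contain ": " ("System: Add Roles"). Multi-valued
    attributes are comma separated. Caveat: a value that itself contains ", "
    would be split too; `ipa ... --raw` or the JSON-RPC API is unambiguous.
    """
    record = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        label, sep, value = line.partition(": ")
        if not sep:
            continue
        record[label] = [v.strip() for v in value.split(", ") if v.strip()]
    return record


class RbacDirectory:
    """In-memory model of the FreeIPA RBAC objects and their memberships."""

    def __init__(self):
        self.role_members = defaultdict(set)           # role -> {user}
        self.role_privileges = defaultdict(set)        # role -> {privilege}
        self.privilege_permissions = defaultdict(set)  # privilege -> {permission}

    def load_privilege(self, record):
        """Register a privilege from parsed `ipa privilege-show` output."""
        name = record["Privilege name"][0]
        self.privilege_permissions[name].update(record.get("Permissions", []))
        for role in record.get("Granting privilege to roles", []):
            self.role_privileges[role].add(name)

    def add_role_member(self, role, user):
        self.role_members[role].add(user)

    def grant_paths(self, user, permission):
        """Every (role, privilege) pair through which `user` holds `permission`."""
        paths = []
        for role, members in sorted(self.role_members.items()):
            if user not in members:
                continue
            for privilege in sorted(self.role_privileges[role]):
                if permission in self.privilege_permissions[privilege]:
                    paths.append((role, privilege))
        return paths

    def effective_permissions(self, user):
        """Union of the permissions of all privileges of all roles of `user`."""
        perms = set()
        for role, members in self.role_members.items():
            if user in members:
                for privilege in self.role_privileges[role]:
                    perms |= self.privilege_permissions[privilege]
        return perms

    def can(self, user, permission):
        return permission in self.effective_permissions(user)


def build_example_directory():
    """Constructed scenario: alice is a Security Architect, bob is not (assumption)."""
    d = RbacDirectory()
    d.load_privilege(parse_show_output(PRIVILEGE_SHOW))
    d.add_role_member("Security Architect", "alice")
    d.add_role_member("Helpdesk", "bob")  # hypothetical role with no privileges
    return d


if __name__ == "__main__":
    d = build_example_directory()
    for user in ("alice", "bob"):
        print(user, "can modify roles:", d.can(user, "System: Modify Roles"),
              d.grant_paths(user, "System: Modify Roles"))
```

Running it shows alice holding "System: Modify Roles" via ("Security Architect", "Delegation Administrator") and bob holding nothing, which is the "populated for one login but not for another" situation in the question. To reproduce the lookup against a live server, `ipa user-show <login>` lists the user's roles, `ipa role-show <role>` lists its privileges, and `ipa privilege-show <privilege>` lists the permissions, the same three hops the model walks.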