What exactly should be granted to enable a user to view/edit freeIPA roles? Specifically, what enables a user to view anything under "IPA Server" > "Role-Based Access Control"?
Context: roles, privileges, permissions are all populated for one non-"admin" login but not for another.
On Thu, 03 Sep 2020, John Burns via FreeIPA-users wrote:
> What exactly should be granted to enable a user to view/edit freeIPA roles? Specifically, what enables a user to view anything under "IPA Server" > "Role-Based Access Control"?
> Context: roles, privileges, permissions are all populated for one non-"admin" login but not for another.
$ ipa privilege-show 'Delegation Administrator'
  Privilege name: Delegation Administrator
  Description: Role administration
  Permissions: System: Modify Privilege Membership, System: Add Privileges, System: Modify Privileges, System: Remove Privileges, System: Add Roles, System: Modify Role Membership, System: Modify Roles, System: Remove Roles
  Granting privilege to roles: Security Architect
Note that IPA's access control model is not to segregate administration tasks; it is to account for access to privileged operations. If you are administering roles, you are an administrator anyway, just not a faceless 'admin'.
freeipa-users@lists.fedorahosted.org
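Added example (not from this thread or the FreeIPA project) showing how to delegate the 'Delegation Administrator' privilege to a user through a role, plus a check that a pasted `ipa privilege-show` output still carries the eight RBAC permissions listed in the reply. The role name 'Role Admins' and user 'jburns' are placeholders; the sample output below is constructed from the reply.

```shell
#!/bin/sh
# Permissions that together allow viewing/editing roles, privileges and
# permissions ("IPA Server" > "Role-Based Access Control"), as listed in the reply.
REQUIRED_PERMS='System: Modify Privilege Membership
System: Add Privileges
System: Modify Privileges
System: Remove Privileges
System: Add Roles
System: Modify Role Membership
System: Modify Roles
System: Remove Roles'

# Delegate role administration: bind the existing 'Delegation Administrator'
# privilege to a role and add the user to it. With DRY_RUN=1 (the default)
# the ipa commands are only printed; set DRY_RUN=0 on a host with an admin
# Kerberos ticket (kinit admin) to actually apply them.
delegate_role_admin() {
    role=$1; user=$2
    run() { if [ "${DRY_RUN:-1}" = 1 ]; then echo "+ $*"; else "$@"; fi; }
    run ipa role-add "$role" --desc='Can view and edit RBAC objects'
    run ipa role-add-privilege "$role" --privileges='Delegation Administrator'
    run ipa role-add-member "$role" --users="$user"
}

# Given the text printed by `ipa privilege-show <name>`, return 0 only when
# every required permission is present; otherwise print what is missing.
# Useful after someone has edited the privilege and role administration broke.
check_privilege_output() {
    perms=$(printf '%s\n' "$1" | sed -n 's/^ *Permissions: //p' \
            | tr ',' '\n' | sed 's/^ *//;s/ *$//')
    printf '%s\n' "$REQUIRED_PERMS" | while IFS= read -r p; do
        printf '%s\n' "$perms" | grep -qxF "$p" || { echo "missing: $p"; exit 1; }
    done
}

# Constructed sample, copied from the privilege-show output in the thread.
SAMPLE_OUTPUT='  Privilege name: Delegation Administrator
  Description: Role administration
  Permissions: System: Modify Privilege Membership, System: Add Privileges, System: Modify Privileges, System: Remove Privileges, System: Add Roles, System: Modify Role Membership, System: Modify Roles, System: Remove Roles
  Granting privilege to roles: Security Architect'
```

On a real server, replace SAMPLE_OUTPUT with `"$(ipa privilege-show 'Delegation Administrator')"` and the check runs against the live privilege.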