Hi all,
We received a question from one of our auditors about who has the permission to do certain actions in FreeIPA itself. This is managed by the RBAC system: you can for example configure that certain groups are allowed to manage certain parts of FreeIPA.
We currently only have two roles: normal users and admins. Normal users have the default self-service permissions, and admins can do anything within FreeIPA. However, for that last part we cannot figure out how this is specified within FreeIPA. There is no RBAC role that gives admins all permissions.
Is the admins group maybe special, in that it is hardcoded to be able to change anything within FreeIPA?
-- Remco Kranenburg
Remco Kranenburg via FreeIPA-users wrote:
> Hi all,
> We received a question from one of our auditors about who has the permission to do certain actions in FreeIPA itself. This is managed by the RBAC system: you can for example configure that certain groups are allowed to manage certain parts of FreeIPA.
> We currently only have two roles: normal users and admins. Normal users have the default self-service permissions, and admins can do anything within FreeIPA. However, for that last part we cannot figure out how this is specified within FreeIPA. There is no RBAC role that gives admins all permissions.
> Is the admins group maybe special, in that it is hardcoded to be able to change anything within FreeIPA?
Yes, the admins group is as you describe. It has pretty broad powers (but not to change anything).
There are still some direct 389-ds ACIs created to grant power to the admins group.
rob
freeipa-users@lists.fedorahosted.org
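Since the admins group's powers come partly from direct 389-ds ACIs rather than from RBAC roles, an auditor answering "who can do what" has to read the ACIs off the directory entries as well as the `ipa permission-find` output. The script below is an added example for this thread, not code from FreeIPA or from either poster: it parses `aci` values in the form `ldapsearch` returns them (the `aci` attribute has to be requested explicitly, and long values come back LDIF-wrapped unless you pass `-o ldif-wrap=no`) and lists every ACI whose bind rule allows the admins group something. The LDIF text, the `dc=example,dc=test` suffix and the ACI wording are constructed samples modelled on the 389-ds ACI syntax, not the actual ACIs of any installation.

```python
"""List 389-ds ACIs that grant rights to a given group (audit helper).

Added example, not FreeIPA code. Input is LDIF as produced by an ldapsearch
that requested the 'aci' attribute; the sample below is CONSTRUCTED.
"""
import base64
import re
from dataclasses import dataclass, field

# Constructed suffix and group DN; replace with your own directory's values.
ADMINS_DN = "cn=admins,cn=groups,cn=accounts,dc=example,dc=test"

# Constructed sample output. The second ACI is wrapped the way ldapsearch wraps
# long lines by default (continuation lines start with a single space).
SAMPLE_LDIF = """\
dn: dc=example,dc=test
aci: (targetattr = "*")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=example,dc=test";)
aci: (targetattr = "userPassword || krbPrincipalKey")(version 3.0; acl "Admins c
 an write passwords"; allow (write) groupdn = "ldap:///cn=admins,cn=groups,cn=acc
 ounts,dc=example,dc=test";)

dn: cn=users,cn=accounts,dc=example,dc=test
aci: (targetattr = "givenName || sn || mail")(targetfilter = "(objectClass=posixaccount)")(version 3.0; acl "Self service"; allow (write) userdn = "ldap:///self";)
aci: (targetattr = "*")(version 3.0; acl "Deny anonymous"; deny (all) userdn = "ldap:///anyone";)
"""


@dataclass
class Aci:
    entry_dn: str                                  # entry the ACI is attached to
    name: str                                      # the acl "..." label
    targets: dict = field(default_factory=dict)    # targetattr / targetfilter / ...
    rules: list = field(default_factory=list)      # (effect, [rights], [bind DNs])
    raw: str = ""


# Target clauses precede the "(version 3.0; ...)" body.
TARGET_RE = re.compile(r'\((targetattr|targetfilter|targetscope|target)\s*!?=\s*"([^"]*)"\)')
BODY_RE = re.compile(r'\(version\s+3\.0;\s*acl\s+"([^"]*)";\s*(.*)\)\s*$', re.S)
# One ACI may carry several "allow (...) bindrule;" / "deny (...) bindrule;" rules.
RULE_RE = re.compile(r'(allow|deny)\s*\(([^)]*)\)\s*([^;]*);')
BIND_RE = re.compile(r'(?:groupdn|userdn|roledn)\s*!?=\s*"([^"]*)"')


def unfold_ldif(text):
    """Join LDIF continuation lines: a leading space continues the previous line."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def parse_aci(entry_dn, value):
    """Split one ACI string into its target clauses and its allow/deny rules."""
    m = BODY_RE.search(value)
    if not m:
        raise ValueError(f"unrecognised ACI on {entry_dn}: {value[:60]}...")
    aci = Aci(entry_dn=entry_dn, name=m.group(1), raw=value)
    for key, val in TARGET_RE.findall(value[:m.start()]):
        aci.targets[key] = val
    for effect, rights, bind in RULE_RE.findall(m.group(2)):
        dns = []
        for spec in BIND_RE.findall(bind):          # "ldap:///a || ldap:///b"
            dns.extend(d.strip() for d in spec.split("||"))
        aci.rules.append((effect, [r.strip() for r in rights.split(",")], dns))
    return aci


def parse_acis(ldif_text):
    """Parse every aci value in an LDIF dump, remembering which entry it sits on."""
    acis, dn = [], None
    for line in unfold_ldif(ldif_text):
        if line.startswith("dn: "):
            dn = line[4:]
        elif line.startswith("aci:: "):             # base64-encoded value
            acis.append(parse_aci(dn, base64.b64decode(line[6:]).decode()))
        elif line.startswith("aci: "):
            acis.append(parse_aci(dn, line[5:]))
    return acis


def acis_granting_to(acis, group_dn):
    """ACIs with an 'allow' rule whose bind rule names group_dn (case-insensitive)."""
    want = "ldap:///" + group_dn.lower()
    return [aci for aci in acis
            if any(e == "allow" and any(d.lower() == want for d in dns)
                   for e, _, dns in aci.rules)]


def summarize(aci):
    attrs = aci.targets.get("targetattr", "(none)")
    rules = "; ".join(f"{e} {','.join(r)}" for e, r, _ in aci.rules)
    return f'{aci.entry_dn}: "{aci.name}" targetattr={attrs} -> {rules}'


if __name__ == "__main__":
    for aci in acis_granting_to(parse_acis(SAMPLE_LDIF), ADMINS_DN):
        print(summarize(aci))
```

Run against a real dump, the report complements `ipa permission-find`: RBAC permissions are themselves stored as ACIs, so the combined list is the complete set of rights the directory actually enforces for the group, including the directly created ones that have no role or permission object behind them.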