#2374 [RFE] Streamline delegation of control over membership
Closed: wontfix 5 years ago Opened 12 years ago by admiyo.

A very common use case is for an administrator to create a group and then want to delegate to another user the ability to manage the membership of that group. Currently, this is a long process: create a role, create a privilege, add the privilege to the role, and then create a permission, and add it to the privilege. The user needs to know about the LDAP underpinnings in order to create the permission correctly. For example, in order to create a privilege that allows a user to add and delete hosts from a host group, the ipa call looks like:

ipa permission-add 'mod_myhost_group' --permissions=write --attrs=memberUser --filter='(&(cn=myhosts)(objectclass=ipahostgroup))'

The one for a netgroup is even more complicated. This is a partial:

ipa permission-add 'mod_my_netgroup' --permissions=write --attrs=memberUser,externalHost --filter='(&(cn=mynetgroup)(objectclass=ipanisnetgroup))'

A possible API is

ipa netgroup-add-manager --user --groups

which would implicitly create the management role, privilege, and permission, and assign that role to the specified users and/or groups. Deleting the role can either be done manually, or automatically when the group is deleted.
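
The manual chain described above, as an added example that is not part of the original ticket or of FreeIPA: a shell function that prints the six `ipa` calls for one group and one delegate. The `manage_*`/`mod_*` object names are hypothetical, the `permission-add` options and attributes are the ones the ticket uses, and the filter is written in standard LDAP prefix form.

```shell
#!/bin/sh
# Added example: prints the manual delegation chain described in the ticket.
# The manage_*/mod_* object names are hypothetical.

# delegation_cmds KIND GROUP USER   (KIND: hostgroup | netgroup)
delegation_cmds() {
    kind=$1; group=$2; user=$3

    # GROUP ends up inside an LDAP filter and USER inside quoted arguments,
    # so accept only a conservative character set for both.
    for name in "$group" "$user"; do
        case $name in
            ''|*[!A-Za-z0-9._-]*) echo "invalid name: $name" >&2; return 1 ;;
        esac
    done

    # Object class and attributes are taken from the ticket's two commands;
    # check them against your schema before applying.
    case $kind in
        hostgroup) oc=ipahostgroup;   attrs=memberUser ;;
        netgroup)  oc=ipanisnetgroup; attrs=memberUser,externalHost ;;
        *) echo "unknown kind: $kind" >&2; return 1 ;;
    esac

    role="manage_${group}_${kind}"
    priv="manage_${group}_${kind}"
    perm="mod_${group}_${kind}"
    filter="(&(cn=$group)(objectclass=$oc))"

    # Same order as the ticket: role, privilege, link, permission, link.
    printf '%s\n' \
        "ipa role-add '$role'" \
        "ipa privilege-add '$priv'" \
        "ipa role-add-privilege '$role' --privileges='$priv'" \
        "ipa permission-add '$perm' --permissions=write --attrs=$attrs --filter='$filter'" \
        "ipa privilege-add-permission '$priv' --permissions='$perm'" \
        "ipa role-add-member '$role' --users='$user'"
}

# Constructed sample input: review the printed commands, then run them as an admin.
delegation_cmds hostgroup myhosts alice
```

The name check rejects any group or user value containing filter or quoting metacharacters, so the generated permission stays scoped to the single named entry.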


Metadata Update from @admiyo:
- Issue assigned to rcritten
- Issue set to the milestone: Tickets Deferred

7 years ago

Thank you for taking the time to submit this request for FreeIPA. Unfortunately this bug was not given priority and the team lacks the capacity to work on it at this time.

Given that we are unable to fulfil this request I am closing the issue as wontfix. To request re-consideration of this decision please reopen this issue and provide additional technical details about its importance to you.

Metadata Update from @rcritten:
- Issue close_status updated to: wontfix
- Issue status updated to: Closed (was: Open)

5 years ago
