Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 6): Bug 1034297
Description of problem:
It would be nice to have a privilege in IPA that would be a high-level match of
what RHEV Self-service portal allows to its users: add hosts and modify/delete
hosts that the respective user have added, without ability to
view/modify/delete hosts that were added by other users with this role (or by
Version-Release number of selected component (if applicable):
RHEL 6.4 / ipa-server-3.0.0-26.el6_4.4.x86_64
Check during 3.4 and create a HowTo wiki page describing the steps.
If there are some issues with the existing ACI system we should probably fix them. We would have to triage then and there after investigation.
Use managedby attribute to control access
See discussion with testing and proposal for API in freeipa-devel list:
The actual implementation won't fit in 4.0 though, thus moving to next version.
The API proposed in comment:4 is just an example, it may be more flexible to just use userattr contents:
# ipa permission-add test --bindtype=userattr --bind-userattr="creatorsname#USERDN"
Documentation for this part of the ACI: https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Managing_Access_Control-Bind_Rules.html
Moving to 4.3, we are too close to 4.2 deadline to be able to handle stretch RFEs.
Metadata Update from @mkosek:
- Issue assigned to mbabinsk
- Issue set to the milestone: FreeIPA 4.5 backlog
Thank you taking time to submit this request for FreeIPA. Unfortunately this bug was not given priority and the team lacks the capacity to work on it at this time.
Given that we are unable to fulfil this request I am closing the issue as wontfix. To request re-consideration of this decision please reopen this issue and provide additional technical details about its importance to you.
Metadata Update from @rcritten:
- Issue close_status updated to: wontfix
- Issue status updated to: Closed (was: Open)
to comment on this ticket.