Well, according to the FreeIPA page https://www.freeipa.org/page/Web_UI

Web UI has two operation modes:

What's the point of giving an individual the "User Administrator" role if he/she cannot provision users using the Web UI? And if you want to use the ipa user-* commands then you need to actually create a different user admin role that has a write permission to cn=users,cn=accounts as the built-in “User Administrator” doesn’t have it and thus the ipa user-* commands don’t work.

Is this a well-known bug/limitation? How do you go about providing role-assigned principals with the means to act upon the privileges they possess?


On Sep 21, 2018, at 4:12 PM, Florence Blanc-Renaud <flo@redhat.com> wrote:

On 9/21/18 2:06 PM, kwtygrys via FreeIPA-users wrote:
I am running FreeIPA 4.5.4 on a CentOS 7 server. I created a few users hradmin, itadmin, secadmin and assigned them to the built-in special roles User Administrator, IT Specialist and IT Security Specialist respectively. However, every time I try to access the Web UI as one of those users I always get the WebUI in self-service mode, i.e. I cannot take advantage of the privileges/permissions these users have. I only get the WebUI administration mode when logging in as admin.
Is there anything I am missing in terms of configuration?
IIRC a user has access to the whole WebUI administration when he is a member of the "admins" group.


FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org