[Freeipa-users] Allow AD users to manage FreeIPA

I'm reviewing the documentation at https://www.freeipa.org/page/V4/Allow_AD_users_to_manage_FreeIPA, as I am hoping to allow members of certain AD groups to login to FreeIPA from the web GUI. Does this documentation only apply to the FreeIPA CLI, or does it also affect access to manage through the web GUI? Let's say we have an AD group named "engineers", and I want those engineers to have admin access over FreeIPA. If the above documentation only affects the CLI, that feels a little bit redundant, because we can of course easily create Sudo / Su rules to allow members of "engineers" to have control over the FreeIPA nodes using HBAC rules and such. (This is already done and working -- members of `engineers` already have CLI admin access over FreeIPA -- I now want them to have GUI admin access). I'm also a little bit confused why the documentation says to add a domain user to the AD "administrators" group (as an ID Override). That feels like a security risk, because I don't want the user to be considered an Active Directory administrator -- I only want the person (well, any members of the `engineers` group) to have admin access over FreeIPA. It sounds like this would have to be done on a user-by-user basis (and is not something we could apply to an entire AD group that already exists)? I ran: `id administrator(a)ad.domain.com` and verified that I do have stdout. But then I ran: `ipa group-show administrator(a)ad.domain.com` and stdout included: ipa: ERROR: administrator(a)ad.domain.com: group not found Is there any way to accomplish what I want? ----- David White Engineer II, Fiber Systems Engineering