Hi
I am running FreeIPA 4.5.4 on a CentOS 7 server. I created a few users hradmin, itadmin, secadmin and assigned them to the built-in special roles User Administrator, IT Specialist and IT Security Specialist respectively. However, every time I try to access the Web UI as one of those users I always get the WebUI in self-service mode, i.e. I cannot take advantage of the privileges/permissions these users have. I only get the WebUI administration mode when logging in as admin.
Is there anything I am missing in terms of configuration?
Regards Kristof
On 9/21/18 2:06 PM, kwtygrys via FreeIPA-users wrote:
> Hi
> I am running FreeIPA 4.5.4 on a CentOS 7 server. I created a few users hradmin, itadmin, secadmin and assigned them to the built-in special roles User Administrator, IT Specialist and IT Security Specialist respectively. However, every time I try to access the Web UI as one of those users I always get the WebUI in self-service mode, i.e. I cannot take advantage of the privileges/permissions these users have. I only get the WebUI administration mode when logging in as admin.
> Is there anything I am missing in terms of configuration?

Hi, IIRC a user has access to the whole WebUI administration when he is a member of the "admins" group.

flo

> Regards Kristof
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Well, according to the freeipa page https://www.freeipa.org/page/Web_UI

Web UI has two operation modes:

- self-service
  o used for regular users
  o limited interface - only information about users
  o default page: user's profile
  o use cases: change or view own information and reset password
- administration
  o used for members of 'admins' group and users with a role assigned
  o complete interface available
What's the point of giving an individual "User Administrator" role if he/she cannot provision users using the Web UI? And if you want to use the ipa user-* commands then you need to actually create a different user admin role that has a write permission to cn=users,cn=accounts as the built-in “User Administrator” doesn’t have it and thus the ipa user-* commands don’t work.
Is this a well-known bug/limitation? How do you go about providing role-assigned principals with means to act upon the privileges they possess?
Regards Kristof
On Sep 21, 2018, at 4:12 PM, Florence Blanc-Renaud <flo@redhat.com> wrote:
> Hi, IIRC a user has access to the whole WebUI administration when he is a member of the "admins" group.
>
> flo
On 9/21/18 5:25 PM, kwtygrys via FreeIPA-users wrote:
> Well, according to the freeipa page https://www.freeipa.org/page/Web_UI
>
> Web UI has two operation modes:
>
> - self-service
>   o used for regular users
>   o limited interface - only information about users
>   o default page: user's profile
>   o use cases: change or view own information and reset password
> - administration
>   o *used for members of 'admins' group and users with a role assigned*
>   o complete interface available

Hi, I stand corrected: if the user is assigned a role, he should see the administration console. This is confirmed by the code (see [1]).

I tried on RHEL 7.5 (ipa 4.5.4) and see the expected behavior: a user with User Administrator, IT Specialist and IT Security Specialist roles is able to see the admin console, and create new users.

> What's the point of giving an individual "User Administrator" role if he/she cannot provision users using the Web UI? And if you want to use the ipa user-* commands then you need to actually create a different user admin role that has a write permission to cn=users,cn=accounts as the built-in “User Administrator” doesn’t have it and thus the ipa user-* commands don’t work.

"User Administrator" role has "User Administrators" privilege, which contains the permission "System: Add Users" and should grant add access to create a user. Are you seeing the above role/privilege/permission in your setup?

flo

[1] https://github.com/freeipa/freeipa/blob/master/install/ui/src/freeipa/Applic...

> Is this a well-known bug/limitation? How do you go about providing role-assigned principals with means to act upon the privileges they possess?
>
> Regards Kristof
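The role, privilege and permission chain asked about in the last reply can be checked from the command line. The script below is an added example, not part of the thread or of FreeIPA itself; it assumes a valid Kerberos ticket, the field labels `Member users`, `Privileges` and `Permissions` in the output of `ipa role-show` and `ipa privilege-show`, and it checks direct role membership only (not membership through a group).

```shell
#!/bin/sh
# Added example: walk user -> role -> privilege -> permission with the ipa CLI.
# Assumption: the *-show commands print fields as "  Label: item, item, ...".

# field_has LABEL VALUE
# Reads "ipa ...-show" output on stdin; succeeds only if the comma-separated
# field LABEL contains VALUE as an exact item (no substring matches).
field_has() {
    awk -v label="$1" -v want="$2" '
        {
            line = $0
            sub(/^[ \t]+/, "", line)            # drop the CLI indentation
            prefix = label ": "
            if (index(line, prefix) == 1) {
                n = split(substr(line, length(prefix) + 1), items, /, */)
                for (i = 1; i <= n; i++)
                    if (items[i] == want) found = 1
            }
        }
        END { exit (found ? 0 : 1) }'
}

# check_chain USER ROLE PRIVILEGE PERMISSION
# Prints the first broken link and returns 1, or prints "OK" and returns 0.
check_chain() {
    if ! ipa role-show "$2" | field_has "Member users" "$1"; then
        echo "user '$1' is not a direct member of role '$2'"
        return 1
    fi
    if ! ipa role-show "$2" | field_has "Privileges" "$3"; then
        echo "role '$2' does not carry privilege '$3'"
        return 1
    fi
    if ! ipa privilege-show "$3" | field_has "Permissions" "$4"; then
        echo "privilege '$3' does not contain permission '$4'"
        return 1
    fi
    echo "OK"
}

# Usage with the names from this thread:
#   check_chain hradmin "User Administrator" "User Administrators" "System: Add Users"
```

A missing role or privilege is reported as a broken link as well, because the failed `ipa` call produces no matching field.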