Yehuda Katz via FreeIPA-users wrote:
Is it possible to create an RBAC rule that includes a userattr
filter?
For example, we added a cn=mailinglists and each mailing list has an `owner` attribute.
We created a rule to allow anonymous reads in this subtree through RBAC.
I know we can create an ACI that would allow the owner to modify the list members:
(targetattr = "mgrpRFC822MailMember")(target =
"ldap:///cn=*,cn=aliases,dc=example,dc=com")(version 3.0;acl "Owner Change
Aliases";allow (add,delete,write) userattr = "owner#USERDN";)
Is there any way to create this ACI (or something that would do the same thing) through
the RBAC system?
The RBAC rules grant access via groups (permission -> privilege -> role).
Off the top of my head I'm not sure if there is a dynamic way to do it
with this model so you'd probably end up with a set of these to manage
members for each list which would be a bit burdensome. Plus one set for
creating/removing lists altogether to separate the access.
The benefit would be that it would grant access via the role so there
could be multiple owners of a list without relying on the owner attribute.
rob