[Freeipa-users] Re: Would like to set up a "least privilege" admin only capable of managing POSIX groups, not users.

2023-09-21 Thread Christian Heimes via FreeIPA-users
On 20/09/2023 16.01, Chris Cowan via FreeIPA-users wrote: Christian, Rereading this, I'm wondering if besides the "admin" user and "admins" group if there are any other special users or groups with FreeIPA? From my reading so far, I think the answer is no, but want to be sure. The "ipaserv

[Freeipa-users] Re: Would like to set up a "least privilege" admin only capable of managing POSIX groups, not users.

2023-09-20 Thread Chris Cowan via FreeIPA-users
Christian, Rereading this, I'm wondering if besides the "admin" user and "admins" group if there are any other special users or groups with FreeIPA? From my reading so far, I think the answer is no, but want to be sure.

[Freeipa-users] Re: Would like to set up a "least privilege" admin only capable of managing POSIX groups, not users.

2023-08-21 Thread Christian Heimes via FreeIPA-users
On 19/08/2023 19.18, DFIRob via FreeIPA-users wrote: I might be missing something here, but if an account can manage all posixGroup objects then he's, from an attacker point of view, as privileged as a member of the admin group, isn't he? No, they can only add/remove groups and modify group mem

[Freeipa-users] Re: Would like to set up a "least privilege" admin only capable of managing POSIX groups, not users.

2023-08-19 Thread Chris Cowan via FreeIPA-users
After re-reading Christian's reply, I was worried it might be able to mess with the private groups. I just checked, and I cannot detach or delete. So, this will work for my needs.

[Freeipa-users] Re: Would like to set up a "least privilege" admin only capable of managing POSIX groups, not users.

2023-08-19 Thread Chris Cowan via FreeIPA-users
> I might be missing something here, but if an account can manage all
> posixGroup objects then he's, from an attacker point of view, as privileged
> as a member of the admin group, isn't he?
Which is precisely why I created a new role limited to POSIX Groups only. After reading Christian's p

[Freeipa-users] Re: Would like to set up a "least privilege" admin only capable of managing POSIX groups, not users.

2023-08-19 Thread DFIRob via FreeIPA-users
I might be missing something here, but if an account can manage all posixGroup objects then he's, from an attacker point of view, as privileged as a member of the admin group, isn't he? On Thu, Aug 17, 2023 at 9:28 PM Chris Cowan via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote: > C

[Freeipa-users] Re: Would like to set up a "least privilege" admin only capable of managing POSIX groups, not users.

2023-08-17 Thread Chris Cowan via FreeIPA-users
Christian, I want full admin meaning all group management. (CRUD). Add/remove group, change attributes, membership, etc... Was already aware of the manager members and that I could assign both users or groups. I have been using that and it works as I would expect. So, I will be needin

[Freeipa-users] Re: Would like to set up a "least privilege" admin only capable of managing POSIX groups, not users.

2023-08-17 Thread Christian Heimes via FreeIPA-users
On 17/08/2023 18.31, Chris Cowan via FreeIPA-users wrote: Reading through the docs carefully, but I'm just wondering if anyone else has done this, and if there are any "gotchas" I have to worry about? FreeIPA has role-based access control that lets you define fine-grained permissions, privile

[Freeipa-users] Re: Would like to set up a "least privilege" admin only capable of managing POSIX groups, not users.

2023-08-17 Thread Rob Crittenden via FreeIPA-users
Chris Cowan via FreeIPA-users wrote:
> Reading through the docs carefully, but I'm just wondering if anyone else has
> done this, and if there are any "gotchas" I have to worry about?
It depends on what you mean by manage. There are two privileges for group management by default: Group Administr
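The permission -> privilege -> role layering that Christian and Rob describe above, written out as an added example (this is not code from the thread or from the FreeIPA project). It builds a role that can add, remove and edit POSIX groups and their membership and nothing else. Every name in it (the three permissions, the privilege, the role and the "pgadmin" delegate account) is a placeholder chosen for this example, and the extra target filter is the assumption that makes it "POSIX groups only": the built-in group permissions match every group object, so the custom ones here match only posixGroup entries, and they also leave out the admins group, which is itself a POSIX group and whose member attribute must stay out of reach of a least-privilege delegate.

```shell
#!/bin/sh
# Added example; not code from the thread or from the FreeIPA project.
# Creates a role that can create, delete and edit POSIX groups (including
# membership) but nothing else, layered as permission -> privilege -> role.
# All names below (permissions, privilege, role, the "pgadmin" account) are
# placeholders for this example.
set -eu

IPA="${IPA:-ipa}"                  # ipa CLI; set IPA=echo for a dry run
ROLE="POSIX Group Manager"         # placeholder role name
PRIV="POSIX Group Management"      # placeholder privilege name
DELEGATE="${DELEGATE:-pgadmin}"    # placeholder: user who receives the role

# Extra target filter (assumption for this example): only posixGroup entries,
# and never the admins group. admins is itself a POSIX group, so write access
# to its "member" attribute would be a direct path to full admin rights.
FILTER='(&(objectClass=posixGroup)(!(cn=admins)))'

# One permission per right. --type=group scopes to the groups container;
# --filter adds the posixGroup/no-admins restriction on top of that.
add_permissions() {
    "$IPA" permission-add "Add POSIX Groups" --type=group --right=add --filter="$FILTER"
    "$IPA" permission-add "Remove POSIX Groups" --type=group --right=delete --filter="$FILTER"
    # write rights are limited to an explicit attribute list; "member" is membership
    "$IPA" permission-add "Modify POSIX Groups" --type=group --right=write --filter="$FILTER" \
        --attrs=cn --attrs=description --attrs=gidnumber --attrs=member
}

# Bundle the permissions into a privilege, hang the privilege on a role,
# and give the role to the delegate user.
add_privilege_and_role() {
    "$IPA" privilege-add "$PRIV" --desc="Manage POSIX groups only"
    "$IPA" privilege-add-permission "$PRIV" \
        --permissions="Add POSIX Groups" \
        --permissions="Remove POSIX Groups" \
        --permissions="Modify POSIX Groups"
    "$IPA" role-add "$ROLE" --desc="Least-privilege POSIX group admin"
    "$IPA" role-add-privilege "$ROLE" --privileges="$PRIV"
    "$IPA" role-add-member "$ROLE" --users="$DELEGATE"
}

# Print what the grant resolves to, for review before anyone uses it.
show_grant() {
    "$IPA" role-show "$ROLE" --all
    "$IPA" privilege-show "$PRIV" --all
}

# Smoke test to run while holding a ticket for the delegate (kinit "$DELEGATE"):
# a group add must succeed, a user change must be refused, and the delegate
# must not be able to touch the admins group.
smoke_test() {
    "$IPA" group-add "pg-smoke-$$" --desc="smoke test group"
    "$IPA" group-add-member "pg-smoke-$$" --users="$DELEGATE"
    "$IPA" group-del "pg-smoke-$$"
    ! "$IPA" user-mod "$DELEGATE" --title="should be refused"
    ! "$IPA" group-add-member admins --users="$DELEGATE"
}

case "${1:-}" in
    apply) add_permissions; add_privilege_and_role; show_grant ;;
    smoke) smoke_test ;;
esac
```

Run it as `sh script.sh apply` with an admin ticket to create the grant, then `kinit pgadmin` and `sh script.sh smoke` to confirm the boundary from the delegate's side; with `IPA=echo sh script.sh apply` it only prints the commands it would issue. As Chris's check in the thread shows, the managed private groups are still protected on their own terms, so this role cannot detach or delete them either.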