author | Rob Crittenden <rcritten@redhat.com> | 2010-08-24 23:40:32 -0400 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2010-08-27 13:31:04 -0400 |
commit | 4b6b710ba6ce75ffcb9ced43acee0d55adb6163c (patch) | |
tree | 021fc409342115f1a5cbc1978ee5f67069934c4f /ipalib/plugins/rolegroup.py | |
parent | ea76d8c59af338f6a79ec87d7a931d2c8643e747 (diff) | |
Update command documentation based on feedback from docs team.
ticket #158
Diffstat (limited to 'ipalib/plugins/rolegroup.py')
-rw-r--r-- | ipalib/plugins/rolegroup.py | 45 |
1 files changed, 25 insertions, 20 deletions
diff --git a/ipalib/plugins/rolegroup.py b/ipalib/plugins/rolegroup.py
index 9ff3ef775..99560c46c 100644
--- a/ipalib/plugins/rolegroup.py
+++ b/ipalib/plugins/rolegroup.py
@@ -20,36 +20,41 @@ """ Rolegroups -A rolegroup is used for fine-grained delegation. Access control rules (ACIs) -grant permission to performa a given task (add user, modify group, etc) to -task groups. Role groups are members of task groups, giving them permission -to perform the task. +A rolegroup is used for fine-grained delegation. Access control rules +(ACIs) grant permission to perform given tasks (add a user, modify a group, +etc.), to task groups. Rolegroups are members of taskgroups, giving them +permission to perform the task. -The logic looks like this: +The logic behind ACIs and rolegroups proceeds as follows: - ACI grants permission to taskgroup + ACIs grants permission to taskgroup rolegroups are members of taskgroups - users, groups, hosts and hostgroups are members of role groups + users, groups, hosts and hostgroups are members of rolegroups -A host/hostgroup may be members because you may want to perform +Rolegroups can contain both hosts and hostgroups, enabling operations using the host service principal associated with a machine. -A rolegroup may not be members of other rolegroups. +Rolegroups can not contain other rolegroups. EXAMPLES: - Create a new role group: - ipa rolegroup-add --desc="Junion level admin" junioradmin + Add a new rolegroup: + ipa rolegroup-add --desc="Junior-level admin" junioradmin - Add this role to some tasks + Add this role to some tasks: ipa taskgroup-add-member --rolegroups=junioradmin addusers ipa taskgroup-add-member --rolegroups=junioradmin change_password ipa taskgroup-add-member --rolegroups=junioradmin add_user_to_default_group + Yes, this can seem backwards. The taskgroup is the entry that is granted + permissions by the ACIs. By adding a rolegroup as a member of a taskgroup + it inherits those permissions. 
+ Add a group of users to this role: - ipa rolegroup-add-member --groups=junioradmins junioradmin + ipa group-add --desc="User admins" useradmins + ipa rolegroup-add-member --groups=useradmins junioradmin - Display this role group: + Display information about a rolegroup: ipa rolegroup-show junioradmin """ @@ -104,7 +109,7 @@ api.register(rolegroup) class rolegroup_add(LDAPCreate): """ - Create new rolegroup. + Add a new rolegroup. """ msg_summary = _('Added rolegroup "%(value)s"') @@ -114,7 +119,7 @@ api.register(rolegroup_add) class rolegroup_del(LDAPDelete): """ - Delete rolegroup. + Delete a rolegroup. """ msg_summary = _('Deleted rolegroup "%(value)s"') @@ -124,7 +129,7 @@ api.register(rolegroup_del) class rolegroup_mod(LDAPUpdate): """ - Edit rolegroup. + Modify a rolegroup. """ msg_summary = _('Modified rolegroup "%(value)s"') @@ -146,7 +151,7 @@ api.register(rolegroup_find) class rolegroup_show(LDAPRetrieve): """ - Display rolegroup. + Display information about a rolegroup. """ api.register(rolegroup_show) @@ -154,7 +159,7 @@ api.register(rolegroup_show) class rolegroup_add_member(LDAPAddMember): """ - Add member to rolegroup. + Add members to a rolegroup. """ api.register(rolegroup_add_member) @@ -162,7 +167,7 @@ api.register(rolegroup_add_member) class rolegroup_remove_member(LDAPRemoveMember): """ - Remove member from rolegroup. + Remove members from a rolegroup. """ api.register(rolegroup_remove_member) |
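Review bot: The rewritten module docstring in the first hunk still has wording slips on its new lines, and since the commit describes this text as command documentation they will reach users. `ACIs grants permission to taskgroup` should read `ACIs grant permission to taskgroups`, `etc.), to task groups` has a stray comma and keeps "task groups" where the rest of the text now says "taskgroups", and `can not` is normally written `cannot`. The added "Yes, this can seem backwards" paragraph says the rolegroup inherits the taskgroup's permissions but stops short of saying who ends up holding them. Going by the docstring's own membership list, a closing sentence such as `Every user, group, host and hostgroup that is a member of the rolegroup receives those permissions as well.` would make the delegation scope explicit for an administrator who is about to add a whole group in the next example; confirm this against the actual ACI evaluation first. The one-line class docstring changes in the later hunks read fine.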