authorRob Crittenden <rcritten@redhat.com>2010-06-02 14:08:50 -0400
committerRob Crittenden <rcritten@redhat.com>2010-06-22 13:58:04 -0400
commit901ccc1393a7e494f7b1b64eaeb2f7809056aafa (patch)
treeb9523a814ed72e08ac286134bb45cf07e6e053f4 /ipalib/plugins/rolegroup.py
parent8c6c93125f344ca117cc24b2e96c55b1d9ae31bd (diff)
First pass at per-command documentation
Diffstat (limited to 'ipalib/plugins/rolegroup.py')
-rw-r--r--ipalib/plugins/rolegroup.py32
1 files changed, 32 insertions, 0 deletions
diff --git a/ipalib/plugins/rolegroup.py b/ipalib/plugins/rolegroup.py
index 7038e904..9ff3ef77 100644
--- a/ipalib/plugins/rolegroup.py
+++ b/ipalib/plugins/rolegroup.py
@@ -19,6 +19,38 @@
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
"""
Rolegroups
+
+A rolegroup is used for fine-grained delegation. Access control rules (ACIs)
+grant permission to performa a given task (add user, modify group, etc) to
+task groups. Role groups are members of task groups, giving them permission
+to perform the task.
+
+The logic looks like this:
+
+ ACI grants permission to taskgroup
+ rolegroups are members of taskgroups
+ users, groups, hosts and hostgroups are members of role groups
+
+A host/hostgroup may be members because you may want to perform
+operations using the host service principal associated with a machine.
+
+A rolegroup may not be members of other rolegroups.
+
+EXAMPLES:
+
+ Create a new role group:
+ ipa rolegroup-add --desc="Junion level admin" junioradmin
+
+ Add this role to some tasks
+ ipa taskgroup-add-member --rolegroups=junioradmin addusers
+ ipa taskgroup-add-member --rolegroups=junioradmin change_password
+ ipa taskgroup-add-member --rolegroups=junioradmin add_user_to_default_group
+
+ Add a group of users to this role:
+ ipa rolegroup-add-member --groups=junioradmins junioradmin
+
+ Display this role group:
+ ipa rolegroup-show junioradmin
"""
from ipalib.plugins.baseldap import *
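Review bot: The added module docstring, which appears to be the text users see as command help, has two typos: `performa` in the first paragraph should be `perform`, and the example description `Junion level admin` should be `Junior level admin`. It also switches between `rolegroup` and `role group`, and `A rolegroup may not be members of other rolegroups` reads better as `A rolegroup may not be a member of another rolegroup`. Since this text explains who ends up holding delegated permissions, the host/hostgroup paragraph would benefit from one more sentence saying that adding a hostgroup gives the role's tasks to the service principal of every host in it; that is presumably how membership resolves, but the code that does so is outside this hunk. The example taskgroup names (`addusers` next to `change_password` and `add_user_to_default_group`) are not consistent in style, so it is worth confirming they match the taskgroups that actually ship.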