28.2. Creating a delegation rule using IdM CLI
Follow this procedure to create a delegation rule using the IdM CLI.
Prerequisites
- You are logged in as a member of the admins group.
Procedure
Enter the ipa delegation-add command. Specify the following options:
- --group: the group who is being granted permissions to the entries of users in the user group.
- --membergroup: the group whose entries can be edited by members of the delegation group.
- --permissions: whether users will have the right to view the given attributes (read) and add or change the given attributes (write). If you do not specify permissions, only the write permission will be added.
- --attrs: the attributes which users in the member group are allowed to view or edit.

For example:

$ ipa delegation-add "basic manager attributes" --permissions=read --permissions=write --attrs=businesscategory --attrs=departmentnumber --attrs=employeetype --attrs=employeenumber --group=managers --membergroup=employees
-------------------------------------------
Added delegation "basic manager attributes"
-------------------------------------------
  Delegation name: basic manager attributes
  Permissions: read, write
  Attributes: businesscategory, departmentnumber, employeetype, employeenumber
  Member user group: employees
  User group: managers
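Added example, not part of the original documentation: a shell function that reads delegation rule output in the format shown above and flags rules that grant write access to sensitive attributes. The SENSITIVE_ATTRS denylist, the function names and the sample rules are assumptions constructed for illustration.

```shell
#!/bin/sh
# Illustrative denylist (assumption): attributes whose delegated write access
# deserves review. Adjust to local policy.
SENSITIVE_ATTRS="userpassword krbprincipalkey ipasshpubkey uidnumber gidnumber homedirectory loginshell"

# Reads delegation rule output (the format printed by ipa delegation-add,
# delegation-show or delegation-find) on stdin. Prints "<rule>: <attribute>"
# for every denylisted attribute in a rule that grants write.
# Returns 1 if anything was flagged, 0 otherwise.
audit_delegation() {
    awk -v deny="$SENSITIVE_ATTRS" '
        function check(   i, m, a, attr) {
            if (name != "" && perms ~ /(^|, *)write(,|$)/) {
                m = split(attrs, a, /, */)
                for (i = 1; i <= m; i++) {
                    attr = tolower(a[i])
                    if (attr in bad) { print name ": " attr; found = 1 }
                }
            }
            name = ""; perms = ""; attrs = ""
        }
        BEGIN { n = split(deny, d, " "); for (i = 1; i <= n; i++) bad[d[i]] = 1 }
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }
        /^Delegation name:/ { check(); name = substr($0, index($0, ":") + 2) }
        /^Permissions:/     { perms = substr($0, index($0, ":") + 2) }
        /^Attributes:/      { attrs = substr($0, index($0, ":") + 2) }
        END { check(); exit found + 0 }
    '
}

# Constructed sample: the rule from the example above plus a hypothetical
# "helpdesk reset" rule that delegates write on userpassword.
sample_rules() {
    cat <<'EOF'
  Delegation name: basic manager attributes
  Permissions: read, write
  Attributes: businesscategory, departmentnumber, employeetype, employeenumber
  Member user group: employees
  User group: managers

  Delegation name: helpdesk reset
  Permissions: write
  Attributes: userpassword, telephonenumber
  Member user group: employees
  User group: helpdesk
EOF
}

sample_rules | audit_delegation || echo "review the rules listed above"
```

Against a live server, the same function can be fed from ipa delegation-find instead of the constructed sample.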