# Member Manager for group membership

## Overview

A member manager is a principal that is able to manage the members of a group. Member managers can add new members to a group or remove existing members from it. They cannot modify any other attribute of the group as part of the member manager role.

Member management is implemented for *user groups* and *host groups*. Membership can be managed by users or by user groups.

Member managers are independent from members. A principal can be a member manager of a group without being a member of that group.

## Use Cases

An administrator can use the member management feature to delegate some control over user groups and host groups to users. For example, a project manager is able to add new team members to a project group. An NFS admin with member management capability for a host group can indirectly influence HBAC rules and control which hosts can connect to an NFS file share.

## Implementation

The user group commands and host group commands are extended to handle member managers. The plugin classes grow two additional subcommands, one for adding and one for removing member managers. The show command prints member manager users and member manager groups. The find command can search by member manager.

Member managers are stored in a new LDAP attribute ``memberManager`` with OID 2.16.840.1.113730.3.8.23.1. It is multi-valued and contains the DNs of users and groups which can manage members of the group. The attribute can be added to entries with object class ``ipaUserGroup`` or ``ipaHostGroup``. The attribute is indexed, and its values are kept consistent by the referential integrity postoperation plugin (references are updated when the referenced user or group entry is renamed or deleted, just as for ``member``).

New userattr ACIs grant principals whose user DN or group DN appears in ``memberManager`` write permission to the ``member`` attribute of the group. The ``memberManager`` attribute itself is protected by the generic read and modify permissions for each type of group.
It is readable by everybody with ``System: Read Groups`` / ``System: Read Hostgroups`` permission and writable by everybody with ``System: Modify Groups`` / ``System: Modify Hostgroups`` permission.

## Examples

Add example users and groups:

```
$ kinit admin
$ ipa user-add john --first John --last Doe --random
$ ipa user-add tom --first Tom --last Doe --random
$ ipa group-add project
$ ipa group-add project_admins
```

Make a user and a group member managers:

```
$ ipa group-add-member-manager project --users=john
$ ipa group-add-member-manager project --groups=project_admins
```

Show the group:

```
$ ipa group-show project
  Group name: project
  GID: 787600003
  Membership managed by groups: project_admins
  Membership managed by users: john
```

Find groups by member managers:

```
$ ipa group-find --membermanager-users=john
---------------
1 group matched
---------------
  Group name: project
  GID: 787600003
----------------------------
Number of entries returned 1
----------------------------
$ ipa group-find --membermanager-groups=project_admins
---------------
1 group matched
---------------
  Group name: project
  GID: 787600003
----------------------------
Number of entries returned 1
----------------------------
```

Use the member management capability:

```
$ kinit john
$ ipa group-add-member project --users=tom
  Group name: project
  GID: 787600003
  Member users: tom
  Membership managed by groups: project_admins
  Membership managed by users: john
-------------------------
Number of members added 1
-------------------------
```

Remove the member management capability:

```
$ kinit admin
$ ipa group-remove-member-manager project --groups=project_admins
  Group name: project
  GID: 787600003
  Member users: tom
  Membership managed by users: john
---------------------------
Number of members removed 1
---------------------------
```
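The following in-memory model, added here as an illustration and not taken from FreeIPA or 389-ds, reproduces the decision the userattr ACIs in the Implementation section make: a bound principal may write the ``member`` attribute of a group when its own DN, or the DN of a group it belongs to, is listed in that group's ``memberManager``. It also models the referential-integrity cleanup that drops a deleted entry's DN from ``memberManager``. The suffix ``dc=example,dc=test``, the users ``john``, ``tom`` and ``alice``, and the groups are constructed sample data; admin permissions (``System: Modify Groups``) are deliberately not modelled, so only the delegated path is exercised.

```python
"""In-memory model of the memberManager access check (illustration only)."""
import copy

BASE = "dc=example,dc=test"  # constructed suffix, not a real deployment


def user_dn(uid):
    return f"uid={uid},cn=users,cn=accounts,{BASE}"


def group_dn(cn):
    return f"cn={cn},cn=groups,cn=accounts,{BASE}"


# Constructed directory content: DN -> {lowercase attribute: set of values}.
# john manages 'project' directly; alice manages it through project_admins.
_DIRECTORY = {
    group_dn("project"): {
        "objectclass": {"ipausergroup", "groupofnames"},
        "member": set(),
        "membermanager": {user_dn("john"), group_dn("project_admins")},
    },
    group_dn("project_admins"): {
        "objectclass": {"ipausergroup", "groupofnames"},
        "member": {user_dn("alice")},
        "membermanager": set(),
    },
    user_dn("john"): {"objectclass": {"person"}},
    user_dn("tom"): {"objectclass": {"person"}},
    user_dn("alice"): {"objectclass": {"person"}},
}


def fresh_directory():
    """Return a private copy of the sample directory so callers may mutate it."""
    return copy.deepcopy(_DIRECTORY)


def groups_of(directory, dn):
    """DNs of groups that list `dn` as a direct member."""
    return {g for g, attrs in directory.items() if dn in attrs.get("member", set())}


def may_manage_members(directory, bound_dn, target_dn):
    """userattr-style check: bound DN, or a group it belongs to, is in memberManager."""
    entry = directory[target_dn]
    if not entry["objectclass"] & {"ipausergroup", "ipahostgroup"}:
        return False  # memberManager only applies to these object classes
    managers = entry.get("membermanager", set())
    return bound_dn in managers or bool(groups_of(directory, bound_dn) & managers)


def modify(directory, bound_dn, target_dn, attr, op, value):
    """Apply one add/delete; member managers may touch only the `member` attribute."""
    if attr != "member" or not may_manage_members(directory, bound_dn, target_dn):
        raise PermissionError(f"{bound_dn} may not modify {attr} of {target_dn}")
    values = directory[target_dn].setdefault("member", set())
    if op == "add":
        values.add(value)
    elif op == "delete":
        values.discard(value)
    else:
        raise ValueError(f"unsupported op {op!r}")
    return sorted(values)


def delete_entry(directory, dn):
    """Model of the referential-integrity post-op: drop dangling DN references."""
    del directory[dn]
    for attrs in directory.values():
        for attr in ("member", "membermanager"):
            attrs.get(attr, set()).discard(dn)
```

Two properties of the design are visible in the model: adding ``tom`` as a member never makes ``john`` a member (managers and members are independent), and removing ``alice`` from ``project_admins`` silently revokes her delegated right, because the check resolves group-based managers at evaluation time rather than storing a per-user grant.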