"Certificate issuer" roles will need write access to users' userCertificate attribute, so it should be possible to assign this permission to a role. Currently there is only a "Modify Users" permission that allows all attributes to be written.
Note that a similar permission already exists for hosts: "System: Manage Host Certificates".
master:
ipa-4-2:
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1254637
Metadata Update from @ftweedal: - Issue assigned to pvoborni - Issue set to the milestone: FreeIPA 4.2.1