[Freeipa-users] Access differentiation in group policy

Исаев Виталий Анатольевич isaev at fintech.ru
Fri Nov 8 15:22:57 UTC 2013


Dear colleagues, we are facing an issue of access differentiation for junior IPA admins. Our idea was to create several (say, three: group1, group2, group3) isolated groups with one junior admin per group.

Group isolation means that the admin of group1 is not able to add to his group either users or subgroups that are members of the other global groups (i.e. group2, group3).

We have attempted to accomplish this with RBAC for every junior admin. It was pointed out that the admin can modify only the objects (users, subgroups) belonging to his group. However, every user enrolled in IPA can see all the other objects by default; therefore any junior admin can add users and subgroups FROM THE OTHER isolated group to his group with no restrictions.

So the question is: how can the specified group "isolation" be implemented in IPA?

We're running on RHEL 6.4 with IPA 3.0. Thank you.

Vitaly Isaev
Software Engineer
Information Security Department
Fintech JSC


