[Freeipa-users] Access differentiation in group policy
Rob Crittenden
rcritten@redhat.com
Fri Nov 8 15:46:29 UTC 2013
Исаев Виталий Анатольевич wrote:
> Dear colleagues, we are faced with an issue of access differentiation for
> junior IPA admins. Our idea was to create several (say, three – group1,
> group2, group3) isolated groups with one junior admin per group.
>
> The group isolation means that the admin of group1 is not able to add to his
> group users or subgroups that are members of other global groups (i.e.
> group2, group3).
>
> We have attempted to accomplish this by RBAC for every junior admin. It
> was pointed out that the admin can modify the objects (users,
> subgroups) belonging to his group only. However, every user enrolled to
> IPA can see all the other objects by default, therefore any junior admin
> can add users and subgroups FROM THE OTHER isolated group to his group
> with no restrictions.
>
> So the question is – how to implement (the specified) group “isolation”
> in IPA?
>
> We’re running on the RHEL 6.4 with IPA 3.0. Thank you.
You need to create some custom permissions that limit the capabilities
by memberof.
I set up a simple system with a couple of users:
kinit admin
ipa group-add --desc=g1 g1
ipa group-add --desc=g2 g2
ipa user-add --first=group1 --last=user1 g1u1
ipa user-add --first=group2 --last=user1 g2u1
ipa group-add-member --users g1u1 g1
ipa group-add-member --users g2u1 g2
ipa user-add --first=group1 --last=admin1 g1a1
ipa group-add-member --users g1a1 g1
ipa passwd g1a1
g1a1 is going to be my junior admin.
Next I created a permission so junior admins can manage the telephone
number. This permission allows the phone number attribute to be written
only for members of the group g1.
ipa permission-add --attrs=telephonenumber --memberof=g1 \
    --permissions=write g1_modify_members
ipa privilege-add g1_junior_admin --desc='Group 1 junior admin'
ipa privilege-add-permission --permissions=g1_modify_members g1_junior_admin
ipa role-add --desc='Group 1 junior admin' group1
ipa role-add-privilege --privileges=g1_junior_admin group1
ipa role-add-member --users=g1a1 group1
So members of the group1 role can modify the telephonenumber attribute
of its members.
Let's see it in action:
kinit g1a1
ipa user-mod --phone=410-555-1212 g1u1
--------------------
Modified user "g1u1"
--------------------
User login: g1u1
First name: group1
Last name: user1
Home directory: /home/g1u1
Login shell: /bin/sh
Email address: g1u1@example.com
UID: 1197000004
GID: 1197000004
Telephone Number: 410-555-1212
Account disabled: False
Password: False
Member of groups: ipausers, g1
Kerberos keys available: False
Try another attribute and it fails as expected:
ipa user-mod --fax=410-555-1212 g1u1
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the
'facsimileTelephoneNumber' attribute of entry
'uid=g1u1,cn=users,cn=accounts,dc=example,dc=com'.
Change the phone number of a non-member of the group and it also fails
as expected:
ipa user-mod --phone=410-555-1213 g2u1
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the
'telephoneNumber' attribute of entry
'uid=g2u1,cn=users,cn=accounts,dc=example,dc=com'.
rob
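As an added example (not from Rob's mail or the FreeIPA project), the permission -> privilege -> role chain above wrapped into a shell function so the same delegation can be repeated for g2, g3 and so on, plus a check that the memberof filter really keeps groups isolated. It assumes `ipa` on the PATH of an enrolled client, an admin ticket for delegate_group, and the junior admin's ticket for check_isolation; the object names (g1_modify_members, g1_junior_admin, g1_admins) are just a naming convention chosen here.

```shell
#!/bin/sh
# Added example, not from the original mail or the FreeIPA project: wraps the
# permission -> privilege -> role chain into a reusable function so the
# same delegation can be repeated for g2, g3, ... and then checks that the
# memberof filter really isolates the groups. Assumes `ipa` on PATH on an
# enrolled client and an admin ticket (kinit admin) for delegate_group.

# Names derived from the group so every group gets its own objects
# (g1 -> g1_modify_members / g1_junior_admin / g1_admins).
perm_name() { printf '%s_modify_members' "$1"; }
priv_name() { printf '%s_junior_admin' "$1"; }
role_name() { printf '%s_admins' "$1"; }

# delegate_group GROUP ADMIN ATTRS
#   GROUP  existing IPA group whose members the junior admin may edit
#   ADMIN  existing IPA user who becomes the junior admin
#   ATTRS  comma-separated attribute list, e.g. telephonenumber,mobile
delegate_group() {
    group=$1; admin=$2; attrs=$3
    # --memberof is what gives the isolation: the ACI only matches entries that
    # are members of GROUP, so users in other groups stay out of reach.
    ipa permission-add --attrs="$attrs" --memberof="$group" --permissions=write \
        "$(perm_name "$group")" || return 1
    ipa privilege-add "$(priv_name "$group")" --desc="$group junior admin" || return 1
    ipa privilege-add-permission --permissions="$(perm_name "$group")" \
        "$(priv_name "$group")" || return 1
    ipa role-add "$(role_name "$group")" --desc="$group junior admin" || return 1
    ipa role-add-privilege --privileges="$(priv_name "$group")" \
        "$(role_name "$group")" || return 1
    ipa role-add-member --users="$admin" "$(role_name "$group")" || return 1
}

# check_isolation MEMBER OUTSIDER
#   Run with the junior admin's ticket (kinit ADMIN). The write to MEMBER must
#   succeed and the identical write to OUTSIDER must be refused; returns 0 only
#   when both hold, so a missing or over-broad permission is caught either way.
check_isolation() {
    member=$1; outsider=$2
    if ! ipa user-mod --phone=410-555-1212 "$member" >/dev/null 2>&1; then
        echo "FAIL: junior admin cannot edit group member $member"; return 1
    fi
    if ipa user-mod --phone=410-555-1213 "$outsider" >/dev/null 2>&1; then
        echo "FAIL: junior admin was able to edit non-member $outsider"; return 1
    fi
    echo "OK: $member editable, $outsider refused"
}
```

Typical use: `kinit admin; delegate_group g1 g1a1 telephonenumber,mobile`, then `kinit g1a1; check_isolation g1u1 g2u1`.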