[Freeipa-users] Access differentiation in group policy

Исаев Виталий Анатольевич isaev at fintech.ru
Fri Nov 8 15:53:10 UTC 2013


Thank you, Rob! This example is very useful. 


Vitaly Isaev
Software Engineer
Information Security Department
Fintech JSC

-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com] 
Sent: Friday, November 08, 2013 7:47 PM
To: Исаев Виталий Анатольевич; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Access differentiation in group policy

Исаев Виталий Анатольевич wrote:
> Dear colleagues, we are faced with an issue of access differentiation for 
> junior IPA admins. Our idea was to create several (say, three – 
> group1, group2, group3) isolated groups with one junior admin per group.
>
> The group isolation means that the admin of group1 is not able to add to 
> his group either users or subgroups that are members of other global groups (i.e.
> group2, group3).
>
> We have attempted to accomplish this by RBAC for every junior admin.  
> It was pointed out that the admin can modify the objects (users,
> subgroups) belonging to his group only. However, every user enrolled 
> in IPA can see all the other objects by default, therefore any junior 
> admin can add users and subgroups FROM THE OTHER isolated group to his 
> group with no restrictions.
>
> So the question is – how to implement (the specified) group “isolation”
> in IPA?
>
> We’re running on RHEL 6.4 with IPA 3.0. Thank you.

You need to create some custom permissions that limit the capabilities by memberof.

I set up a simple system with a couple of users:

kinit admin
ipa group-add --desc=g1 g1
ipa group-add --desc=g2 g2
ipa user-add --first=group1 --last=user1 g1u1
ipa user-add --first=group2 --last=user1 g2u1
ipa group-add-member --users g1u1 g1
ipa group-add-member --users g2u1 g2
ipa user-add --first=group1 --last=admin1 g1a1
ipa group-add-member --users g1a1 g1
ipa passwd g1a1

g1a1 is going to be my junior admin

Next I created a permission so junior admins can manage the telephone number. This permission allows the phone number attribute to be written only for members of the group g1.

ipa permission-add --attrs=telephonenumber --memberof=g1 --permissions=write g1_modify_members
ipa privilege-add g1_junior_admin --desc='Group 1 junior admin'
ipa privilege-add-permission --permissions=g1_modify_members g1_junior_admin
ipa role-add --desc='Group 1 junior admin' group1
ipa role-add-privilege --privileges=g1_junior_admin group1
ipa role-add-member --users=g1a1 group1

So members of the group1 role can modify the telephonenumber attribute of its members.

Let's see it in action:

kinit g1a1
ipa user-mod --phone=410-555-1212 g1u1
--------------------
Modified user "g1u1"
--------------------
   User login: g1u1
   First name: group1
   Last name: user1
   Home directory: /home/g1u1
   Login shell: /bin/sh
   Email address: g1u1 at example.com
   UID: 1197000004
   GID: 1197000004
   Telephone Number: 410-555-1212
   Account disabled: False
   Password: False
   Member of groups: ipausers, g1
   Kerberos keys available: False

Try another attribute and it fails as expected:
ipa user-mod --fax=410-555-1212 g1u1
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'facsimileTelephoneNumber' attribute of entry 'uid=g1u1,cn=users,cn=accounts,dc=example,dc=com'.

Change the phone number of a non-member of the group and it also fails as expected:
ipa user-mod --phone=410-555-1213 g2u1
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'telephoneNumber' attribute of entry 'uid=g2u1,cn=users,cn=accounts,dc=example,dc=com'.

rob
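Rob's walkthrough builds the permission/privilege/role chain for one group. The original question asks for several isolated groups (group1, group2, group3), so the added script below, which is not part of either message in the thread, wraps the same sequence of ipa commands in a function parameterised by group name and junior-admin login. The role name `${grp}_admins` and the `IPA_DRY_RUN` switch are choices made here, not anything from the thread; the ipa subcommands and options are the ones Rob used, and the per-group permission still restricts only the `telephonenumber` attribute by `--memberof`, exactly as in his example.

```shell
#!/bin/sh
# Added example, not code from the thread. Repeats Rob Crittenden's
# permission -> privilege -> role setup for any number of isolated groups.
# Assumes the ipa CLI from IPA 3.0 and an existing admin ticket (kinit admin).
# Set IPA_DRY_RUN=1 to print the commands instead of running them.

ipa_run() {
    if [ -n "${IPA_DRY_RUN:-}" ]; then
        printf 'ipa %s\n' "$*"
    else
        ipa "$@"
    fi
}

# setup_junior_admin GROUP ADMIN_LOGIN
# Creates, for group GROUP with junior admin ADMIN_LOGIN:
#   - a permission allowing write on telephonenumber, limited by --memberof
#     to entries that are members of GROUP (Rob's g1_modify_members);
#   - a privilege holding that permission;
#   - a role (named GROUP_admins here, an assumption) carrying the privilege;
#   - the junior admin as a member of that role.
setup_junior_admin() {
    grp=$1
    adm=$2
    ipa_run permission-add --attrs=telephonenumber --memberof="$grp" \
        --permissions=write "${grp}_modify_members"
    ipa_run privilege-add "${grp}_junior_admin" --desc="Group ${grp} junior admin"
    ipa_run privilege-add-permission --permissions="${grp}_modify_members" \
        "${grp}_junior_admin"
    ipa_run role-add --desc="Group ${grp} junior admin" "${grp}_admins"
    ipa_run role-add-privilege --privileges="${grp}_junior_admin" "${grp}_admins"
    ipa_run role-add-member --users="$adm" "${grp}_admins"
}

# setup_all_groups "g1:g1a1 g2:g2a1 g3:g3a1"
# Takes a space-separated list of GROUP:ADMIN pairs and sets up each one.
setup_all_groups() {
    for pair in $1; do
        setup_junior_admin "${pair%%:*}" "${pair#*:}"
    done
}
```

Source the file and run `IPA_DRY_RUN=1 setup_all_groups "g1:g1a1 g2:g2a1 g3:g3a1"` first to review the generated commands; drop `IPA_DRY_RUN` to apply them with an admin ticket. Afterwards, repeat Rob's check as each junior admin: `ipa user-mod --phone=...` on a member of another group must fail with the "Insufficient 'write' privilege" error shown above, which is the observable sign that the `--memberof` limit is in effect.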