[Freeipa-users] Delegation + visibility on users/user groups

Alexander Bokovoy abokovoy at redhat.com
Wed Feb 15 10:51:29 UTC 2017


On Wed, 15 Feb 2017, Gerald Zabos wrote:
>Hello all,
>
>after setting up a productive IPA 4.4 environment with eight nodes (master
>+ replicas) on four different locations everything works well. Good job,
>guys.
>
>I am tinkering around with user management and prepared an example setup:
>
>- create one supervisor user (bob)
>- create four team users on bob's team (bridget, betty, bernard, bill)
>- create a user group (b-team) with bob, bridget, betty, bernard, bill as
>active users in that team
>
>Now I want to achieve the following:
>
>- supervisor (bob) can see his team members (bridget, betty, bernard, bill)
>-and only his team members- to handle administrative tasks within his team
>-and only his team- , e.g. reset their password, lock their account, change
>their information.
>
>Use case: external customer gets limited access and MUST NOT see our
>internal users and/or other external customers.
Not seeing other users or objects is not possible with FreeIPA design. It
is also security through obscurity and doesn't really contribute
anything.

You should be looking at proper permissions/roles to confine what bob
and others could actually do, not see.


>Can someone please point me to the right documentation and/or give me hints
>on how to achieve this?
I have a practical example in my blog, for hosts, not people:
https://vda.li/en/posts/2016/08/30/Creating-permissions-in-FreeIPA/

-- 
/ Alexander Bokovoy
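The permission/privilege/role chain Alexander refers to, applied to the user case from the question, as an added example (not code from the message, the linked blog post or the FreeIPA project). It assumes the group `b-team` and the user `bob` already exist, and the names of the permission, privilege and role, the attribute lists chosen for "reset password", "lock account" and "change their information", and the `IPA_DRY_RUN` switch are all my own. The scoping is done with `--memberof=b-team` on `ipa permission-add`, which limits the target entries of each write permission to members of that group; it does nothing to what bob can read, which is the point made above.

```shell
#!/bin/sh
# Added example (not from the list message, the blog post or the FreeIPA
# project): scope bob's rights to members of the b-team group with FreeIPA's
# RBAC objects (permission -> privilege -> role). Assumes the group $TEAM and
# the user $SUPERVISOR already exist; the object names and attribute lists
# below are my own choices for "reset password, lock account, change info".
set -eu

TEAM="${TEAM:-b-team}"
SUPERVISOR="${SUPERVISOR:-bob}"

# Run the ipa CLI, or in dry-run mode print the command instead, so the script
# can be inspected without a FreeIPA server and a Kerberos ticket.
ipa_cmd() {
    if [ -n "${IPA_DRY_RUN:-}" ]; then
        printf 'ipa'
        for arg in "$@"; do printf " '%s'" "$arg"; done
        printf '\n'
    else
        ipa "$@"
    fi
}

# Permissions: --type=user targets user entries, --memberof=$TEAM narrows the
# target to entries that are members of that group. Nothing here restricts
# what bob can read: other users stay visible, only the write rights are scoped.
add_team_permissions() {
    ipa_cmd permission-add "Reset $TEAM passwords" \
        --type=user --right=write --memberof="$TEAM" \
        --attrs=userpassword --attrs=krbprincipalkey --attrs=passwordhistory
    ipa_cmd permission-add "Lock $TEAM accounts" \
        --type=user --right=write --memberof="$TEAM" \
        --attrs=nsaccountlock
    ipa_cmd permission-add "Edit $TEAM contact info" \
        --type=user --right=write --memberof="$TEAM" \
        --attrs=givenname --attrs=sn --attrs=cn --attrs=displayname \
        --attrs=mail --attrs=telephonenumber --attrs=title
}

# The privilege bundles the permissions; the role is what bob is made a member of.
add_team_role() {
    ipa_cmd privilege-add "$TEAM supervisor" --desc="Manage members of $TEAM only"
    ipa_cmd privilege-add-permission "$TEAM supervisor" \
        --permissions="Reset $TEAM passwords" \
        --permissions="Lock $TEAM accounts" \
        --permissions="Edit $TEAM contact info"
    ipa_cmd role-add "$TEAM supervisor" --desc="Supervisor of $TEAM"
    ipa_cmd role-add-privilege "$TEAM supervisor" --privileges="$TEAM supervisor"
    ipa_cmd role-add-member "$TEAM supervisor" --users="$SUPERVISOR"
}

# Only talk to the server when explicitly asked (./team-role.sh apply);
# IPA_DRY_RUN=1 ./team-role.sh apply prints the commands instead.
if [ "${1:-}" = "apply" ]; then
    add_team_permissions
    add_team_role
fi
```

To check the result, `kinit bob` and run `ipa passwd bridget` (should succeed, the new password is expired on first login as with any administrative reset) and `ipa passwd` against a user outside b-team (should be refused for lack of access), and note that `ipa user-find` as bob still lists everyone. Two caveats: bob is himself a member of b-team, so the scope includes his own entry, and `ipa permission-show "Reset b-team passwords"` is worth reading once to see the generated ACI and confirm the memberOf target filter is there.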
