[Freeipa-users] Delegation + visibility on users/user groups

Michael Ströder michael at stroeder.com
Wed Feb 15 14:47:21 UTC 2017


On 2017-02-15 11:51, Alexander Bokovoy wrote:
> On ke, 15 helmi 2017, Gerald Zabos wrote:
>> Use case: external customer gets limited access and MUST NOT see our
>> internal users and/or other external customers.
> 
> Not seeing other users or objects is not possible with FreeIPA design.
> It is also security through obscurity and doesn't really contribute
> anything.

IMHO such a use-case is a valid security requirement for preventing
social engineering threats.

Anyway customer accounts are critical regarding _confidentiality_:

1. Customers must not see internal users and their contact data
    for not being able to circumvent controlled support processes.

2. Customers must not see other customers (competitors) because this
    could cause business trouble.

IMHO dealing with customer accounts is very tricky because normal
user management is optimized for collaboration and not for
multi-tenant confidentiality.

Ciao, Michael.