Dear colleagues, we are facing an issue of access differentiation for junior
IPA admins. Our idea was to create several (say, three - group1, group2,
group3) isolated groups with one junior admin per group.
Group isolation means that the admin of group1 is not able to add to his group
either users or subgroups that are members of other global groups (i.e. group2,
We have attempted to accomplish this with RBAC for every junior admin. It was
pointed out that the admin can modify only the objects (users, subgroups) belonging
to his group. However, every user enrolled in IPA can see all the other
objects by default, therefore any junior admin can add users and subgroups FROM
THE OTHER isolated group to his group with no restrictions.
So the question is - how to implement (the specified) group "isolation" in IPA?
We're running on RHEL 6.4 with IPA 3.0. Thank you.
Information Security Department
Freeipa-users mailing list