Dear colleagues, we are faced with an issue of access differentiation for junior IPA admins. Our idea was to create several (say, three: group1, group2, group3) isolated groups with one junior admin per group.

Group isolation means that the admin of group1 is not able to add to his group either users or subgroups that are members of the other global groups (i.e. group2, group3). We have attempted to accomplish this with RBAC for every junior admin. It was pointed out that the admin can modify only the objects (users, subgroups) belonging to his group. However, every user enrolled in IPA can see all the other objects by default, therefore any junior admin can add users and subgroups FROM THE OTHER isolated group to his group with no restrictions. So the question is: how to implement (the specified) group "isolation" in IPA? We're running on RHEL 6.4 with IPA 3.0. Thank you.

Vitaly Isaev
Software Engineer
Information Security Department
Fintech JSC
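An audit helper for the isolation model described in the post, added here as an example and not part of the original message or of FreeIPA itself: it takes a snapshot of group memberships (the data below is constructed, in the shape of `member_user` / `member_group` attributes, not exported from a server), resolves nested groups, and reports every user or subgroup that ends up in more than one of the isolated top-level groups. Group and user names are invented.

```python
"""Detect cross-group membership in an isolated-group model (constructed example)."""
from typing import Dict, Set, Tuple

# The isolated top-level groups from the post; one junior admin each.
ISOLATED_GROUPS = ("group1", "group2", "group3")

# Constructed snapshot: group -> (direct member users, direct member groups).
# Invented data; two deliberate violations are present so the audit has something to flag.
SNAPSHOT: Dict[str, Tuple[Set[str], Set[str]]] = {
    "group1": ({"alice", "bob"}, {"g1-devs"}),
    "group2": ({"carol"}, {"g2-ops", "g1-devs"}),  # subgroup g1-devs also added to group2
    "group3": ({"dave", "bob"}, set()),             # user bob also added to group3
    "g1-devs": ({"erin"}, set()),
    "g2-ops": ({"frank"}, set()),
}


def effective_members(group: str, snapshot, seen=None) -> Tuple[Set[str], Set[str]]:
    """Return (users, groups) reachable from `group`, following nested groups.
    `seen` guards against membership cycles so the recursion always terminates."""
    if seen is None:
        seen = set()
    if group in seen:
        return set(), set()
    seen.add(group)
    users, groups = snapshot.get(group, (set(), set()))
    all_users, all_groups = set(users), set(groups)
    for sub in groups:
        sub_users, sub_groups = effective_members(sub, snapshot, seen)
        all_users |= sub_users
        all_groups |= sub_groups
    return all_users, all_groups


def find_isolation_violations(snapshot, isolated=ISOLATED_GROUPS) -> Dict[Tuple[str, str], Set[str]]:
    """Map each (kind, name) to the isolated groups it belongs to (directly or via nesting)
    and keep only the entries that belong to more than one, i.e. the isolation breaches."""
    owners: Dict[Tuple[str, str], Set[str]] = {}
    for top in isolated:
        users, groups = effective_members(top, snapshot)
        for user in users:
            owners.setdefault(("user", user), set()).add(top)
        for grp in groups:
            owners.setdefault(("group", grp), set()).add(top)
    return {key: tops for key, tops in owners.items() if len(tops) > 1}


if __name__ == "__main__":
    for (kind, name), tops in sorted(find_isolation_violations(SNAPSHOT).items()):
        print(f"{kind} {name!r} is in several isolated groups: {sorted(tops)}")
```

Note that `erin` is flagged although nobody added her directly to group2: she arrives through the nested `g1-devs` subgroup, which is exactly the path the post is worried about.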
_______________________________________________
Freeipa-users mailing list
Freeipafirstname.lastname@example.org
https://www.redhat.com/mailman/listinfo/freeipa-users