Dear colleagues, we are facing an issue of access differentiation for junior 
IPA admins. Our idea was to create several (say, three: group1, group2, 
group3) isolated groups with one junior admin per group.

Group isolation means that the admin of group1 is not able to add to his group 
either users or subgroups that are members of other global groups (i.e. group2, 

We have attempted to accomplish this with RBAC for every junior admin. It was 
pointed out that the admin can modify only the objects (users, subgroups) belonging 
to his group. However, every user enrolled in IPA can see all the other 
objects by default; therefore any junior admin can add users and subgroups FROM 
THE OTHER isolated group to his group with no restrictions.

So the question is: how to implement the specified group "isolation" in IPA?

We're running on RHEL 6.4 with IPA 3.0. Thank you.

Vitaly Isaev
Software Engineer
Information Security Department
Fintech JSC

Freeipa-users mailing list