Thank you, Rob! This example is very useful.
Vitaly Isaev
Software Engineer
Information Security Department
Fintech JSC

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Friday, November 08, 2013 7:47 PM
To: Исаев Виталий Анатольевич; firstname.lastname@example.org
Subject: Re: [Freeipa-users] Access differentiation in group policy

Исаев Виталий Анатольевич wrote:
> Dear colleagues, we faced an issue of access differentiation for
> junior IPA admins. Our idea was to create several (say, three: group1,
> group2, group3) isolated groups with one junior admin per group.
>
> Group isolation means that the admin of group1 is not able to add to
> his group either users or subgroups that are members of the other
> global groups (i.e. group2, group3).
>
> We have attempted to accomplish this with RBAC for every junior admin.
> It was pointed out that the admin can modify only the objects (users,
> subgroups) belonging to his group. However, every user enrolled in IPA
> can see all the other objects by default, therefore any junior admin
> can add users and subgroups FROM THE OTHER isolated group to his group
> with no restrictions.
>
> So the question is: how to implement the specified group "isolation"
> in IPA?
>
> We're running RHEL 6.4 with IPA 3.0. Thank you.

You need to create some custom permissions that limit the capabilities by memberof.

I set up a simple system with a couple of users:

kinit admin
ipa group-add --desc=g1 g1
ipa group-add --desc=g2 g2
ipa user-add --first=group1 --last=user1 g1u1
ipa user-add --first=group2 --last=user1 g2u1
ipa group-add-member --users g1u1 g1
ipa group-add-member --users g2u1 g2
ipa user-add --first=group1 --last=admin1 g1a1
ipa group-add-member --users g1a1 g1
ipa passwd g1a1

g1a1 is going to be my junior admin.

Next I created a permission so junior admins can manage the telephone number. This permission allows the phone number attribute to be written only for members of the group g1.
ipa permission-add --attrs=telephonenumber --memberof=g1 --permissions=write g1_modify_members
ipa privilege-add g1_junior_admin --desc='Group 1 junior admin'
ipa privilege-add-permission --permissions=g1_modify_members g1_junior_admin
ipa role-add --desc='Group 1 junior admin' group1
ipa role-add-privilege --privileges=g1_junior_admin group1
ipa role-add-member --users=g1a1 group1

So members of the group1 role can modify the telephonenumber attribute of its members. Let's see it in action:

kinit g1a1
ipa user-mod --phone=410-555-1212 g1u1
--------------------
Modified user "g1u1"
--------------------
  User login: g1u1
  First name: group1
  Last name: user1
  Home directory: /home/g1u1
  Login shell: /bin/sh
  Email address: g...@example.com
  UID: 1197000004
  GID: 1197000004
  Telephone Number: 410-555-1212
  Account disabled: False
  Password: False
  Member of groups: ipausers, g1
  Kerberos keys available: False

Try another attribute and it fails as expected:

ipa user-mod --fax=410-555-1212 g1u1
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'facsimileTelephoneNumber' attribute of entry 'uid=g1u1,cn=users,cn=accounts,dc=example,dc=com'.

Change the phone number of a non-member of the group and it also fails as expected:

ipa user-mod --phone=410-555-1213 g2u1
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'telephoneNumber' attribute of entry 'uid=g2u1,cn=users,cn=accounts,dc=example,dc=com'.

rob

_______________________________________________
Freeipa-users mailing list
Freeipaemail@example.com
https://www.redhat.com/mailman/listinfo/freeipa-users
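As an added example that is not part of the thread and not FreeIPA's own code: a small Python model of why Rob's memberof-scoped permission produces exactly the three outcomes he shows. The permission, privilege, role and users are rebuilt as plain dictionaries, and check_write() emulates the access decision. The ACI string in Permission.aci() is my reconstruction of the shape a FreeIPA 3.x memberof permission compiles to in 389-ds (the page does not show the generated ACI), and the dc=example,dc=com suffix is taken from the error messages above; both are assumptions.

```python
"""Model of how a memberof-scoped FreeIPA permission is enforced.

Added example: this is not code from the thread or from FreeIPA. It mirrors the
objects Rob created and emulates the access decision for the three user-mod
calls he ran. The ACI text in Permission.aci() is a reconstruction of the shape
FreeIPA 3.x generates; the exact string is not shown on the page.
"""
from dataclasses import dataclass

BASE_DN = "dc=example,dc=com"   # assumed suffix; matches the DNs in the error messages


def group_dn(name: str) -> str:
    return f"cn={name},cn=groups,cn=accounts,{BASE_DN}"


def user_dn(uid: str) -> str:
    return f"uid={uid},cn=users,cn=accounts,{BASE_DN}"


@dataclass(frozen=True)
class Permission:
    name: str
    attrs: frozenset   # writable attribute names, lower-cased
    memberof: str      # group the TARGET entry must belong to
    rights: frozenset  # e.g. {"write"}

    def aci(self) -> str:
        """Reconstructed 389-ds ACI: the targetfilter tests memberOf on the entry
        being modified, not on the user who binds."""
        return (
            '(targetattr = "%s")' % " || ".join(sorted(self.attrs))
            + '(targetfilter = "(memberOf=%s)")' % group_dn(self.memberof)
            + '(version 3.0;acl "permission:%s";allow (%s) '
              'groupdn = "ldap:///cn=%s,cn=permissions,cn=pbac,%s";)'
            % (self.name, ",".join(sorted(self.rights)), self.name, BASE_DN)
        )


# Constructed directory state, equivalent to the ipa commands in Rob's reply.
USERS = {                                 # uid -> groups the user is memberOf
    "g1u1": {"ipausers", "g1"},
    "g2u1": {"ipausers", "g2"},
    "g1a1": {"ipausers", "g1"},
}
PERMISSIONS = {
    "g1_modify_members": Permission(
        "g1_modify_members", frozenset({"telephonenumber"}), "g1", frozenset({"write"})),
}
PRIVILEGES = {"g1_junior_admin": {"g1_modify_members"}}   # privilege -> permissions
ROLES = {"group1": ({"g1_junior_admin"}, {"g1a1"})}        # role -> (privileges, members)


def permissions_of(uid: str) -> set:
    """Flatten role -> privilege -> permission for one bind user."""
    names = set()
    for privs, members in ROLES.values():
        if uid in members:
            for priv in privs:
                names |= PRIVILEGES.get(priv, set())
    return names


def check_write(actor: str, target: str, attr: str) -> tuple:
    """Emulate the access decision for `actor` writing `attr` on `target`.

    Returns (allowed, reason). LDAP attribute names are case-insensitive,
    so matching is done on the lower-cased name.
    """
    wanted = attr.lower()
    for name in permissions_of(actor):
        perm = PERMISSIONS[name]
        if "write" not in perm.rights or wanted not in perm.attrs:
            continue                                    # wrong right or attribute (the --fax case)
        if perm.memberof in USERS.get(target, set()):   # targetfilter on the TARGET entry
            return True, f"allowed by permission {name}"
    return False, (f"Insufficient 'write' privilege to the '{attr}' attribute "
                   f"of entry '{user_dn(target)}'")


if __name__ == "__main__":
    print(PERMISSIONS["g1_modify_members"].aci())
    for actor, target, attr in [("g1a1", "g1u1", "telephoneNumber"),
                                ("g1a1", "g1u1", "facsimileTelephoneNumber"),
                                ("g1a1", "g2u1", "telephoneNumber")]:
        print(actor, "->", target, attr, check_write(actor, target, attr))
```

The point the model makes explicit is that --memberof is evaluated against the entry being written (g1u1 is in g1, g2u1 is not), not against the junior admin's own group membership. It only covers attribute writes on user entries, which is what Rob's permission grants; it says nothing about writing the member attribute of group entries, which is the operation the original question is about.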