Thank you, Rob! This example is very useful. 

Vitaly Isaev
Software Engineer
Information Security Department
Fintech JSC

-----Original Message-----
From: Rob Crittenden [] 
Sent: Friday, November 08, 2013 7:47 PM
To: Исаев Виталий Анатольевич;
Subject: Re: [Freeipa-users] Access differentiation in group policy

Исаев Виталий Анатольевич wrote:
> Dear colleagues, we are facing an issue of access differentiation for 
> junior IPA admins. Our idea was to create several (say, three – 
> group1, group2, group3) isolated groups with one junior admin per group.
> The group isolation means that the admin of group1 is not able to add to 
> his group either users or subgroups that are members of other global groups (i.e.
> group2, group3).
> We have attempted to accomplish this with RBAC for every junior admin.  
> It was pointed out that the admin can modify the objects (users,
> subgroups) belonging to his group only.  However, every user enrolled 
> in IPA can see all the other objects by default, therefore any junior 
> admin can add users and subgroups FROM THE OTHER isolated group to his 
> group with no restrictions.
> So the question is – how to implement (the specified) group “isolation”
> in IPA?
> We’re running on RHEL 6.4 with IPA 3.0. Thank you.

You need to create some custom permissions that limit the capabilities by 

I set up a simple system with a couple of users:

kinit admin
ipa group-add --desc=g1 g1
ipa group-add --desc=g2 g2
ipa user-add --first=group1 --last=user1 g1u1
ipa user-add --first=group2 --last=user1 g2u1
ipa group-add-member --users g1u1 g1
ipa group-add-member --users g2u1 g2
ipa user-add --first=group1 --last=admin1 g1a1
ipa group-add-member --users g1a1 g1
ipa passwd g1a1

g1a1 is going to be my junior admin

Next I created a permission so junior admins can manage the telephone number. 
This permission allows the phone number attribute to be written only for 
members of the group g1.

ipa permission-add --attrs=telephonenumber --memberof=g1 --permissions=write g1_modify_members
ipa privilege-add g1_junior_admin --desc='Group 1 junior'
ipa privilege-add-permission --permissions=g1_modify_members g1_junior_admin
ipa role-add --desc='Group 1 junior admin' group1
ipa role-add-privilege --privileges=g1_junior_admin group1
ipa role-add-member --users=g1a1 group1

So members of the group1 role can modify the telephonenumber attribute of its 

Let's see it in action:

kinit g1a1
ipa user-mod --phone=410-555-1212 g1u1
Modified user "g1u1"
   User login: g1u1
   First name: group1
   Last name: user1
   Home directory: /home/g1u1
   Login shell: /bin/sh
   Email address:
   UID: 1197000004
   GID: 1197000004
   Telephone Number: 410-555-1212
   Account disabled: False
   Password: False
   Member of groups: ipausers, g1
   Kerberos keys available: False

Try another attribute and it fails as expected:
ipa user-mod --fax=410-555-1212 g1u1
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 
'facsimileTelephoneNumber' attribute of entry 

Change the phone number of a non-member of the group and it also fails as 
ipa user-mod --phone=410-555-1213 g2u1
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 
'telephoneNumber' attribute of entry 
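An added in-memory model of the permission -> privilege -> role chain that Rob's reply builds, reproducing the three outcomes he shows (this is illustrative code written for this page, not IPA's own access-control implementation; user, group, permission and role names mirror the thread, and IPA's default self-service permissions are deliberately left out of the model):

```python
from dataclasses import dataclass, field

# Hypothetical model of the IPA RBAC chain: permission -> privilege -> role -> members.
# It is NOT IPA/389-ds ACI evaluation; it only captures the rule the thread relies on:
# a write is allowed when the actor holds a permission covering the attribute AND the
# target entry is a member of the permission's --memberof group.

@dataclass(frozen=True)
class Permission:
    name: str
    attrs: frozenset      # attribute names, lower-cased
    memberof: str         # target must belong to this group
    rights: frozenset     # e.g. {"write"}

@dataclass
class User:
    uid: str
    groups: set = field(default_factory=set)

# Directory state constructed to mirror the example setup in the reply.
USERS = {
    "g1u1": User("g1u1", {"ipausers", "g1"}),
    "g2u1": User("g2u1", {"ipausers", "g2"}),
    "g1a1": User("g1a1", {"ipausers", "g1"}),   # the junior admin
}
PERMISSIONS = {
    "g1_modify_members": Permission(
        "g1_modify_members", frozenset({"telephonenumber"}), "g1", frozenset({"write"})),
}
PRIVILEGES = {"g1_junior_admin": {"g1_modify_members"}}
ROLES = {"group1": {"privileges": {"g1_junior_admin"}, "members": {"g1a1"}}}

def permissions_for(actor: str) -> set:
    """Collect every permission the actor holds via role membership -> privileges."""
    perms = set()
    for role in ROLES.values():
        if actor in role["members"]:
            for priv in role["privileges"]:
                perms |= PRIVILEGES.get(priv, set())
    return perms

def can_write(actor: str, target: str, attr: str) -> bool:
    """True only if some held permission grants write on attr and target is in its group."""
    tgt = USERS[target]
    for pname in permissions_for(actor):
        p = PERMISSIONS[pname]
        if "write" in p.rights and attr.lower() in p.attrs and p.memberof in tgt.groups:
            return True
    return False
```

Running the four checks below reproduces the reply: the phone change on g1u1 succeeds, the fax change on g1u1 and the phone change on g2u1 are denied, and a plain user without the role gets nothing.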


Freeipa-users mailing list