Rob, I apologize, just one more question. We dealt with the editing of 
attributes, but it is still not clear if it is possible to restrict the user 
adding to isolated group in case of the user's membership in other isolated 

-----Original Message-----
From: Rob Crittenden [] 
Sent: Friday, November 08, 2013 7:47 PM
To: Исаев Виталий Анатольевич;
Subject: Re: [Freeipa-users] Access differentiation in group policy

Исаев Виталий Анатольевич wrote:
> Dear colleagues, we faced with an issue of access differentiation for 
> junior IPA admins. Our idea was to create several (say, three – 
> group1, group2, group3) isolated groups with one junior admin per group.
> The group isolation means that admin of group1 is not able to add to 
> his group neither users nor subgroups – members of other global groups (i.e.
> group2, group3)
> We have attempted to accomplish this by RBAC for every junior admin.  
> It was pointed out, that the admin can modify the objects (users,
> subgroups) belonging to his group only.  However, every user enrolled 
> to IPA can see all the other objects by default, therefore any junior 
> admin can add users and subgroups FROM THE OTHER isolated group to his 
> group with no restrictions.
> So the question is – how to implement (the specified) group “isolation”
> in IPA?
> We’re running on the RHEL 6.4 with IPA 3.0. Thank you.

You need to create some custom permissions that limit the capabilities by 

I set up a simple system with a couple of users:

kinit admin
ipa group-add --desc=g1 g1
ipa group-add --desc=g2 g2
ipa user-add --first=group1 --last=user1 g1u1 ipa user-add --first=group2 
--last=user1 g2u1 ipa group-add-member --users g1u1 g1 ipa group-add-member 
--users g2u1 g2 ipa user-add --first=group1 --last=admin1 g1a1 ipa 
group-add-member --users g1a1 g1 ipa passwd g1a1

g1a1 is going to be my junior admin

Next I created a permission so junior admins can manage the telephone number. 
This permission allows the phone number attribute to be written only for 
members of the group g1.

ipa permission-add --attrs=telephonenumber --memberof=g1 --permissions=write 
g1_modify_members ipa privilege-add g1_junior_admin --desc='Group 1 junior 
ipa privilege-add-permission --permissions=g1_modify_members g1_junior_admin 
ipa role-add --desc='Group 1 junior admin' group1 ipa role-add-privilege 
--privileges=g1_junior_admin group1 ipa role-add-member --users=g1a1 group1

So members of the group1 role can modify the telephonenumber attribute of its 

Let's see it in action:

kinit g1a1
ipa user-mod --phone=410-555-1212 g1u1
Modified user "g1u1"
   User login: g1u1
   First name: group1
   Last name: user1
   Home directory: /home/g1u1
   Login shell: /bin/sh
   Email address:
   UID: 1197000004
   GID: 1197000004
   Telephone Number: 410-555-1212
   Account disabled: False
   Password: False
   Member of groups: ipausers, g1
   Kerberos keys available: False

Try another attribute and it fails as expected:
ipa user-mod --fax=410-555-1212 g1u1
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 
'facsimileTelephoneNumber' attribute of entry 

Change the phone number of a non-member of the group and it also fails as 
ipa user-mod --phone=410-555-1213 g2u1
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 
'telephoneNumber' attribute of entry 


Freeipa-users mailing list

Reply via email to