Here is our attempt to describe the problem in terms of IPA CLI commands:

kinit admin
ipa group-add --desc="Group 1" group1
ipa group-add --desc="Group 2" group2
ipa user-add --first="Admin" --last="Group 1" --password admin_group1
ipa user-add --first="Admin" --last="Group 2" --password admin_group2
ipa user-add --first="User" --last="Group 1" user_group1
ipa user-add --first="User" --last="Group 2" user_group2
ipa group-add-member --users=user_group1 group1
ipa group-add-member --users=admin_group1 group1
ipa group-add-member --users=user_group2 group2
ipa group-add-member --users=admin_group2 group2
ipa group-remove-member --users=user_group1,admin_group1,user_group2,admin_group2 ipausers
ipa permission-add perm_edit_sn_group1 --permissions=write --attrs=sn --memberof=group1 --type=user
ipa permission-add perm_edit_member_group1 --permissions=write --attrs=member --targetgroup=group1
ipa privilege-add priv_group1 --desc="Privilege Group1"
ipa privilege-add-permission priv_group1 --permissions=perm_edit_sn_group1,perm_edit_member_group1
ipa role-add role_group1 --desc="Role Group1"
ipa role-add-privilege role_group1 --privileges=priv_group1
ipa role-add-member role_group1 --users=admin_group1
kinit admin_group1
ipa user-mod user_group1 --last="Group 1"
# I can't change user_group2's lastname.
ipa user-mod user_group2 --last="Group 1"
# But I can add to group1 any users or user groups existing in IPA. How can I
# disallow the admin_group1 to add users or user groups from other isolated
# groups?
ipa group-add-member --users=user_group2 group1
# And now I can change user_group2's lastname.
ipa user-mod user_group2 --last="Group 1"

Thanks a lot. 

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com] 
Sent: Friday, November 08, 2013 8:48 PM
To: Исаев Виталий Анатольевич; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Access differentiation in group policy

Исаев Виталий Анатольевич wrote:
> Rob, I apologize, just one more question. We dealt with the editing of
> attributes, but it is still not clear whether it is possible to restrict
> adding a user to an isolated group when that user is a member of another
> isolated group.

I'm not sure I follow. As you can see, this sort of access control can get very 
complex :-) Can you provide an example of what you want to do?

rob

>
> -----Original Message-----
> From: Rob Crittenden [mailto:rcrit...@redhat.com]
> Sent: Friday, November 08, 2013 7:47 PM
> To: Исаев Виталий Анатольевич; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Access differentiation in group policy
>
> Исаев Виталий Анатольевич wrote:
>> Dear colleagues, we are facing an issue of access differentiation for
>> junior IPA admins. Our idea was to create several (say, three:
>> group1, group2, group3) isolated groups with one junior admin per group.
>>
>> Group isolation means that the admin of group1 is not able to add to
>> his group either users or subgroups that are members of the other global
>> groups (i.e. group2, group3).
>>
>> We have attempted to accomplish this with RBAC for every junior admin.
>> It was pointed out that the admin can modify only the objects (users,
>> subgroups) belonging to his group. However, every user enrolled
>> in IPA can see all the other objects by default, therefore any junior
>> admin can add users and subgroups FROM THE OTHER isolated group to
>> his group with no restrictions.
>>
>> So the question is: how to implement (the specified) group "isolation"
>> in IPA?
>>
>> We're running RHEL 6.4 with IPA 3.0. Thank you.
>
> You need to create some custom permissions that limit the capabilities by 
> memberof.
>
> I set up a simple system with a couple of users:
>
> kinit admin
> ipa group-add --desc=g1 g1
> ipa group-add --desc=g2 g2
> ipa user-add --first=group1 --last=user1 g1u1
> ipa user-add --first=group2 --last=user1 g2u1
> ipa group-add-member --users g1u1 g1
> ipa group-add-member --users g2u1 g2
> ipa user-add --first=group1 --last=admin1 g1a1
> ipa group-add-member --users g1a1 g1
> ipa passwd g1a1
>
> g1a1 is going to be my junior admin
>
> Next I created a permission so junior admins can manage the telephone number. 
> This permission allows the phone number attribute to be written only for 
> members of the group g1.
>
> ipa permission-add --attrs=telephonenumber --memberof=g1 --permissions=write g1_modify_members
> ipa privilege-add g1_junior_admin --desc='Group 1 junior admin'
> ipa privilege-add-permission --permissions=g1_modify_members g1_junior_admin
> ipa role-add --desc='Group 1 junior admin' group1
> ipa role-add-privilege --privileges=g1_junior_admin group1
> ipa role-add-member --users=g1a1 group1
>
> So members of the group1 role can modify the telephonenumber attribute of its 
> members.
>
> Let's see it in action:
>
> kinit g1a1
> ipa user-mod --phone=410-555-1212 g1u1
> --------------------
> Modified user "g1u1"
> --------------------
>     User login: g1u1
>     First name: group1
>     Last name: user1
>     Home directory: /home/g1u1
>     Login shell: /bin/sh
>     Email address: g...@example.com
>     UID: 1197000004
>     GID: 1197000004
>     Telephone Number: 410-555-1212
>     Account disabled: False
>     Password: False
>     Member of groups: ipausers, g1
>     Kerberos keys available: False
>
> Try another attribute and it fails as expected:
> ipa user-mod --fax=410-555-1212 g1u1
> ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 
> 'facsimileTelephoneNumber' attribute of entry 
> 'uid=g1u1,cn=users,cn=accounts,dc=example,dc=com'.
>
> Change the phone number of a non-member of the group and it also fails as 
> expected:
> ipa user-mod --phone=410-555-1213 g2u1
> ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 
> 'telephoneNumber' attribute of entry 
> 'uid=g2u1,cn=users,cn=accounts,dc=example,dc=com'.
>
> rob
>
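
The thread shows that a memberof-scoped permission stops being a boundary as soon as a junior admin can add a foreign user to his own group: after `ipa group-add-member --users=user_group2 group1`, admin_group1 can write user_group2's sn. The script below is an added audit helper, not code from the thread or from the FreeIPA project. It parses "Member of groups:" lines in the layout of `ipa user-find` / `ipa user-show` output (the layout Rob's `user-mod` output uses) and reports any user that sits in more than one of the groups that are supposed to be isolated. The sample output and the set of isolated groups are constructed assumptions; on a real server the output would come from `ipa user-find --all` piped into the script. It is a detection check for a senior admin to run periodically, not a replacement for an ACI that prevents the cross-group add.

```python
"""Audit helper: detect users that belong to more than one isolated IPA group.

Parses ipa user-find / user-show style text (the "Member of groups:" line) and
flags cross-membership between groups that are meant to be mutually exclusive.
"""
import re
import sys
from collections import defaultdict

# Constructed sample in the layout of `ipa user-find` output; not captured
# from a real server. user_group2 has been added to group1, mirroring the
# `ipa group-add-member --users=user_group2 group1` step in the thread.
SAMPLE_USER_FIND = """\
---------------
4 users matched
---------------
  User login: user_group1
  First name: User
  Last name: Group 1
  Member of groups: group1

  User login: admin_group1
  First name: Admin
  Last name: Group 1
  Member of groups: group1

  User login: user_group2
  First name: User
  Last name: Group 2
  Member of groups: group2, group1

  User login: admin_group2
  First name: Admin
  Last name: Group 2
  Member of groups: group2
----------------------------
Number of entries returned 4
----------------------------
"""

# Assumed policy: these groups must not share members.
ISOLATED_GROUPS = {"group1", "group2"}


def parse_user_find(text):
    """Return {login: set_of_groups} from ipa user-find / user-show style text."""
    users = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"User login:\s*(\S+)", line)
        if m:
            current = m.group(1)
            users[current] = set()  # a user with no groups line still appears
            continue
        m = re.match(r"Member of groups:\s*(.*)", line)
        if m and current is not None:
            users[current] = {g.strip() for g in m.group(1).split(",") if g.strip()}
    return users


def find_isolation_violations(users, isolated):
    """Users that belong to two or more of the isolated groups: {login: [groups]}."""
    violations = {}
    for login, groups in users.items():
        overlap = groups & isolated
        if len(overlap) > 1:
            violations[login] = sorted(overlap)
    return violations


def members_by_group(users, isolated):
    """Invert the per-user view into {isolated_group: sorted member logins}."""
    members = defaultdict(list)
    for login, groups in users.items():
        for g in groups & isolated:
            members[g].append(login)
    return {g: sorted(m) for g, m in members.items()}


def audit_report(text, isolated=ISOLATED_GROUPS):
    """Parse once and return (violations, members_by_group)."""
    users = parse_user_find(text)
    return find_isolation_violations(users, isolated), members_by_group(users, isolated)


if __name__ == "__main__":
    # Read piped `ipa user-find --all` output if there is any, else use the sample.
    text = SAMPLE_USER_FIND if sys.stdin.isatty() else sys.stdin.read()
    if not text.strip():
        text = SAMPLE_USER_FIND
    violations, members = audit_report(text)
    for g, m in sorted(members.items()):
        print(f"{g}: {', '.join(m)}")
    for login, groups in sorted(violations.items()):
        print(f"VIOLATION: {login} is in isolated groups {', '.join(groups)}")
```

Run stand-alone it reports the constructed sample, listing user_group2 as a member of both group1 and group2; piped from a live `ipa user-find --all` (as the admin, who can see every entry) it checks the real directory. The check is deliberately built on the users' "Member of groups" view rather than on group-show, because that is the view in which a foreign member becomes writable to the junior admin.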


_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users