Here is our attempt to describe the problem in terms of IPA CLI commands:

kinit admin
ipa group-add --desc="Group 1" group1
ipa group-add --desc="Group 2" group2
ipa user-add --first="Admin" --last="Group 1" --password admin_group1
ipa user-add --first="Admin" --last="Group 2" --password admin_group2
ipa user-add --first="User" --last="Group 1" user_group1
ipa user-add --first="User" --last="Group 2" user_group2
ipa group-add-member --users=user_group1 group1
ipa group-add-member --users=admin_group1 group1
ipa group-add-member --users=user_group2 group2
ipa group-add-member --users=admin_group2 group2
ipa group-remove-member --users=user_group1,admin_group1,user_group2,admin_group2 ipausers
ipa permission-add perm_edit_sn_group1 --permission=write --attrs=sn --memberof=group1 --type=user
ipa permission-add perm_edit_member_group1 --permission=write --attrs=member --targetgroup=group1
ipa privilege-add priv_group1 --desc="Privilege Group1"
ipa privilege-add-permission priv_group1 --permissions=perm_edit_sn_group1,perm_edit_member_group1
ipa role-add role_group1 --desc="Role Group1"
ipa role-add-privilege role_group1 --privileges=priv_group1
ipa role-add-member role_group1 --users=admin_group1

kinit admin_group1
ipa user-mod user_group1 --last="Group 1"

# I can't change user_group2's lastname.
ipa user-mod user_group2 --last="Group 1"

# But I can add to group1 any users or user groups existing in IPA.
# How can I disallow the admin_group1 to add users or user groups from other isolated groups?
ipa group-add-member --users=user_group2 group1

# And now I can change user_group2's lastname.
ipa user-mod user_group2 --last="Group 1"
Thanks a lot.

-----Original Message-----
From: Rob Crittenden [mailto:[email protected]]
Sent: Friday, November 08, 2013 8:48 PM
To: Исаев Виталий Анатольевич; [email protected]
Subject: Re: [Freeipa-users] Access differentiation in group policy

Исаев Виталий Анатольевич wrote:
> Rob, I apologize, just one more question. We dealt with the editing of
> attributes, but it is still not clear whether it is possible to restrict
> adding a user to an isolated group when that user is a member of another
> isolated group.

I'm not sure I follow. As you can see, this sort of access control can get
very complex :-)

Can you provide an example of what you want to do?

rob

>
> -----Original Message-----
> From: Rob Crittenden [mailto:[email protected]]
> Sent: Friday, November 08, 2013 7:47 PM
> To: Исаев Виталий Анатольевич; [email protected]
> Subject: Re: [Freeipa-users] Access differentiation in group policy
>
> Исаев Виталий Анатольевич wrote:
>> Dear colleagues, we faced an issue of access differentiation for
>> junior IPA admins. Our idea was to create several (say, three –
>> group1, group2, group3) isolated groups with one junior admin per group.
>>
>> The group isolation means that the admin of group1 is not able to add to
>> his group either users or subgroups that are members of other global
>> groups (i.e. group2, group3).
>>
>> We have attempted to accomplish this by RBAC for every junior admin.
>> It was pointed out that the admin can modify the objects (users,
>> subgroups) belonging to his group only. However, every user enrolled
>> in IPA can see all the other objects by default, therefore any junior
>> admin can add users and subgroups FROM THE OTHER isolated group to
>> his group with no restrictions.
>>
>> So the question is – how to implement (the specified) group “isolation”
>> in IPA?
>>
>> We’re running on RHEL 6.4 with IPA 3.0. Thank you.
>
> You need to create some custom permissions that limit the capabilities by
> memberof.
>
> I set up a simple system with a couple of users:
>
> kinit admin
> ipa group-add --desc=g1 g1
> ipa group-add --desc=g2 g2
> ipa user-add --first=group1 --last=user1 g1u1
> ipa user-add --first=group2 --last=user1 g2u1
> ipa group-add-member --users g1u1 g1
> ipa group-add-member --users g2u1 g2
> ipa user-add --first=group1 --last=admin1 g1a1
> ipa group-add-member --users g1a1 g1
> ipa passwd g1a1
>
> g1a1 is going to be my junior admin
>
> Next I created a permission so junior admins can manage the telephone number.
> This permission allows the phone number attribute to be written only for
> members of the group g1.
>
> ipa permission-add --attrs=telephonenumber --memberof=g1 --permissions=write g1_modify_members
> ipa privilege-add g1_junior_admin --desc='Group 1 junior admin'
> ipa privilege-add-permission --permissions=g1_modify_members g1_junior_admin
> ipa role-add --desc='Group 1 junior admin' group1
> ipa role-add-privilege --privileges=g1_junior_admin group1
> ipa role-add-member --users=g1a1 group1
>
> So members of the group1 role can modify the telephonenumber attribute of its
> members.
>
> Let's see it in action:
>
> kinit g1a1
> ipa user-mod --phone=410-555-1212 g1u1
> --------------------
> Modified user "g1u1"
> --------------------
>   User login: g1u1
>   First name: group1
>   Last name: user1
>   Home directory: /home/g1u1
>   Login shell: /bin/sh
>   Email address: [email protected]
>   UID: 1197000004
>   GID: 1197000004
>   Telephone Number: 410-555-1212
>   Account disabled: False
>   Password: False
>   Member of groups: ipausers, g1
>   Kerberos keys available: False
>
> Try another attribute and it fails as expected:
> ipa user-mod --fax=410-555-1212 g1u1
> ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the
> 'facsimileTelephoneNumber' attribute of entry
> 'uid=g1u1,cn=users,cn=accounts,dc=example,dc=com'.
>
> Change the phone number of a non-member of the group and it also fails as
> expected:
> ipa user-mod --phone=410-555-1213 g2u1
> ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the
> 'telephoneNumber' attribute of entry
> 'uid=g2u1,cn=users,cn=accounts,dc=example,dc=com'.
>
> rob
>

_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
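The thread's core problem is that a memberof-scoped attribute permission (write `sn` for members of group1) is only as strong as the control over who can be made a member of group1; granting the same role write access to the group's `member` attribute lets the junior admin pull any user into scope first. The following is an added example, not code from the thread or from FreeIPA: a simplified Python model of the two permissions (an assumption about their behaviour, not FreeIPA's ACI engine) that replays the steps from the top post, plus an audit function a defender can run over the exported membership lists of the isolated groups to flag users that have ended up in more than one of them. All user and group names are the ones used in the thread.

```python
"""Model of memberof/targetgroup permissions from the freeipa-users thread.

Added example; not FreeIPA code. The access checks below are a simplified
model (an assumption) of how a 'write attrs=sn memberof=group1' permission
and a 'write attrs=member targetgroup=group1' permission interact.
"""

from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set


@dataclass
class Permission:
    """One IPA-style permission: writable attributes plus a target filter."""
    attrs: FrozenSet[str]
    memberof: Optional[str] = None     # applies to user entries that are members of this group
    targetgroup: Optional[str] = None  # applies to this group entry itself


@dataclass
class Role:
    members: Set[str]            # uids holding the role
    permissions: List[Permission]


@dataclass
class Directory:
    groups: Dict[str, Set[str]] = field(default_factory=dict)  # group -> member uids

    def members_of(self, group: str) -> Set[str]:
        return self.groups.get(group, set())


def can_write_user_attr(directory: Directory, roles: List[Role],
                        actor: str, user: str, attr: str) -> bool:
    """True if a role held by `actor` grants write on `attr` of `user`'s entry."""
    for role in roles:
        if actor not in role.members:
            continue
        for perm in role.permissions:
            if (attr in perm.attrs and perm.memberof
                    and user in directory.members_of(perm.memberof)):
                return True
    return False


def can_write_group_member(directory: Directory, roles: List[Role],
                           actor: str, group: str) -> bool:
    """True if `actor` may write the 'member' attribute of `group`.

    Nothing here restricts *which* users may be added: that is exactly the
    gap the thread runs into.
    """
    for role in roles:
        if actor not in role.members:
            continue
        for perm in role.permissions:
            if "member" in perm.attrs and perm.targetgroup == group:
                return True
    return False


def add_member(directory: Directory, roles: List[Role],
               actor: str, group: str, user: str) -> None:
    """Equivalent of 'ipa group-add-member --users=<user> <group>' run by `actor`."""
    if not can_write_group_member(directory, roles, actor, group):
        raise PermissionError(f"{actor} may not modify 'member' of {group}")
    directory.groups.setdefault(group, set()).add(user)


def cross_isolation_members(directory: Directory,
                            isolated_groups: List[str]) -> Dict[str, List[str]]:
    """Audit check: users that belong to more than one supposedly isolated group."""
    seen: Dict[str, List[str]] = {}
    for group in isolated_groups:
        for uid in directory.members_of(group):
            seen.setdefault(uid, []).append(group)
    return {uid: sorted(groups) for uid, groups in seen.items() if len(groups) > 1}


def scenario():
    """Replay the thread's steps; returns (allowed_before, allowed_after, audit_findings)."""
    directory = Directory({
        "group1": {"user_group1", "admin_group1"},
        "group2": {"user_group2", "admin_group2"},
    })
    roles = [Role(
        members={"admin_group1"},                                        # role_group1
        permissions=[
            Permission(attrs=frozenset({"sn"}), memberof="group1"),        # perm_edit_sn_group1
            Permission(attrs=frozenset({"member"}), targetgroup="group1"), # perm_edit_member_group1
        ],
    )]
    before = can_write_user_attr(directory, roles, "admin_group1", "user_group2", "sn")
    add_member(directory, roles, "admin_group1", "group1", "user_group2")
    after = can_write_user_attr(directory, roles, "admin_group1", "user_group2", "sn")
    findings = cross_isolation_members(directory, ["group1", "group2"])
    return before, after, findings


if __name__ == "__main__":
    print(scenario())
```

Running `scenario()` reproduces the thread: the `sn` write on `user_group2` is denied, the membership change is allowed because the `member` write is not constrained by the value being added, and afterwards the `sn` write succeeds. The `cross_isolation_members` report is the detection side: fed with the membership lists of the isolated groups, it flags `user_group2` as belonging to both `group1` and `group2`, which is the state the isolation policy was meant to rule out.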
