On ke, 15 helmi 2017, Gerald Zabos wrote:
after setting up a productive IPA 4.4 environment with eight nodes (master
+ replicas) on four different locations everything works well. Good job,
I am tinkering around with user management and prepared an example setup:
- create one supervisor user (bob)
- create four team users on bob's team (bridget, betty, bernard, bill)
- create a user group (b-team) with bob, bridget, betty, bernard, bill as
active users in that team
Now I want to achieve the following:
- supervisor (bob) can see his team members (bridget, betty, bernard, bill)
(and only his team members) to handle administrative tasks within his team
(and only his team), e.g. reset their password, lock their account, change
Use case: external customer gets limited access and MUST NOT see our
internal users and/or other external customers.
Not seeing other users or objects is not possible with FreeIPA design. It
is also security through obscurity and doesn't really contribute
You should be looking at proper permissions/roles to confine what bob
and others could actually do, not see.
Can someone please point me to the right documentation and/or give me hints
on how to achieve this?
I have a practical example in my blog, for hosts, not people:
/ Alexander Bokovoy
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project
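As an added illustration of the permissions/roles approach suggested in the reply above (my own example, not code from the thread or from the FreeIPA project): a permission whose target is scoped with --memberof to the b-team group, wrapped in a privilege and a role that bob is made a member of. It assumes the group b-team and the user bob already exist, uses standard ipa CLI options from FreeIPA 4.x, and the function names, ATTRS list and DRY_RUN switch are my own.

```shell
#!/bin/sh
# Delegate "reset password / lock account" for members of one group to one
# supervisor via the FreeIPA chain: permission -> privilege -> role -> user.
# bob keeps the default read access to all users; this only confines writes.
TEAM="${TEAM:-b-team}"          # assumed existing group
SUPERVISOR="${SUPERVISOR:-bob}" # assumed existing user
# Attributes the supervisor may write on team members' entries:
# userpassword (password reset) and nsaccountlock (ipa user-disable/enable).
ATTRS="userpassword nsaccountlock"

# run: execute the command, or just print it when DRY_RUN is set (preview).
run() {
  if [ -n "${DRY_RUN:-}" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# build_attr_flags: turn "a b" into "--attrs=a --attrs=b".
build_attr_flags() {
  for a in $1; do printf -- '--attrs=%s ' "$a"; done
}

# delegate_team_admin TEAM USER: create the permission/privilege/role chain.
delegate_team_admin() {
  team="$1"; who="$2"
  perm="Manage ${team} members"
  priv="${team} supervision"
  role="${team} supervisor"
  # --memberof limits the target to user entries that are members of $team,
  # so no write right on any other user entry is granted.
  # shellcheck disable=SC2046
  run ipa permission-add "$perm" --type=user --memberof="$team" \
      --right=write $(build_attr_flags "$ATTRS")
  run ipa privilege-add "$priv" --desc="Reset passwords and lock accounts in ${team}"
  run ipa privilege-add-permission "$priv" --permissions="$perm"
  run ipa role-add "$role"
  run ipa role-add-privilege "$role" --privileges="$priv"
  run ipa role-add-member "$role" --users="$who"
}

# Only act when an ipa client is present or a dry run was requested.
if command -v ipa >/dev/null 2>&1 || [ -n "${DRY_RUN:-}" ]; then
  delegate_team_admin "$TEAM" "$SUPERVISOR"
fi
```

Run with DRY_RUN=1 to preview the six ipa commands before applying them as an admin; verify afterwards with `ipa permission-show "Manage b-team members"`.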