On Wed, 15 Feb 2017, Gerald Zabos wrote:
Hello all,

after setting up a productive IPA 4.4 environment with eight nodes (master
+ replicas) on four different locations everything works well. Good job,
guys.

I am tinkering around with user management and prepared an example setup:

- create one supervisor user (bob)
- create four team users on bob's team (bridget, betty, bernard, bill)
- create a user group (b-team) with bob, bridget, betty, bernard, bill as
active users in that team

Now I want to achieve the following:

- supervisor (bob) can see his team members (bridget, betty, bernard, bill)
(and only his team members) to handle administrative tasks within his team
(and only his team), e.g. reset their password, lock their account, change
their information.

Use case: external customer gets limited access and MUST NOT see our
internal users and/or other external customers.
Not seeing other users or objects is not possible with FreeIPA design. It
is also security through obscurity and doesn't really contribute
anything.

You should be looking at proper permissions/roles to confine what bob
and others could actually do, not see.


Can someone please point me to the right documentation and/or give me hints
on how to achieve this?
I have a practical example in my blog, for hosts, not people:
https://vda.li/en/posts/2016/08/30/Creating-permissions-in-FreeIPA/

--
/ Alexander Bokovoy
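An added example (not from this thread) of the permissions/roles approach Alexander points to: it scopes bob to password resets and account lock/unlock on members of b-team through FreeIPA's permission, privilege and role chain. The permission, privilege and role names and the DRY_RUN helper are assumptions; the ipa subcommands and options are the standard FreeIPA CLI ones.

```shell
#!/bin/sh
# Added example: confine supervisor "bob" to password resets and
# lock/unlock on members of the "b-team" group, using FreeIPA's
# permission -> privilege -> role chain. Object names are assumptions.
# Set DRY_RUN=1 to print the ipa commands instead of executing them;
# a real run needs an admin Kerberos ticket.

GROUP="b-team"
SUPERVISOR="bob"
PERM_PW="b-team supervisor: reset member passwords"
PERM_LOCK="b-team supervisor: lock and unlock members"
PRIV="b-team supervisor privilege"
ROLE="b-team supervisor"

run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Builds the whole delegation. Each permission carries a memberOf
# target filter, so it never matches users outside $GROUP.
setup_team_delegation() {
    # write access to the password attribute, members of $GROUP only
    run ipa permission-add "$PERM_PW" \
        --right=write --type=user --attrs=userpassword \
        --memberof="$GROUP"
    # nsaccountlock is what 'ipa user-disable' / 'ipa user-enable' toggle
    run ipa permission-add "$PERM_LOCK" \
        --right=write --type=user --attrs=nsaccountlock \
        --memberof="$GROUP"
    # bundle the permissions into a privilege, the privilege into a role
    run ipa privilege-add "$PRIV" --desc="Helpdesk rights scoped to $GROUP"
    run ipa privilege-add-permission "$PRIV" \
        --permissions="$PERM_PW" --permissions="$PERM_LOCK"
    run ipa role-add "$ROLE" --desc="Supervisor of $GROUP"
    run ipa role-add-privilege "$ROLE" --privileges="$PRIV"
    # hand the role to the supervisor, and nobody else
    run ipa role-add-member "$ROLE" --users="$SUPERVISOR"
}

# Dry-run check: how many permission definitions are scoped to $GROUP.
# Both permission-add calls must carry the memberof filter, so expect 2.
scoped_permission_count() {
    (DRY_RUN=1; setup_team_delegation) | grep -c -- "--memberof=$GROUP"
}
```

Because bob is himself a member of b-team, these permissions also cover his own account; move him out of the group or add a second, bob-only group as the target if that is not wanted.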

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project