Hello Alexander,

> Not seeing other users or objects is not possible with FreeIPA design. It is
> also security through obscurity and doesn't really contribute anything.
> You should be looking at proper permissions/roles to confine what bob and
> others could actually do, not see.
> I have a practical example in my blog, for hosts, not people:
> https://vda.li/en/posts/2016/08/30/Creating-permissions-in-FreeIPA/

Thanks for your answers. Your blog was already a good starting point for me in the past. This article is exactly why I got here with my question ;-)

--
Regards,
Gerald Zabos

On Wed, Feb 15, 2017 at 11:51 AM, Alexander Bokovoy <aboko...@redhat.com> wrote:
> On ke, 15 helmi 2017, Gerald Zabos wrote:
>>
>> Hello all,
>>
>> after setting up a productive IPA 4.4 environment with eight nodes (master
>> + replicas) in four different locations everything works well. Good job,
>> guys.
>>
>> I am tinkering around with user management and prepared an example setup:
>>
>> - create one supervisor user (bob)
>> - create four team users on bob's team (bridget, betty, bernard, bill)
>> - create a user group (b-team) with bob, bridget, betty, bernard, bill as
>>   active users in that team
>>
>> Now I want to achieve the following:
>>
>> - supervisor (bob) can see his team members (bridget, betty, bernard, bill)
>>   -and only his team members- to handle administrative tasks within his team
>>   -and only his team-, e.g. reset their password, lock their account, change
>>   their information.
>>
>> Use case: external customer gets limited access and MUST NOT see our
>> internal users and/or other external customers.
>
> Not seeing other users or objects is not possible with FreeIPA design. It
> is also security through obscurity and doesn't really contribute
> anything.
>
> You should be looking at proper permissions/roles to confine what bob
> and others could actually do, not see.
>
>> Can someone please point me to the right documentation and/or give me
>> hints on how to achieve this?
>
> I have a practical example in my blog, for hosts, not people:
> https://vda.li/en/posts/2016/08/30/Creating-permissions-in-FreeIPA/
>
> --
> / Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
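An added example (not from the thread and not from Alexander's blog) of the permission/privilege/role chain he points to, applied to Gerald's b-team case: bob gets write access to a few attributes of users who are members of b-team, while every user stays visible to him. It assumes the FreeIPA `ipa` CLI with an admin Kerberos ticket; the permission, privilege and role names and the attribute sets are constructed, and `DRY_RUN=1` prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not code from the thread or from Alexander's blog post.
# Assumes the FreeIPA `ipa` CLI and an admin Kerberos ticket; the group, user,
# permission, privilege and role names below are constructed for the b-team case.
# DRY_RUN=1 prints each ipa command instead of executing it.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Permission -> privilege -> role chain that confines what the supervisor can
# WRITE on members of the team group. It changes nothing about what he can READ:
# every IPA user can still search and see the whole user tree.
setup_bteam_rbac() {
    team=${1:-b-team}
    supervisor=${2:-bob}

    # 1. Permissions. --type=user scopes them to user entries; --memberof adds a
    #    memberOf target filter so only members of "$team" can be modified.
    #    Reset = password/key attributes (assumed set), lock = nsaccountlock.
    run ipa permission-add "B-team: Reset password" --type=user --right=write \
        --attrs=userpassword --attrs=krbprincipalkey \
        --memberof="$team"
    run ipa permission-add "B-team: Lock account" --type=user --right=write \
        --attrs=nsaccountlock --memberof="$team"
    run ipa permission-add "B-team: Edit contact info" --type=user --right=write \
        --attrs=givenname --attrs=sn --attrs=cn --attrs=displayname \
        --attrs=mail --attrs=telephonenumber --memberof="$team"

    # 2. Privilege: bundles the three permissions into one grantable unit.
    run ipa privilege-add "B-team supervisor" --desc="Manage members of $team"
    run ipa privilege-add-permission "B-team supervisor" \
        --permissions="B-team: Reset password" \
        --permissions="B-team: Lock account" \
        --permissions="B-team: Edit contact info"

    # 3. Role: carries the privilege and is assigned to the supervisor account.
    run ipa role-add "B-team Supervisor" --desc="Supervisor of $team"
    run ipa role-add-privilege "B-team Supervisor" --privileges="B-team supervisor"
    run ipa role-add-member "B-team Supervisor" --users="$supervisor"
}

# Run for real only when explicitly asked; otherwise the file can be sourced.
if [ "${BTEAM_APPLY:-0}" = "1" ]; then
    setup_bteam_rbac b-team bob
fi
```

Because the target filter is memberOf=b-team, bob's reach follows group membership: adding a user to b-team extends it, and bob can also edit his own entry since he is a member.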