It should be possible to create loosely isolated environments in IPA so that a member of a specific group can only see a subset of entries in UI and CLI depending on which group he belongs to.
The main use case is multitenant environments like OpenStack.
Consider using new permissions framework for this.
The scope & benefit is very tricky for this one - it sounds dangerously close to http://www.freeipa.org/page/V3/Multitenancy proposal.
To be scoped in 4.3 time frame.
Metadata Update from @dpal: - Issue assigned to someone - Issue set to the milestone: FreeIPA 4.5 backlog
Login to comment on this ticket.