#7073 [RFE] Support limited-access groups within IdM
Opened 6 years ago by pvoborni. Modified 6 years ago

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1451901

Description of problem:

We have a request coming from the business to support groups with membership
and other attributes hidden from all but select users.  These would be
groupofgroup groups (not posixgroups).  I'm fairly sure we can accomplish this
with DS ACIs today, but it was not clear how to do this with IdM's RBAC model.

Consider the group:

dn: cn=it-iam-team,cn=groups,cn=accounts,dc=ipa,dc=dev,dc=example,dc=com
objectClass: ipaobject
objectClass: top
objectClass: ipausergroup
objectClass: groupofnames
objectClass: nestedgroup
cn: it-iam-team
description: IT IAM Team Group
member: uid=user1,cn=users,cn=accounts,dc=ipa,dc=dev,dc=example,dc=com


Under this RFE, there are a couple of use cases:

1. All users and anon. binds would be able to see the
cn=it-iam-team,cn=groups,cn=accounts,dc=ipa,dc=dev,dc=example,dc=com group and
description, but not view the group membership.

2. Group is completely hidden from all but chosen users.

Individual users and/or groups should define access to both these use-cases.
That is, I should be able to define a group (or use the hidden group itself) to
grant access to view group membership.

Metadata Update from @pvoborni:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1451901

6 years ago