Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1451901
Description of problem: We have a request coming from the business to support groups with membership and other attributes hidden from all but select users. These would be groupofgroup groups (not posixgroups). I'm fairly sure we can accomplish this with DS ACIs today, but it was not clear how to do it with IdM's RBAC model.

Consider the group:

    dn: cn=it-iam-team,cn=groups,cn=accounts,dc=ipa,dc=dev,dc=example,dc=com
    objectClass: ipaobject
    objectClass: top
    objectClass: ipausergroup
    objectClass: groupofnames
    objectClass: nestedgroup
    cn: it-iam-team
    description: IT IAM Team Group
    member: uid=user1,cn=users,cn=accounts,dc=ipa,dc=dev,dc=example,dc=com

Under this RFE, there are a couple of use-cases:

1. All users and anon. binds would be able to see the cn=it-iam-team,cn=groups,cn=accounts,dc=ipa,dc=dev,dc=example,dc=com group and description, but not view the group membership.
2. Group is completely hidden from all but chosen users.

Individual users and/or groups should define access to both these use-cases. That is, I should be able to define a group (or use the hidden group itself) to grant access to view group membership.
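As an added example (not part of the ticket, and not FreeIPA's own code), the following 389 DS ACIs implement the two use-cases directly on the group entry quoted above; it assumes the hidden group itself is the set of users allowed to see it, as the reporter suggests, and that the LDIF is applied with ldapmodify by an administrator, since IdM's ipa permission-* commands generate allow ACIs only.

```ldif
# Constructed example: deny-style ACIs on the it-iam-team group entry.
# Apply as an IdM admin, e.g.:  ldapmodify -Y GSSAPI -f hide-it-iam-team.ldif
# 389 DS evaluates deny ACIs before allow ACIs, so these override the
# default "Enable Anonymous access" read ACI that IdM places on cn=accounts.

# Use-case 1: everyone (anonymous binds included) can still read cn and
# description, but the member attribute is only readable by members of
# the group itself (substitute any other group DN in groupdn to delegate).
dn: cn=it-iam-team,cn=groups,cn=accounts,dc=ipa,dc=dev,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "member")(version 3.0; acl "Hide it-iam-team membership"; deny (read, search, compare) (groupdn != "ldap:///cn=it-iam-team,cn=groups,cn=accounts,dc=ipa,dc=dev,dc=example,dc=com");)

# Use-case 2: hide the whole entry. Denying read/search/compare on every
# attribute to non-members keeps the entry out of their search results.
# Applying this record as well makes use-case 1 redundant; pick one.
dn: cn=it-iam-team,cn=groups,cn=accounts,dc=ipa,dc=dev,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "*")(version 3.0; acl "Hide it-iam-team group entirely"; deny (read, search, compare) (groupdn != "ldap:///cn=it-iam-team,cn=groups,cn=accounts,dc=ipa,dc=dev,dc=example,dc=com");)
```

Verify with an ldapsearch against the group DN as a non-member and as a member; note that membership still leaks through each member's own memberOf attribute on the user entry, which these ACIs do not cover.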
Metadata Update from @pvoborni: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1451901