Granular Privilege Escalation and Delegation within Red Hat's Identity Management Server

Solution In Progress - Updated

Issue

Unable to implement a Role Based Access Control (RBAC) or Host Based Access Control (HBAC) policy within Red Hat's Identity Management (IdM) or IPA Server that meets the following criteria.

Example scenario:

  • There are two groups of users created in IdM: AppManager & AppDeploy
    • Alternatively, AppManager or AppDeploy could each be a single user or several individual users, without requiring a dedicated group.
  • The two groups have disjoint membership (no user may belong to one group if they belong to the other).
  • When an app needs to be upgraded or patched, or system/app maintenance is scheduled, AppManager can grant the AppDeploy group the access required to deploy or upgrade the app.
  • What is not wanted is for AppManager members to have complete control over any user, or complete control over all sudo rules, RBAC roles, or HBAC roles, as that could circumvent our security controls.

Environment

Red Hat Identity Management (IdM) Server installed on:

  • Red Hat Enterprise Linux (RHEL) 7
  • Red Hat Enterprise Linux (RHEL) 8
