Granular Privilege Escalation and Delegation within Red Hat's Identity Management Server

Solution In Progress - Updated -


Unable to implement a Role Based Access Control (RBAC) or Host Based Access Control (HBAC) policy within Red Hat Identity Management (IdM), also known as the IPA Server, that meets the following criteria.

Example scenario:

  • There are two groups of users created in IdM: AppManager and AppDeploy.
    • Alternatively, AppManager or AppDeploy could be a single user or several individual users, without requiring a specific group.
  • The membership of the two groups is disjoint: no user may be a member of both groups.
  • When an app needs to be upgraded or patched, or system/app maintenance is due, a member of AppManager can grant the AppDeploy group the access required to deploy or upgrade the app.
  • What is not wanted is for AppManager members to have full control over any user, or full control over all sudo rules, RBAC roles, or HBAC rules, as that could be used to circumvent the security controls.
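The narrowest IdM delegation that maps onto this scenario is a permission scoped to the `member` attribute of the single AppDeploy group, wired through a privilege into a role held by AppManager. The script below is an added example, not code from this article or from Red Hat; the group, permission, privilege and role names are assumptions for illustration. It uses the `ipa` CLI's own `permission-add`, `privilege-add`, `role-add` family of commands. Note what it does and does not achieve: AppManager members get write access to AppDeploy's membership and nothing else (no control over other users, sudo rules, RBAC roles or HBAC rules), but nothing in the permission itself prevents an AppManager member from adding their own account to AppDeploy, so the disjoint-membership criterion still has to be enforced and audited separately. The `check_disjoint` function is included for that audit.

```shell
#!/bin/sh
# Added example for the AppManager / AppDeploy scenario (not from the
# article). Group, permission, privilege and role names are assumptions.
set -eu

# Set IPA=echo to print the ipa commands instead of executing them.
IPA="${IPA:-ipa}"

# Create the two groups. "|| true" keeps the script idempotent when a
# group already exists.
create_groups() {
    "$IPA" group-add AppManager --desc='May grant deploy access' || true
    "$IPA" group-add AppDeploy  --desc='Deploys and upgrades the app' || true
}

# Permission -> privilege -> role chain. The permission grants write on the
# "member" attribute of the one group named by --targetgroup, so the role
# holder cannot touch other groups, users, sudo, HBAC or RBAC objects.
delegate_appdeploy_membership() {
    "$IPA" permission-add 'Manage AppDeploy membership' \
        --right=write --type=group --targetgroup=AppDeploy --attrs=member
    "$IPA" privilege-add 'AppDeploy membership management'
    "$IPA" privilege-add-permission 'AppDeploy membership management' \
        --permissions='Manage AppDeploy membership'
    "$IPA" role-add 'AppManager'
    "$IPA" role-add-privilege 'AppManager' \
        --privileges='AppDeploy membership management'
    "$IPA" role-add-member 'AppManager' --groups=AppManager
}

# The delegation above does not stop an AppManager member from adding
# themselves to AppDeploy. Given the two groups' member lists (one uid per
# line), print every uid present in both and return 1 if any overlap exists.
check_disjoint() {
    overlap=$( { printf '%s\n' "$1" | sort -u; printf '%s\n' "$2" | sort -u; } \
               | sort | uniq -d )
    [ -z "$overlap" ] || { printf '%s\n' "$overlap"; return 1; }
}

# Uncomment to apply against a live IdM server (needs an admin Kerberos ticket):
# create_groups
# delegate_appdeploy_membership
```

Run it with `IPA=echo` first to review the exact `ipa` invocations, then with a real admin ticket. To audit the disjointness criterion, feed `check_disjoint` the uid lists of both groups as taken from `ipa group-show`; a non-zero exit means someone is in both groups and the delegation has been abused or misconfigured.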


Red Hat Identity Management (IdM) Server installed on:

  • Red Hat Enterprise Linux (RHEL) 7
  • Red Hat Enterprise Linux (RHEL) 8
