https://bugzilla.redhat.com/show_bug.cgi?id=773759
Description of problem:
With IPA and delegated administration, at this time, there is no concept of "scoping" those permissions. However, the permission "Change a user passwd" needs, by default, to exclude users in the Administrators group ... or any help desk or User admin can change the administrator's password without being prompted for the existing password.

Version-Release number of selected component (if applicable):

How reproducible:
always

Steps to Reproduce:
1. Add a new user and assign the user a password
2. Assign the new user the helpdesk role that contains the "Change a user password" permission
3. kinit as the user
4. Change the admin user's password: ipa passwd admin

Actual results:
help desk admin can change passwords of users in Administrators group

Expected results:
Denied being able to change the password

Additional info:
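As an added illustration of the scoping the ticket asks for (this is not the attached patch and not FreeIPA's own ACI definitions), the 389-ds ACI below shows the weak form, which grants password writes on every user entry, next to a form restricted by a targetfilter so that members of the admins group are excluded. The suffix dc=example,dc=com, the group and permission DNs, and the attribute list are assumptions; the MemberOf plugin is assumed to maintain memberOf on user entries.

```ldif
# Constructed example, not the ticket's patch. Assumed suffix: dc=example,dc=com
# Before: the permission grants write on password attributes for every entry
# under cn=users, so any holder of it (e.g. a helpdesk member) can reset admin's
# password without knowing the current one.
dn: cn=users,cn=accounts,dc=example,dc=com
changetype: modify
delete: aci
aci: (targetattr = "userPassword || krbPrincipalKey || passwordHistory")(version 3.0; acl "permission:Change a user password"; allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=example,dc=com";)
-
# After: a targetfilter limits the ACI to entries that are NOT members of the
# admins group. With no other ACI granting the write, the default deny applies
# to admins' password attributes, which is the expected result in the ticket.
add: aci
aci: (targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=example,dc=com))")(targetattr = "userPassword || krbPrincipalKey || passwordHistory")(version 3.0; acl "permission:Change a user password"; allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,dc=example,dc=com";)
```

After applying such a change, re-running the ticket's reproduction steps as the helpdesk user should end with the password change being denied, and the directory server's access log will show the rejected modify.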
attachment freeipa-rcrit-942-aci.patch
master: ffd3950
ipa-2-2: 6c222bd
Metadata Update from @dpal: - Issue assigned to rcritten - Issue set to the milestone: FreeIPA 2.2 Core Effort - 2012/02