Split the hosts into 2 groups, regular and special_access. Put regular operators into a non-POSIX group, regular_operators, and make a different group, special_operators, for those people.
Disable the allow_all rule. Create a regular access rule with regular hosts and regular users. Create a special access rule for special hosts and users.
If special access users can also use regular hosts, add that group to the regular rule as well.

On April 19, 2022 4:20:42 AM EDT, iulian roman via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Hello Everybody, 

I would like to ask if it is possible to deny access to a specific server group for a group of users who have access to all servers by default.
Example: the operators group has access to all servers, but I would like to deny access for them for a specific subset of servers which are highly secure.
Is that possible and if yes, how can it be configured?

Thank You,
i roman

--
Computers amplify human error
Super computers are really cool
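
The steps from the reply at the top of this message, written out as `ipa` CLI commands. This is an added example, not part of the original thread: the rule names and the user/host passed to `verify` are assumptions, and `allow_all` is disabled only as a separate last step, after the new rules have been checked with `hbactest`, so there is no window in which nobody can log in.

```shell
#!/bin/sh
# Added example, not from the thread. Needs an admin Kerberos ticket (kinit admin).
# Host groups regular / special_access and user groups regular_operators /
# special_operators follow the reply; the rule names below are assumptions.
IPA=${IPA:-ipa}   # IPA="echo ipa" prints the commands instead of running them

apply_hbac_split() {
    # Host groups. Enroll hosts afterwards with:
    #   ipa hostgroup-add-member special_access --hosts=<fqdn>
    $IPA hostgroup-add regular
    $IPA hostgroup-add special_access
    # Non-POSIX user groups. Add people with: ipa group-add-member <group> --users=<login>
    $IPA group-add regular_operators --nonposix
    $IPA group-add special_operators --nonposix
    # Regular rule: regular operators on regular hosts, any service
    $IPA hbacrule-add regular_access_rule --servicecat=all
    $IPA hbacrule-add-user regular_access_rule --groups=regular_operators
    $IPA hbacrule-add-host regular_access_rule --hostgroups=regular
    # Special rule: special operators on special hosts, any service
    $IPA hbacrule-add special_access_rule --servicecat=all
    $IPA hbacrule-add-user special_access_rule --groups=special_operators
    $IPA hbacrule-add-host special_access_rule --hostgroups=special_access
    # Only if special operators should also reach the regular hosts:
    $IPA hbacrule-add-user regular_access_rule --groups=special_operators
}

verify_hbac_split() {
    # $1 = login of a regular operator, $2 = FQDN of a host in special_access.
    # Evaluates only the two new rules; expect "Access granted: False" here.
    $IPA hbactest --user="$1" --host="$2" --service=sshd \
        --rules=regular_access_rule --rules=special_access_rule
}

disable_allow_all() {
    # Run last: from here on only the explicit rules grant access.
    $IPA hbacrule-disable allow_all
}

case "${1:-}" in
    apply)   apply_hbac_split ;;
    verify)  verify_hbac_split "$2" "$3" ;;
    disable) disable_allow_all ;;
esac
```

Saved as a script, it is run in three passes: `apply`, then `verify <login> <fqdn>` for each user/host pairing that matters, then `disable`.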