Bug #31699

open

External users are invisible to local admin but visible to external admin accounts

Added by Ondřej Ezr about 3 years ago. Updated about 3 years ago.

Status: New
Priority: Normal
Assignee: -
Category: Users, Roles and Permissions
Target version: -
Difficulty:
Triaged: No
Fixed in Releases:
Found in Releases:

Description

Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1812688

Description of problem:

Foreman is set up to authenticate against an IPA server through sssd by following the steps from official docs at [1]. User group mappings are created and working fine. Now, when a remote user logs in for the first time, Foreman should create that user locally. It kinda does: only if you are logged in as a remote admin user will you see the new user under Administer > Users. If you are logged in as a local admin user, the remote non-admin user will not show up on the user list at Administer > Users.

Version-Release number of selected component (if applicable):
I remember seeing this issue on Satellite 6.3, possibly earlier. I just confirmed it's still happening on Satellite 6.6.1 and 6.7.0 Beta though.

How reproducible:
Every time

Steps to Reproduce:
1. Create 2 groups on an IPA server: satadmins and satusers.
2. On IPA, create user "idmadmin01" and add to satadmins.
3. On IPA, create user "idmuser02" and add to satusers.
4. Follow the steps at [1] to set up Satellite authentication against this IPA server.
5. Create 2 local groups on Satellite: satadmins and satusers, link them to their counterparts from IPA.
6. Assign all roles containing "view" or "read" to the satusers group, check the Admin checkbox for the satadmins group.
7. Open 2 separate browser sessions (use an anonymous window for the second one, or a separate account container if using Firefox).
8. On browser window 1, log into Satellite with user "idmuser02" i.e. a member of the remote satusers group.
9. On browser window 2, log into Satellite with an admin user (local or remote).
10. On browser window 2, go to Administer > Users.

Actual results:
If step #9 is done with a LOCAL admin user, idmuser02 will not appear on Satellite at step #10. In contrast:
If step #9 is done with a REMOTE admin user (idmadmin01), then idmuser02 appears on Satellite at step #10.

Expected results:
Step #10 would show all users, remote or local, regardless of you being logged into Satellite as a local or remote admin.

Additional info:

[1] Authenticating Satellite to Red Hat Identity Manager, official documentation for Satellite 6.7.0 Beta: https://access.redhat.com/documentation/en-us/red_hat_satellite/6.7-beta/html-single/administering_red_hat_satellite/index#sect-Red_Hat_Satellite-Administering_Red_Hat_Satellite-Configuring_External_Authentication-Using_Identity_Management

Also [1] Same as the above, for Satellite 6.6: https://access.redhat.com/documentation/en-us/red_hat_satellite/6.6/html-single/administering_red_hat_satellite/index#configuring-idm-authentication-on-satellite-server_assembly

#1

Updated by Ondřej Ezr about 3 years ago

  • Subject changed from External users are invisible to local admin but visible to external admin accounts to External users are invisible to local admin but visible to external admin accounts
  • Category changed from Authentication to Users, Roles and Permissions