15.4. Defining Role-Based Access Controls

Role-based access control grants a very different kind of authority to users compared to self-service and delegation access controls. Role-based access controls are fundamentally administrative, with the potential to add, delete, and significantly modify entries.

There are three parts to role-based access controls:

The permission. The permission defines a specific operation or set of operations (write, add, or delete) and the target entries within the IPA LDAP directory to which those operations apply. Permissions are building blocks; they can be assigned to multiple privileges as needed.
The privileges available to a role. A privilege is essentially a group of permissions. Permissions are not applied directly to a role. Permissions are added to a privilege so that the privilege creates a coherent and complete picture of a set of access control rules. For example, a permission can be created to add, edit, and delete automount locations. Then that permission can be combined with another permission relating to managing FTP services, and they can be used to create a single privilege that relates to managing filesystems.
The role. This is the list of IPA users who are able to perform the actions defined in the privileges.

It is possible to create entirely new permissions, as well as to create new privileges based on existing permissions or new permissions. A list of the default privileges and their associated permissions are in Table 15.1, “Privileges and Permissions in IPA”.

NOTE

Identity Management does not provide a way to grant read access explicitly, and this is an important distinction from standard LDAP access control rules. In LDAP, all operations, including read, are implicitly denied and must be explicitly granted. In IPA, read and search access are implicitly granted to any authenticated user.

Because read access is already granted, there is no way through the UI to grant read access. However, there is an option in the CLI tools to grant read access for special cases where there may be a broad deny rule set but read access should be granted to specific attributes. For example, read access is blocked to password attributes, but could be allowed by a special read permission.

Table 15.1. Privileges and Permissions in IPA

Privilege

Associated Permissions

Automount Administrators

Add_Automount_maps

Remove_Automount_maps

Add_Automount_keys

Remove_Automount_keys

Certificate Administrators

Retrieve_Certificates_from_the_CA

Request_Certificate

Request_Certificates_from_a_different_hos

Get_Certificates_status_from_the_CA

Revoke_Certificate

Certificate_Remove_Hold

Delegation Administrator

Add_Roles

Remove_Roles

Modify_Roles

Modify_Role_membership

Modify_privilege_membership

DNS Administrators (for users)

add_dns_entries

remove_dns_entries

update_dns_entries

DNS Servers (for machines)

add_dns_entries

remove_dns_entries

update_dns_entries

Group Administrators

Add_Groups

Remove_Groups

Modify_Groups

Modify_Group_membership

HBAC Administrator

Add_HBAC_rule

Delete_HBAC_rule

Modify_HBAC_rule

Manage_HBAC_rule_membership

Add_HBAC_services

Delete_HBAC_services

Add_HBAC_service_groups

Delete_HBAC_service_groups

Manage_HBAC_service_group_membership

Host Administrators

Add_Hosts

Remove_Hosts

Modify_Hosts

Manage_host_keytab

Enroll_a_host

Add_krbPrincipalName_to_a_host

Host Enrollment

Manage_host_keytab

Enroll_a_host

Add_krbPrincipalName_to_a_host

Host Group Administrators

Add_Hostgroups

Remove_Hostgroups

Modify_Hostgroups

Modify_Hostgroup_membership

Modify Users and Reset Passwords

Modify_Users

Netgroups Administrators

Add_netgroups

Remove_netgroups

Modify_netgroups

Modify_netgroup_membership

Password Policy Administrator

Add_Group_Password_Policy_costemplate

Delete_Group_Password_Policy_costemplate

Modify_Group_Password_Policy_costemplate

Add_Group_Password_Policy

Delete_Group_Password_Policy

Modify_Group_Password_Policy

Replication Administrators^[a]

Add_Replication_Agreements

Remove_Replication_Agreements

Modify_Replication_Agreements

Service Administrators

Add_Services

Remove_Services

Modify_Services

Manage_service_keytab

Sudo Administrator

Add_Sudo_rule

Delete_Sudo_rule

Modify_Sudo_rule

Add_Sudo_command

Delete_Sudo_command

Modify_Sudo_command

Add_Sudo_command_group

Delete_Sudo_command_group

Manage_Sudo_command_group_membership

User Administrators

Change_a_user_password

Add_user_to_default_group

Unlock_user_accounts

Remove_Users

Modify_Users

Add_Users

Write IPA Configuration

Write_IPA_Configuration

^[a] This permission can only be granted to servers, not to users.

15.4.1. Creating Roles

15.4.1.1. Creating Roles in the Web UI

Open the IPA Server tab in the top menu, and select the Role Based Access Control subtab.
Click the Add link at the top of the list of role-based ACIs.
Enter the role name and a description.
Click the Add and Edit button to save the new role and go to the configuration page.
Open the Privileges tab in the role configuration page.
Click the Enroll link at the top of the list of privileges to add a new privilege.
Enter the role name and a description.

15.4.1.2. Creating Roles in the Command Line

Add the new role:

# ipa role-add --desc="User Administrator" useradmin
  ------------------------
  Added role "useradmin"
  ------------------------
  Role name: useradmin
  Description: User Administrator

Add the required privileges to the role:

# ipa role-add-privilege --privileges="User Administrators" useradmin
  Role name: useradmin
  Description: User Administrator
  Privileges: user administrators
  ----------------------------
  Number of privileges added 1
----------------------------

Add the required groups to the role. In this case, we are adding only a single group, useradmin, which already exists.

# ipa role-add-member --groups=useradmins useradmin
  Role name: useradmin
  Description: User Administrator
  Member groups: useradmins
  Privileges: user administrators
  -------------------------
  Number of members added 1
-------------------------

15.4.2. Creating New Permissions

NOTE

15.4.2.1. Creating New Permissions from the Web UI

Open the IPA Server tab in the top menu, and select the Role Based Access Control subtab.
Select the Permissions task link.
Click the Add link at the top of the list of permissions.
Enter the name of the new permission.
Select the checkboxes next to the allowed operations for this permission.
Select the method to use to identify the target entries from the Target drop-down menu. There are four different methods:
- Type looks for an entry type like user, host, or service and then provides a list of all possible attributes for that entry type. The attributes which will be accessible through this ACI are selected from the list.
- Filter uses an LDAP filter to identify which entries the permission applies to. All attributes within the matching entries can be modified.
- Subtree targets every entry beneath the specified subtree entry. All attributes within the matching entries can be modified.
- Target group specifies a user group, and all the user entries within that group are available through the ACI. All attributes within the matching entries can be modified.
Fill in the required information to identify the target entries, depending on the selected type.
Click the Add button to save the permission.

15.4.2.2. Creating New Permissions from the Command Line

A new permission is added using the permission-add command. All permissions require a list of allowed actions (--permissions), but the way that the target entries for the ACI are selected can be different. There are four options:

--type looks for an entry type like user, host, or service and then provides a list of all possible attributes for that entry type. The attributes which will be accessible through this ACI are selected from the list.
--filter uses an LDAP filter to identify which entries the permission applies to. All attributes within the matching entries can be modified.
--subtree targets every entry beneath the specified subtree entry. All attributes within the matching entries can be modified.
--targetgroup specifies a user group, and all the user entries within that group are available through the ACI. All attributes within the matching entries can be modified.

Example 15.1. Adding a Permission with a Filter

A filter can be any valid LDAP filter.

$ ipa permission-add "manage Windows groups" --filter="posixGroup=false" --permissions=write

NOTE

The permission-add command does not validate the given LDAP filter. Verify that the filter returns the expected results before configuring the permission.

Example 15.2. Adding a Permission for a Subtree

All a subtree filter requires is a DN within the directory. Since IPA uses a simplified, flat directory tree structure, this can be used to target some types of entries, like automount locations, which are containers or parent entries for other configuration.

$ ipa permission-add "manage automount locations" --subtree="ldap://ldap.example.com:389/cn=automount,dc=example,dc=com" --permissions=write

Example 15.3. Adding a Permission Based on Object Type

There seven object types that can be used to form a permission:

user
group
host
service
hostgroup
netgroup
dnsrecord

Each type has its own set of allowed attributes, and the attributes which are managed by this permission are set with the --attrs option, in a comma-separated list.

$ ipa permission-add "manage service" --permissions=all --type=service --attrs=krbprincipalkey,krbprincipalname,managedby

The attributes (--attrs) must exist and be allowed attributes for the given object type, or the permission operation fails with schema syntax errors.

15.4.3. Creating New Privileges

15.4.3.1. Creating New Privileges from the Web UI

Open the IPA Server tab in the top menu, and select the Role Based Access Control subtab.
Select the Privileges task link.
Click the Add link at the top of the list of privileges.
Enter the name and a description of the privilege.
Click the Add and Edit button to go to the privilege configuration page to add permissions.
Select the Permissions tab.
Click the Enroll link at the top of the list of permissions to add permission to the privilege.
Click the checkbox by the names of the permissions to add, and click the right arrows button, >>, to move the permissions to the selection box.
Click the Enroll button.

15.4.3.2. Creating New Privileges from the Command Line

Privilege entries are created using the privilege-add command, and then permissions are added to the privilege group using the privilege-add-permission command.

Create the privilege entry.

$ ipa privilege-add "managing filesystems" --desc="for filesystems"

Assign the desired permissions. For example:

$ ipa privilege-add-permission "managing filesystems" --permissions="managing automount","managing ftp services"