11.5. Allowing Non-admin Users to Manage User Entries
By default, only the admin user is allowed to manage the user life cycle and to disable or enable user accounts. To allow another, non-admin user to do this, create a new role, add the relevant permissions to this role, and assign the non-admin user to the role.
By default, IdM includes the following privileges related to managing user accounts:
- Modify Users and Reset passwords: This privilege includes permissions to modify various user attributes.
- User Administrators: This privilege includes permissions to add active users, activate non-active users, remove users, modify user attributes, and other permissions.
- Stage User Provisioning: This privilege includes a permission to add stage users.
- Stage User Administrator: This privilege includes permissions to perform a number of life cycle operations, such as adding stage users or moving users between life cycle states. However, it does not include permissions to move users to the active state.
For information on defining roles, permissions, and privileges, see Section 10.4, “Defining Role-Based Access Controls”.
Allowing Different Users to Perform Different User Management Operations
The different privileges related to managing user accounts can be added to different users. For example, you can separate privileges for employee account entry and activation by:
- Configuring one user as a stage user administrator, who is allowed to add future employees to IdM as stage users, but not to activate them.
- Configuring another user as a security administrator, who is allowed to activate the stage users after their employee credentials are verified on the first day of employment.
To allow a user to perform certain user management operations, create a new role with the required privilege or privileges, and assign the user to that role.
Example 11.1. Allowing a Non-admin User to Add Stage Users
This example shows how to create a user who is only allowed to add new stage users, but not to perform any other stage user management operations.
- Log in as the admin user or another user allowed to manage role-based access control.

    $ kinit admin

- Create a new custom role to manage adding stage users.
  - Create the System Provisioning role.

        $ ipa role-add --desc "Responsible for provisioning stage users" "System Provisioning"
        --------------------------------
        Added role "System Provisioning"
        --------------------------------
          Role name: System Provisioning
          Description: Responsible for provisioning stage users

  - Add the Stage User Provisioning privilege to the role. This privilege provides the ability to add stage users.

        $ ipa role-add-privilege "System Provisioning" --privileges="Stage User Provisioning"
          Role name: System Provisioning
          Description: Responsible for provisioning stage users
          Privileges: Stage User Provisioning
        ----------------------------
        Number of privileges added 1
        ----------------------------

- Grant a non-admin user the rights to add stage users.
  - If the non-admin user does not yet exist, create a new user. In this example, the user is named stage_user_admin.

        $ ipa user-add stage_user_admin --password
        First name: first_name
        Last name: last_name
        Password:
        Enter password again to verify:
        ...

  - Assign the stage_user_admin user to the System Provisioning role.

        $ ipa role-add-member "System Provisioning" --users=stage_user_admin
          Role name: System Provisioning
          Description: Responsible for provisioning stage users
          Member users: stage_user_admin
          Privileges: Stage User Provisioning
        -------------------------
        Number of members added 1
        -------------------------

- To make sure the System Provisioning role is configured correctly, you can use the ipa role-show command to display the role settings.

    $ ipa role-show "System Provisioning"
    --------------
    1 role matched
    --------------
      Role name: System provisioning
      Description: Responsible for provisioning stage users
      Member users: stage_user_admin
      Privileges: Stage User Provisioning
    ----------------------------
    Number of entries returned 1
    ----------------------------

- Test adding a new stage user as the stage_user_admin user.
  - Log in as stage_user_admin. Note that if you created stage_user_admin as a new user in one of the previous steps, IdM will ask you to change the initial password set by admin.

        $ kinit stage_user_admin
        Password for stage_user_admin@EXAMPLE.COM:
        Password expired.  You must change it now.
        Enter new password:
        Enter it again:

  - To make sure your Kerberos ticket for admin has been replaced with a Kerberos ticket for stage_user_admin, you can use the klist utility.

        $ klist
        Ticket cache: KEYRING:persistent:0:krb_ccache_xIlCQDW
        Default principal: stage_user_admin@EXAMPLE.COM

        Valid starting       Expires              Service principal
        02/25/2016 11:42:20  02/26/2016 11:42:20  krbtgt/EXAMPLE.COM

  - Add a new stage user.

        $ ipa stageuser-add stage_user
        First name: first_name
        Last name: last_name
        ipa: ERROR: stage_user: stage user not found
Note: The error that IdM reports after adding a stage user is expected. The stage_user_admin user is only allowed to add stage users, not to display information about them. Therefore, instead of displaying a summary of the newly added stage_user settings, IdM displays the error.
The stage_user_admin user is not allowed to display information about stage users. Therefore, an attempt to display information about the new stage_user user while logged in as stage_user_admin fails:

    $ ipa stageuser-show stage_user
    ipa: ERROR: stage_user: stage user not found

To display information about stage_user, you can log in as admin:

    $ kinit admin
    Password for admin@EXAMPLE.COM:
    $ ipa stageuser-show stage_user
      User login: stage_user
      First name: Stage
      Last name: User
      ...
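The verification step above relies on reading the output of ipa role-show by eye. The following script is an added example, not part of the Red Hat documentation or of the ipa tool, that turns that step into a repeatable least-privilege check: it parses the "Member users" and "Privileges" fields from role-show output and compares them, order-insensitively, against the exact set a role such as System Provisioning is supposed to carry, so that a privilege or member added later is reported as drift. The role-show output embedded in the script is a constructed sample in the format the page shows; the function names (field, normalize, check_role) are the example's own, and on a live IdM server the output would come from "ipa role-show" instead.

```shell
#!/bin/sh
# Added example (not from the IdM documentation): audit an IdM role against
# the exact privileges and members it is expected to have.

# Print the value of a "Key: value" line from ipa role-show output.
# Usage: field "Privileges" "$output"
field() {
  printf '%s\n' "$2" | sed -n "s/^[[:space:]]*$1: *//p"
}

# Turn a comma-separated list into sorted, trimmed lines so that
# "A, B" and "B, A" compare equal.
normalize() {
  printf '%s\n' "$1" | tr ',' '\n' \
    | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' \
    | grep -v '^$' | sort
}

# check_role EXPECTED_PRIVILEGES EXPECTED_MEMBERS ROLE_SHOW_OUTPUT
# Returns 0 only when the role's privileges and member users match the
# expected sets exactly; any extra or missing entry returns 1.
check_role() {
  want_privs=$(normalize "$1")
  want_members=$(normalize "$2")
  have_privs=$(normalize "$(field 'Privileges' "$3")")
  have_members=$(normalize "$(field 'Member users' "$3")")
  [ "$want_privs" = "$have_privs" ] && [ "$want_members" = "$have_members" ]
}

# Constructed sample: the role exactly as the procedure on the page leaves it.
# On a live server use: OUTPUT=$(ipa role-show "System Provisioning")
SAMPLE_OK='--------------
1 role matched
--------------
  Role name: System Provisioning
  Description: Responsible for provisioning stage users
  Member users: stage_user_admin
  Privileges: Stage User Provisioning
----------------------------
Number of entries returned 1
----------------------------'

# Constructed sample: someone later added the User Administrators privilege,
# which would let the role activate users, not just add stage users.
SAMPLE_DRIFT='--------------
1 role matched
--------------
  Role name: System Provisioning
  Description: Responsible for provisioning stage users
  Member users: stage_user_admin
  Privileges: Stage User Provisioning, User Administrators
----------------------------
Number of entries returned 1
----------------------------'

# Constructed sample: an unexpected second member was added to the role.
SAMPLE_EXTRA_MEMBER='--------------
1 role matched
--------------
  Role name: System Provisioning
  Description: Responsible for provisioning stage users
  Member users: stage_user_admin, contractor_tmp
  Privileges: Stage User Provisioning
----------------------------
Number of entries returned 1
----------------------------'

# Demonstration run against the constructed samples.
for sample in "$SAMPLE_OK" "$SAMPLE_DRIFT" "$SAMPLE_EXTRA_MEMBER"; do
  if check_role "Stage User Provisioning" "stage_user_admin" "$sample"; then
    echo "System Provisioning: matches expected least-privilege definition"
  else
    echo "System Provisioning: DRIFT, privileges or members differ from expectation"
  fi
done
```

Running the script once per role with the expected sets kept alongside the role definitions gives a cheap periodic check that a narrowly scoped role has not quietly grown into something closer to User Administrators.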