31.2. Managing IdM permissions in the CLI

Procedure

1. Create new permission entries with the ipa permission-add command. For example, to add a permission named dns admin:

   $ ipa permission-add "dns admin"

2. Specify the properties of the permission with the following options:

   • --bindtype specifies the bind rule type. This option accepts the all, anonymous, and permission arguments. The permission bindtype means that only the users who are granted this permission via a role can exercise it.

     For example:

     $ ipa permission-add "dns admin" --bindtype=all

     If you do not specify --bindtype, then permission is the default value.

     참고

     It is not possible to add permissions with a non-default bind rule type to privileges. You also cannot set a permission that is already present in a privilege to a non-default bind rule type.

   • --right lists the rights granted by the permission, it replaces the deprecated --permissions option. The available values are add, delete, read, search, compare, write, all.

     You can set multiple attributes by using multiple --right options or with a comma-separated list inside curly braces. For example:

     $ ipa permission-add "dns admin" --right=read --right=write
     $ ipa permission-add "dns admin" --right={read,write}

     참고

     add and delete are entry-level operations (for example, deleting a user, adding a group, and so on) while read, search, compare and write are more attribute-level: you can write to userCertificate but not read userPassword.

   • --attrs gives the list of attributes over which the permission is granted.

     You can set multiple attributes by using multiple --attrs options or by listing the options in a comma-separated list inside curly braces. For example:

     $ ipa permission-add "dns admin" --attrs=description --attrs=automountKey
     $ ipa permission-add "dns admin" --attrs={description,automountKey}

     The attributes provided with --attrs must exist and be allowed attributes for the given object type, otherwise the command fails with schema syntax errors.

   • --type defines the entry object type to which the permission applies, such as user, host, or service. Each type has its own set of allowed attributes. For example:

     $ ipa permission-add "manage service" --right=all --type=service --attrs=krbprincipalkey --attrs=krbprincipalname --attrs=managedby

   • --subtree gives a subtree entry; the filter then targets every entry beneath this subtree entry. Provide an existing subtree entry; --subtree does not accept wildcards or non-existent domain names (DNs). Include a DN within the directory.

     Because IdM uses a simplified, flat directory tree structure, --subtree can be used to target some types of entries, like automount locations, which are containers or parent entries for other configuration. For example:

     $ ipa permission-add "manage automount locations" --subtree="ldap://ldap.example.com:389/cn=automount,dc=example,dc=com" --right=write --attrs=automountmapname --attrs=automountkey --attrs=automountInformation

     참고

     The --type and --subtree options are mutually exclusive: you can see the inclusion of filters for --type as a simplification of --subtree, intending to make life easier for an admin.

   • --filter uses an LDAP filter to identify which entries the permission applies to.

     IdM automatically checks the validity of the given filter. The filter can be any valid LDAP filter, for example:

     $ ipa permission-add "manage Windows groups" --filter="(!(objectclass=posixgroup))" --right=write --attrs=description

   • --memberof sets the target filter to members of the given group after checking that the group exists. For example, to let the users with this permission modify the login shell of members of the engineers group:

     $ ipa permission-add ManageShell --right="write" --type=user --attr=loginshell --memberof=engineers

     참고

     Setting the memberof attribute permission is not applied if the target LDAP entry does not contain any reference to group membership.

   • --targetgroup sets target to the specified user group after checking that the group exists. For example, to let those with the permission write the member attribute in the engineers group (so they can add or remove members):

     $ ipa permission-add ManageMembers --right="write" --subtree=cn=groups,cn=accounts,dc=example,dc=test --attr=member --targetgroup=engineers

   • Optionally, you can specify a target domain name (DN):

     • --target specifies the DN to apply the permission to. Wildcards are accepted.
     • --targetto specifies the DN subtree where an entry can be moved to.
     • --targetfrom specifies the DN subtree from where an entry can be moved.