Chapter 28. Delegating permissions to user groups to manage users using IdM CLI
Delegation is one of the access control methods in IdM, along with self-service rules and role-based access control (RBAC). You can use delegation to assign permissions to one group of users to manage entries for another group of users.
28.1. Delegation rules
You can delegate permissions to user groups to manage users by creating delegation rules.
Delegation rules allow a specific user group to perform write (edit) operations on specific attributes for users in another user group. This form of access control rule is limited to editing the values of a subset of attributes you specify in a delegation rule; it does not grant the ability to add or remove whole entries or control over unspecified attributes.
Delegation rules grant permissions to existing user groups in IdM. You can use delegation to, for example, allow the managers user group to manage selected attributes of users in the employees user group.
28.2. Creating a delegation rule using IdM CLI
Follow this procedure to create a delegation rule using the IdM CLI.
Prerequisites
- You are logged in as a member of the admins group.
Procedure
- Enter the ipa delegation-add command. Specify the following options:
  - --group: the group that is granted permissions over the entries of users in the member group.
  - --membergroup: the group whose entries can be edited by members of the delegation group.
  - --permissions: whether users will have the right to view the given attributes (read) and add or change the given attributes (write). If you do not specify permissions, only the write permission will be added.
  - --attrs: the attributes of users in the member group that members of the delegation group are allowed to view or edit.
28.3. Viewing existing delegation rules using IdM CLI
Follow this procedure to view existing delegation rules using the IdM CLI.
Prerequisites
- You are logged in as a member of the admins group.
Procedure
- Enter the ipa delegation-find command.
28.4. Modifying a delegation rule using IdM CLI
Follow this procedure to modify an existing delegation rule using the IdM CLI.
The --attrs option overwrites the previous list of supported attributes, so always include the complete list of attributes along with any new attributes. This also applies to the --permissions option.
Prerequisites
- You are logged in as a member of the admins group.
Procedure
- Enter the ipa delegation-mod command with the desired changes. For example, you can add the displayname attribute to the basic manager attributes example rule.
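As an added example that is not part of the IdM documentation, the following POSIX shell script applies the caveat above to the delegation-add and delegation-mod commands from 28.2 and 28.4: it reads the rule's current attribute list from ipa delegation-show, merges the new attributes into it, and passes the complete list back with one --attrs option per attribute. The "Attributes:" output label, the constructed sample output and the delegation_add_attrs wrapper are assumptions; only the wrapper touches a live IdM server.

```shell
#!/bin/sh
# Added example, not from the IdM documentation. "ipa delegation-mod --attrs"
# replaces the rule's whole attribute list, so a safe change reads the current
# list first, merges in the new attributes and passes the full list back.

# Constructed sample of "ipa delegation-show" output for the rule from 28.4.
# Assumption: the attribute list is printed under the label "Attributes:".
SAMPLE_SHOW='  Delegation name: basic manager attributes
  Permissions: read, write
  Attributes: businesscategory, departmentnumber, employeetype, employeenumber
  Member user group: employees
  User group: managers'

# Read delegation-show output on stdin; print the attributes as one
# comma-separated line, trimmed and lowercased (LDAP names are case-insensitive).
parse_delegation_attrs() {
    sed -n 's/^[[:space:]]*Attributes:[[:space:]]*//p' | tr ',' '\n' |
        tr -d ' \t' | tr '[:upper:]' '[:lower:]' | sed '/^$/d' | paste -s -d ',' -
}

# Merge two comma-separated lists, keeping first-seen order and dropping
# duplicates, so no attribute that is already granted is silently lost.
merge_attrs() {
    printf '%s\n%s\n' "$1" "$2" | tr ',' '\n' | tr -d ' \t' |
        tr '[:upper:]' '[:lower:]' | sed '/^$/d' | awk '!seen[$0]++' |
        paste -s -d ',' -
}

# Hypothetical wrapper: extend rule $1 with the attributes in $2 (comma
# separated). Needs a Kerberos ticket for a member of the admins group.
# One --attrs option is passed per attribute, the form the IdM docs use, and
# the command is assembled with "$@" so rule names with spaces survive.
delegation_add_attrs() {
    rule=$1 new=$2
    current=$(ipa delegation-show "$rule" | parse_delegation_attrs)
    [ -n "$current" ] || { echo "no attributes found for rule: $rule" >&2; return 1; }
    set -- ipa delegation-mod "$rule"
    for a in $(merge_attrs "$current" "$new" | tr ',' ' '); do
        set -- "$@" "--attrs=$a"
    done
    "$@"
}
```

Because the complete list is rebuilt from the server's own answer, attributes already granted are never dropped by a typo in the new list.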
28.5. Deleting a delegation rule using IdM CLI
Follow this procedure to delete an existing delegation rule using the IdM CLI.
Prerequisites
- You are logged in as a member of the admins group.
Procedure
- Enter the ipa delegation-del command. When prompted, enter the name of the delegation rule you want to delete:

  $ ipa delegation-del
  Delegation name: basic manager attributes
  ---------------------------------------------
  Deleted delegation "basic manager attributes"
  ---------------------------------------------