Red Hat Summit Red Hat SummitSuporteConsoleDesenvolvedoresComeçar um testeContato

Este conteúdo não está disponível no idioma selecionado.

Chapter 33. Managing role-based access controls in IdM using the CLI

Manage role-based access control (RBAC) in Identity Management (IdM) using the CLI to restrict administrative access to authorized users. Define roles with specific permissions and assign them to users to enforce the principle of least privilege.

33.1. Role-based access control in IdM
Copiar o link

Use role-based access control (RBAC) in Identity Management (IdM) to grant fine-grained administrative authority to users through permissions, privileges, and roles. RBAC provides more granular control than self-service and delegation access methods.

Role-based access control is composed of three parts:

  • Permissions grant the right to perform a specific task such as adding or deleting users, modifying a group, and enabling read-access.
  • Privileges combine permissions, for example all the permissions needed to add a new user.
  • Roles grant a set of privileges to users, user groups, hosts or host groups.

33.1.1. Permissions in IdM
Copiar o link

Understand how IdM permissions define specific operations on LDAP entries as the lowest level unit of role-based access control (RBAC). Comparable to building blocks, permissions can be assigned to as many privileges as needed.

One or more rights define what operations are allowed:

  • write
  • read
  • search
  • compare
  • add
  • delete
  • all

These operations apply to three basic targets:

  • subtree: a domain name (DN); the subtree under this DN
  • target filter: an LDAP filter
  • target: DN with possible wildcards to specify entries

Additionally, the following convenience options set the corresponding attribute(s):

  • type: a type of object (user, group, etc); sets subtree and target filter

  • memberof: members of a group; sets a target filter

    Note

    Setting the memberof attribute permission is not applied if the target LDAP entry does not contain any reference to group membership.

  • targetgroup: grants access to modify a specific group (such as granting the rights to manage group membership); sets a target

With IdM permissions, you can control which users have access to which objects and even which attributes of these objects. IdM enables you to allow or block individual attributes or change the entire visibility of a specific IdM function, such as users, groups, or sudo, to all anonymous users, all authenticated users, or just a certain group of privileged users.

For example, the flexibility of this approach to permissions is useful for an administrator who wants to limit access of users or groups only to the specific sections these users or groups need to access and to make the other sections completely hidden to them.

Note

A permission cannot contain other permissions.

33.1.2. Default managed permissions
Copiar o link

Understand how IdM managed permissions differ from user-created permissions and how to extend them with included or excluded attributes.

Managed permissions are permissions that come by default with IdM. They behave like other permissions created by the user, with the following differences:

  • You cannot delete them or modify their name, location, and target attributes.

  • They have three sets of attributes:

    • Default attributes, the user cannot modify them, as they are managed by IdM
    • Included attributes, which are additional attributes added by the user
    • Excluded attributes, which are attributes removed by the user

A managed permission applies to all attributes that appear in the default and included attribute sets but not in the excluded set.

Note

While you cannot delete a managed permission, setting its bind type to permission and removing the managed permission from all privileges effectively disables it.

Names of all managed permissions start with System:, for example System: Add Sudo rule or System: Modify Services. Earlier versions of IdM used a different scheme for default permissions. For example, the user could not delete them and was only able to assign them to privileges. Most of these default permissions have been turned into managed permissions, however, the following permissions still use the previous scheme:

  • Add Automember Rebuild Membership Task
  • Add Configuration Sub-Entries
  • Add Replication Agreements
  • Certificate Remove Hold
  • Get Certificates status from the CA
  • Read DNA Range
  • Modify DNA Range
  • Read PassSync Managers Configuration
  • Modify PassSync Managers Configuration
  • Read Replication Agreements
  • Modify Replication Agreements
  • Remove Replication Agreements
  • Read LDBM Database Configuration
  • Request Certificate
  • Request Certificate ignoring CA ACLs
  • Request Certificates from a different host
  • Retrieve Certificates from the CA
  • Revoke Certificate
  • Write IPA Configuration
Note

If you attempt to modify a managed permission from the command line, the system does not allow you to change the attributes that you cannot modify, the command fails. If you attempt to modify a managed permission from the Web UI, the attributes that you cannot modify are disabled.

33.1.3. Privileges in IdM
Copiar o link

Understand how IdM privileges combine multiple permissions needed for specific administrative tasks like creating users or managing groups.

While a permission provides the rights to do a single operation, there are certain IdM tasks that require multiple permissions to succeed. Therefore, a privilege combines the different permissions required to perform a specific task.

For example, setting up an account for a new IdM user requires the following permissions:

  • Creating a new user entry
  • Resetting a user password
  • Adding the new user to the default IPA users group

Combining these three low-level tasks into a higher level task in the form of a custom privilege named, for example, Add User makes it easier for a system administrator to manage roles. IdM already contains several default privileges. Apart from users and user groups, privileges are also assigned to hosts and host groups, as well as network services. This practice permits a fine-grained control of operations by a set of users on a set of hosts using specific network services.

Note

A privilege may not contain other privileges.

33.1.4. Roles in IdM
Copiar o link

Understand how IdM roles group privileges together to define what actions specific users or groups can perform in your domain.

In effect, permissions grant the ability to perform given low-level tasks (such as creating a user entry and adding an entry to a group), privileges combine one or more of these permissions needed for a higher-level task (such as creating a new user in a given group). Roles gather privileges together as needed: for example, a User Administrator role would be able to add, modify, and delete users.

Important

Roles are used to classify permitted actions. They are not used as a tool to implement privilege separation or to protect from privilege escalation.

Note

Roles cannot contain other roles.

33.1.5. Predefined roles in Identity Management
Copiar o link

Review the default RBAC roles available in Red Hat Enterprise Linux Identity Management (IdM) to understand which privileges are assigned for common administrative tasks.

IdM provides the following range of pre-defined roles:

Expand
Table 33.1. Predefined Roles in Identity Management
RolePrivilegeDescription

Enrollment Administrator

Host Enrollment

Responsible for client, or host, enrollment

helpdesk

Modify Users and Reset passwords, Modify Group membership

Responsible for performing simple user administration tasks

IT Security Specialist

Netgroups Administrators, HBAC Administrator, Sudo Administrator

Responsible for managing security policy such as host-based access controls, sudo rules

IT Specialist

Host Administrators, Host Group Administrators, Service Administrators, Automount Administrators

Responsible for managing hosts

Security Architect

Delegation Administrator, Replication Administrators, Write IPA Configuration, Password Policy Administrator

Responsible for managing the Identity Management environment, creating trusts, creating replication agreements

User Administrator

User Administrators, Group Administrators, Stage User Administrators

Responsible for creating users and groups

33.2. Managing IdM permissions in the CLI
Copiar o link

Create and configure permissions using the Identity Management (IdM) CLI to define granular access control rules for LDAP operations. Permissions enable you to specify which users can perform specific actions on particular objects and attributes.

Prerequisites

Procedure

  1. Create new permission entries with the ipa permission-add command. For example, to add a permission named dns admin: 

    $ ipa permission-add "dns admin"

  2. Specify the properties of the permission with the following options:

    • --bindtype specifies the bind rule type. This option accepts the all, anonymous, and permission arguments. The permission bindtype means that only the users who are granted this permission via a role can exercise it.

      For example: 

      $ ipa permission-add "dns admin" --bindtype=all

      If you do not specify --bindtype, then permission is the default value.

      Note

      It is not possible to add permissions with a non-default bind rule type to privileges. You also cannot set a permission that is already present in a privilege to a non-default bind rule type.

    • --right lists the rights granted by the permission, it replaces the deprecated --permissions option. The available values are add, delete, read, search, compare, write, all.

      You can set multiple attributes by using multiple --right options or with a comma-separated list inside curly braces. For example: 

      $ ipa permission-add "dns admin" --right=read --right=write
$ ipa permission-add "dns admin" --right={read,write}
      Note

      add and delete are entry-level operations (for example, deleting a user, adding a group, and so on) while read, search, compare and write are more attribute-level: you can write to userCertificate but not read userPassword.

    • --attrs gives the list of attributes over which the permission is granted.

      You can set multiple attributes by using multiple --attrs options or by listing the options in a comma-separated list inside curly braces. For example: 

      $ ipa permission-add "dns admin" --attrs=description --attrs=automountKey
$ ipa permission-add "dns admin" --attrs={description,automountKey}

      The attributes provided with --attrs must exist and be allowed attributes for the given object type, otherwise the command fails with schema syntax errors.

    • --type defines the entry object type to which the permission applies, such as user, host, or service. Each type has its own set of allowed attributes. For example: 

      $ ipa permission-add "manage service" --right=all --type=service --attrs=krbprincipalkey --attrs=krbprincipalname --attrs=managedby

    • --subtree gives a subtree entry; the filter then targets every entry beneath this subtree entry. Provide an existing subtree entry; --subtree does not accept wildcards or non-existent domain names (DNs). Include a DN within the directory.

      Because IdM uses a simplified, flat directory tree structure, --subtree can be used to target some types of entries, like automount locations, which are containers or parent entries for other configuration. For example: 

      $ ipa permission-add "manage automount locations" --subtree="ldap://ldap.example.com:389/cn=automount,dc=example,dc=com" --right=write --attrs=automountmapname --attrs=automountkey --attrs=automountInformation
      Note

      The --type and --subtree options are mutually exclusive: you can see the inclusion of filters for --type as a simplification of --subtree, intending to make life easier for an admin.

    • --filter uses an LDAP filter to identify which entries the permission applies to.

      IdM automatically checks the validity of the given filter. The filter can be any valid LDAP filter, for example: 

      $ ipa permission-add "manage Windows groups" --filter="(!(objectclass=posixgroup))" --right=write --attrs=description

    • --memberof sets the target filter to members of the given group after checking that the group exists. For example, to let the users with this permission modify the login shell of members of the engineers group: 

      $ ipa permission-add ManageShell --right="write" --type=user --attr=loginshell --memberof=engineers
      Note

      Setting the memberof attribute permission is not applied if the target LDAP entry does not contain any reference to group membership.

    • --targetgroup sets target to the specified user group after checking that the group exists. For example, to let those with the permission write the member attribute in the engineers group (so they can add or remove members): 

      $ ipa permission-add ManageMembers --right="write" --subtree=cn=groups,cn=accounts,dc=example,dc=test --attr=member --targetgroup=engineers

    • Optionally, you can specify a target domain name (DN):

      • --target specifies the DN to apply the permission to. Wildcards are accepted.
      • --targetto specifies the DN subtree where an entry can be moved to.
      • --targetfrom specifies the DN subtree from where an entry can be moved.

33.3. Command options for existing permissions
Copiar o link

Manage existing permissions in Identity Management (IdM) using command-line tools to modify access control policies dynamically.

Using these commands, you can view, edit, and delete permissions without recreating roles or privileges:

  • To edit existing permissions, use the ipa permission-mod command. You can use the same command options as for adding permissions.
  • To find existing permissions, use the ipa permission-find command. You can use the same command options as for adding permissions.

  • To view a specific permission, use the ipa permission-show command.

    The --raw argument shows the raw 389-ds ACI that is generated. For example: 

    $ ipa permission-show <permission> --raw
  • The ipa permission-del command deletes a permission completely.

33.4. Managing IdM privileges in the CLI
Copiar o link

Create and configure privileges using the Identity Management (IdM) CLI to group related permissions for role-based access control. Privileges simplify access management by bundling multiple permissions into reusable components.

Prerequisites

Procedure

  1. Add privilege entries using the ipa privilege-add command

    For example, to add a privilege named managing filesystems with a description: 

    $ ipa privilege-add "managing filesystems" --desc="for filesystems"

  2. Assign the required permissions to the privilege group with the privilege-add-permission command

    For example, to add the permissions named managing automount and managing ftp services to the managing filesystems privilege: 

    $ ipa privilege-add-permission "managing filesystems" --permissions="managing automount" --permissions="managing ftp services"

33.5. Command options for existing privileges
Copiar o link

Manage existing privileges in Identity Management (IdM) using command-line tools to adjust permission bundles assigned to roles.

Using these commands, you can modify access control policies without recreating roles from scratch:

  • To modify existing privileges, use the ipa privilege-mod command.
  • To find existing privileges, use the ipa privilege-find command.
  • To view a specific privilege, use the ipa privilege-show command.
  • The ipa privilege-remove-permission command removes one or more permissions from a privilege.
  • The ipa privilege-del command deletes a privilege completely.

33.6. Managing IdM roles in the CLI
Copiar o link

Create and configure roles using the Identity Management (IdM) CLI to assign sets of privileges to users, groups, or hosts. Roles enable delegation of administrative tasks by granting specific capabilities without full administrator access.

Prerequisites

Procedure

  1. Add new role entries using the ipa role-add command: 

    $ ipa role-add --desc="User Administrator" useradmin
------------------------
Added role "useradmin"
------------------------
Role name: useradmin
Description: User Administrator

  2. Add the required privileges to the role using the ipa role-add-privilege command: 

    $ ipa role-add-privilege --privileges="user administrators" useradmin
Role name: useradmin
Description: User Administrator
Privileges: user administrators
----------------------------
Number of privileges added 1
----------------------------

  3. Add the required members to the role using the ipa role-add-member command. Allowed member types are: users, groups, hosts and hostgroups. For example, to add the group named useradmins to the previously created useradmin role: 

    $ ipa role-add-member --groups=useradmins useradmin
Role name: useradmin
Description: User Administrator
Member groups: useradmins
Privileges: user administrators
-------------------------
Number of members added 1
-------------------------

33.7. Command options for existing roles
Copiar o link

Manage existing roles in Identity Management (IdM) using command-line tools to modify user access and administrative capabilities.

Using these commands, you can adjust role membership and privileges without recreating the entire role-based access control structure:

  • To modify existing roles, use the ipa role-mod command.
  • To find existing roles, use the ipa role-find command.
  • To view a specific role, use the ipa role-show command.
  • To remove a member from the role, use the ipa role-remove-member command.
  • The ipa role-remove-privilege command removes one or more privileges from a role.
  • The ipa role-del command deletes a role completely.
Red Hat logoGithubredditYoutubeTwitter

Aprender

Experimente, compre e venda

Comunidades

Sobre a documentação da Red Hat

Ajudamos os usuários da Red Hat a inovar e atingir seus objetivos com nossos produtos e serviços com conteúdo em que podem confiar. Explore nossas atualizações recentes.

Tornando o open source mais inclusivo

A Red Hat está comprometida em substituir a linguagem problemática em nosso código, documentação e propriedades da web. Para mais detalhes veja o Blog da Red Hat.

Sobre a Red Hat

Fornecemos soluções robustas que facilitam o trabalho das empresas em plataformas e ambientes, desde o data center principal até a borda da rede.

Theme

© 2026 Red HatVoltar ao topo