
Chapter 32. Managing role-based access controls using the IdM Web UI


Learn more about role-based access control (RBAC) in Identity Management (IdM). RBAC is a security feature that restricts access to authorized users. You can define roles with specific permissions and then assign those roles to users.

For general information about role-based access in IdM, see Role based access control in IdM.

32.1. Managing permissions in the IdM Web UI

Follow this procedure to manage permissions in Identity Management (IdM) using the web interface (IdM Web UI).

Prerequisites

Procedure

  1. To add a new permission, open the IPA Server>Role-Based Access Control submenu and select Permissions.
  2. The list of permissions opens. Click the Add button at the top of the list of permissions.
  3. The Add Permission form opens. Specify the name of the new permission and define its properties.
  4. Select the appropriate bind rule type:

    • permission is the default permission type, granting access through privileges and roles
    • all specifies that the permission applies to all authenticated users
    • anonymous specifies that the permission applies to all users, including unauthenticated users

      Note

      It is not possible to add permissions with a non-default bind rule type to privileges. You also cannot set a permission that is already present in a privilege to a non-default bind rule type.

  5. Choose the rights to grant with this permission in Granted rights.
  6. Define the method to identify the target entries for the permission:

    • Type specifies an entry type, such as user, host, or service. If you choose a value for the Type setting, a list of all attributes that will be accessible through this ACI for that entry type appears under Effective Attributes. Defining Type sets Subtree and Target DN to one of the predefined values.
    • Subtree (required) specifies a subtree entry; every entry beneath this subtree entry is then targeted. Provide an existing subtree entry, as Subtree does not accept wildcards or nonexistent distinguished names (DNs). For example: cn=automount,dc=example,dc=com
    • Extra target filter uses an LDAP filter to identify which entries the permission applies to. The filter can be any valid LDAP filter, for example: (!(objectclass=posixgroup))

      IdM automatically checks the validity of the given filter. If you enter an invalid filter, IdM warns you about this when you attempt to save the permission.

    • Target DN specifies the distinguished name (DN) of the target entries and accepts wildcards. For example: uid=*,cn=users,cn=accounts,dc=com
    • Member of group sets the target filter to members of the given group. After you specify the filter settings and click Add, IdM validates the filter. If all the permission settings are correct, IdM performs the search. If any of the permission settings are incorrect, IdM displays a message telling you which setting is set incorrectly.

      Note

      A permission set on the memberof attribute is not applied if the target LDAP entry contains no reference to group membership.

  7. Add attributes to the permission:

    • If you set Type, choose the Effective attributes from the list of available ACI attributes.
    • If you did not use Type, add the attributes manually by writing them into the Effective attributes field. Add a single attribute at a time; to add multiple attributes, click Add to add another input field.

      Important

      If you do not set any attributes for the permission, the permission includes all attributes by default.

  8. Finish adding the permissions with the Add buttons at the bottom of the form:

    • Click the Add button to save the permission and go back to the list of permissions.
    • To save the permission and continue adding additional permissions in the same form, click the Add and Add another button.
    • The Add and Edit button enables you to save and continue editing the newly created permission.
  9. Optional: You can also edit the properties of an existing permission by clicking its name from the list of permissions to display the Permission settings page.
  10. Optional: If you need to remove an existing permission, select the checkbox next to its name in the list and click the Delete button to display the Remove permissions dialog. Click Delete.

    Note

    Operations on default managed permissions are restricted: the attributes you cannot modify are disabled in the IdM Web UI and you cannot delete the managed permissions completely.

    However, you can effectively disable a managed permission that has a bind type set to permission, by removing the managed permission from all privileges.

    For example, the following shows how to configure the permission write on the member attribute in the engineers group (so they can add or remove members):

    Example for adding a permission

32.2. Managing privileges in the IdM Web UI

Follow this procedure to manage privileges in IdM using the web interface (IdM Web UI).

Prerequisites

Procedure

  1. To add a new privilege, open the IPA Server>Role-Based Access Control submenu and select Privileges.
  2. The list of privileges opens. Click the Add button at the top of the list of privileges.
  3. The Add Privilege form opens. Enter the name and a description of the privilege.
  4. Click the Add and Edit button to save the new privilege and continue to the privilege configuration page to add permissions.
  5. Click the Permissions tab to display a list of permissions included in the selected privilege. Click the Add button at the top of the list to add permissions to the privilege.
  6. Select the checkbox next to the name of each permission to add, and use the > button to move the permissions to the Prospective column.
  7. Confirm by clicking the Add button.
  8. Optional: If you need to remove permissions, select the checkbox next to the relevant permissions and click the Delete button to display the Remove privileges from permissions dialog. Click Delete.
  9. Optional: If you need to delete an existing privilege, select the checkbox next to its name in the list and click the Delete button to open the Remove privileges dialog. Click Delete.

32.3. Managing roles in the IdM Web UI

Follow this procedure to manage roles in Identity Management (IdM) using the web interface (IdM Web UI).

Prerequisites

Procedure

  1. To add a new role, open the IPA Server>Role-Based Access Control submenu and select Roles.
  2. The list of roles opens. Click the Add button at the top of the list of roles.
  3. The Add Role form opens. Enter the role name and a description.
  4. Click the Add and Edit button to save the new role and continue to the role configuration page to add privileges and users.
  5. Add members using the Users, User Groups, Hosts, Host Groups, or Services tabs, by clicking the Add button at the top of the relevant list.
  6. In the window that opens, select the members on the left and use the > button to move them to the Prospective column.
  7. Select the Privileges tab and click Add.
  8. Select the privileges on the left and use the > button to move them to the Prospective column.
  9. Click the Add button to save.
  10. Optional: If you need to remove privileges or members from a role, select the checkbox next to the name of the entity you want to remove and click the Delete button. A dialog opens. Click Delete.
  11. Optional: If you need to remove an existing role, select the checkbox next to its name in the list and click the Delete button to display the Remove roles dialog. Click Delete.
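The three Web UI procedures above (permission in 32.1, privilege in 32.2, role in 32.3) have command-line equivalents in the ipa client. The following is an added example, not part of the Red Hat documentation or the FreeIPA project's own code, that chains them into one workflow for the documentation's own case: a permission granting write on the member attribute of the engineers group, bundled into a privilege, carried by a role, and assigned to a user. The permission, privilege, role and user names are assumptions. Running it for real requires an IdM client with a Kerberos ticket for an administrator (kinit admin) and IPA_APPLY=1; with IPA=echo it only prints the commands it would run.

```shell
#!/bin/sh
# Added example (not from the Red Hat documentation): ipa command-line
# equivalents of the Web UI procedures for permissions, privileges and roles,
# chained for the "write on the member attribute of the engineers group" case.
# Permission, privilege, role and user names are assumptions.
# Real use needs an IdM client with an administrator Kerberos ticket
# (kinit admin); set IPA=echo to print the commands instead of running them.
set -eu

IPA="${IPA:-ipa}"

PERM="Write engineers members"      # assumed permission name
PRIV="Engineers membership admin"   # assumed privilege name
ROLE="Engineers manager"            # assumed role name
GROUP="engineers"                   # group from the documentation's example
USER_NAME="${USER_NAME:-jdoe}"      # assumed user who receives the role

# Section 32.1 equivalent: a permission granting the "write" right on the
# "member" attribute, targeted at the engineers group entry.
# --bindtype=permission is the default; permissions with bind type "all" or
# "anonymous" cannot be added to privileges, so they would be useless below.
add_permission() {
    "$IPA" permission-add "$PERM" \
        --targetgroup="$GROUP" \
        --right=write \
        --attrs=member \
        --bindtype=permission
}

# Section 32.2 equivalent: a privilege that bundles the permission.
add_privilege() {
    "$IPA" privilege-add "$PRIV" --desc="Manage membership of the $GROUP group"
    "$IPA" privilege-add-permission "$PRIV" --permissions="$PERM"
}

# Section 32.3 equivalent: a role carrying the privilege, assigned to a user.
add_role() {
    "$IPA" role-add "$ROLE" --desc="Can add and remove $GROUP members"
    "$IPA" role-add-privilege "$ROLE" --privileges="$PRIV"
    "$IPA" role-add-member "$ROLE" --users="$USER_NAME"
}

# Verification: display the resulting objects; --all on permission-show also
# prints the generated ACI so the effective target and rights can be reviewed.
show_result() {
    "$IPA" permission-show "$PERM" --all
    "$IPA" role-show "$ROLE"
}

# Apply only when explicitly requested, so sourcing this file changes nothing.
if [ "${IPA_APPLY:-0}" = "1" ]; then
    add_permission
    add_privilege
    add_role
    show_result
fi
```

Reviewing the output of permission-show after the role is in place is the step worth keeping: it confirms that the permission's target is the single group entry and that the only granted right is write on member, which is the least-privilege shape the Web UI procedure aims for.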