Red Hat Summit Red Hat SummitSuporteConsoleDesenvolvedoresComeçar um testeContato

Este conteúdo não está disponível no idioma selecionado.

Chapter 19. Managing self-service rules in IdM using the CLI

Learn about self-service rules in Identity Management (IdM) and how to create and edit self-service access rules on the command line (CLI).

19.1. Self-service access control in IdM
Copiar o link

Self-service access control rules define which operations an Identity Management (IdM) entity can perform on its IdM Directory Server entry: for example, IdM users have the ability to update their own passwords.

This method of control allows an authenticated IdM entity to edit specific attributes within its LDAP entry, but does not allow add or delete operations on the entire entry.

Warning

Be careful when working with self-service access control rules: configuring access control rules improperly can inadvertently elevate an entity’s privileges.

19.2. Creating self-service rules using the CLI
Copiar o link

Follow this procedure to create self-service access rules in IdM using the command line (CLI).

Prerequisites

Procedure

  • To add a self-service rule, use the ipa selfservice-add command and specify the following two options:

    --permissions
    sets the read and write permissions the Access Control Instruction (ACI) grants.
    --attrs

    sets the complete list of attributes to which this ACI grants permission.

    For example, to create a self-service rule allowing users to modify their own name details: 

    $ ipa selfservice-add "Users can manage their own name details" --permissions=write --attrs=givenname --attrs=displayname --attrs=title --attrs=initials
-----------------------------------------------------------
Added selfservice "Users can manage their own name details"
-----------------------------------------------------------
    Self-service name: Users can manage their own name details
    Permissions: write
    Attributes: givenname, displayname, title, initials
    Copy to Clipboard Toggle word wrap

19.3. Editing self-service rules using the CLI
Copiar o link

Follow this procedure to edit self-service access rules in IdM using the command line (CLI).

Prerequisites

Procedure

  1. Optional: Display existing self-service rules with the ipa selfservice-find command.
  2. Optional: Display details for the self-service rule you want to modify with the ipa selfservice-show command.

  3. Use the ipa selfservice-mod command to edit a self-service rule.

    For example: 

    $ ipa selfservice-mod "Users can manage their own name details" --attrs=givenname --attrs=displayname --attrs=title --attrs=initials --attrs=surname
--------------------------------------------------------------
Modified selfservice "Users can manage their own name details"
--------------------------------------------------------------
Self-service name: Users can manage their own name details
Permissions: write
Attributes: givenname, displayname, title, initials
    Copy to Clipboard Toggle word wrap
    Important

    Using the ipa selfservice-mod command overwrites the previously defined permissions and attributes, so always include the complete list of existing permissions and attributes along with any new ones you want to define.

Verification

  • Use the ipa selfservice-show command to display the self-service rule you edited. 

    $ ipa selfservice-show "Users can manage their own name details"
--------------------------------------------------------------
Self-service name: Users can manage their own name details
Permissions: write
Attributes: givenname, displayname, title, initials
    Copy to Clipboard Toggle word wrap

19.4. Deleting self-service rules using the CLI
Copiar o link

Follow this procedure to delete self-service access rules in IdM using the command line (CLI).

Prerequisites

Procedure

  • Use the ipa selfservice-del command to delete a self-service rule.

    For example: 

    $ ipa selfservice-del "Users can manage their own name details"
-----------------------------------------------------------
Deleted selfservice "Users can manage their own name details"
-----------------------------------------------------------
    Copy to Clipboard Toggle word wrap

Verification

  • Use the ipa selfservice-find command to display all self-service rules. The rule you just deleted should be missing.
Voltar ao topo
Red Hat logoGithubredditYoutubeTwitter

Aprender

Experimente, compre e venda

Comunidades

Sobre a documentação da Red Hat

Ajudamos os usuários da Red Hat a inovar e atingir seus objetivos com nossos produtos e serviços com conteúdo em que podem confiar. Explore nossas atualizações recentes.

Tornando o open source mais inclusivo

A Red Hat está comprometida em substituir a linguagem problemática em nosso código, documentação e propriedades da web. Para mais detalhes veja o Blog da Red Hat.

Sobre a Red Hat

Fornecemos soluções robustas que facilitam o trabalho das empresas em plataformas e ambientes, desde o data center principal até a borda da rede.

Theme

© 2025 Red Hat