红帽全球峰会31.2. Managing IdM permissions in the CLI
Follow this procedure to manage Identity Management (IdM) permissions using the command line (CLI).
Prerequisites
- Administrator privileges for managing IdM or the User Administrator role.
- An active Kerberos ticket. For details, see Using kinit to log in to IdM manually.
Procedure
Create new permission entries with the
ipa permission-addcommand. For example, to add a permission named dns admin:$ ipa permission-add "dns admin"Specify the properties of the permission with the following options:
--bindtypespecifies the bind rule type. This option accepts theall,anonymous, andpermissionarguments. Thepermissionbindtype means that only the users who are granted this permission via a role can exercise it.For example:
$ ipa permission-add "dns admin" --bindtype=allIf you do not specify
--bindtype, thenpermissionis the default value.注意It is not possible to add permissions with a non-default bind rule type to privileges. You also cannot set a permission that is already present in a privilege to a non-default bind rule type.
--rightlists the rights granted by the permission, it replaces the deprecated--permissionsoption. The available values areadd,delete,read,search,compare,write,all.You can set multiple attributes by using multiple
--rightoptions or with a comma-separated list inside curly braces. For example:$ ipa permission-add "dns admin" --right=read --right=write $ ipa permission-add "dns admin" --right={read,write}注意addanddeleteare entry-level operations (for example, deleting a user, adding a group, and so on) whileread,search,compareandwriteare more attribute-level: you can write touserCertificatebut not readuserPassword.--attrsgives the list of attributes over which the permission is granted.You can set multiple attributes by using multiple
--attrsoptions or by listing the options in a comma-separated list inside curly braces. For example:$ ipa permission-add "dns admin" --attrs=description --attrs=automountKey $ ipa permission-add "dns admin" --attrs={description,automountKey}The attributes provided with
--attrsmust exist and be allowed attributes for the given object type, otherwise the command fails with schema syntax errors.--typedefines the entry object type to which the permission applies, such as user, host, or service. Each type has its own set of allowed attributes. For example:$ ipa permission-add "manage service" --right=all --type=service --attrs=krbprincipalkey --attrs=krbprincipalname --attrs=managedby--subtreegives a subtree entry; the filter then targets every entry beneath this subtree entry. Provide an existing subtree entry;--subtreedoes not accept wildcards or non-existent domain names (DNs). Include a DN within the directory.Because IdM uses a simplified, flat directory tree structure,
--subtreecan be used to target some types of entries, like automount locations, which are containers or parent entries for other configuration. For example:$ ipa permission-add "manage automount locations" --subtree="ldap://ldap.example.com:389/cn=automount,dc=example,dc=com" --right=write --attrs=automountmapname --attrs=automountkey --attrs=automountInformation注意The
--typeand--subtreeoptions are mutually exclusive: you can see the inclusion of filters for--typeas a simplification of--subtree, intending to make life easier for an admin.--filteruses an LDAP filter to identify which entries the permission applies to.IdM automatically checks the validity of the given filter. The filter can be any valid LDAP filter, for example:
$ ipa permission-add "manage Windows groups" --filter="(!(objectclass=posixgroup))" --right=write --attrs=description--memberofsets the target filter to members of the given group after checking that the group exists. For example, to let the users with this permission modify the login shell of members of the engineers group:$ ipa permission-add ManageShell --right="write" --type=user --attr=loginshell --memberof=engineers注意Setting the
memberofattribute permission is not applied if the target LDAP entry does not contain any reference to group membership.--targetgroupsets target to the specified user group after checking that the group exists. For example, to let those with the permission write the member attribute in the engineers group (so they can add or remove members):$ ipa permission-add ManageMembers --right="write" --subtree=cn=groups,cn=accounts,dc=example,dc=test --attr=member --targetgroup=engineersOptionally, you can specify a target domain name (DN):
-
--targetspecifies the DN to apply the permission to. Wildcards are accepted. -
--targettospecifies the DN subtree where an entry can be moved to. -
--targetfromspecifies the DN subtree from where an entry can be moved.
-
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}