第 32 章 Managing role-based access controls using the IdM Web UI

Procedure

1. To add a new permission, open the IPA Server>Role-Based Access Control submenu and select Permissions:
2. The list of permissions opens: Click the Add button at the top of the list of the permissions:
3. The Add Permission form opens. Specify the name of the new permission and define its properties.

4. Select the appropriate bind rule type:

   • permission is the default permission type, granting access through privileges and roles
   • all specifies that the permission applies to all authenticated users

   • anonymous specifies that the permission applies to all users, including unauthenticated users

     注意

     It is not possible to add permissions with a non-default bind rule type to privileges. You also cannot set a permission that is already present in a privilege to a non-default bind rule type.

5. Choose the rights to grant with this permission in Granted rights.

6. Define the method to identify the target entries for the permission:

   • Type specifies an entry type, such as user, host, or service. If you choose a value for the Type setting, a list of all possible attributes which will be accessible through this ACI for that entry type appears under Effective Attributes. Defining Type sets Subtree and Target DN to one of the predefined values.
   • Subtree (required) specifies a subtree entry; every entry beneath this subtree entry is then targeted. Provide an existing subtree entry, as Subtree does not accept wildcards or non-existent domain names (DNs). For example: cn=automount,dc=example,dc=com

   • Extra target filter uses an LDAP filter to identify which entries the permission applies to. The filter can be any valid LDAP filter, for example: (!(objectclass=posixgroup))

     IdM automatically checks the validity of the given filter. If you enter an invalid filter, IdM warns you about this when you attempt to save the permission.

   • Target DN specifies the domain name (DN) and accepts wildcards. For example: uid=*,cn=users,cn=accounts,dc=com

   • Member of group sets the target filter to members of the given group. After you specify the filter settings and click Add, IdM validates the filter. If all the permission settings are correct, IdM will perform the search. If some of the permissions settings are incorrect, IdM will display a message informing you about which setting is set incorrectly.

     注意

     Setting the memberof attribute permission is not applied if the target LDAP entry does not contain any reference to group membership.

7. Add attributes to the permission:

   • If you set Type, choose the Effective attributes from the list of available ACI attributes.

   • If you did not use Type, add the attributes manually by writing them into the Effective attributes field. Add a single attribute at a time; to add multiple attributes, click Add to add another input field.

     重要

     If you do not set any attributes for the permission, then the permissions includes all attributes by default.

8. Finish adding the permissions with the Add buttons at the bottom of the form:

   • Click the Add button to save the permission and go back to the list of permissions.
   • To save the permission and continue adding additional permissions in the same form, click the Add and Add another button.
   • The Add and Edit button enables you to save and continue editing the newly created permission.
9. Optional: You can also edit the properties of an existing permission by clicking its name from the list of permissions to display the Permission settings page.

10. Optional: If you need to remove an existing permission, select the checkbox next to its name in the list and click the Delete button to display The Remove permissions dialog. Click Delete.

    注意

    Operations on default managed permissions are restricted: the attributes you cannot modify are disabled in the IdM Web UI and you cannot delete the managed permissions completely.

    However, you can effectively disable a managed permission that has a bind type set to permission, by removing the managed permission from all privileges.

    For example, the following shows how to configure the permission write on the member attribute in the engineers group (so they can add or remove members):