27.2. Defining Self-Service Settings


Self-service access control rules define the operations that an entity can perform on itself. These rules define only what attributes a user (or other IdM entity) can edit on their personal entries.
Three self-service rules exist by default:
  • A rule for editing some general attributes in the personal entry, including given name and surname, phone numbers, and addresses.
  • A rule to edit personal passwords, including two Samba passwords, the Kerberos password, and the general user password.
  • A rule to manage personal SSH keys.

27.2.1. Creating Self-Service Rules from the Web UI

  1. Open the IPA Server tab in the top menu, and select the Self Service Permissions subtab.
  2. Click the Add link at the top of the list of self-service ACIs.
  3. Enter the name of the rule in the pop-up window. Spaces are allowed.
  4. Select the checkboxes by the attributes which this ACI will permit users to edit.
  5. Click the Add button to save the new self-service ACI.

27.2.2. Creating Self-Service Rules from the Command Line

A new self-service rule can be added using the selfservice-add command. There are two required options: --permissions, which sets whether the ACI grants write, add, or delete permission, and --attrs, which gives the full list of attributes to which this ACI grants permission.
$ ipa selfservice-add "Users can manage their own name details" --permissions=write --attrs=givenname,displayname,title,initials
-----------------------------------------------------------
Added selfservice "Users can manage their own name details"
-----------------------------------------------------------
    Self-service name: Users can manage their own name details
    Permissions: write
    Attributes: givenname, displayname, title, initials

27.2.3. Editing Self-Service Rules

In the self-service entry in the web UI, the only element that can be edited is the list of attributes that are included in the ACI. The checkboxes can be selected or deselected.
Figure 27.1. Self-Service Edit Page

With the command line, self-service rules are edited using the ipa selfservice-mod command. The --attrs option overwrites whatever the previous list of supported attributes was, so always include the complete list of attributes along with any new attributes.
$ ipa selfservice-mod "Users can manage their own name details" --attrs=givenname,displayname,title,initials,surname
--------------------------------------------------------------
Modified selfservice "Users can manage their own name details"
--------------------------------------------------------------
    Self-service name: Users can manage their own name details
    Permissions: write
    Attributes: givenname, displayname, title, initials, surname

Important

Include all of the attributes when modifying a self-service rule, including existing ones.
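
Because --attrs replaces the whole list, a small wrapper can read the rule's current attributes and append the new ones before calling ipa selfservice-mod. This is an added example, not part of the Red Hat documentation: the function names are hypothetical, the sample output is constructed, and it assumes ipa selfservice-show prints the Attributes line in the same layout as the output shown on this page.

```shell
#!/bin/sh
# Constructed sample of rule details, in the layout the ipa output on this page uses.
SAMPLE_SHOW='    Self-service name: Users can manage their own name details
    Permissions: write
    Attributes: givenname, displayname, title, initials'

# current_attrs: read rule details on stdin, print the existing attributes one per line.
current_attrs() {
    sed -n 's/^[[:space:]]*Attributes:[[:space:]]*//p' |
        tr ',' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//; /^$/d'
}

# merge_attrs NEW...: read rule details on stdin and print the complete
# comma-separated list: existing attributes first, then any new ones.
# LDAP attribute names are case-insensitive, so compare in lowercase.
merge_attrs() {
    {
        current_attrs
        for a in "$@"; do printf '%s\n' "$a"; done
    } | tr '[:upper:]' '[:lower:]' | awk '!seen[$0]++' | paste -sd, -
}

# add_selfservice_attrs RULE NEW... (hypothetical helper): needs the ipa client
# and a valid Kerberos ticket. It stops if the current rule cannot be read,
# so a failed lookup never turns into a shortened --attrs list.
add_selfservice_attrs() {
    rule=$1
    shift
    details=$(ipa selfservice-show "$rule") || return 1
    existing=$(printf '%s\n' "$details" | current_attrs)
    [ -n "$existing" ] || { echo "no attributes read for: $rule" >&2; return 1; }
    ipa selfservice-mod "$rule" --attrs="$(printf '%s\n' "$details" | merge_attrs "$@")"
}

# Offline demonstration on the constructed sample: adding surname keeps the other four.
printf '%s\n' "$SAMPLE_SHOW" | merge_attrs surname
```

On an enrolled host, add_selfservice_attrs "Users can manage their own name details" surname would issue the selfservice-mod call with the merged list.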