
Chapter 25. Policy: Defining Automatic Group Membership for Users and Hosts


Most of the policies and configuration within the Identity Management domain are based on groups. Settings from sudo rules to automount to access control are defined for groups, and then those settings are applied to group members.
Managing group membership is an important factor in managing users and hosts. Creating automember groups defines rules to add users and hosts to specified groups automatically, as soon as a new entry is added.

25.1. About Automembership

One of the most critical tasks for managing policies, identities, and security is managing group membership in Identity Management. Groups are the core of most policy configuration.
By default, hosts do not belong to any group when they are created; users are added to the catchall ipausers group. Even if custom groups are configured and all policy configuration is in place, users and hosts cannot take advantage of those policies until they are joined to groups. Of course, this can be done manually, but it is both more efficient and more consistent if group membership can be assigned automatically.
This is done with automembership groups.
Automembership is essentially an automatic, global entry filter that organizes entries, at least in part, based on specific criteria. An automember rule, then, is the way that filter is specified.
For example, there are many different, repeatable ways to categorize identities within the IT and organizational environment:
  • Adding all hosts or all users to a single global group.
  • Adding employees to specific groups based on their employee type, ID number, manager, or physical location.
  • Dividing hosts based on their IP address or subnet.
Automembers provide a way to pre-sort those entries. That makes it easier to configure the behavior that you actually want, such as granting different sudo rules to different user types or to machines on different subnets, or applying different automount settings to different users.

Note

Automembership only applies to new users or hosts. Changing the configuration for an existing user or group does not trigger a change in group membership.
Automembership is a target set on an existing user group or host group. An automembership rule is created as a policy. This is a sister entry to the actual group entry and it signals that the given group is used for automatic group membership.
Once the rule is created — once the group is identified as being a target — then the next step is to define automember conditions. Conditions are regular expression filters that are used to identify group members. Conditions can be inclusive or exclusive, meaning that matching entries can be added or ignored based on those conditions.
There can be multiple conditions in a single rule. A user or host entry can match multiple rules and be added to multiple groups.
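
The condition logic described above, modelled as an added example (not Red Hat's code or the IdM implementation). The group names, host names, and regular expressions are constructed, and the model assumes that an exclusive match overrides an inclusive one and that a regex matches anywhere in the value unless it is anchored.

```python
import re
from dataclasses import dataclass, field


@dataclass
class AutomemberRule:
    """Model of one automember rule: a target group plus regex conditions."""
    group: str
    inclusive: list = field(default_factory=list)  # (attribute, regex) pairs
    exclusive: list = field(default_factory=list)  # (attribute, regex) pairs

    def matches(self, entry: dict) -> bool:
        def hit(conditions):
            return any(re.search(regex, value)
                       for attr, regex in conditions
                       for value in entry.get(attr, []))
        # Assumption: an exclusive match wins over any inclusive match.
        return not hit(self.exclusive) and hit(self.inclusive)


def groups_for(entry: dict, rules: list) -> list:
    """Return every target group whose rule accepts the newly added entry."""
    return sorted(rule.group for rule in rules if rule.matches(entry))


# Constructed rules: one anchored, one with an exclusion, one unanchored.
RULES = [
    AutomemberRule("webservers",
                   inclusive=[("fqdn", r"^web\d+\.example\.com$")]),
    AutomemberRule("corp-hosts",
                   inclusive=[("fqdn", r"\.example\.com$")],
                   exclusive=[("fqdn", r"^db\d+\.")]),
    AutomemberRule("loose-web",
                   inclusive=[("fqdn", r"web")]),  # unanchored: overmatches
]

# Constructed host entries, as they would look at creation time.
HOSTS = [
    {"fqdn": ["web01.example.com"]},
    {"fqdn": ["db01.example.com"]},
    {"fqdn": ["cobweb-test.lab.example.net"]},
]

if __name__ == "__main__":
    for host in HOSTS:
        print(host["fqdn"][0], "->", groups_for(host, RULES))
```

The third host lands in `loose-web` only because that condition is unanchored, which matters when the target group carries sudo or access control rules.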
Automembership is a way of imposing reliable order on user and host entries by adding them to groups as they are created.
The key to using automember groups effectively is to plan your overall Identity Management structure — the access control policies, sudo rules, host/service management rules, host groups, and user groups.
Once the structure is in place, then several things are clear:
  • What groups will be used in Identity Management
  • What specific groups different types of users and hosts need to belong to in order to perform their designated functions
  • What delineating attributes can be used to filter users and hosts into the appropriate groups