
15.4. Defining Role-Based Access Controls

Role-based access control grants a very different kind of authority to users compared to self-service and delegation access controls. Role-based access controls are fundamentally administrative, with the potential to add, delete, and significantly modify entries.
There are three parts to role-based access controls: permissions, which allow specific operations on specific target entries; privileges, which group permissions; and roles, which group privileges and are assigned to users and groups. It is possible to create entirely new permissions, as well as to create new privileges based on existing permissions or new permissions. A list of the default privileges and their associated permissions is in Table 15.1, “Privileges and Permissions in FreeIPA”.

NOTE

FreeIPA does not provide a way to grant read access explicitly, and this is an important distinction from standard LDAP access control rules. In LDAP, all operations, including read, are implicitly denied and must be explicitly granted. In FreeIPA, read and search access are implicitly granted to any authenticated user.
Because read access is already granted, there is no way through the UI to grant read access. However, there is an option in the CLI tools to grant read access for special cases where there may be a broad deny rule set but read access should be granted to specific attributes. For example, read access is blocked to password attributes, but could be allowed by a special read permission.
Table 15.1. Privileges and Permissions in FreeIPA

  Privilege                          Associated Permissions
  ---------------------------------  -------------------------------------------------------
  Automount Administrators           Add_Automount_maps, Remove_Automount_maps,
                                     Add_Automount_keys, Remove_Automount_keys
  Certificate Administrators         Retrieve_Certificates_from_the_CA, Request_Certificate,
                                     Request_Certificates_from_a_different_host,
                                     Get_Certificates_status_from_the_CA, Revoke_Certificate,
                                     Certificate_Remove_Hold
  Delegation Administrator           Add_Roles, Remove_Roles, Modify_Roles,
                                     Modify_Role_membership, Modify_privilege_membership
  DNS Administrators (for users)     add_dns_entries, remove_dns_entries, update_dns_entries
  DNS Servers (for machines)         add_dns_entries, remove_dns_entries, update_dns_entries
  Group Administrators               Add_Groups, Remove_Groups, Modify_Groups,
                                     Modify_Group_membership
  HBAC Administrator                 Add_HBAC_rule, Delete_HBAC_rule, Modify_HBAC_rule,
                                     Manage_HBAC_rule_membership, Add_HBAC_services,
                                     Delete_HBAC_services, Add_HBAC_service_groups,
                                     Delete_HBAC_service_groups,
                                     Manage_HBAC_service_group_membership
  Host Administrators                Add_Hosts, Remove_Hosts, Modify_Hosts,
                                     Manage_host_keytab, Enroll_a_host,
                                     Add_krbPrincipalName_to_a_host
  Host Enrollment                    Manage_host_keytab, Enroll_a_host,
                                     Add_krbPrincipalName_to_a_host
  Host Group Administrators          Add_Hostgroups, Remove_Hostgroups, Modify_Hostgroups,
                                     Modify_Hostgroup_membership
  Modify Users and Reset Passwords   Modify_Users
  Netgroups Administrators           Add_netgroups, Remove_netgroups, Modify_netgroups,
                                     Modify_netgroup_membership
  Password Policy Administrator      Add_Group_Password_Policy_costemplate,
                                     Delete_Group_Password_Policy_costemplate,
                                     Modify_Group_Password_Policy_costemplate,
                                     Add_Group_Password_Policy, Delete_Group_Password_Policy,
                                     Modify_Group_Password_Policy
  Replication Administrators [a]     Add_Replication_Agreements, Remove_Replication_Agreements,
                                     Modify_Replication_Agreements
  Service Administrators             Add_Services, Remove_Services, Modify_Services,
                                     Manage_service_keytab
  Sudo Administrator                 Add_Sudo_rule, Delete_Sudo_rule, Modify_Sudo_rule,
                                     Add_Sudo_command, Delete_Sudo_command, Modify_Sudo_command,
                                     Add_Sudo_command_group, Delete_Sudo_command_group,
                                     Manage_Sudo_command_group_membership
  User Administrators                Change_a_user_password, Add_user_to_default_group,
                                     Unlock_user_accounts, Remove_Users, Modify_Users, Add_Users
  Write IPA Configuration            Write_IPA_Configuration

  [a] This permission can only be granted to servers, not to users.

15.4.1. Creating Roles

15.4.1.1. Creating Roles in the Web UI

  1. Open the IPA Server tab in the top menu, and select the Role Based Access Control subtab.
  2. Click the Add link at the top of the list of role-based ACIs.
  3. Enter the role name and a description.
  4. Click the Add and Edit button to save the new role and go to the configuration page.
  5. Open the Privileges tab in the role configuration page.
  6. Click the Enroll link at the top of the list of privileges to add a new privilege.
  7. Enter the role name and a description.

15.4.1.2. Creating Roles in the Command Line

  1. Add the new role:
     # ipa role-add --desc="User Administrator" useradmin
     ------------------------
     Added role "useradmin"
     ------------------------
       Role name: useradmin
       Description: User Administrator
  2. Add the required privileges to the role:
     # ipa role-add-privilege --privileges="User Administrators" useradmin
       Role name: useradmin
       Description: User Administrator
       Privileges: user administrators
     ----------------------------
     Number of privileges added 1
     ----------------------------
  3. Add the required groups to the role. In this case, we are adding only a single group, useradmins, which already exists.
     # ipa role-add-member --groups=useradmins useradmin
       Role name: useradmin
       Description: User Administrator
       Member groups: useradmins
       Privileges: user administrators
     -------------------------
     Number of members added 1
     -------------------------

15.4.2. Creating New Permissions

15.4.2.1. Creating New Permissions from the Web UI

  1. Open the IPA Server tab in the top menu, and select the Role Based Access Control subtab.
  2. Select the Permissions task link.
  3. Click the Add link at the top of the list of permissions.
  4. Enter the name of the new permission.
  5. Select the checkboxes next to the allowed operations for this permission.
  6. Select the method to use to identify the target entries from the Target drop-down menu. There are four different methods:
    • Type looks for an entry type like user, host, or service and then provides a list of all possible attributes for that entry type. The attributes which will be accessible through this ACI are selected from the list.
    • Filter uses an LDAP filter to identify which entries the permission applies to. All attributes within the matching entries can be modified.
    • Subtree targets every entry beneath the specified subtree entry. All attributes within the matching entries can be modified.
    • Target group specifies a user group, and all the user entries within that group are available through the ACI. All attributes within the matching entries can be modified.
  7. Fill in the required information to identify the target entries, depending on the selected type.
  8. Click the Add button to save the permission.

15.4.2.2. Creating New Permissions from the Command Line

A new permission is added using the permission-add command. All permissions require a list of allowed actions (--permissions), but the way that the target entries for the ACI are selected can be different. There are four options:
  • --type looks for an entry type like user, host, or service and then provides a list of all possible attributes for that entry type. The attributes which will be accessible through this ACI are selected from the list.
  • --filter uses an LDAP filter to identify which entries the permission applies to. All attributes within the matching entries can be modified.
  • --subtree targets every entry beneath the specified subtree entry. All attributes within the matching entries can be modified.
  • --targetgroup specifies a user group, and all the user entries within that group are available through the ACI. All attributes within the matching entries can be modified.
Example 15.1. Adding a Permission with a Filter
A filter can be any valid LDAP filter.
$ ipa permission-add "manage Windows groups" --filter="posixGroup=false" --permissions=write

NOTE

The permission-add command does not validate the given LDAP filter. Verify that the filter returns the expected results before configuring the permission.
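One way to carry out the check the note asks for, added here as an example rather than as code from the FreeIPA documentation: preview the entries an LDAP filter selects, require the match count to fall in an expected range, and only then create the permission. It assumes OpenLDAP's ldapsearch with a Kerberos ticket for GSSAPI binding; LDAP_URI and BASE_DN are constructed placeholders, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the FreeIPA documentation: preview what an LDAP
# filter selects before passing it to "ipa permission-add", which does not
# validate it. Assumes OpenLDAP's ldapsearch and a Kerberos ticket for GSSAPI
# binding; LDAP_URI and BASE_DN below are constructed placeholders.
LDAP_URI="${LDAP_URI:-ldap://ldap.example.com}"
BASE_DN="${BASE_DN:-dc=example,dc=com}"

# filter_matches FILTER: print the DN of every entry the filter selects
# (handles both "dn:" and base64 "dn::" LDIF lines).
filter_matches() {
    ldapsearch -LLL -Q -Y GSSAPI -H "$LDAP_URI" -b "$BASE_DN" "$1" dn \
        | sed -n 's/^dn:\{1,2\} //p'
}

# check_filter FILTER MIN MAX: succeed only when the match count lies in the
# expected range. Zero matches means a useless permission; far more than
# intended means an over-broad grant, which is the risk worth catching here.
check_filter() {
    count=$(filter_matches "$1" | wc -l | tr -d ' ')
    if [ "$count" -lt "$2" ] || [ "$count" -gt "$3" ]; then
        printf 'filter %s matched %s entries, expected %s..%s\n' \
            "$1" "$count" "$2" "$3" >&2
        return 1
    fi
    printf 'filter %s matched %s entries\n' "$1" "$count"
}

# add_permission_checked NAME FILTER MIN MAX [RIGHTS]: create the permission
# only after the filter preview passes (RIGHTS defaults to write).
add_permission_checked() {
    check_filter "$2" "$3" "$4" || return 1
    ipa permission-add "$1" --filter="$2" --permissions="${5:-write}"
}
```

The MIN and MAX bounds are the point of the check: a filter that matches nothing gives an empty permission, while one that matches the whole directory gives a far wider grant than the permission name suggests, and neither error is reported by permission-add itself.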
Example 15.2. Adding a Permission for a Subtree
All a subtree filter requires is a DN within the directory. Since FreeIPA uses a simplified, flat directory tree structure, this can be used to target some types of entries, like automount locations, which are containers or parent entries for other configuration.
$ ipa permission-add "manage automount locations" --subtree="ldap://ldap.example.com:389/cn=automount,dc=example,dc=com" --permissions=write

Example 15.3. Adding a Permission Based on Object Type
There are seven object types that can be used to form a permission:
  • user
  • group
  • host
  • service
  • hostgroup
  • netgroup
  • dnsrecord
Each type has its own set of allowed attributes, and the attributes which are managed by this permission are set with the --attrs option, in a comma-separated list.
$ ipa permission-add "manage service" --permissions=all --type=service --attrs=krbprincipalkey,krbprincipalname,managedby
The attributes (--attrs) must exist and be allowed attributes for the given object type, or the permission operation fails with schema syntax errors.

15.4.3. Creating New Privileges

15.4.3.1. Creating New Privileges from the Web UI

  1. Open the IPA Server tab in the top menu, and select the Role Based Access Control subtab.
  2. Select the Privileges task link.
  3. Click the Add link at the top of the list of privileges.
  4. Enter the name and a description of the privilege.
  5. Click the Add and Edit button to go to the privilege configuration page to add permissions.
  6. Select the Permissions tab.
  7. Click the Enroll link at the top of the list of permissions to add permission to the privilege.
  8. Click the checkbox by the names of the permissions to add, and click the right arrows button, >>, to move the permissions to the selection box.
  9. Click the Enroll button.

15.4.3.2. Creating New Privileges from the Command Line

Privilege entries are created using the privilege-add command, and then permissions are added to the privilege group using the privilege-add-permission command.
  1. Create the privilege entry.
    $ ipa privilege-add "managing filesystems" --desc="for filesystems"
  2. Assign the desired permissions. For example:
    $ ipa privilege-add-permission "managing filesystems" --permissions="managing automount","managing ftp services"
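The three command-line procedures in this section (15.4.1.2, 15.4.2.2 and 15.4.3.2) fit together into one chain: a permission scoped to specific attributes, a privilege that groups it, and a role that binds the privilege to a user group. The following script, an added example and not FreeIPA's own code, runs that chain with the ipa commands shown above. The role, privilege and group names are constructed for illustration, DRY_RUN is this example's own switch, and a real run needs an admin Kerberos ticket.

```shell
#!/bin/sh
# Added example, not from the FreeIPA documentation: provisions one complete
# permission -> privilege -> role -> member chain with the ipa commands from
# sections 15.4.1.2, 15.4.2.2 and 15.4.3.2. All names are constructed for
# illustration. With DRY_RUN=1 the ipa commands are printed instead of run;
# a real run needs an admin Kerberos ticket (kinit admin).

# run CMD...: execute the command, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# ensure_permission NAME TYPE ATTRS [RIGHTS]: a typed permission limited to
# the listed attributes, so the grant covers only what the task needs.
ensure_permission() {
    run ipa permission-add "$1" --permissions="${4:-write}" --type="$2" --attrs="$3"
}

# ensure_privilege NAME DESC PERMISSIONS: create the privilege and attach the
# comma-separated list of permission names to it.
ensure_privilege() {
    run ipa privilege-add "$1" --desc="$2"
    run ipa privilege-add-permission "$1" --permissions="$3"
}

# ensure_role NAME DESC PRIVILEGE GROUP: create the role, bind the privilege,
# and make an existing user group a member of the role.
ensure_role() {
    run ipa role-add "$1" --desc="$2"
    run ipa role-add-privilege "$1" --privileges="$3"
    run ipa role-add-member "$1" --groups="$4"
}

# role_privileges ROLE: list the privileges bound to a role, one per line,
# parsed from the "Privileges:" summary line of "ipa role-show".
role_privileges() {
    ipa role-show "$1" | sed -n 's/^ *Privileges: *//p' | tr ',' '\n' | sed 's/^ *//'
}

# Demo chain (constructed names): a help-desk role whose only write access
# is to the password and lock attributes of user entries. Guarded so that
# sourcing this file for its functions runs nothing.
if [ "${DRY_RUN:-0}" = "1" ]; then
    ensure_permission "helpdesk reset passwords" user userpassword,krbprincipalkey,nsaccountlock
    ensure_privilege "Help Desk" "password reset and unlock" "helpdesk reset passwords"
    ensure_role helpdesk "Help desk staff" "Help Desk" helpdesk-staff
fi
```

Running the file with DRY_RUN=1 prints the six ipa commands in order so they can be reviewed before anything is changed; after a real run, role_privileges confirms that the role ended up bound to exactly the intended privilege and nothing broader.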