Red Hat Training

A Red Hat training course is available for Red Hat Linux

27.4. Defining Role-Based Access Controls

Role-based access control grants a very different kind of authority to users compared to self-service and delegation access controls. Role-based access controls are fundamentally administrative, with the potential to add, delete, and significantly modify entries.
There are three parts to role-based access controls:
  • The permission. The permission defines a specific operation or set of operations (write, add, or delete) and the target entries within the IdM LDAP directory to which those operations apply. Permissions are building blocks; they can be assigned to multiple privileges as needed.
  • The privileges available to a role. A privilege is essentially a group of permissions. Permissions are not applied directly to a role. Permissions are added to a privilege so that the privilege creates a coherent and complete picture of a set of access control rules. For example, a permission can be created to add, edit, and delete automount locations. Then that permission can be combined with another permission relating to managing FTP services, and they can be used to create a single privilege that relates to managing filesystems.
  • The role. This is the list of IdM users who are able to perform the actions defined in the privileges.
It is possible to create entirely new permissions, as well as to create new privileges based on existing permissions or new permissions.

27.4.1. Creating Roles

27.4.1.1. Creating Roles in the Web UI

  1. Open the IPA Server tab in the top menu, and select the Role Based Access Control subtab.
  2. Click the Add link at the top of the list of role-based ACIs.
  3. Enter the role name and a description.
  4. Click the Add and Edit button to save the new role and go to the configuration page.
  5. At the top of the Users tab, or in the Users Groups tab when adding groups, click the Add link.
  6. Select the users on the left and use the >> button to move them to the assigned box.
  7. Open the Privileges tab in the role configuration page.
  8. Click the Add link at the top of the list of privileges to add a new privilege.
  9. Select the privileges on the left and use the >> button to move them to the assigned box.
  10. Click the Add button to save.

27.4.1.2. Creating Roles in the Command Line

  1. Add the new role:
    [root@server ~]# kinit admin
    [root@server ~]# ipa role-add --desc="User Administrator" useradmin
      ------------------------
      Added role "useradmin"
      ------------------------
      Role name: useradmin
      Description: User Administrator
  2. Add the required privileges to the role:
    [root@server ~]# ipa role-add-privilege --privileges="User Administrators" useradmin
      Role name: useradmin
      Description: User Administrator
      Privileges: user administrators
      ----------------------------
      Number of privileges added 1
    ----------------------------
    
  3. Add the required groups to the role. In this case, we are adding only a single group, useradmin, which already exists.
    [root@server ~]# ipa role-add-member --groups=useradmins useradmin
      Role name: useradmin
      Description: User Administrator
      Member groups: useradmins
      Privileges: user administrators
      -------------------------
      Number of members added 1
    -------------------------
    

27.4.2. Creating New Permissions

27.4.2.1. Creating New Permissions from the Web UI

  1. Open the IPA Server tab in the top menu, and select the Role Based Access Control subtab.
  2. Select the Permissions task link.
  3. Click the Add link at the top of the list of permissions.
  4. Enter the name of the new permission.
  5. Select the checkboxes next to the allowed operations for this permission.
  6. Select the method to use to identify the target entries from the Target drop-down menu. There are four different methods:
    • Type looks for an entry type like user, host, or service and then provides a list of all possible attributes for that entry type. The attributes which will be accessible through this ACI are selected from the list.
    • Filter uses an LDAP filter to identify which entries the permission applies to.
    • Subtree targets every entry beneath the specified subtree entry. All attributes within the matching entries can be modified.
    • Target group specifies a user group, and all the user entries within that group are available through the ACI. All attributes within the matching entries can be modified.
  7. Fill in the required information to identify the target entries, depending on the selected type.
  8. For Filter, Subtree, and Target group targets, click the Add link to add attributes that are included in the permission. A single attribute is added at a time; to add multiple attributes, click the Add again to add another field.
    If no attributes are set for the permission then, by default, all attributes are excluded.
  9. Click the Add button to save the permission.

27.4.2.2. Creating New Permissions from the Command Line

A new permission is added using the permission-add command. All permissions require a list of attributes over which permission is granted (--attr), a list of allowed actions (--permissions), and the target entries for the ACI. There are four methods to identify the target entries:
  • --type looks for an entry type like user, host, or service and then provides a list of all possible attributes for that entry type.
  • --filter uses an LDAP filter to identify which entries the permission applies to.
  • --subtree targets every entry beneath the specified subtree entry.
  • --targetgroup specifies a user group, and all the user entries within that group are available through the ACI.

Example 27.1. Adding a Permission with a Filter

A filter can be any valid LDAP filter.
$ ipa permission-add "manage Windows groups" --filter="(!(objectclass=posixgroup))" --permissions=write --attrs=description

Note

The permission-add command does not validate the given LDAP filter. Verify that the filter returns the expected results before configuring the permission.

Example 27.2. Adding a Permission for a Subtree

All a subtree filter requires is a DN within the directory. Since IdM uses a simplified, flat directory tree structure, this can be used to target some types of entries, like automount locations, which are containers or parent entries for other configuration.
$ ipa permission-add "manage automount locations" --subtree="ldap://ldap.example.com:389/cn=automount,dc=example,dc=com" --permissions=write --attrs=automountmapname,automountkey,automountInformation

Example 27.3. Adding a Permission Based on Object Type

There seven object types that can be used to form a permission:
  • user
  • group
  • host
  • service
  • hostgroup
  • netgroup
  • dnsrecord
Each type has its own set of allowed attributes, in a comma-separated list.
$ ipa permission-add "manage service" --permissions=all --type=service --attrs=krbprincipalkey,krbprincipalname,managedby
The attributes (--attrs) must exist and be allowed attributes for the given object type, or the permission operation fails with schema syntax errors.

27.4.3. Creating New Privileges

27.4.3.1. Creating New Privileges from the Web UI

  1. Open the IPA Server tab in the top menu, and select the Role Based Access Control subtab.
  2. Select the Privileges task link.
  3. Click the Add link at the top of the list of privileges.
  4. Enter the name and a description of the privilege.
  5. Click the Add and Edit button to go to the privilege configuration page to add permissions.
  6. Select the Permissions tab.
  7. Click the Add link at the top of the list of permissions to add permission to the privilege.
  8. Click the checkbox by the names of the permissions to add, and click the right arrows button, >>, to move the permissions to the selection box.
  9. Click the Add button.

27.4.3.2. Creating New Privileges from the Command Line

Privilege entries are created using the privilege-add command, and then permissions are added to the privilege group using the privilege-add-permission command.
  1. Create the privilege entry.
    $ ipa privilege-add "managing filesystems" --desc="for filesystems"
  2. Assign the desired permissions. For example:
    $ ipa privilege-add-permission "managing filesystems" --permissions="managing automount","managing ftp services"