31.2. Configuring Host-based Access Control in an IdM Domain

To configure your domain for host-based access control:

Create HBAC rules
Test the new HBAC rules
Disable the default allow_all HBAC rule
Important
Do not disable the allow_all rule before creating custom HBAC rules. If you do this, no users will be able to access any hosts.

31.2.1. Creating HBAC Rules

To create an HBAC rule, you can use:

the IdM web UI (see the section called “Web UI: Creating an HBAC Rule”)
the command line (see the section called “Command Line: Creating HBAC Rules”)

For examples, see the section called “Examples of HBAC Rules”.

Web UI: Creating an HBAC Rule

Select Policy → Host-Based Access Control → HBAC Rules.
Click Add to start adding a new rule.
Enter a name for the rule, and click Add and Edit to go directly to the HBAC rule configuration page.
In the Who area, specify the target users.
- To apply the HBAC rule to specified users or groups only, select Specified Users and Groups. Then click Add to add the users or groups.
- To apply the HBAC rule to all users, select Anyone.
Figure 31.2. Specifying a Target User for an HBAC Rule
In the Accessing area, specify the target hosts:
- To apply the HBAC rule to specified hosts or groups only, select Specified Hosts and Groups. Then click Add to add the hosts or groups.
- To apply the HBAC rule to all hosts, select Any Host.
In the Via Service area, specify the target HBAC services:
- To apply the HBAC rule to specified services or groups only, select Specified Services and Groups. Then click Add to add the services or groups.
- To apply the HBAC rule to all services, select Any Service.
Note
Only the most common services and service groups are configured for HBAC rules by default.
- To display the list of services that are currently available, select Policy → Host-Based Access Control → HBAC Services.
- To display the list of service groups that are currently available, select Policy → Host-Based Access Control → HBAC Service Groups.
To add more services and service groups, see Section 31.3, “Adding HBAC Service Entries for Custom HBAC Services” and Section 31.4, “Adding HBAC Service Groups”.
Changing certain settings on the HBAC rule configuration page highlights the Save button at the top of the page. If this happens, click the button to confirm the changes.

Command Line: Creating HBAC Rules

Use the ipa hbacrule-add command to add the rule.

$ ipa hbacrule-add
Rule name: rule_name
---------------------------
Added HBAC rule "rule_name"
---------------------------
  Rule name: rule_name
  Enabled: TRUE

Specify the target users.

To apply the HBAC rule to specified users or groups only, use the ipa hbacrule-add-user command.

For example, to add a group:

$ ipa hbacrule-add-user
Rule name: rule_name
[member user]:
[member group]: group_name
  Rule name: rule_name
  Enabled: TRUE
  User Groups: group_name
-------------------------
Number of members added 1
-------------------------

To add multiple users or groups, use the --users and --groups options:

$ ipa hbacrule-add-user rule_name --users=user1 --users=user2 --users=user3
  Rule name: rule_name
  Enabled: TRUE
  Users: user1, user2, user3
-------------------------
Number of members added 3
-------------------------

To apply the HBAC rule to all users, use the ipa hbacrule-mod command and specify the all user category:
```
$ ipa hbacrule-mod rule_name --usercat=all
------------------------------
Modified HBAC rule "rule_name"
------------------------------
  Rule name: rule_name
  User category: all
  Enabled: TRUE
```
Note
If the HBAC rule is associated with individual users or groups, ipa hbacrule-mod --usercat=all fails. In this situation, remove the users and groups using the ipa hbacrule-remove-user command.
For details, run ipa hbacrule-remove-user with the --help option.

Specify the target hosts.

To apply the HBAC rule to specified hosts or groups only, use the ipa hbacrule-add-host command.

For example, to add a single host:

$ ipa hbacrule-add-host
Rule name: rule_name
[member host]: host.example.com
[member host group]:
  Rule name: rule_name
  Enabled: TRUE
  Hosts: host.example.com
-------------------------
Number of members added 1
-------------------------

To add multiple hosts or groups, use the --hosts and --hostgroups options:

$ ipa hbacrule-add-host rule_name --hosts=host1 --hosts=host2 --hosts=host3
  Rule name: rule_name
  Enabled: TRUE
  Hosts: host1, host2, host3
-------------------------
Number of members added 3
-------------------------

To apply the HBAC rule to all hosts, use the ipa hbacrule-mod command and specify the all host category:
```
$ ipa hbacrule-mod rule_name --hostcat=all
------------------------------
Modified HBAC rule "rule_name"
------------------------------
  Rule name: rule_name
  Host category: all
  Enabled: TRUE
```
Note
If the HBAC rule is associated with individual hosts or groups, ipa hbacrule-mod --hostcat=all fails. In this situation, remove the hosts and groups using the ipa hbacrule-remove-host command.
For details, run ipa hbacrule-remove-host with the --help option.

Specify the target HBAC services.
- To apply the HBAC rule to specified services or groups only, use the ipa hbacrule-add-service command.
  For example, to add a single service:
```
$ ipa hbacrule-add-service
Rule name: rule_name
[member HBAC service]: ftp
[member HBAC service group]:
Rule name: rule_name
Enabled: TRUE
Services: ftp
-------------------------
Number of members added 1
-------------------------
```
  To add multiple services or groups, you can use the --hbacsvcs and --hbacsvcgroups options:
```
$ ipa hbacrule-add-service rule_name --hbacsvcs=su --hbacsvcs=sudo
  Rule name: rule_name
  Enabled: TRUE
  Services: su, sudo
-------------------------
Number of members added 2
-------------------------
```
  Note
  Only the most common services and service groups are configured for HBAC rules. To add more, see Section 31.3, “Adding HBAC Service Entries for Custom HBAC Services” and Section 31.4, “Adding HBAC Service Groups”.
- To apply the HBAC rule to all services, use the ipa hbacrule-mod command and specify the all service category:
```
$ ipa hbacrule-mod rule_name --servicecat=all
------------------------------
Modified HBAC rule "rule_name"
------------------------------
  Rule name: rule_name
  Service category: all
  Enabled: TRUE
```
  Note
  If the HBAC rule is associated with individual services or groups, ipa hbacrule-mod --servicecat=all fails. In this situation, remove the services and groups using the ipa hbacrule-remove-service command.
  For details, run ipa hbacrule-remove-service with the --help option.
Optional. Verify that the HBAC rule has been added correctly.
1. Use the ipa hbacrule-find command to verify that the HBAC rule has been added to IdM.
2. Use the ipa hbacrule-show command to verify the properties of the HBAC rule.
For details, run the commands with the --help option.

Examples of HBAC Rules

Example 31.1. Granting a Single User Access to All Hosts Using Any Service

To allow the admin user to access all systems in the domain using any service, create a new HBAC rule and set:

the user to admin
the host to Any host (in the web UI), or use --hostcat=all with ipa hbacrule-add (when adding the rule) or ipa hbacrule-mod
the service to Any service (in the web UI), or use --servicecat=all with ipa hbacrule-add (when adding the rule) or ipa hbacrule-mod

Example 31.2. Ensuring That Only Specific Services Can Be Used to Access a Host

To make sure that all users must use sudo-related services to access the host named host.example.com, create a new HBAC rule and set:

the user to Anyone (in the web UI), or use --usercat=all with ipa hbacrule-add (when adding the rule) or ipa hbacrule-mod
the host to host.example.com
the HBAC service group to Sudo, which is a default group for sudo and related services

31.2.2. Testing HBAC Rules

IdM enables you to test your HBAC configuration in various situations using simulated scenarios. By performing these simulated test runs, you can discover misconfiguration problems or security risks before deploying HBAC rules in production.

Important

Always test custom HBAC rules before you start using them in production.

Note that IdM does not test the effect of HBAC rules on trusted Active Directory (AD) users. Because AD data is not stored in the IdM LDAP directory, IdM cannot resolve group membership of AD users when simulating HBAC scenarios.

To test an HBAC rule, you can use:

the IdM web UI (see the section called “Web UI: Testing an HBAC Rule”)
the command line (see the section called “Command Line: Testing an HBAC Rule”)

Web UI: Testing an HBAC Rule

Select Policy → Host-Based Access Control → HBAC Test.
On the Who screen: Specify the user under whose identity you want to perform the test, and click Next.
Figure 31.3. Specifying the Target User for an HBAC Test
On the Accessing screen: Specify the host that the user will attempt to access, and click Next.
On the Via Service screen: Specify the service that the user will attempt to use, and click Next.
On the Rules screen: Select the HBAC rules you want to test, and click Next. If you do not select any rule, all rules will be tested.
Select Include Enabled to run the test on all rules whose status is Enabled. Select Include Disabled to run the test on all rules whose status is Disabled. To view and change the status of HBAC rules, select Policy → Host-Based Access Control → HBAC Rules.
Important
If the test runs on multiple rules, it will pass successfully if at least one of the selected rules allows access.
On the Run Test screen: Click Run Test.
Figure 31.4. Running an HBAC Test
Review the test results:
- If you see ACCESS DENIED, the user was not granted access in the test.
- If you see ACCESS GRANTED, the user was able to access the host successfully.
Figure 31.5. Reviewing HBAC Test Results
By default, IdM lists all the tested HBAC rules when displaying the test results.
- Select Matched to display the rules that allowed successful access.
- Select Unmatched to display the rules that prevented access.

Command Line: Testing an HBAC Rule

Use the ipa hbactest command and specify at least:

the user under whose identity you want to perform the test
the host that the user will attempt to access
the service that the user will attempt to use

For example, when specifying these values interactively:

$ ipa hbactest
User name: user1
Target host: example.com
Service: sudo
---------------------
Access granted: False
---------------------
Not matched rules: rule1

By default, IdM runs the test on all HBAC rules whose status is enabled. To specify different HBAC rules:

Use the --rules option to define one or more HBAC rules.
Use the --disabled option to test all HBAC rules whose status is disabled.

To see the current status of HBAC rules, run the ipa hbacrule-find command.

Example 31.3. Testing an HBAC Rule from the Command Line

In the following test, an HBAC rule named rule2 prevented user1 from accessing example.com using the sudo service:

$ ipa hbactest --user=user1 --host=example.com --service=sudo --rules=rule1
---------------------
Access granted: False
---------------------
  Not matched rules: rule1

Example 31.4. Testing Multiple HBAC Rules from the Command Line

When testing multiple HBAC rules, the test passes if at least one rule allows the user successful access.

$ ipa hbactest --user=user1 --host=example.com --service=sudo --rules=rule1 --rules=rule2
--------------------
Access granted: True
--------------------
  Matched rules: rule2
  Not matched rules: rule1

In the output:

Matched rules list the rules that allowed successful access.
Not matched rules list the rules that prevented access.

31.2.3. Disabling HBAC Rules

Disabling an HBAC rule deactivates the rule, but does not delete it. If you disable an HBAC rule, you can re-enable it later.

Note

For example, disabling HBAC rules is useful after you configure custom HBAC rules for the first time. To ensure that your new configuration is not overridden by the default allow_all HBAC rule, you must disable allow_all.

To disable an HBAC rule, you can use:

the IdM web UI (see the section called “Web UI: Disabling an HBAC Rule”)
the command line (see the section called “Command Line: Disabling an HBAC Rule”)

Web UI: Disabling an HBAC Rule

Select Policy → Host-Based Access Control → HBAC Rules.
Select the HBAC rule you want to disable, and click Disable.

Figure 31.6. Disabling the allow_all HBAC Rule

Command Line: Disabling an HBAC Rule

Use the ipa hbacrule-disable command. For example, to disable the allow_all rule:

$ ipa hbacrule-disable allow_all
------------------------------
Disabled HBAC rule "allow_all"
------------------------------

Where did the comment section go?

Red Hat's documentation publication system recently went through an upgrade to enable speedier, more mobile-friendly content. We decided to re-evaluate our commenting platform to ensure that it meets your expectations and serves as an optimal feedback mechanism. During this redesign, we invite your input on providing feedback on Red Hat documentation via the discussion platform.

Log in to Your Red Hat Account

Red Hat Account

Customer Portal

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

JBoss Development and Management

JBoss Integration and Automation

Mobile

Services

Tools

Red Hat Product Security Center

Security Updates

Resources

Customer Portal Community

Customer Events

Stories

31.2. Configuring Host-based Access Control in an IdM Domain

31.2.1. Creating HBAC Rules

Web UI: Creating an HBAC Rule

Command Line: Creating HBAC Rules

Examples of HBAC Rules

31.2.2. Testing HBAC Rules

Web UI: Testing an HBAC Rule

Command Line: Testing an HBAC Rule

31.2.3. Disabling HBAC Rules

Web UI: Disabling an HBAC Rule

Command Line: Disabling an HBAC Rule

Where did the comment section go?