11.5. Allowing Non-admin Users to Manage User Entries

By default, only the admin user is allowed to manage user life cycle and disable or enable user accounts. To allow another, non-admin user to do this, create a new role, add the relevant permissions to this role, and assign the non-admin user to the role.
By default, IdM includes the following privileges related to managing user accounts:
Modify Users and Reset passwords
This privilege includes permissions to modify various user attributes.
User Administrators
This privilege includes permissions to add active users, activate non-active users, remove users, modify user attributes, and other permissions.
Stage User Provisioning
This privilege includes a permission to add stage users.
Stage User Administrator
This privilege includes permissions to perform a number of life cycle operations, such as adding stage users or moving users between life cycle states. However, it does not include permissions to move users to the active state.
For information on defining roles, permissions, and privileges, see Section 10.4, “Defining Role-Based Access Controls”.

Allowing Different Users to Perform Different User Management Operations

The different privileges related to managing user accounts can be added to different users. For example, you can separate privileges for employee account entry and activation by:
  • Configuring one user as a stage user administrator, who is allowed to add future employees to IdM as stage users, but not to activate them.
  • Configuring another user as a security administrator, who is allowed to activate the stage users after their employee credentials are verified on the first day of employment.
To allow a user to perform certain user management operations, create a new role with the required privilege or privileges, and assign the user to that role.

Example 11.1. Allowing a Non-admin User to Add Stage Users

This example shows how to create a user who is only allowed to add new stage users, but not to perform any other stage user management operations.
  1. Log in as the admin user or another user allowed to manage role-based access control.
    $ kinit admin
    
  2. Create a new custom role to manage adding stage users.
    1. Create the System Provisioning role.
      $ ipa role-add --desc "Responsible for provisioning stage users" "System Provisioning"
      --------------------------------
      Added role "System Provisioning"
      --------------------------------
      Role name: System Provisioning
      Description: Responsible for provisioning stage users
      
    2. Add the Stage User Provisioning privilege to the role. This privilege provides the ability to add stage users.
      $ ipa role-add-privilege "System Provisioning" --privileges="Stage User Provisioning"
      Role name: System Provisioning
      Description: Responsible for provisioning stage users
      Privileges: Stage User Provisioning
      ----------------------------
      Number of privileges added 1
      ----------------------------
      
  3. Grant a non-admin user the rights to add stage users.
    1. If the non-admin user does not yet exist, create a new user. In this example, the user is named stage_user_admin.
      $ ipa user-add stage_user_admin --password
      First name: first_name
      Last name: last_name
      Password:
      Enter password again to verify:
      ...
      
    2. Assign the stage_user_admin user to the System Provisioning role.
      $ ipa role-add-member "System Provisioning" --users=stage_user_admin
      Role name: System Provisioning
      Description: Responsible for provisioning stage users
      Member users: stage_user_admin
      Privileges: Stage User Provisioning
      -------------------------
      Number of members added 1
      -------------------------
      
    3. To make sure the System Provisioning role is configured correctly, you can use the ipa role-show command to display the role settings.
      $ ipa role-show "System Provisioning"
      --------------
      1 role matched
      --------------
      Role name: System provisioning
      Description: Responsible for provisioning stage users
      Member users: stage_user_admin
      Privileges: Stage User Provisioning
      ----------------------------
      Number of entries returned 1
      ----------------------------
      
  4. Test adding a new stage user as the stage_user_admin user.
    1. Log in as stage_user_admin. Note that if you created stage_user_admin as a new user in one of the previous steps, IdM will ask you to change the initial password set by admin.
      $ kinit stage_user_admin
      Password for stage_user_admin@EXAMPLE.COM:
      Password expired.  You must change it now.
      Enter new password:
      Enter it again:
      
    2. To make sure your Kerberos ticket for admin has been replaced with a Kerberos ticket for stage_user_admin, you can use the klist utility.
      $ klist
      Ticket cache: KEYRING:persistent:0:krb_ccache_xIlCQDW
      Default principal: stage_user_admin@EXAMPLE.COM
      
      Valid starting       Expires              Service principal
      02/25/2016 11:42:20  02/26/2016 11:42:20  krbtgt/EXAMPLE.COM
      
    3. Add a new stage user.
      $ ipa stageuser-add stage_user
      First name: first_name
      Last name: last_name
      ipa: ERROR: stage_user: stage user not found
      
      Note
      The error that IdM reports after adding a stage user is expected. The stage_user_admin is only allowed to add stage users, not to display information about them. Therefore, instead of displaying a summary of the newly added stage_user settings, IdM displays the error.
The stage_user_admin user is not allowed to display information about stage users. Therefore, an attempt to display information about the new stage_user user while logged in as stage_user_admin fails:
$ ipa stageuser-show stage_user
ipa: ERROR: stage_user: stage user not found
To display information about stage_user, you can log in as admin:
$ kinit admin
Password for admin@EXAMPLE.COM:
$ ipa stageuser-show stage_user
  User login: stage_user
  First name: Stage
  Last name: User
...
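The ipa role-show check in step 3 above is a one-time look at the role; the script below, an added example that is not part of the Red Hat documentation, turns that check into a repeatable audit by parsing role-show output and confirming that the "System Provisioning" role still carries exactly the Stage User Provisioning privilege and exactly the stage_user_admin member. The role-show output embedded here is constructed to mirror the page's example; in practice you would pipe the real command output into the functions.

```shell
#!/bin/sh
# Audit an IdM role from `ipa role-show` text output (added example, not Red Hat's code).
# A role built for one task (adding stage users) should never quietly accumulate
# broader privileges such as "User Administrators"; this check fails if it does.

# Constructed sample of `ipa role-show "System Provisioning"` output, as on the page.
ROLE_SHOW_OUTPUT='--------------
1 role matched
--------------
  Role name: System Provisioning
  Description: Responsible for provisioning stage users
  Member users: stage_user_admin
  Privileges: Stage User Provisioning
----------------------------
Number of entries returned 1
----------------------------'

# Constructed sample of a drifted role that gained an extra privilege and member.
ROLE_SHOW_DRIFTED='  Role name: System Provisioning
  Member users: stage_user_admin, contractor1
  Privileges: Stage User Provisioning, User Administrators'

# Print the value of one field (e.g. "Privileges") from role-show output on stdin.
role_field() {
    sed -n "s/^[[:space:]]*$1: //p"
}

# Split a comma-separated list into one trimmed item per line, sorted, so that
# comparisons do not depend on item order or surrounding whitespace.
normalize_list() {
    tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | sort
}

# Return 0 if the named field of the role-show output ($1) equals the expected
# comma-separated set ($3) exactly, 1 otherwise. $2 is the field name.
role_field_matches() {
    actual=$(printf '%s\n' "$1" | role_field "$2" | normalize_list)
    expected=$(printf '%s\n' "$3" | normalize_list)
    [ "$actual" = "$expected" ]
}

# Full least-privilege check for the role described on this page: returns 0 only
# when both the privilege set and the member set are exactly what was intended.
check_system_provisioning() {
    role_field_matches "$1" "Privileges" "Stage User Provisioning" &&
    role_field_matches "$1" "Member users" "stage_user_admin"
}
```

Run it against live output with something like `check_system_provisioning "$(ipa role-show 'System Provisioning')" || echo "role drifted"` after authenticating as an account that may read roles.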