30.2. sudo Rules in Identity Management

Using sudo rules, you can define who can do what, where, and as whom.
  • Who are the users allowed to use sudo.
  • What are the commands that can be used with sudo.
  • Where are the target hosts on which the users are allowed to use sudo.
  • As whom is the system or other user identity which the users assume to perform tasks.

30.2.1. External Users and Hosts in sudo Rules

IdM accepts external entities in sudo rules. External entities are entities that are stored outside of the IdM domain, such as users or hosts that are not part of the IdM domain.
For example, you can use sudo rules to grant root access to a member of the IT group in IdM, where the root user is not a user defined in the IdM domain. Or, for another example, administrators can block access to certain hosts that are on a network but are not part of the IdM domain.

30.2.2. User Group Support for sudo Rules

You can use sudo to give access to whole user groups in IdM. IdM supports both Unix and non-POSIX groups. Note that creating non-POSIX groups can cause access problems because any users in a non-POSIX group inherit non-POSIX permissions from the group.

30.2.3. Support for sudoers Options

IdM supports sudoers options. For a complete list of the available sudoers options, see the sudoers(5) man page.
Note that IdM does not allow white spaces or line breaks in sudoers options. Therefore, instead of supplying multiple options in a comma-separated list, add them separately. For example, to add two sudoers options from the command line:
$ ipa sudorule-add-option sudo_rule_name
Sudo Option: first_option
$ ipa sudorule-add-option sudo_rule_name
Sudo Option: second_option
Similarly, make sure to supply long options on one line. For example, from the command line:
$ ipa sudorule-add-option sudo_rule_name
Sudo Option: env_keep="COLORS DISPLAY EDITOR HOSTNAME HISTSIZE INPUTRC KDEDIR LESSSECURE LS_COLORS MAIL PATH PS1 PS2 XAUTHORITY"