21.2. Creating Host-Based Access Control Entries for Services and Service Groups

Any PAM service can be identified as to the host-based access control (HBAC) system in IdM. The service entries used in host-based access control are separate from adding a service to the IdM domain. Adding a service to the domain makes it a recognized resource which is available to other resources. Adding a domain resource to the host-based access control configuration allows administrators to exert defined control over what domain users and what domain clients can access that service.
Some common services are already configured as HBAC services, so they can be used in host-based access control rules. Additional services can be added, and services can be added into service groups for simpler management.

21.2.1. Adding HBAC Services

21.2.1.1. Adding HBAC Services in the Web UI

  1. Click the Policy tab.
  2. Click the Host-Based Access Control subtab, and then select the HBAC Services link.
  3. Click the Add link at the top of the list of services.
  4. Enter the service name and a description.
  5. Click the Add button to save the new service.
  6. If a service group already exists, then add the service to the desired group, as described in Section 21.2.2.1, “Adding Service Groups in the Web UI”.

21.2.1.2. Adding Services in the Command Line

The service is added to the access control system using the hbacsvc-add command, specifying the service by the name that PAM uses to evaluate the service.
For example, this adds the tftp service:
# ipa hbacsvc-add --desc="TFTP service" tftp
------------------------- 
Added HBAC service "tftp" 
------------------------- 
Service name: tftp 
Description: TFTP service
If a service group already exists, then the service can be added to the group using the hbacsvcgroup-add-member command, as in Section 21.2.2.2, “Adding Service Groups in the Command Line”.

21.2.2. Adding Service Groups

Once the individual service is added, it can be added to the access control rule. However, if there is a large number of services, then it can require frequent updates to the access control rules as services change. Identity Management also allows groups of services to be added to access control rules. This makes it much easier to manage access control, because the members of the service group can be changed without having to edit the rule itself.

21.2.2.1. Adding Service Groups in the Web UI

  1. Click the Policy tab.
  2. Click the Host-Based Access Control subtab, and then select the HBAC Service Groups link.
  3. Click the Add link at the top of the list of service groups.
  4. Enter the service group name and a description.
  5. Click the Add and Edit button to go immediately to the service group configuration page.
  6. At the top of the HBAC Services tab, click the Add link.
  7. Click the checkbox by the names of the services to add, and click the right arrows button, >>, to move the command to the selection box.
  8. Click the Add button to save the group membership.

21.2.2.2. Adding Service Groups in the Command Line

First create the service group entry, then create the service, and then add that service to the service group as a member. For example:
[jsmith@server ~]$ kinit admin
[jsmith@server ~]$ ipa hbacsvcgroup-add --desc="login services" login
--------------------------------
Added HBAC service group "login"
--------------------------------
  Service group name: login
  Description: login services

[jsmith@server ~]$ ipa hbacsvc-add --desc="SSHD service" sshd
------------------------- 
Added HBAC service "sshd" 
------------------------- 
Service name: sshd 
Description: SSHD service 

[jsmith@server ~]$ ipa hbacsvcgroup-add-member --hbacsvcs=sshd login
  Service group name: login
  Description: login services
-------------------------
Number of members added 1
-------------------------

NOTE

IdM defines two default service groups: SUDO for sudo services and FTP for services which provide FTP access.