ipa

The ipa command is part of the Identity, Policy, and Audit (IPA) suite, often referred to as FreeIPA. It is a powerful identity management tool used to provide centralized authentication, authorization, and account information in Linux environments. In large-scale or enterprise environments, FreeIPA helps administrators manage permissions, privileges, roles, and access control across multiple systems.

Key Areas: Permissions, Privileges, and Roles

  1. Permissions: Define what specific actions users or groups can perform on certain resources.

  2. Privileges: Collection of permissions grouped together. Used to assign multiple permissions at once.

  3. Roles: Higher-level entities that define access and control by combining privileges, which in turn contain permissions.

Common Subcommands Related to Permissions, Privileges, and Roles

Below is a breakdown of relevant IPA subcommands related to permissions, privileges, and roles, as well as their use cases:

1. Permissions

Permissions in FreeIPA control access to specific objects or tasks, such as adding users or modifying group memberships.

Key Commands:

  • Creating a Permission:

    ipa permission-add "Permission Name" --permissions=read,write --type=user --attr=attrname

    This creates a permission with specific rights (e.g., read, write) for a particular resource type (e.g., user) and attribute.

  • Listing Permissions:

    ipa permission-find

    Lists all defined permissions within the IPA environment.

  • Showing Permission Details:

    ipa permission-show "Permission Name"

    Displays detailed information about a specific permission.

  • Modifying a Permission:

    ipa permission-mod "Permission Name" --rights=write

    Modifies an existing permission, such as changing access rights.

  • Deleting a Permission:

    ipa permission-del "Permission Name"

    Deletes a defined permission from IPA.

Example Use Case:

A company wants to allow help desk staff to reset passwords for users but not modify any other user data. A permission can be created for the password reset action and applied to the relevant group.

2. Privileges

Privileges in FreeIPA are collections of permissions that can be assigned to roles, making permission management more modular and reusable.

Key Commands:

  • Creating a Privilege:

    ipa privilege-add "Privilege Name"

    Adds a new privilege that can later be associated with permissions.

  • Adding Permissions to a Privilege:

    ipa privilege-add-permission "Privilege Name" --permission="Permission Name"

    Attaches a previously defined permission to the privilege.

  • Listing Privileges:

    ipa privilege-find

    Lists all defined privileges.

  • Showing Privilege Details:

    ipa privilege-show "Privilege Name"

    Displays detailed information about a specific privilege, including associated permissions.

  • Modifying a Privilege:

    ipa privilege-mod "Privilege Name" --description="New Description"

    Modifies an existing privilege, such as updating its description or permissions.

  • Deleting a Privilege:

    ipa privilege-del "Privilege Name"

    Deletes a defined privilege.

Example Use Case:

For example, a privilege could be created for "User Account Management" that combines permissions like "Create User" and "Delete User." This privilege can then be assigned to roles for managers.

3. Roles

Roles in FreeIPA assign privileges to users or groups, giving them the capabilities defined by the included privileges.

Key Commands:

  • Creating a Role:

    ipa role-add "Role Name"

    Adds a new role that can later be associated with privileges.

  • Adding Privileges to a Role:

    ipa role-add-privilege "Role Name" --privilege="Privilege Name"

    Attaches a privilege to the role.

  • Listing Roles:

    ipa role-find

    Lists all defined roles.

  • Showing Role Details:

    ipa role-show "Role Name"

    Displays detailed information about a specific role.

  • Assigning Roles to Users/Groups:

    ipa role-add-member "Role Name" --users="username"
ipa role-add-member "Role Name" --groups="groupname"

    Assigns a role to a user or group, granting them the privileges and associated permissions of that role.

  • Removing Roles from Users/Groups:

    ipa role-remove-member "Role Name" --users="username"
ipa role-remove-member "Role Name" --groups="groupname"

    Removes a role from a user or group.

  • Deleting a Role:

    ipa role-del "Role Name"

    Deletes a defined role.

Example Use Case:

A "Help Desk" role could be created with privileges like "Reset Password" and "Unlock Account." Members of the help desk team would be assigned this role, giving them the necessary permissions to perform these actions without broader system access.

4. Other IPA Commands

  • ipa user-add-role: Assign a role to a user directly.

  • ipa group-add-role: Assign a role to a group of users.

  • ipa role-add-privilege: Add privileges to a specific role.

  • ipa permission-mod: Modify an existing permission to adjust the granted rights.

These commands allow centralized control of user privileges and permissions in a scalable, enterprise environment.

Practical Example: Managing Help Desk Roles

A typical scenario in an enterprise setting might involve creating a role for the Help Desk team. You want to allow help desk members to reset user passwords and unlock accounts but prevent them from modifying any other attributes.

Steps:

  1. Create Permissions:

    ipa permission-add "Reset Password" --permissions=write --type=user --attr=userPassword
ipa permission-add "Unlock Account" --permissions=write --type=user --attr=krbPrincipalExpiration

  2. Create a Privilege:

    ipa privilege-add "Help Desk Privileges"
ipa privilege-add-permission "Help Desk Privileges" --permission="Reset Password"
ipa privilege-add-permission "Help Desk Privileges" --permission="Unlock Account"

  3. Create a Role:

    ipa role-add "Help Desk"
ipa role-add-privilege "Help Desk" --privilege="Help Desk Privileges"

  4. Assign Role to Users:

    ipa role-add-member "Help Desk" --users=john.doe

Now, user john.doe will have the ability to reset passwords and unlock accounts but will not be able to modify any other user attributes.

Conclusion

The IPA system's permission, privilege, and role management structure allows for granular and flexible access control across an enterprise. Using commands like ipa permission, ipa privilege, and ipa role, administrators can define, organize, and assign responsibilities in a scalable and secure manner.

Each subcommand and concept helps ensure that users have only the access they need, reducing risk and ensuring compliance with security best practices.

PreviousFreeIPA (IPA)Nextipa

Last updated