# ipa The `ipa` command is part of the **Identity, Policy, and Audit (IPA)** suite, often referred to as **FreeIPA**. It is a powerful identity management tool used to provide centralized authentication, authorization, and account information in Linux environments. In large-scale or enterprise environments, FreeIPA helps administrators manage permissions, privileges, roles, and access control across multiple systems. ## Key Areas: Permissions, Privileges, and Roles 1. **Permissions**: Define what specific actions users or groups can perform on certain resources. 2. **Privileges**: Collection of permissions grouped together. Used to assign multiple permissions at once. 3. **Roles**: Higher-level entities that define access and control by combining privileges, which in turn contain permissions. ### Common Subcommands Related to Permissions, Privileges, and Roles Below is a breakdown of relevant IPA subcommands related to **permissions**, **privileges**, and **roles**, as well as their use cases: ### 1. **Permissions** Permissions in FreeIPA control access to specific objects or tasks, such as adding users or modifying group memberships. #### Key Commands: * **Creating a Permission**: ```bash ipa permission-add "Permission Name" --permissions=read,write --type=user --attr=attrname ``` This creates a permission with specific rights (e.g., `read`, `write`) for a particular resource type (e.g., user) and attribute. * **Listing Permissions**: ```bash ipa permission-find ``` Lists all defined permissions within the IPA environment. * **Showing Permission Details**: ```bash ipa permission-show "Permission Name" ``` Displays detailed information about a specific permission. * **Modifying a Permission**: ```bash ipa permission-mod "Permission Name" --rights=write ``` Modifies an existing permission, such as changing access rights. * **Deleting a Permission**: ```bash ipa permission-del "Permission Name" ``` Deletes a defined permission from IPA. #### Example Use Case: A company wants to allow help desk staff to reset passwords for users but not modify any other user data. A permission can be created for the password reset action and applied to the relevant group. *** ### 2. **Privileges** Privileges in FreeIPA are collections of permissions that can be assigned to roles, making permission management more modular and reusable. #### Key Commands: * **Creating a Privilege**: ```bash ipa privilege-add "Privilege Name" ``` Adds a new privilege that can later be associated with permissions. * **Adding Permissions to a Privilege**: ```bash ipa privilege-add-permission "Privilege Name" --permission="Permission Name" ``` Attaches a previously defined permission to the privilege. * **Listing Privileges**: ```bash ipa privilege-find ``` Lists all defined privileges. * **Showing Privilege Details**: ```bash ipa privilege-show "Privilege Name" ``` Displays detailed information about a specific privilege, including associated permissions. * **Modifying a Privilege**: ```bash ipa privilege-mod "Privilege Name" --description="New Description" ``` Modifies an existing privilege, such as updating its description or permissions. * **Deleting a Privilege**: ```bash ipa privilege-del "Privilege Name" ``` Deletes a defined privilege. #### Example Use Case: For example, a privilege could be created for "User Account Management" that combines permissions like "Create User" and "Delete User." This privilege can then be assigned to roles for managers. *** ### 3. **Roles** Roles in FreeIPA assign privileges to users or groups, giving them the capabilities defined by the included privileges. #### Key Commands: * **Creating a Role**: ```bash ipa role-add "Role Name" ``` Adds a new role that can later be associated with privileges. * **Adding Privileges to a Role**: ```bash ipa role-add-privilege "Role Name" --privilege="Privilege Name" ``` Attaches a privilege to the role. * **Listing Roles**: ```bash ipa role-find ``` Lists all defined roles. * **Showing Role Details**: ```bash ipa role-show "Role Name" ``` Displays detailed information about a specific role. * **Assigning Roles to Users/Groups**: ```bash ipa role-add-member "Role Name" --users="username" ipa role-add-member "Role Name" --groups="groupname" ``` Assigns a role to a user or group, granting them the privileges and associated permissions of that role. * **Removing Roles from Users/Groups**: ```bash ipa role-remove-member "Role Name" --users="username" ipa role-remove-member "Role Name" --groups="groupname" ``` Removes a role from a user or group. * **Deleting a Role**: ```bash ipa role-del "Role Name" ``` Deletes a defined role. #### Example Use Case: A "Help Desk" role could be created with privileges like "Reset Password" and "Unlock Account." Members of the help desk team would be assigned this role, giving them the necessary permissions to perform these actions without broader system access. *** ### 4. **Other IPA Commands** * **ipa user-add-role**: Assign a role to a user directly. * **ipa group-add-role**: Assign a role to a group of users. * **ipa role-add-privilege**: Add privileges to a specific role. * **ipa permission-mod**: Modify an existing permission to adjust the granted rights. These commands allow centralized control of user privileges and permissions in a scalable, enterprise environment. *** ## Practical Example: Managing Help Desk Roles A typical scenario in an enterprise setting might involve creating a role for the **Help Desk** team. You want to allow help desk members to reset user passwords and unlock accounts but prevent them from modifying any other attributes. ### Steps: 1. **Create Permissions**: ```bash ipa permission-add "Reset Password" --permissions=write --type=user --attr=userPassword ipa permission-add "Unlock Account" --permissions=write --type=user --attr=krbPrincipalExpiration ``` 2. **Create a Privilege**: ```bash ipa privilege-add "Help Desk Privileges" ipa privilege-add-permission "Help Desk Privileges" --permission="Reset Password" ipa privilege-add-permission "Help Desk Privileges" --permission="Unlock Account" ``` 3. **Create a Role**: ```bash ipa role-add "Help Desk" ipa role-add-privilege "Help Desk" --privilege="Help Desk Privileges" ``` 4. **Assign Role to Users**: ```bash ipa role-add-member "Help Desk" --users=john.doe ``` Now, user **john.doe** will have the ability to reset passwords and unlock accounts but will not be able to modify any other user attributes. *** ## Conclusion The **IPA** system's permission, privilege, and role management structure allows for granular and flexible access control across an enterprise. Using commands like `ipa permission`, `ipa privilege`, and `ipa role`, administrators can define, organize, and assign responsibilities in a scalable and secure manner. Each subcommand and concept helps ensure that users have only the access they need, reducing risk and ensuring compliance with security best practices. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://linux-tutorial-cli.gitbook.io/linux-cli-tutorial/txt-files/file-systems-cocepts/lpic3-300/ipa-including-relevant-permission-privilege-and-role-subcommands.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.