Policy CLI Reference

Access control and policy management

Sudo Rule Management (policy, 21 commands)

Manage sudo rules for privilege escalation control. Sudo rules define which users can execute which commands as other users on specified hosts. Features include RunAs user and group specifications, command and command group targeting, host and host group filtering, sudo options (NOPASSWD, etc.), order-based priority, and integration with SSSD for centralized sudo policy enforcement.

HBAC Rule Management (policy, 13 commands)

Manage host-based access control rules to restrict which users can access specific hosts and services. HBAC rules enforce fine-grained access policies based on user groups, host groups, and service groups. Features include rule categories (all users/hosts or specific groups), source hosts, service targeting, external host support, and testing capabilities to verify access decisions before deployment.

Delegation Rules (policy, 5 commands)

Manage delegation rules for allowing users to modify specific attributes of other users. Delegation rules provide granular control over attribute-level access without requiring full administrative privileges. Features include attribute specification, member user and group management, and support for self-service delegation enabling users to manage their own attributes or those of their direct reports.

HBAC Services (policy, 5 commands)

Manage HBAC service definitions for use in host-based access control rules. Services represent specific system services (SSH, su, sudo, etc.) that can be controlled via HBAC policies. Features include service creation with descriptions, service grouping for policy management, and integration with HBAC rules for granular service-level access control.

HBAC Service Groups (policy, 7 commands)

Manage groups of HBAC services for simplified policy management. Service groups enable collective assignment of multiple services to HBAC rules, reducing administrative overhead. Features include nested service group membership, service addition and removal, and centralized management of related service access policies.

Permissions (policy, 5 commands)

Manage individual permissions in the role-based access control system. Permissions define atomic operations on LDAP objects and attributes. Features include bind type control (permission or all), target filters, attribute restrictions, permission granting and revocation, and integration with privileges for building flexible, least-privilege access control policies.

Privileges (policy, 7 commands)

Manage privileges that group related permissions for role assignment. Privileges aggregate permissions into meaningful units representing administrative capabilities. Features include privilege creation and modification, permission membership management, and integration with roles for implementing role-based access control (RBAC) across the IPA domain.

Password Policies (policy, 5 commands)

Manage password policies controlling complexity, history, and lifetime requirements. Password policies enforce minimum length, character classes, history depth, maximum lifetime, and other password quality constraints. Features include group-based policy assignment, priority ordering, failure lockout configuration, grace period settings, and coordination with Kerberos ticket policies for comprehensive password security.

Roles (policy, 9 commands)

Manage roles for assigning administrative privileges to users and groups. Roles are the primary mechanism for delegating administrative authority in IPA. Features include role creation and modification, privilege assignment, user and group membership, service membership, and support for both built-in and custom roles for flexible delegation of administrative responsibilities.

Sudo Commands (policy, 5 commands)

Manage individual sudo commands for use in sudo rules. Commands represent specific executables with full paths that can be permitted or denied via sudo policies. Features include command creation with descriptions, command grouping, and integration with sudo rules for fine-grained privilege escalation control.

Sudo Command Groups (policy, 7 commands)

Manage groups of sudo commands for simplified sudo policy management. Command groups enable collective assignment of multiple commands to sudo rules, reducing administrative overhead. Features include command addition and removal, nested command group membership, and centralized management of related command access policies.