Delegation Rules
Manage delegation rules for allowing users to modify specific attributes of other users. Delegation rules provide granular control over attribute-level access without requiring full administrative privileges. Features include attribute specification, member user and group management, and support for self-service delegation enabling users to manage their own attributes or those of their direct reports.
A delegation is a simplified form of permission. Under the hood, FreeIPA stores it as an Access Control Instruction (ACI) in the directory; ACIs are the 389 Directory Server mechanism that grants a set of principals the right to perform given tasks such as adding a user, modifying a group, or writing particular attributes of an entry.
A group to group delegation grants the members of one group (--group) the right to update a fixed set of attributes (--attrs) on the entries of the members of another group (--membergroup). Nothing outside that attribute list is affected, so the rule can be audited by reading it back with delegation-show.
EXAMPLES
Add a delegation rule to allow managers to edit employees' street addresses:
  ipa delegation-add --attrs=street --group=managers --membergroup=employees "managers edit employees' street"

When modifying the attribute list, --attrs replaces the whole list rather than appending to it, so you must pass every attribute the rule should keep, including the existing ones; passing only the new attribute silently revokes write access to the old ones. Add postalCode to the list:
  ipa delegation-mod --attrs=street --attrs=postalCode --group=managers --membergroup=employees "managers edit employees' street"

Display our updated rule and confirm that both attributes are present:
  ipa delegation-show "managers edit employees' street"

Delete a rule:
  ipa delegation-del "managers edit employees' street"
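Because delegation-mod --attrs replaces the list, the safe way to add an attribute is to read the current list back, merge, and pass the full set. The helper below is an added example, not FreeIPA's own code: it parses the Attributes line of delegation-show output (the sample output is constructed here, and the "Attributes:" line format is an assumption), builds the complete --attrs option list, and reports which existing attributes a proposed list would drop. Only delegation_add_attrs runs the real ipa commands; the rest works offline.

```shell
#!/bin/sh
# Added example (not FreeIPA project code). Assumes `ipa delegation-show`
# prints the attribute list on a line of the form "  Attributes: a, b, c".

# Constructed sample of delegation-show output for the rule above.
SAMPLE_SHOW='  Delegation name: managers edit employees'"'"' street
  Permissions: write
  Attributes: street, postalcode
  Member user group: employees
  User group: managers'

# Print the current attributes, one per line, lower-cased and sorted.
# LDAP attribute names are case-insensitive, so normalising avoids duplicates.
current_attrs() {
    printf '%s\n' "$1" \
        | sed -n 's/^ *Attributes: *//p' \
        | tr ',' '\n' \
        | sed 's/^ *//; s/ *$//' \
        | tr 'A-Z' 'a-z' \
        | grep -v '^$' \
        | sort -u
}

# Normalise a list of attribute names given as arguments.
normalise() {
    for a in "$@"; do printf '%s\n' "$a"; done | tr 'A-Z' 'a-z' | sort -u
}

# Merge the current attributes with the ones to add ($1 = show output).
merge_attrs() {
    show="$1"; shift
    { current_attrs "$show"; normalise "$@"; } | sort -u
}

# Build the --attrs options for delegation-mod from the merged list.
attrs_options() {
    merge_attrs "$@" | sed 's/^/--attrs=/' | tr '\n' ' ' | sed 's/ $//'
}

# Report which existing attributes a proposed --attrs list would silently
# remove ($1 = show output, remaining args = the proposed list).
dropped_attrs() {
    show="$1"; shift
    current_attrs "$show" > /tmp/cur.$$
    normalise "$@" > /tmp/new.$$
    comm -23 /tmp/cur.$$ /tmp/new.$$
    rm -f /tmp/cur.$$ /tmp/new.$$
}

# Add attributes to a live rule without losing the existing ones.
# Requires an admin Kerberos ticket and the ipa client; not run offline.
delegation_add_attrs() {
    name="$1"; shift
    show="$(ipa delegation-show "$name")" || return 1
    # shellcheck disable=SC2046  # intentional word splitting of the options
    ipa delegation-mod $(attrs_options "$show" "$@") "$name"
}

# Offline demonstration on the constructed sample:
attrs_options "$SAMPLE_SHOW" postalCode telephoneNumber
dropped_attrs "$SAMPLE_SHOW" postalCode
```

With the sample above, attrs_options prints --attrs=postalcode --attrs=street --attrs=telephonenumber, and dropped_attrs shows that a mod passing only postalCode would remove street from the rule. Run dropped_attrs before any delegation-mod that changes --attrs and treat a non-empty result as a change that needs review.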
Commands
Command Description
delegation-add Add a new delegation.
delegation-del Delete a delegation.
delegation-find Search for delegations.
delegation-mod Modify a delegation.
delegation-show Display information about a delegation.
delegation-add
Usage: ipa [global-options] delegation-add NAME [options]
Add a new delegation.
Arguments
Argument Required Description
NAME yes Delegation name
Options
Option Description
--permissions PERMISSIONS Permissions to grant (read, write). Default is write.
--attrs ATTRS Attributes to which the delegation applies
--membergroup MEMBERGROUP User group whose members' entries the delegation applies to
--group GROUP User group whose members the ACI grants access to
--all Retrieve and print all attributes from the server. Affects command output.
--raw Print entries as stored on the server. Only affects output format.
delegation-del
Usage: ipa [global-options] delegation-del NAME [options]
Delete a delegation.
Arguments
Argument Required Description
NAME yes Delegation name
delegation-find
Usage: ipa [global-options] delegation-find [CRITERIA] [options]
Search for delegations.
Arguments
Argument Required Description
CRITERIA no A string searched in all relevant object attributes
Options
Option Description
--name NAME Delegation name
--permissions PERMISSIONS Permissions to grant (read, write). Default is write.
--attrs ATTRS Attributes to which the delegation applies
--membergroup MEMBERGROUP User group whose members' entries the delegation applies to
--group GROUP User group whose members the ACI grants access to
--pkey-only Results should contain primary key attribute only ("name")
--all Retrieve and print all attributes from the server. Affects command output.
--raw Print entries as stored on the server. Only affects output format.
delegation-mod
Usage: ipa [global-options] delegation-mod NAME [options]
Modify a delegation.
Arguments
Argument Required Description
NAME yes Delegation name
Options
Option Description
--permissions PERMISSIONS Permissions to grant (read, write). Default is write.
--attrs ATTRS Attributes to which the delegation applies (replaces the existing list)
--membergroup MEMBERGROUP User group whose members' entries the delegation applies to
--group GROUP User group whose members the ACI grants access to
--all Retrieve and print all attributes from the server. Affects command output.
--raw Print entries as stored on the server. Only affects output format.
delegation-show
Usage: ipa [global-options] delegation-show NAME [options]
Display information about a delegation.
Arguments
Argument Required Description
NAME yes Delegation name
Options
Option Description
--all Retrieve and print all attributes from the server. Affects command output.