HBAC Service Groups

Manage groups of HBAC services for simplified policy management. Service groups enable collective assignment of multiple services to HBAC rules, reducing administrative overhead. Features include nested service group membership, service addition and removal, and centralized management of related service access policies.

HBAC service groups can contain any number of individual services, or “members”. Every group must have a description.

EXAMPLES

Add a new HBAC service group:

ipa hbacsvcgroup-add --desc="login services" login

Add members to an HBAC service group:

ipa hbacsvcgroup-add-member --hbacsvcs=sshd --hbacsvcs=login login

Display information about a named group:

ipa hbacsvcgroup-show login

Delete an HBAC service group:

ipa hbacsvcgroup-del login
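The member commands above can also hold a group to a reviewed list of services, so that a service added out of band does not silently widen every HBAC rule that references the group. The following is an added example, not part of the FreeIPA documentation: it reads `ipa hbacsvcgroup-show` output and prints the `hbacsvcgroup-add-member` and `hbacsvcgroup-remove-member` commands needed to match the reviewed list, without running them. The `Member HBAC service:` label in the sample output, the function names, and the `su` and `vsftpd` service names are assumptions made for the example.

```shell
#!/bin/sh
# Added example: plan (print, never run) the ipa commands that bring an
# HBAC service group's membership in line with a reviewed list.
# Assumes service and group names contain no whitespace or glob characters.

# Constructed sample of `ipa hbacsvcgroup-show login` output. The
# "Member HBAC service:" label is an assumption about the CLI's output.
SAMPLE_SHOW='  Service group name: login
  Description: login services
  Member HBAC service: sshd, login, vsftpd'

# Read show output on stdin; print member service names, one per line.
current_members() {
    sed -n 's/^ *Member HBAC service: *//p' | tr ',' '\n' |
        sed 's/^ *//; s/ *$//' | sed '/^$/d' | sort -u
}

# Print each name listed in $1 that does not appear as a line of $2.
not_in() {
    for item in $1; do
        printf '%s\n' "$2" | grep -qxF -- "$item" || printf '%s\n' "$item"
    done
}

# Usage: ipa hbacsvcgroup-show GROUP | plan_sync GROUP "svc1 svc2 ..."
plan_sync() {
    group=$1
    desired=$(printf '%s\n' $2 | sort -u)
    current=$(current_members)
    # Reviewed services missing from the group: add them.
    for svc in $(not_in "$desired" "$current"); do
        printf 'ipa hbacsvcgroup-add-member --hbacsvcs=%s %s\n' "$svc" "$group"
    done
    # Members that are not on the reviewed list: remove them.
    for svc in $(not_in "$current" "$desired"); do
        printf 'ipa hbacsvcgroup-remove-member --hbacsvcs=%s %s\n' "$svc" "$group"
    done
}

# Demo on the constructed sample: the reviewed list is sshd, login and su.
printf '%s\n' "$SAMPLE_SHOW" | plan_sync login "sshd login su"
```

An empty plan means the group already matches the reviewed list; any `remove-member` line is a service that was added outside the review and is worth tracing before removal.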

Commands


Command Description


hbacsvcgroup-add Add a new HBAC service group.

hbacsvcgroup-add-member Add members to an HBAC service group.

hbacsvcgroup-del Delete an HBAC service group.

hbacsvcgroup-find Search for an HBAC service group.

hbacsvcgroup-mod Modify an HBAC service group.

hbacsvcgroup-remove-member Remove members from an HBAC service group.

hbacsvcgroup-show Display information about an HBAC service group.


hbacsvcgroup-add

Usage: ipa [global-options] hbacsvcgroup-add NAME [options]

Add a new HBAC service group.

Arguments


Argument Required Description


NAME yes Service group name


Options


Option Description


--desc DESC HBAC service group description

--setattr SETATTR Set an attribute to a name/value pair. Format is attr=value.

--addattr ADDATTR Add an attribute/value pair. Format is attr=value. The attribute

--all Retrieve and print all attributes from the server. Affects command output.

--raw Print entries as stored on the server. Only affects output format.

--no-members Suppress processing of membership attributes.


hbacsvcgroup-add-member

Usage: ipa [global-options] hbacsvcgroup-add-member NAME [options]

Add members to an HBAC service group.

Arguments


Argument Required Description


NAME yes Service group name


Options


Option Description


--all Retrieve and print all attributes from the server. Affects command output.

--raw Print entries as stored on the server. Only affects output format.

--no-members Suppress processing of membership attributes.

--hbacsvcs HBACSVCS HBAC services to add


hbacsvcgroup-del

Usage: ipa [global-options] hbacsvcgroup-del NAME [options]

Delete an HBAC service group.

Arguments


Argument Required Description


NAME yes Service group name


Options


Option Description


--continue Continuous mode: Don’t stop on errors.



hbacsvcgroup-find

Usage: ipa [global-options] hbacsvcgroup-find [CRITERIA] [options]

Search for an HBAC service group.

Arguments


Argument Required Description


CRITERIA no A string searched in all relevant object attributes


Options


Option Description


--name NAME Service group name

--desc DESC HBAC service group description

--timelimit TIMELIMIT Time limit of search in seconds (0 is unlimited)

--sizelimit SIZELIMIT Maximum number of entries returned (0 is unlimited)

--all Retrieve and print all attributes from the server. Affects command output.

--raw Print entries as stored on the server. Only affects output format.

--pkey-only Results should contain primary key attribute only (“name”)


hbacsvcgroup-mod

Usage: ipa [global-options] hbacsvcgroup-mod NAME [options]

Modify an HBAC service group.

Arguments


Argument Required Description


NAME yes Service group name


Options


Option Description


--desc DESC HBAC service group description

--setattr SETATTR Set an attribute to a name/value pair. Format is attr=value.

--addattr ADDATTR Add an attribute/value pair. Format is attr=value. The attribute

--delattr DELATTR Delete an attribute/value pair. The option will be evaluated

--rights Display the access rights of this entry (requires --all). See ipa man page for details.

--all Retrieve and print all attributes from the server. Affects command output.

--raw Print entries as stored on the server. Only affects output format.

--no-members Suppress processing of membership attributes.


hbacsvcgroup-remove-member

Usage: ipa [global-options] hbacsvcgroup-remove-member NAME [options]

Remove members from an HBAC service group.

Arguments


Argument Required Description


NAME yes Service group name


Options


Option Description


--all Retrieve and print all attributes from the server. Affects command output.

--raw Print entries as stored on the server. Only affects output format.

--no-members Suppress processing of membership attributes.

--hbacsvcs HBACSVCS HBAC services to remove


hbacsvcgroup-show

Usage: ipa [global-options] hbacsvcgroup-show NAME [options]

Display information about an HBAC service group.

Arguments


Argument Required Description


NAME yes Service group name


Options


Option Description


--rights Display the access rights of this entry (requires --all). See ipa man page for details.

--all Retrieve and print all attributes from the server. Affects command output.

--raw Print entries as stored on the server. Only affects output format.

--no-members Suppress processing of membership attributes.
