Privileges
Manage privileges that group related permissions for role assignment. Privileges aggregate permissions into meaningful units representing administrative capabilities. Features include privilege creation and modification, permission membership management, and integration with roles for implementing role-based access control (RBAC) across the IPA domain.
Overview
Privileges in FreeIPA are the middle tier of the role-based access control (RBAC) hierarchy, aggregating fine-grained permissions into meaningful administrative capabilities. While permissions define individual LDAP operations (read, write, add, delete), privileges combine related permissions into logical units that represent complete administrative tasks.
This aggregation serves two critical purposes: it simplifies role management by reducing the number of assignments administrators must make, and it ensures that multi-step operations receive all necessary permissions atomically. For example, adding a user requires not just creating the user entry, but also setting the initial password and adding the user to default groups—three separate permissions combined into a single “Add Users” privilege.
Privileges bridge the gap between low-level LDAP access controls (permissions) and high-level delegation (roles), enabling administrators to design access policies that align with organizational job functions rather than technical implementation details.
RBAC Context
In FreeIPA’s three-tier RBAC model:
Permissions (bottom tier): Define specific LDAP operations on specific object types and attributes. Examples: “System: Add Users”, “System: Modify Group Membership”, “System: Read User Standard Attributes”.
Privileges (middle tier): Aggregate related permissions into administrative capabilities. Examples: “User Administrators” privilege contains permissions for adding, modifying, and deleting users; “Group Administrators” privilege contains permissions for group lifecycle operations.
Roles (top tier): Assign privileges to entities (users, groups, hosts, services). Examples: The “User Administrator” role contains “User Administrators” and “Group Administrators” privileges; the “Helpdesk” role contains password reset and account unlock privileges.
This separation enables:
- Principle of least privilege: Grant only the permissions needed for specific job functions
- Consistent delegation: Reuse privilege definitions across multiple roles
- Auditable access: Clear traceability from role membership through privileges to specific LDAP operations
- Flexible administration: Modify privilege composition without changing role assignments
Built-in Privileges
FreeIPA provides extensive built-in privileges covering all administrative domains:
User and Group Management
User Administrators: Complete user lifecycle (add, modify, delete, unlock, enable/disable). Contains permissions for user entries, passwords, group membership, and authentication indicators.
Group Administrators: Complete group lifecycle (add, modify, delete, manage membership). Contains permissions for group entries, membership attributes, and group nesting.
Stage User Provisioners: Manage staged user entries in preparation for activation. Useful for approval workflows where user creation requires manager authorization.
User Lookup: Read-only access to user attributes for directory browsing and reporting without modification privileges.
Certificate Management
Certificate Administrators: Issue, revoke, hold, and release certificates. Manage certificate profiles and sub-CAs.
CA Administrator: Configure certificate authority settings, create sub-CAs, manage certificate profiles and ACLs.
Policy Management
HBAC Administrator: Create and modify host-based access control rules, services, and service groups.
Sudo Administrator: Create and modify sudo rules, commands, and command groups.
Password Policy Administrator: Configure global and group-specific password policies including strength, lifetime, and lockout settings.
SELinux User Map Administrator: Manage SELinux user context mappings for IPA users on enrolled systems.
Infrastructure Management
Host Administrators: Enroll, modify, and remove host entries. Manage host groups and automember rules.
Host Enrollment: Limited privilege for delegating host enrollment without full host administration.
Service Administrators: Manage service principals and their authentication settings.
Delegation Administrator: Create and modify delegation rules for further access control delegation.
Replication Administrators: Manage replication agreements and topology segments between IPA servers.
DNS Management
DNS Administrators: Manage DNS zones, records, and DNSSEC configuration.
DNS Servers: Operational privilege for automated DNS updates by IPA servers.
Directory Services
Automount Administrators: Manage automount locations, maps, and keys for NFS automounter integration.
Vault Administrators: Manage vaults and vault containers, but cannot access vault secrets (owner-controlled).
Netgroups Administrators: Manage netgroup definitions for NIS compatibility.
Custom Privileges
Organizations often need custom privileges for specific delegation patterns:
Design Principles
Task-oriented: Design privileges around job functions, not organizational structure. Example: “Branch Office User Management” rather than “Chicago Office Admin”.
Minimal scope: Include only the permissions required for the task. Avoid “kitchen sink” privileges that grant excessive access.
Clear naming: Use descriptive names that indicate capability: “Read-Only User Audit”, “Group Membership Managers”, “Certificate Renewal Operators”.
Documentation: Set comprehensive descriptions explaining the privilege’s purpose, intended use cases, and any limitations or security considerations.
Permission Aggregation Patterns
Vertical slicing (lifecycle): All operations for a specific object type. Example: A “User Account Operators” privilege containing add, modify, delete, and unlock permissions for users.
Horizontal slicing (operation): A specific operation across multiple object types. Example: A “Read-Only Auditor” privilege containing read permissions for users, groups, hosts, and policies.
Workflow-based: Permissions for a multi-step business process. Example: A “New Employee Onboarding” privilege containing permissions to create users, add to default groups, issue certificates, and enroll workstations.
Capability-based: Permissions for a specific administrative capability. Example: An “Account Recovery” privilege containing password reset and unlock permissions without full user modification rights.
Permission Membership
Adding Permissions
Privileges aggregate permissions using membership relationships:
# Add a single permission to a privilege
$ ipa privilege-add-permission "Custom User Managers" \
--permissions="System: Add Users"
# Add multiple permissions at once
$ ipa privilege-add-permission "Custom User Managers" \
--permissions="System: Modify Users" \
--permissions="System: Remove Users" \
--permissions="System: Unlock User"
Permission Discovery
Before creating custom privileges, identify required permissions:
# List all available permissions
$ ipa permission-find --all
# Search permissions by name pattern
$ ipa permission-find --name="System: *User*"
# Find permissions for specific object types
$ ipa permission-find --type=user
# Show details of a specific permission
$ ipa permission-show "System: Add Users" --all
Removing Permissions
Remove permissions when reducing privilege scope:
# Remove a permission from a privilege
$ ipa privilege-remove-permission "Custom User Managers" \
--permissions="System: Remove Users"
Role Integration
Privileges become effective when assigned to roles, which in turn are assigned to entities:
Direct Role Assignment
Most commonly, administrators create or modify roles to include specific privileges:
# Add a privilege to an existing role
$ ipa role-add-privilege "Junior Admins" \
--privileges="User Administrators"
# Create a new role with privileges
$ ipa role-add "Branch Managers" \
--desc="Branch office user and group management"
$ ipa role-add-privilege "Branch Managers" \
--privileges="User Administrators" \
--privileges="Group Administrators"
Effective Privilege Calculation
Users and services receive privileges through role membership:
# View all privileges assigned to a user
$ ipa user-show alice --all | grep -i privilege
# View all roles (and thus privileges) for a user
$ ipa user-show alice --all | grep -i "member of roles"
# Check which privilege grants a specific permission
$ ipa permission-show "System: Add Users" --all | grep -i privilege
Privilege Constraints
No Nesting
Unlike groups and roles, privileges cannot contain other privileges. The RBAC hierarchy is strictly three-tiered: permissions belong to privileges, privileges belong to roles.
Invalid: Attempting to create “super-privileges” containing other privileges. Valid: Creating comprehensive privileges by adding many individual permissions.
Permission Limits
A single privilege can contain dozens or even hundreds of permissions. However, very large privileges may indicate poor design:
- Code smell: A privilege with 50+ permissions may be too broad for least-privilege security
- Better approach: Split into multiple focused privileges that roles can combine as needed
- Exception: Built-in system privileges like “User Administrators” appropriately contain many related permissions
Deletion Safety
Privileges in use by roles cannot be deleted until all role memberships are removed:
# Attempt to delete a privilege assigned to roles fails
$ ipa privilege-del "User Administrators"
ipa: ERROR: privilege "User Administrators" is used by roles:
User Administrator
IT Administrator
# Must first remove from all roles
$ ipa role-remove-privilege "User Administrator" \
--privileges="User Administrators"
$ ipa role-remove-privilege "IT Administrator" \
--privileges="User Administrators"
# Now deletion succeeds
$ ipa privilege-del "User Administrators"
Examples
Basic Privilege Creation
# Create a simple privilege for password management
$ ipa privilege-add "Password Operators" \
--desc="Reset user passwords and unlock accounts"
# Add relevant permissions
$ ipa privilege-add-permission "Password Operators" \
--permissions="System: Change User password" \
--permissions="System: Unlock user"
# Verify privilege configuration
$ ipa privilege-show "Password Operators" --all
Custom User Management Privilege
# Create a privilege for basic user operations
$ ipa privilege-add "Basic User Managers" \
--desc="Add and modify users without deletion rights"
# Add creation and modification permissions
$ ipa privilege-add-permission "Basic User Managers" \
--permissions="System: Add Users" \
--permissions="System: Modify Users" \
--permissions="System: Read User Standard Attributes"
# Verify the privilege contains expected permissions
$ ipa privilege-show "Basic User Managers"
Privilege name: Basic User Managers
Description: Add and modify users without deletion rights
Member permissions: System: Add Users, System: Modify Users,
System: Read User Standard Attributes
Group Management Privilege
# Create a privilege for group membership management
$ ipa privilege-add "Membership Managers" \
--desc="Modify group membership without creating or deleting groups"
# Add membership modification permissions
$ ipa privilege-add-permission "Membership Managers" \
--permissions="System: Modify Group Membership" \
--permissions="System: Read Groups"
Certificate Operations Privilege
# Create a privilege for certificate lifecycle management
$ ipa privilege-add "Certificate Operators" \
--desc="Issue and revoke certificates for users and services"
# Add certificate operation permissions
$ ipa privilege-add-permission "Certificate Operators" \
--permissions="System: Request Certificate" \
--permissions="System: Revoke Certificate" \
--permissions="System: Read Certificates"
Host Enrollment Delegation
# Create a privilege for delegated host enrollment
$ ipa privilege-add "Limited Host Enrollment" \
--desc="Enroll hosts into specific hostgroups"
# Add enrollment permissions
$ ipa privilege-add-permission "Limited Host Enrollment" \
--permissions="System: Enroll a Host" \
--permissions="System: Add Hosts" \
--permissions="System: Read Host Attributes"
DNS Management Privilege
# Create a privilege for DNS record management
$ ipa privilege-add "DNS Record Managers" \
--desc="Add, modify, and delete DNS records without zone administration"
# Add DNS record permissions
$ ipa privilege-add-permission "DNS Record Managers" \
--permissions="System: Add DNS Entries" \
--permissions="System: Modify DNS Entries" \
--permissions="System: Remove DNS Entries" \
--permissions="System: Read DNS Entries"
Read-Only Audit Privilege
# Create a read-only privilege for compliance auditing
$ ipa privilege-add "Security Auditor" \
--desc="Read-only access to all user, group, and policy information"
# Add read permissions for various object types
$ ipa privilege-add-permission "Security Auditor" \
--permissions="System: Read User Standard Attributes" \
--permissions="System: Read Groups" \
--permissions="System: Read HBAC Rules" \
--permissions="System: Read Sudo Rules" \
--permissions="System: Read Password Policies"
Service Principal Management
# Create a privilege for service administration
$ ipa privilege-add "Service Managers" \
--desc="Manage service principals and their authentication settings"
# Add service operation permissions
$ ipa privilege-add-permission "Service Managers" \
--permissions="System: Add Services" \
--permissions="System: Modify Services" \
--permissions="System: Remove Services" \
--permissions="System: Manage Service Keytab"
Sudo Rule Management
# Create a privilege for sudo policy administration
$ ipa privilege-add "Sudo Policy Managers" \
--desc="Create and manage sudo rules, commands, and command groups"
# Add sudo administration permissions
$ ipa privilege-add-permission "Sudo Policy Managers" \
--permissions="System: Add Sudo rule" \
--permissions="System: Modify Sudo rule" \
--permissions="System: Remove Sudo rule" \
--permissions="System: Add Sudo Command" \
--permissions="System: Modify Sudo Command Group"
HBAC Policy Management
# Create a privilege for access control policy
$ ipa privilege-add "Access Control Managers" \
--desc="Manage HBAC rules and service definitions"
# Add HBAC administration permissions
$ ipa privilege-add-permission "Access Control Managers" \
--permissions="System: Add HBAC rule" \
--permissions="System: Modify HBAC rule" \
--permissions="System: Remove HBAC rule" \
--permissions="System: Add HBAC Services"
Discovering Permission Requirements
# Find all user-related permissions
$ ipa permission-find --name="*User*" --pkey-only
Privilege name: System: Add Users
Privilege name: System: Modify Users
Privilege name: System: Remove Users
Privilege name: System: Unlock User
[...]
# Show details of a specific permission
$ ipa permission-show "System: Add Users" --all
Privilege name: System: Add Users
Granted rights: add
Effective attributes: objectclass, uid, givenname, sn, cn, [...]
Default privileges: User Administrators
Member of privileges: User Administrators
Modifying Existing Privileges
# Update privilege description
$ ipa privilege-mod "Custom Operators" \
--desc="Updated description with expanded scope"
# Rename a privilege
$ ipa privilege-mod "Old Name" --rename="New Name"
# Add additional permissions to expand scope
$ ipa privilege-add-permission "Custom Operators" \
--permissions="System: Additional Permission"
# Remove permissions to reduce scope
$ ipa privilege-remove-permission "Custom Operators" \
--permissions="System: Excessive Permission"
Listing and Searching Privileges
# List all privileges
$ ipa privilege-find
# Search by name pattern
$ ipa privilege-find --name="*Administrator*"
# Search by description
$ ipa privilege-find --desc="*user*"
# Show only privilege names
$ ipa privilege-find --pkey-only
# Find privileges containing a specific permission
$ ipa permission-show "System: Add Users" | grep -i "member of privileges"
Privilege Assignment to Roles
# Create a new role and assign privileges
$ ipa role-add "Junior Administrators" \
--desc="Limited administrative access for junior staff"
$ ipa role-add-privilege "Junior Administrators" \
--privileges="Basic User Managers" \
--privileges="Membership Managers"
# Add privilege to existing role
$ ipa role-add-privilege "IT Support" \
--privileges="Password Operators"
# View all privileges assigned to a role
$ ipa role-show "Junior Administrators" --all
Batch Permission Assignment
# Add multiple related permissions in sequence
$ PRIV="Application Operators"
$ ipa privilege-add "$PRIV" --desc="Manage application service principals"
$ ipa privilege-add-permission "$PRIV" --permissions="System: Add Services"
$ ipa privilege-add-permission "$PRIV" --permissions="System: Modify Services"
$ ipa privilege-add-permission "$PRIV" --permissions="System: Manage Service Keytab"
$ ipa privilege-add-permission "$PRIV" --permissions="System: Request Certificate"
Permission Aggregation for Workflows
# Create a privilege for complete user provisioning workflow
$ ipa privilege-add "New Hire Provisioning" \
--desc="Complete user setup including accounts, groups, and certificates"
# Add all permissions for the end-to-end workflow
$ ipa privilege-add-permission "New Hire Provisioning" \
--permissions="System: Add Users" \
--permissions="System: Modify Users" \
--permissions="System: Modify Group Membership" \
--permissions="System: Request Certificate" \
--permissions="System: Enroll a Host"
Vertical vs Horizontal Permission Slicing
# Vertical: All operations for one object type (users)
$ ipa privilege-add "Complete User Control"
$ ipa privilege-add-permission "Complete User Control" \
--permissions="System: Add Users" \
--permissions="System: Modify Users" \
--permissions="System: Remove Users" \
--permissions="System: Unlock User"
# Horizontal: One operation across multiple types (read-only)
$ ipa privilege-add "Read Only Access"
$ ipa privilege-add-permission "Read Only Access" \
--permissions="System: Read User Standard Attributes" \
--permissions="System: Read Groups" \
--permissions="System: Read Hosts" \
--permissions="System: Read Services"
Removing Privileges
# Remove all permissions from a privilege first
$ ipa privilege-show "Old Privilege" --all | grep "Member permissions"
$ ipa privilege-remove-permission "Old Privilege" \
--permissions="System: First Permission" \
--permissions="System: Second Permission"
# Remove privilege from all roles
$ ipa privilege-show "Old Privilege" --all | grep "Member of roles"
$ ipa role-remove-privilege "Role Name" --privileges="Old Privilege"
# Delete the privilege
$ ipa privilege-del "Old Privilege"
Auditing Privilege Usage
# Find all roles using a specific privilege
$ ipa privilege-show "User Administrators" --all | grep "Member of roles"
# Find all privileges assigned to a role
$ ipa role-show "IT Administrator" --all | grep "Member privileges"
# Trace permissions from privilege to roles
$ ipa permission-show "System: Add Users" --all
[shows "Member of privileges"]
$ ipa privilege-show "User Administrators" --all
[shows "Member of roles"]
Complex Privilege Composition
# Create a comprehensive infrastructure management privilege
$ ipa privilege-add "Infrastructure Operators" \
--desc="Manage hosts, services, DNS, and certificates"
# Add host management permissions
$ ipa privilege-add-permission "Infrastructure Operators" \
--permissions="System: Add Hosts" \
--permissions="System: Modify Hosts" \
--permissions="System: Enroll a Host"
# Add service management permissions
$ ipa privilege-add-permission "Infrastructure Operators" \
--permissions="System: Add Services" \
--permissions="System: Modify Services"
# Add DNS management permissions
$ ipa privilege-add-permission "Infrastructure Operators" \
--permissions="System: Add DNS Entries" \
--permissions="System: Modify DNS Entries"
# Add certificate management permissions
$ ipa privilege-add-permission "Infrastructure Operators" \
--permissions="System: Request Certificate" \
--permissions="System: Revoke Certificate"
# Verify the complete privilege
$ ipa privilege-show "Infrastructure Operators" --all
Privilege Cloning Pattern
# Show permissions from existing privilege
$ ipa privilege-show "User Administrators" --all > /tmp/perms.txt
# Create new privilege with similar scope
$ ipa privilege-add "Limited User Administrators" \
--desc="User management without deletion rights"
# Add permissions from the original (manually select subset)
$ ipa privilege-add-permission "Limited User Administrators" \
--permissions="System: Add Users" \
--permissions="System: Modify Users" \
--permissions="System: Unlock User"
# (deliberately omit System: Remove Users)
Best Practices
Design Principles
Task-oriented naming: Name privileges after capabilities, not organizational roles. Use “Certificate Issuers” rather than “Security Team”. This maintains flexibility as organizational structures change.
Minimal scope: Grant only the permissions required for the task. Resist the temptation to add “might need someday” permissions. Over-privileged accounts increase security risk.
Comprehensive descriptions: Document the privilege’s purpose, intended use cases, required permissions, and any security considerations. Future administrators will thank you.
Regular audits: Periodically review privilege definitions to ensure they still align with organizational needs and security policies. Remove obsolete privileges and consolidate duplicates.
Test before deployment: Create test privileges in a non-production environment to verify permission combinations work as expected before granting access in production.
Permission Aggregation Strategy
Group related operations: Combine permissions that logically belong together for a complete task. A “User Provisioning” privilege should include user creation, group membership, and initial password setup.
Separate read and write: Maintain distinct read-only and read-write privileges. “User Auditors” (read-only) vs “User Operators” (read-write) enables better least-privilege controls.
Avoid permission sprawl: Don’t create dozens of nearly-identical privileges. If you find yourself creating “User Managers for Finance” and “User Managers for Engineering” with identical permissions, you probably need a single “User Managers” privilege assigned to different roles.
Consider operational boundaries: Align privileges with support tier boundaries. Tier 1 support might have password reset privileges, Tier 2 adds account unlock, Tier 3 adds user creation/deletion.
RBAC Integration
Privilege reuse: Design privileges to be combined in roles rather than creating monolithic “super-privileges”. A “Branch Manager” role might combine “Basic User Managers”, “Membership Managers”, and “Password Operators” privileges.
Clear delegation paths: Structure privileges to support clear escalation paths. Junior admins get “Basic User Managers”, senior admins add “Advanced User Managers”, while “User Administrators” privilege is reserved for the IAM team.
Role-agnostic design: Don’t embed role concepts into privilege names. “Helpdesk Operations” (good) vs “Tier 2 Support” (bad)—organizational tiers change, operational capabilities don’t.
Document role composition: Maintain documentation showing which privileges combine to form standard organizational roles. This accelerates onboarding and ensures consistent access grants.
Security Considerations
Principle of least privilege: Grant minimal permissions necessary. A user who only needs to reset passwords shouldn’t receive full “User Administrators” privilege.
Separation of duties: Avoid combining incompatible privileges. For example, the ability to create users and the ability to assign administrative roles should typically be separate privileges.
Dangerous permission combinations: Be cautious when combining permissions that together enable privilege escalation. Adding users + modifying role membership could allow unauthorized privilege grants.
Audit trail awareness: Privileges that modify security-critical objects (roles, privileges, permissions themselves) warrant extra scrutiny and should be granted sparingly.
Break-glass procedures: Maintain an emergency “super-admin” role with comprehensive privileges for disaster recovery, but restrict normal operations to task-specific privileges.
Maintenance Practices
Version control: Treat privilege definitions as code. Document changes, maintain a changelog, and consider exporting privilege definitions to version control.
Peer review: Have security or IAM teams review new privilege definitions before deployment, especially those granting write access to critical objects.
Deprecation process: When replacing or consolidating privileges, follow a deprecation process: announce the change, migrate role assignments, mark as deprecated, then delete after a grace period.
Naming conventions: Establish and enforce naming conventions. Examples: “Noun Verb” format (“User Managers”), category prefixes (“DNS: Record Operators”), or scope indicators (“Read: User Data”).
Permission inventory: Regularly review which permissions exist and ensure custom privileges use current permission names. Permissions may be renamed or superseded across IPA versions.
Common Pitfalls
Over-privileging: Adding excessive permissions “just in case” creates security risks. Grant additional permissions on-demand rather than speculatively.
Under-documentation: Failing to document privilege purpose and permission rationale. Six months later, no one will remember why “Custom Privilege 7” exists.
Organizational coupling: Embedding department names or team names in privilege definitions. “Finance User Managers” becomes obsolete when organizational structure changes.
Permission discovery shortcuts: Copying permission lists from roles without understanding what each permission does. This perpetuates over-privileging.
Ignoring built-ins: Creating custom privileges that duplicate built-in privileges. Review existing privileges before creating new ones.
No test environment: Deploying untested privilege combinations directly to production. Permission misconfigurations can grant unintended access or break legitimate workflows.
Integration Points
Permissions
Every privilege must contain at least one permission. Permissions define the actual LDAP operations (read, write, add, delete) on specific object types and attributes.
Commands: permission-find, permission-show, permission-add, permission-mod
Relationship: Permissions are members of privileges (many-to-many)
Best practice: Review permission effective attributes before adding to privileges to avoid unintended access grants
Roles
Privileges become effective when assigned to roles, which in turn grant access to users, groups, hosts, or services.
Commands: role-add-privilege, role-remove-privilege, role-show
Relationship: Privileges are members of roles (many-to-many)
Best practice: Design privileges for reuse across multiple roles rather than one-to-one mappings
Users, Groups, Hosts, Services
While privileges don’t directly reference these entities, they ultimately control what these principals can do in IPA.
Commands: user-show, group-show, host-show, service-show (with —all to see role memberships)
Relationship: Indirect through role membership
Best practice: Use role membership queries to audit effective privileges for principals
Delegation Rules
Delegation rules provide an alternative access control mechanism that can reference privileges for conditional access.
Commands: delegation-add, delegation-find
Relationship: Delegation rules can grant privileges contextually
Best practice: Use privileges for stable, broad access grants; use delegation for narrower, conditional access
ACI (Access Control Instructions)
Permissions (and thus privileges) are implemented as LDAP Access Control Instructions in the directory.
Commands: ipa permission-show --all (shows underlying ACI)
Relationship: Permissions generate ACIs; privileges aggregate permissions
Best practice: Understand that privilege changes propagate to directory ACIs, requiring replication time in multi-master environments
Use Cases
Creating Application-Specific Privilege
Applications often require a specific combination of permissions that don’t match built-in privileges. Create a custom privilege tailored to application requirements.
# Application needs to create service principals and request certificates
ipa privilege-add "Web App Service Management" \
--desc="Manage service principals and certificates for web applications"
# Identify required permissions
ipa permission-find --name="*Service*" --pkey-only
ipa permission-find --name="*Certificate*" --pkey-only
# Add permissions for service lifecycle
ipa privilege-add-permission "Web App Service Management" \
--permissions="System: Add Services" \
--permissions="System: Modify Services" \
--permissions="System: Read Services"
# Add certificate operations permissions
ipa privilege-add-permission "Web App Service Management" \
--permissions="System: Request Certificate" \
--permissions="System: Read Certificates"
# Create role and assign privilege
ipa role-add "Web App Admins" --desc="Web application administrators"
ipa role-add-privilege "Web App Admins" --privileges="Web App Service Management"
# Assign role to application team
ipa group-add webapp-team --desc="Web application team"
ipa role-add-member "Web App Admins" --groups=webapp-team
Workflow-Based Privilege for Employee Onboarding
HR onboarding workflows require specific combinations of permissions spanning users, groups, and initial resource allocation. Create a privilege supporting the complete onboarding process.
# Create onboarding privilege for HR workflow
ipa privilege-add "Employee Onboarding" \
--desc="Complete new employee provisioning workflow permissions"
# Add user creation and modification permissions
ipa privilege-add-permission "Employee Onboarding" \
--permissions="System: Add Users" \
--permissions="System: Modify Users" \
--permissions="System: Read User Standard Attributes"
# Add group membership management
ipa privilege-add-permission "Employee Onboarding" \
--permissions="System: Modify Group Membership"
# Add certificate request for employee smart cards
ipa privilege-add-permission "Employee Onboarding" \
--permissions="System: Request Certificate"
# Create HR role and assign privilege
ipa role-add "HR Provisioners" --desc="HR staff for employee onboarding"
ipa role-add-privilege "HR Provisioners" --privileges="Employee Onboarding"
# Assign to HR group
ipa group-add hr-provisioning --desc="HR provisioning team"
ipa role-add-member "HR Provisioners" --groups=hr-provisioning
Read-Only Audit Privilege for Compliance
Compliance auditors need comprehensive read access to IPA configuration without modification rights. Aggregate all read-only permissions into a single audit privilege.
# Create comprehensive read-only audit privilege
ipa privilege-add "Complete Audit Access" \
--desc="Read-only access to all IPA objects for compliance auditing"
# Add user and group read permissions
ipa privilege-add-permission "Complete Audit Access" \
--permissions="System: Read User Standard Attributes" \
--permissions="System: Read Groups"
# Add policy read permissions
ipa privilege-add-permission "Complete Audit Access" \
--permissions="System: Read HBAC Rules" \
--permissions="System: Read Sudo Rules" \
--permissions="System: Read Password Policies"
# Add infrastructure read permissions
ipa privilege-add-permission "Complete Audit Access" \
--permissions="System: Read Hosts" \
--permissions="System: Read Services" \
--permissions="System: Read DNS Entries"
# Add certificate and CA read permissions
ipa privilege-add-permission "Complete Audit Access" \
--permissions="System: Read Certificates" \
--permissions="System: Read Certificate Profiles"
# Create auditor role
ipa role-add "Compliance Auditors" --desc="Read-only access for compliance"
ipa role-add-privilege "Compliance Auditors" --privileges="Complete Audit Access"
Scoped Delete Privilege for Cleanup Operations
Junior admins need to remove test or staging user accounts but should not be able to delete production users or sensitive accounts. Create a scoped deletion privilege.
# Create privilege for stage user deletion only
ipa privilege-add "Stage User Cleanup" \
--desc="Delete staged user entries without affecting active users"
# Add staged user deletion permission
ipa privilege-add-permission "Stage User Cleanup" \
--permissions="System: Remove Stage User" \
--permissions="System: Read Stage User"
# Do NOT add System: Remove Users permission
# This restricts deletion to staging area only
# Create cleanup role
ipa role-add "Stage User Managers" --desc="Manage staged user accounts"
ipa role-add-privilege "Stage User Managers" \
--privileges="Stage User Provisioners" \
--privileges="Stage User Cleanup"
# Assign to junior admin group
ipa group-add junior-provisioners --desc="Junior provisioning team"
ipa role-add-member "Stage User Managers" --groups=junior-provisioners
Emergency Break-Glass Privilege
During emergency situations, designated staff need temporary elevated privileges for disaster recovery. Create a break-glass privilege with broad capabilities reserved for emergencies.
# Create emergency privilege with comprehensive permissions
ipa privilege-add "Emergency Operations" \
--desc="Emergency break-glass privilege for disaster recovery"
# Add critical recovery permissions
ipa privilege-add-permission "Emergency Operations" \
--permissions="System: Add Users" \
--permissions="System: Modify Users" \
--permissions="System: Unlock User" \
--permissions="System: Change User password"
# Add system recovery permissions
ipa privilege-add-permission "Emergency Operations" \
--permissions="System: Add Hosts" \
--permissions="System: Modify Hosts" \
--permissions="System: Add Services"
# Add configuration access for emergency changes
ipa privilege-add-permission "Emergency Operations" \
--permissions="System: Modify HBAC rule" \
--permissions="System: Modify Sudo rule"
# Create break-glass role (normally unused)
ipa role-add "Emergency Responders" --desc="Emergency break-glass access"
ipa role-add-privilege "Emergency Responders" --privileges="Emergency Operations"
# During emergency, add responders temporarily
# ipa role-add-member "Emergency Responders" --users=oncall-admin
# After emergency, immediately remove
# ipa role-remove-member "Emergency Responders" --users=oncall-admin
Delegated Certificate Renewal Privilege
Certificate renewal automation requires issuance privileges without full CA administration capabilities. Create minimal privilege for certificate operations.
# Create privilege for certificate renewal only
ipa privilege-add "Certificate Renewal" \
--desc="Renew existing certificates without CA administration"
# Add certificate request and read permissions
ipa privilege-add-permission "Certificate Renewal" \
--permissions="System: Request Certificate" \
--permissions="System: Read Certificates" \
--permissions="System: Retrieve Certificates from the CA"
# Explicitly do NOT add certificate revocation or CA configuration
# This limits to renewal operations only
# Create renewal automation role
ipa role-add "Cert Renewal Automation" --desc="Automated certificate renewal"
ipa role-add-privilege "Cert Renewal Automation" --privileges="Certificate Renewal"
# Assign to automation service principal
ipa service-add certrenew/automation.example.com
ipa role-add-member "Cert Renewal Automation" \
--services=certrenew/automation.example.com
Privilege for Limited DNS Subdomain Management
Network teams need to manage specific DNS subdomains (e.g., lab.example.com) without access to production zones. Create a scoped DNS privilege.
# Create privilege for specific zone management
ipa privilege-add "Lab DNS Management" \
--desc="Manage DNS records in lab subdomain only"
# Add DNS record management permissions
ipa privilege-add-permission "Lab DNS Management" \
--permissions="System: Add DNS Entries" \
--permissions="System: Modify DNS Entries" \
--permissions="System: Remove DNS Entries" \
--permissions="System: Read DNS Entries"
# Create role and assign to lab network team
ipa role-add "Lab Network Admins" --desc="Lab environment network administrators"
ipa role-add-privilege "Lab Network Admins" --privileges="Lab DNS Management"
# Assign to lab team
ipa group-add lab-netadmins --desc="Lab network administrators"
ipa role-add-member "Lab Network Admins" --groups=lab-netadmins
# Note: Actual zone restriction requires LDAP-level ACIs or delegation rules
# This privilege grants technical capability; additional controls may be needed
Group Membership Modifier Without Group Creation
Help desk teams need to add/remove users from groups for access control but should not create or delete groups themselves. Create membership-only privilege.
# Create privilege for group membership modification only
ipa privilege-add "Group Membership Operators" \
--desc="Modify group membership without group lifecycle management"
# Add only membership modification permission
ipa privilege-add-permission "Group Membership Operators" \
--permissions="System: Modify Group Membership" \
--permissions="System: Read Groups"
# Explicitly do NOT add System: Add Groups or System: Remove Groups
# This restricts to membership operations only
# Create helpdesk role
ipa role-add "Helpdesk Membership Managers" \
--desc="Helpdesk staff managing group membership"
ipa role-add-privilege "Helpdesk Membership Managers" \
--privileges="Group Membership Operators"
# Assign to helpdesk team
ipa group-add helpdesk-l2 --desc="Tier 2 helpdesk staff"
ipa role-add-member "Helpdesk Membership Managers" --groups=helpdesk-l2
Privilege Composition for Multi-Tier Support
Support organization has three tiers with escalating privileges. Create three privileges that build on each other, assigned to different support tier roles.
# Tier 1: Read-only access for information gathering
ipa privilege-add "Support Tier 1 Access" \
--desc="Read-only access to user and group information"
ipa privilege-add-permission "Support Tier 1 Access" \
--permissions="System: Read User Standard Attributes" \
--permissions="System: Read Groups"
# Tier 2: Add password reset and account unlock
ipa privilege-add "Support Tier 2 Access" \
--desc="Password reset and account unlock capabilities"
ipa privilege-add-permission "Support Tier 2 Access" \
--permissions="System: Change User password" \
--permissions="System: Unlock user"
# Tier 3: Add user modification and group membership management
ipa privilege-add "Support Tier 3 Access" \
--desc="User modification and group membership management"
ipa privilege-add-permission "Support Tier 3 Access" \
--permissions="System: Modify Users" \
--permissions="System: Modify Group Membership"
# Create roles combining privileges for each tier
ipa role-add "Support Tier 1" --desc="Tier 1 support staff"
ipa role-add-privilege "Support Tier 1" --privileges="Support Tier 1 Access"
ipa role-add "Support Tier 2" --desc="Tier 2 support staff"
ipa role-add-privilege "Support Tier 2" \
--privileges="Support Tier 1 Access" \
--privileges="Support Tier 2 Access"
ipa role-add "Support Tier 3" --desc="Tier 3 support staff"
ipa role-add-privilege "Support Tier 3" \
--privileges="Support Tier 1 Access" \
--privileges="Support Tier 2 Access" \
--privileges="Support Tier 3 Access"
Privilege Cloning and Customization
Organization needs a privilege similar to built-in “User Administrators” but without deletion rights for safety. Clone the built-in privilege and customize.
# Examine built-in User Administrators privilege
ipa privilege-show "User Administrators" --all
Member permissions: System: Add Users, System: Modify Users,
System: Remove Users, System: Unlock user, [...]
# Create new privilege based on User Administrators
ipa privilege-add "Safe User Administrators" \
--desc="User administration without deletion rights"
# Add all permissions except deletion
ipa privilege-add-permission "Safe User Administrators" \
--permissions="System: Add Users" \
--permissions="System: Modify Users" \
--permissions="System: Unlock user" \
--permissions="System: Change User password" \
--permissions="System: Read User Standard Attributes"
# Deliberately omit "System: Remove Users"
# Create role using customized privilege
ipa role-add "Safe User Admins" --desc="User admins without delete capability"
ipa role-add-privilege "Safe User Admins" --privileges="Safe User Administrators"
# Assign to junior admin team
ipa group-add junior-user-admins --desc="Junior user administrators"
ipa role-add-member "Safe User Admins" --groups=junior-user-admins
Security Considerations
Permission aggregation risks: Combining multiple permissions in a single privilege can create unintended privilege escalation paths. For example, “Add Users” + “Modify Role Membership” enables creating users and granting them administrative roles, effectively granting arbitrary privileges.
Privilege scope creep: Over time, administrators may add “just one more permission” to existing privileges, expanding scope beyond original intent. Regular privilege audits are essential to detect and remediate scope creep before privileges become dangerously broad.
Built-in privilege modification dangers: Modifying built-in privileges affects all roles using those privileges across the entire IPA deployment. A permission added to “User Administrators” immediately grants that capability to everyone holding any role containing that privilege. Prefer creating custom privileges over modifying built-ins.
No granular object filtering: Privileges grant permissions across all objects of a type. A privilege with “System: Modify Users” can modify ANY user, including administrators and service accounts. Privileges cannot restrict operations to specific OUs, groups, or object attributes beyond what permissions define.
Privilege deletion impact: Deleting a privilege immediately removes associated permissions from all roles containing that privilege. Users depending on those permissions lose access instantly, potentially breaking operational workflows. Verify privilege usage before deletion.
Permission discovery complexity: Determining which permissions to include in a custom privilege requires understanding LDAP operations and effective attributes. Incorrectly scoped permissions can grant access to sensitive attributes or deny access to necessary attributes, creating security gaps or operational failures.
Replication timing windows: Privilege changes replicate across IPA masters asynchronously. During replication lag, different masters enforce different privilege definitions, creating inconsistent access control. Critical privilege changes should be verified across all replicas before relying on them.
Insufficient separation of duties: Privileges that combine creation, modification, and deletion capabilities for critical objects (users, roles, permissions) violate separation of duties principles. Attackers compromising accounts with such privileges gain broad control.
Privilege dependency chains: Some administrative tasks require multiple privileges. If users hold only some required privileges (from different roles), they may be unable to complete tasks, or worse, complete tasks in unsafe partial ways. Ensure related permissions are grouped in coherent privileges.
No time-based or conditional access: Privileges are static grants without time-based expiration, IP-based restrictions, or conditional evaluation. Once granted, privileges remain active until explicitly revoked, increasing persistent access risk from compromised accounts.
Audit trail granularity: Audit logs record operations by user but don’t directly indicate which privilege granted the authorization. Tracing authorization decisions requires correlating user identity → role membership → privilege assignment → permission grants → LDAP ACIs.
Permission naming ambiguity: Permission names like “System: Modify Users” don’t explicitly indicate which attributes can be modified. Understanding effective scope requires inspecting permission details with --all flag, which many administrators skip, leading to over-privileged grants.
Privilege proliferation: Without governance, organizations accumulate dozens of custom privileges with overlapping permissions and unclear purposes. This proliferation complicates access control management, increases audit burden, and creates security gaps from forgotten privileges.
Cross-privilege interactions: When a user holds multiple roles with different privileges, the effective permission set is the union of all privileges. This additive model can create unintended combinations (e.g., separate “read users” and “modify passwords” privileges combine to enable password viewing in some configurations).
External permission dependencies: Some privileges depend on permissions that reference external systems (e.g., “System: Manage Certificate Profiles” depends on CA configuration). Privilege behavior may change based on external system state, creating unpredictable access control.
Troubleshooting
Cannot Add Permission to Privilege: Permission Not Found
Symptom: ipa privilege-add-permission "Custom Privilege" --permissions="System: Add Users" fails with “permission not found”.
Diagnosis: Permission name is incorrect, misspelled, or permission doesn’t exist in IPA version.
Resolution: Search for correct permission name and add with exact spelling:
# Search for user-related permissions
ipa permission-find --name="*User*" --pkey-only
Privilege name: System: Add Users
Privilege name: System: Modify Users
[...]
# Get exact permission name
ipa permission-show "System: Add Users"
Privilege name: System: Add Users
# Add permission using exact name (case-sensitive)
ipa privilege-add-permission "Custom Privilege" \
--permissions="System: Add Users"
Privilege Shows Permissions But Operations Still Fail
Symptom: Privilege contains expected permissions, role includes privilege, user holds role, but operations still fail with “Insufficient access”.
Diagnosis: Permissions may not grant required attributes, or user hasn’t refreshed Kerberos ticket after privilege change.
Resolution: Verify permission scope and refresh credentials:
# Check permission details to see granted attributes
ipa permission-show "System: Add Users" --all
Granted rights: add
Effective attributes: uid, givenname, sn, cn, [full list]
# Verify user has role and privilege
ipa user-show alice --all | grep "Member of roles"
ipa role-show "Custom Role" | grep "Member privileges"
ipa privilege-show "Custom Privilege" | grep "Member permissions"
# User must refresh Kerberos ticket
# As user alice:
kdestroy
kinit alice
# Retry operation
ipa user-add testuser --first=Test --last=User
Cannot Delete Privilege: Used by Roles
Symptom: ipa privilege-del "Old Privilege" fails with error indicating privilege is in use by roles.
Diagnosis: Privilege is assigned to one or more roles and must be removed from all roles before deletion.
Resolution: Remove privilege from all roles before deleting:
# Find which roles use the privilege
ipa privilege-show "Old Privilege" --all | grep "Member of roles"
Member of roles: Custom Role 1, Custom Role 2
# Remove privilege from each role
ipa role-remove-privilege "Custom Role 1" --privileges="Old Privilege"
ipa role-remove-privilege "Custom Role 2" --privileges="Old Privilege"
# Verify privilege has no role membership
ipa privilege-show "Old Privilege" --all | grep "Member of roles"
(no output - no role membership)
# Now delete the privilege
ipa privilege-del "Old Privilege"
Permission Already Belongs to Another Privilege
Symptom: Adding permission to privilege shows warning “permission already belongs to privilege X” but operation completes.
Diagnosis: This is informational, not an error. Permissions can belong to multiple privileges (many-to-many relationship).
Resolution: Verify permission was added successfully:
# Add permission (may show warning)
ipa privilege-add-permission "Custom Privilege" \
--permissions="System: Add Users"
Warning: System: Add Users already belongs to: User Administrators
Modified privilege "Custom Privilege"
# Verify permission was added despite warning
ipa privilege-show "Custom Privilege" | grep "Member permissions"
Member permissions: System: Add Users
# This is expected behavior - permissions can be in multiple privileges
Privilege Modification Not Taking Effect
Symptom: Added permissions to privilege, but users with roles containing that privilege still cannot perform operations.
Diagnosis: Users’ Kerberos tickets were issued before privilege modification; tickets don’t reflect updated permissions.
Resolution: All users with affected roles must refresh Kerberos tickets:
# Modify privilege
ipa privilege-add-permission "Custom Privilege" \
--permissions="System: Additional Permission"
# Identify affected users
ipa role-show "Role Using Custom Privilege" | grep "Member"
Member users: alice, bob
Member groups: admin-group
# All affected users must refresh tickets
# As user alice:
kdestroy
kinit alice
# Retry operation that was failing
ipa <command> # Should now succeed
Cannot Remove Permission from Privilege
Symptom: ipa privilege-remove-permission "Privilege" --permissions="Permission" fails with “permission not found in privilege”.
Diagnosis: Permission name is incorrect or permission is not actually a member of the privilege.
Resolution: Verify permission membership and use exact name:
# Show privilege's current permissions
ipa privilege-show "Custom Privilege" --all | grep "Member permissions"
Member permissions: System: Add Users, System: Modify Users
# Remove permission using exact name from above output
ipa privilege-remove-permission "Custom Privilege" \
--permissions="System: Add Users"
# Verify removal
ipa privilege-show "Custom Privilege" | grep "Member permissions"
Member permissions: System: Modify Users
Privilege Shows Empty Permissions After Upgrade
Symptom: After IPA version upgrade, custom privileges show no member permissions despite previously having permissions.
Diagnosis: Some permissions may have been renamed, removed, or replaced during version upgrade.
Resolution: Re-add permissions using new names:
# Show privilege (empty permissions)
ipa privilege-show "Custom Privilege"
Privilege name: Custom Privilege
Member permissions: (none)
# Search for replacement permissions in new version
ipa permission-find --all | grep -i "add users"
# Re-add permissions with updated names
ipa privilege-add-permission "Custom Privilege" \
--permissions="System: Add Users"
# Verify restoration
ipa privilege-show "Custom Privilege"
Member permissions: System: Add Users
Effective Permissions Don’t Match Privilege Definition
Symptom: Privilege shows specific permissions, but users can perform operations beyond what those permissions should grant.
Diagnosis: User holds multiple roles with different privileges; effective permissions are the union of all privileges.
Resolution: Audit all user’s roles and privileges:
# Show all roles user holds
ipa user-show alice --all | grep "Member of roles"
Member of roles: Custom Role, User Administrator
# Check privileges for each role
ipa role-show "Custom Role" | grep "Member privileges"
Member privileges: Custom Privilege
ipa role-show "User Administrator" | grep "Member privileges"
Member privileges: User Administrators, Group Administrators
# User has permissions from ALL these privileges combined
# To restrict, remove user from roles granting excessive privileges
ipa role-remove-member "User Administrator" --users=alice
Cannot Add Custom Privilege to Built-in Role
Symptom: Attempting to add custom privilege to built-in role fails or shows warning.
Diagnosis: This may be a version-specific restriction or warning, but generally should work.
Resolution: Verify role is modifiable and retry:
# Attempt to add privilege to built-in role
ipa role-add-privilege "User Administrator" \
--privileges="Custom Privilege"
# If this fails, create a custom role instead
ipa role-add "Custom User Admin" \
--desc="User administration with custom privileges"
# Add both built-in and custom privileges to new role
ipa role-add-privilege "Custom User Admin" \
--privileges="User Administrators" \
--privileges="Custom Privilege"
# Migrate users to new custom role
ipa role-add-member "Custom User Admin" --groups=admin-group
Privilege Name Collision After Rename
Symptom: Cannot rename privilege because target name already exists.
Diagnosis: Another privilege already uses the desired name.
Resolution: Use unique name or delete conflicting privilege first:
# Attempt rename
ipa privilege-mod "Old Name" --rename="Desired Name"
ipa: ERROR: privilege with name "Desired Name" already exists
# Check existing privilege
ipa privilege-show "Desired Name"
Privilege name: Desired Name
Member permissions: (none)
# Option 1: Use different name
ipa privilege-mod "Old Name" --rename="Desired Name v2"
# Option 2: Delete conflicting empty privilege first
ipa privilege-del "Desired Name"
ipa privilege-mod "Old Name" --rename="Desired Name"
Permission Grants Too Much Access
Symptom: Permission grants access to sensitive attributes that shouldn’t be accessible to users with this privilege.
Diagnosis: Permission’s effective attributes include sensitive fields beyond what’s needed.
Resolution: Create custom permission with restricted attribute set:
# Show permission's effective attributes
ipa permission-show "System: Modify Users" --all
Effective attributes: uid, givenname, sn, cn, mail, telephonenumber,
userpassword, [many more including sensitive attrs]
# Create custom permission with limited attributes
ipa permission-add "Custom: Modify User Basic Info" \
--type=user \
--right=write \
--attrs=givenname,sn,cn,mail,telephonenumber
# Create privilege using custom permission instead
ipa privilege-add "Limited User Modification" \
--desc="Modify user basic information only"
ipa privilege-add-permission "Limited User Modification" \
--permissions="Custom: Modify User Basic Info"
# Use this privilege in roles instead of built-in broader privilege
Privilege Replication Not Consistent Across Masters
Symptom: Privilege exists on some IPA masters but not others, or has different permissions on different masters.
Diagnosis: Replication failure or replication conflict between IPA masters.
Resolution: Force replication and resolve conflicts:
# Check privilege on all masters
for server in ipa01.example.com ipa02.example.com ipa03.example.com; do
echo "=== $server ==="
ipa -s $server privilege-show "Custom Privilege" 2>&1
done
# Force replication from authoritative master
ipa-replica-manage re-initialize --from=ipa01.example.com
# Wait for replication to complete (5-10 minutes)
sleep 300
# Verify consistency
ipa privilege-show "Custom Privilege" --all
Cannot Find Permission for Required Operation
Symptom: Need to create privilege for specific operation but cannot find appropriate permission.
Diagnosis: Permission may not exist, or may have non-obvious name.
Resolution: Search permissions broadly and examine permission details:
# Search for permission by operation type
ipa permission-find --right=add --type=user
ipa permission-find --right=write --type=group
# Search by keyword in name
ipa permission-find --name="*password*"
ipa permission-find --name="*cert*"
# If no suitable permission exists, create custom permission
ipa permission-add "Custom: Specific Operation" \
--type=<object-type> \
--right=<read/write/add/delete> \
--attrs=<attribute-list>
# Add custom permission to privilege
ipa privilege-add-permission "Custom Privilege" \
--permissions="Custom: Specific Operation"
Privilege Appears in Role But Not Listed in Privilege-Find
Symptom: ipa role-show lists a privilege, but ipa privilege-find doesn’t show it or ipa privilege-show fails.
Diagnosis: Referential integrity issue or deleted privilege with stale role reference.
Resolution: Clean up stale references:
# Role shows privilege membership
ipa role-show "Custom Role"
Member privileges: Old Privilege
# But privilege doesn't exist
ipa privilege-show "Old Privilege"
ipa: ERROR: Old Privilege: privilege not found
# Remove stale reference from role
ipa role-remove-privilege "Custom Role" --privileges="Old Privilege"
# Verify cleanup
ipa role-show "Custom Role"
Member privileges: (none or other valid privileges)
Bulk Permission Addition Fails Partially
Symptom: Adding multiple permissions to privilege in single command, some succeed and some fail.
Diagnosis: Some permission names are invalid or permissions don’t exist.
Resolution: Add permissions individually to identify failures:
# Bulk addition shows partial failure
ipa privilege-add-permission "Custom Privilege" \
--permissions="System: Add Users" \
--permissions="System: Invalid Permission" \
--permissions="System: Modify Users"
ipa: ERROR: System: Invalid Permission: permission not found
Modified privilege "Custom Privilege"
# Check which permissions were added
ipa privilege-show "Custom Privilege"
Member permissions: System: Add Users, System: Modify Users
# Invalid permission was skipped, others succeeded
# Correct the invalid permission name and add separately
ipa permission-find --name="*Invalid*"
# Find correct name, then:
ipa privilege-add-permission "Custom Privilege" \
--permissions="System: Correct Permission Name"
Commands
privilege-add
Usage: ipa [global-options] privilege-add NAME [options]
Add a new privilege.
Arguments
| Argument | Required | Description |
|---|---|---|
NAME | yes | Privilege name |
Options
| Option | Description |
|---|---|
--desc DESC | Privilege description |
--setattr SETATTR | Set an attribute to a name/value pair. Format is attr=value. |
--addattr ADDATTR | Add an attribute/value pair. Format is attr=value. The attribute |
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--no-members | Suppress processing of membership attributes. |
privilege-add-permission
Usage:
ipa [global-options] privilege-add-permission NAME [options]
Add permissions to a privilege.
Arguments
| Argument | Required | Description |
|---|---|---|
NAME | yes | Privilege name |
Options
| Option | Description |
|---|---|
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--no-members | Suppress processing of membership attributes. |
--permissions PERMISSIONS | permissions |
privilege-del
Usage: ipa [global-options] privilege-del NAME [options]
Delete a privilege.
Arguments
| Argument | Required | Description |
|---|---|---|
NAME | yes | Privilege name |
Options
| Option | Description |
|---|---|
--continue | Continuous mode: Don’t stop on errors. |
privilege-find
Usage: ipa [global-options] privilege-find [CRITERIA] [options]
Search for privileges.
Arguments
Argument Required Description
CRITERIA no A string searched in all relevant object
attributes
Options
| Option | Description |
|---|---|
--name NAME | Privilege name |
--desc DESC | Privilege description |
--timelimit TIMELIMIT | Time limit of search in seconds (0 is unlimited) |
--sizelimit SIZELIMIT | Maximum number of entries returned (0 is unlimited) |
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--pkey-only | Results should contain primary key attribute only (“name”) |
privilege-mod
Usage: ipa [global-options] privilege-mod NAME [options]
Modify a privilege.
Arguments
| Argument | Required | Description |
|---|---|---|
NAME | yes | Privilege name |
Options
| Option | Description |
|---|---|
--desc DESC | Privilege description |
--setattr SETATTR | Set an attribute to a name/value pair. Format is attr=value. |
--addattr ADDATTR | Add an attribute/value pair. Format is attr=value. The attribute |
--delattr DELATTR | Delete an attribute/value pair. The option will be evaluated |
--rights | Display the access rights of this entry (requires —all). See ipa man page for details. |
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--no-members | Suppress processing of membership attributes. |
--rename RENAME | Rename the privilege object |
privilege-remove-permission
Usage:
ipa [global-options] privilege-remove-permission NAME [options]
Remove permissions from a privilege.
Arguments
| Argument | Required | Description |
|---|---|---|
NAME | yes | Privilege name |
Options
| Option | Description |
|---|---|
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--no-members | Suppress processing of membership attributes. |
--permissions PERMISSIONS | permissions |
privilege-show
Usage: ipa [global-options] privilege-show NAME [options]
Display information about a privilege.
Arguments
| Argument | Required | Description |
|---|---|---|
NAME | yes | Privilege name |
Options
| Option | Description |
|---|---|
--rights | Display the access rights of this entry (requires —all). See ipa man page for details. |
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--no-members | Suppress processing of membership attributes. |