Privileges
Manage privileges that group related permissions for role assignment. Privileges aggregate permissions into meaningful units representing administrative capabilities. Features include privilege creation and modification, permission membership management, and integration with roles for implementing role-based access control (RBAC) across the IPA domain.
A privilege combines permissions into a logical task. A permission provides the rights to do a single task. There are some IPA operations that require multiple permissions to succeed. A privilege is where permissions are combined in order to perform a specific task.
For example, adding a user requires the following permissions:
- Creating a new user entry
- Resetting a user password
- Adding the new user to the default IPA users group
Combining these three low-level tasks into a higher-level task, in the form of a privilege named “Add User”, makes it easier to manage roles.
A privilege may not contain other privileges.
See role and permission for additional information.
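The “Add User” example above, carried through end to end as an added POSIX shell script (this is not part of the FreeIPA documentation or the project's own tooling). It creates the privilege with the commands documented below, adds the three permissions one at a time, grants the privilege through a role with role-add and role-add-privilege, and then audits the privilege by parsing privilege-show output so that it grants exactly the intended permissions and nothing more. The permission names are assumed to be the FreeIPA 4.x managed-permission names for user creation and should be confirmed with ipa permission-find; the role name, descriptions and the IPA_CMD variable are the example's own.

```shell
#!/bin/sh
# Added example (not from the FreeIPA documentation): build the "Add User"
# privilege from its three permissions, grant it through a role, and verify
# that the privilege grants exactly those permissions.
# IPA_CMD defaults to the ipa client; set IPA_CMD="echo ipa" to preview the
# commands without changing the directory.
IPA_CMD="${IPA_CMD:-ipa}"

# Assumed to match the FreeIPA 4.x managed permissions for user creation;
# confirm the exact names with `ipa permission-find` in your own domain.
ADD_USER_PERMS='System: Add Users
System: Change User password
System: Add User to default group'

# Create the privilege, then add the permissions one call at a time so that a
# rejected permission name is reported individually.
build_add_user_privilege() {
    priv="$1"
    $IPA_CMD privilege-add "$priv" \
        --desc="Create a user entry, set its password, add it to the default group" || return 1
    printf '%s\n' "$ADD_USER_PERMS" | while IFS= read -r perm; do
        $IPA_CMD privilege-add-permission "$priv" --permissions="$perm" || exit 1
    done
}

# A privilege grants nothing on its own: a role must carry it. Members are
# added to the role separately with role-add-member.
attach_to_role() {
    role="$1"; priv="$2"
    $IPA_CMD role-add "$role" --desc="Helpdesk staff who onboard users" || return 1
    $IPA_CMD role-add-privilege "$role" --privileges="$priv"
}

# Print the permissions a privilege grants, one per line, by parsing the
# comma-separated "Permissions:" line of privilege-show's human-readable
# output. For scripted audits prefer --raw output or the JSON-RPC API.
privilege_permissions() {
    $IPA_CMD privilege-show "$1" \
        | sed -n 's/^ *Permissions: //p' \
        | tr ',' '\n' \
        | sed 's/^ *//; s/ *$//; /^$/d'
}

# Least-privilege check: succeed only when the privilege grants exactly the
# intended set, with nothing missing and nothing extra.
audit_privilege() {
    actual=$(privilege_permissions "$1" | sort)
    expected=$(printf '%s\n' "$ADD_USER_PERMS" | sort)
    [ "$actual" = "$expected" ]
}

main() {
    build_add_user_privilege "Add User" &&
        attach_to_role "User Onboarding" "Add User" &&
        audit_privilege "Add User" &&
        echo "OK: 'Add User' grants exactly the expected permissions"
}

# Run the full flow only when invoked as `sh add_user_privilege.sh run`
# with a Kerberos ticket that may manage privileges and roles; sourcing the
# file elsewhere only defines the functions above.
if [ "${1:-}" = run ]; then
    main
fi
```

Run it as `sh add_user_privilege.sh run` against a domain where you hold an admin ticket; `IPA_CMD="echo ipa" sh add_user_privilege.sh run` prints the commands it would issue instead (the final audit step then fails, because echo returns no entry to parse). The audit function is the part worth keeping: run it after any privilege-add-permission or privilege-mod to confirm that the bundle a role hands out still matches what was intended.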
Commands
Command                       Description
privilege-add                 Add a new privilege.
privilege-add-permission      Add permissions to a privilege.
privilege-del                 Delete a privilege.
privilege-find                Search for privileges.
privilege-mod                 Modify a privilege.
privilege-remove-permission   Remove permissions from a privilege.
privilege-show                Display information about a privilege.
privilege-add
Usage: ipa [global-options] privilege-add NAME [options]
Add a new privilege.
Arguments
Argument   Required   Description
NAME       yes        Privilege name
Options
Option               Description
--desc DESC          Privilege description
--setattr SETATTR    Set an attribute to a name/value pair. Format is attr=value.
--addattr ADDATTR    Add an attribute/value pair. Format is attr=value. The attribute
--all                Retrieve and print all attributes from the server. Affects command output.
--raw                Print entries as stored on the server. Only affects output format.
--no-members         Suppress processing of membership attributes.
privilege-add-permission
Usage: ipa [global-options] privilege-add-permission NAME [options]
Add permissions to a privilege.
Arguments
Argument   Required   Description
NAME       yes        Privilege name
Options
Option                      Description
--all                       Retrieve and print all attributes from the server. Affects command output.
--raw                       Print entries as stored on the server. Only affects output format.
--no-members                Suppress processing of membership attributes.
--permissions PERMISSIONS   Permission names to add to the privilege
privilege-del
Usage: ipa [global-options] privilege-del NAME [options]
Delete a privilege.
Arguments
Argument   Required   Description
NAME       yes        Privilege name
Options
Option       Description
--continue   Continuous mode: Don’t stop on errors.
privilege-find
Usage: ipa [global-options] privilege-find [CRITERIA] [options]
Search for privileges.
Arguments
Argument   Required   Description
CRITERIA   no         A string searched in all relevant object attributes
Options
Option                  Description
--name NAME             Privilege name
--desc DESC             Privilege description
--timelimit TIMELIMIT   Time limit of search in seconds (0 is unlimited)
--sizelimit SIZELIMIT   Maximum number of entries returned (0 is unlimited)
--all                   Retrieve and print all attributes from the server. Affects command output.
--raw                   Print entries as stored on the server. Only affects output format.
--pkey-only             Results should contain primary key attribute only (“name”)
privilege-mod
Usage: ipa [global-options] privilege-mod NAME [options]
Modify a privilege.
Arguments
Argument   Required   Description
NAME       yes        Privilege name
Options
Option               Description
--desc DESC          Privilege description
--setattr SETATTR    Set an attribute to a name/value pair. Format is attr=value.
--addattr ADDATTR    Add an attribute/value pair. Format is attr=value. The attribute
--delattr DELATTR    Delete an attribute/value pair. The option will be evaluated
--rights             Display the access rights of this entry (requires --all). See ipa man page for details.
--all                Retrieve and print all attributes from the server. Affects command output.
--raw                Print entries as stored on the server. Only affects output format.
--no-members         Suppress processing of membership attributes.
--rename RENAME      Rename the privilege object
privilege-remove-permission
Usage: ipa [global-options] privilege-remove-permission NAME [options]
Remove permissions from a privilege.
Arguments
Argument   Required   Description
NAME       yes        Privilege name
Options
Option                      Description
--all                       Retrieve and print all attributes from the server. Affects command output.
--raw                       Print entries as stored on the server. Only affects output format.
--no-members                Suppress processing of membership attributes.
--permissions PERMISSIONS   Permission names to remove from the privilege
privilege-show
Usage: ipa [global-options] privilege-show NAME [options]
Display information about a privilege.
Arguments
Argument   Required   Description
NAME       yes        Privilege name
Options
Option     Description
--rights   Display the access rights of this entry (requires --all). See ipa man page for details.
--all      Retrieve and print all attributes from the server. Affects command output.
--raw      Print entries as stored on the server. Only affects output format.