Self-Service Permissions
Manage self-service permissions allowing users to modify their own attributes. Self-service rules enable users to update specific personal information without administrative intervention. Features include attribute selection, automatic application to all users, and integration with the permission system for secure, user-initiated attribute management.
A permission enables fine-grained delegation of rights. Access Control Rules, or Instructions (ACIs), allow permissions to perform given tasks such as adding a user or modifying a group.
A self-service permission defines what an object can change in its own entry.
EXAMPLES
Add a self-service rule to allow users to manage their address (using Bash brace expansion):
  ipa selfservice-add --permissions=write --attrs={street,postalCode,l,c,st} "Users manage their own address"
When managing the list of attributes you need to include all attributes in the list, including existing ones.
Add telephoneNumber to the list (using Bash brace expansion):
  ipa selfservice-mod --attrs={street,postalCode,l,c,st,telephoneNumber} "Users manage their own address"
Display our updated rule:
  ipa selfservice-show "Users manage their own address"
Delete a rule:
  ipa selfservice-del "Users manage their own address"
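Because selfservice-mod needs the complete attribute list, including existing ones, a helper that carries the current attributes over avoids dropping one from the rule by accident. The following is an added example, not part of the FreeIPA documentation or code: the function names and the layout of the sample `ipa selfservice-show` output are assumptions, and it only prints the command for review.

```shell
#!/usr/bin/env bash
# Constructed sample of `ipa selfservice-show` output (field layout assumed).
SAMPLE_SHOW='  Self-service name: Users manage their own address
  Permissions: write
  Attributes: street, postalCode, l, c, st'

# current_attrs: read selfservice-show output on stdin and print the rule's
# attributes one per line.
current_attrs() {
    sed -n 's/^[[:space:]]*Attributes:[[:space:]]*//p' | tr ',' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//; /^$/d'
}

# merge_attrs SHOW_OUTPUT NEW_ATTR...
# Print the existing attributes followed by the new ones, one per line.
# Anything that is not a plain LDAP attribute name is rejected, and duplicates
# are dropped case-insensitively because LDAP attribute names ignore case.
merge_attrs() {
    [ "$#" -ge 2 ] || { echo "usage: merge_attrs SHOW_OUTPUT ATTR..." >&2; return 2; }
    show=$1; shift
    { printf '%s\n' "$show" | current_attrs; printf '%s\n' "$@"; } |
        awk '!/^[A-Za-z][A-Za-z0-9-]*$/ {
                 print "invalid attribute: " $0 > "/dev/stderr"; bad = 1; next }
             !seen[tolower($0)]++
             END { exit bad + 0 }'
}

# mod_args SHOW_OUTPUT NEW_ATTR...
# Print the complete list as repeated --attrs= options, the form that
# --attrs={a,b} expands to. A one-item brace such as --attrs={l} is not
# expanded by Bash, so building the options explicitly also avoids that case.
mod_args() {
    merged=$(merge_attrs "$@") || return 1
    printf '%s\n' "$merged" | sed 's/^/--attrs=/' | paste -sd' ' -
}

# Print the command for review; nothing here contacts the IPA server.
echo "ipa selfservice-mod $(mod_args "$SAMPLE_SHOW" telephoneNumber) \"Users manage their own address\""
```

In real use, pass the output of `ipa selfservice-show "Users manage their own address"` in place of the constructed sample.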
Commands
Command           Description
selfservice-add   Add a new self-service permission.
selfservice-del   Delete a self-service permission.
selfservice-find  Search for a self-service permission.
selfservice-mod   Modify a self-service permission.
selfservice-show  Display information about a self-service permission.
selfservice-add
Usage: ipa [global-options] selfservice-add NAME [options]
Add a new self-service permission.
Arguments
Argument  Required  Description
NAME      yes       Self-service name
Options
Option                     Description
--permissions PERMISSIONS  Permissions to grant (read, write). Default is write.
--attrs ATTRS              Attributes to which the permission applies.
--all                      Retrieve and print all attributes from the server. Affects command output.
--raw                      Print entries as stored on the server. Only affects output format.
selfservice-del
Usage: ipa [global-options] selfservice-del NAME [options]
Delete a self-service permission.
Arguments
Argument  Required  Description
NAME      yes       Self-service name
selfservice-find
Usage: ipa [global-options] selfservice-find [CRITERIA] [options]
Search for a self-service permission.
Arguments
Argument  Required  Description
CRITERIA  no        A string searched in all relevant object attributes
Options
Option                     Description
--name NAME                Self-service name
--permissions PERMISSIONS  Permissions to grant (read, write). Default is write.
--attrs ATTRS              Attributes to which the permission applies.
--pkey-only                Results should contain primary key attribute only (“name”)
--all                      Retrieve and print all attributes from the server. Affects command output.
--raw                      Print entries as stored on the server. Only affects output format.
selfservice-mod
Usage: ipa [global-options] selfservice-mod NAME [options]
Modify a self-service permission.
Arguments
Argument  Required  Description
NAME      yes       Self-service name
Options
Option                     Description
--permissions PERMISSIONS  Permissions to grant (read, write). Default is write.
--attrs ATTRS              Attributes to which the permission applies.
--all                      Retrieve and print all attributes from the server. Affects command output.
--raw                      Print entries as stored on the server. Only affects output format.
selfservice-show
Usage: ipa [global-options] selfservice-show NAME [options]
Display information about a self-service permission.
Arguments
Argument  Required  Description
NAME      yes       Self-service name
Options
Option  Description
--all   Retrieve and print all attributes from the server. Affects command output.