[Freeipa-users] Limit regular user access only to self service portal

David Kupka dkupka at redhat.com
Wed Jan 18 08:09:06 UTC 2017


On 17/01/17 16:23, Georgijs Radovs wrote:
> Hello everyone!
>
> Is it possible to configure Self-service permissions in FreeIPA in a way,
> so that, when regular users log in, they don't have read access to other
> FreeIPA sections like "Policy", "Authentication", "IPA Server"...?
>
> My goal is - when a user logs in to the Self-service portal, he sees only
> his user account in the "Identity" tab, no other tabs like "Policy" or
> "Authentication", and can read and write only to his own profile.
>
> Basically, I want to limit the user to his account only, so he does not
> see information about other accounts.
>
>

Hello,
by default a user without any added roles can see the "Users" and "OTP
Tokens" tabs and is able to read other users and modify only his own
attributes.

You can find the permissions that affect reading user attributes in IPA
Server->Role Based Access Control->Permissions (e.g. System: Read User
Addressbook Attributes) and change "Bind rule type" from all to
"permission".
But be aware that modifying the permissions may result in SSSD being
unable to resolve users unless you add those permissions to hosts (SSSD
always uses the host principal in a FreeIPA deployment).

-- 
David Kupka

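The change David describes, scripted with the ipa CLI as an added example (not code from this thread or from the FreeIPA project): tighten the bind rule on the user-read permissions and, so that SSSD on enrolled hosts can still resolve users, grant the same permissions to a host group through a privilege and a role. The host group name "ipaclients" and the privilege and role names are assumptions; with DRY_RUN=1 (or when the ipa CLI is absent) the commands are printed instead of executed.

```shell
#!/bin/sh
# Added example: move FreeIPA user-read permissions from bind rule type
# "all" to "permission" and hand them to a host group for SSSD.
# Assumed names: host group "ipaclients", privilege and role names below.

# Execute an ipa command, or print it when DRY_RUN=1 or ipa is missing,
# so the plan can be reviewed offline before touching the directory.
run() {
    if [ "${DRY_RUN:-0}" = "1" ] || ! command -v ipa >/dev/null 2>&1; then
        echo "ipa $*"
    else
        ipa "$@"
    fi
}

# restrict_user_read_perms HOSTGROUP PERMISSION...
# Prints/executes 4 setup commands plus 2 commands per permission.
restrict_user_read_perms() {
    hostgroup="$1"; shift
    privilege="Host Read User Attributes"   # assumed name
    role="SSSD Host Readers"                # assumed name

    # 1. Privilege and role that the SSSD hosts become members of.
    run privilege-add "$privilege" --desc="User attributes readable by SSSD hosts"
    run role-add "$role" --desc="Hosts allowed to read user attributes"
    run role-add-privilege "$role" --privileges="$privilege"
    run role-add-member "$role" --hostgroups="$hostgroup"

    # 2. Per permission: switch the bind rule to "permission", then grant it
    #    to the host privilege. Hosts cannot read users between these two
    #    steps, so run the loop in a quiet period rather than piecemeal.
    for perm in "$@"; do
        run permission-mod "$perm" --bindtype=permission
        run privilege-add-permission "$privilege" --permissions="$perm"
    done
}

# Show the resulting bind rule type of one permission for verification.
show_bindtype() {
    run permission-show "$1" --raw
}

# Example invocation (dry run):
#   DRY_RUN=1 restrict_user_read_perms ipaclients \
#       "System: Read User Addressbook Attributes"
```

Repeat the invocation with every "System: Read User ..." permission you tighten, since each one is bound separately; admins keep their access through their own roles.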