[Freeipa-users] Limit regular user access only to self service portal

[Alexander Bokovoy]

On ke, 18 tammi 2017, David Kupka wrote:
>On 17/01/17 16:23, Georgijs Radovs wrote:
>>Hello everyone!
>>
>>Is it possible to configure Sef-service permissions in FreeIPA in a way,
>>so that, when regular users log in, they don't have read access to other
>>FreeIPA sections like "Policy", "Authentication", "IPA Server"...?
>>
>>My goal is - when user logs in Self-service portal, he sees only his
>>user account in "Identity" tab, no other tabs like "Policy" or
>>"Authentication" and can read and write only to his profile.
>>
>>Basically, I want to limit user to his account only, so he does not see
>>information about other accounts.
>>
>>
>
>Hello,
>by default user without any added roles can see "Users" and "OTP 
>Tokens" tabs and is able to read other users and modify only his 
>attributes.
>
>You can find permissions that affects reading user attributes in IPA 
>Server->Role Based Access Control->Permissions (eg. System: Read User 
>Addressbook Attributes) and change "Bind rule type" from all to 
>"permission".
>But be aware that modifying the permissions may result in SSSD being 
>unable to resolve users unless you add those permissions to hosts 
>(SSSD always uses host principal in FreeIPA deployment).
Even with that, I'd not recommend tightening permissions so that users
would not be able to see other users. There are always ways to break
through this 'enforcement', even start with the fact that a user could
actually authenticate with the host principal of their desktop system.
Access to the identity information is not arbitrated in POSIX
environment. Any process under any user could ask for other user and
group identities with standard libc API.

Security through obscurity never works well in a longer term.

-- 
/ Alexander Bokovoy