[Freeipa-users] Limit regular user access only to self service portal

Georgijs Radovs georgijsr at scandiweb.com
Wed Jan 18 14:19:13 UTC 2017


Thank you for your help.


On 2017.01.18. 10:21, Alexander Bokovoy wrote:
> On ke, 18 tammi 2017, David Kupka wrote:
>> On 17/01/17 16:23, Georgijs Radovs wrote:
>>> Hello everyone!
>>>
>>> Is it possible to configure Self-service permissions in FreeIPA in a way
>>> so that, when regular users log in, they don't have read access to other
>>> FreeIPA sections like "Policy", "Authentication", "IPA Server"...?
>>>
>>> My goal is: when a user logs in to the Self-service portal, he sees only his
>>> user account in the "Identity" tab, no other tabs like "Policy" or
>>> "Authentication", and can read and write only to his profile.
>>>
>>> Basically, I want to limit the user to his own account only, so he does not see
>>> information about other accounts.
>>>
>>>
>>
>> Hello,
>> by default a user without any added roles can see the "Users" and "OTP
>> Tokens" tabs and is able to read other users and modify only his own
>> attributes.
>>
>> You can find the permissions that affect reading user attributes in IPA
>> Server->Role Based Access Control->Permissions (e.g. System: Read User
>> Addressbook Attributes) and change "Bind rule type" from all to
>> "permission".
>> But be aware that modifying the permissions may result in SSSD being
>> unable to resolve users unless you add those permissions to hosts
>> (SSSD always uses the host principal in a FreeIPA deployment).
> Even with that, I'd not recommend tightening permissions so that users
> would not be able to see other users. There are always ways to break
> through this 'enforcement', starting with the fact that a user could
> actually authenticate with the host principal of their desktop system.
> Access to the identity information is not arbitrated in a POSIX
> environment. Any process under any user could ask for other user and
> group identities with the standard libc API.
>
> Security through obscurity never works well in the longer term.
>


-- 
 <https://www.youtube.com/watch?v=coVJlV1LJ84>