[Freeipa-users] Limit regular user access only to self service portal
Georgijs Radovs
2017-01-17 15:23:35 UTC
Hello everyone!

Is it possible to configure Self-service permissions in FreeIPA in a way
so that, when regular users log in, they don't have read access to other
FreeIPA sections like "Policy", "Authentication", "IPA Server"...?

My goal is: when a user logs in to the Self-service portal, he sees only his
user account in the "Identity" tab, no other tabs like "Policy" or
"Authentication", and can read and write only his own profile.

Basically, I want to limit a user to his own account, so he does not see
information about other accounts.
--

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
David Kupka
2017-01-18 08:09:06 UTC
Post by Georgijs Radovs
Hello everyone!
Is it possible to configure Self-service permissions in FreeIPA in a way
so that, when regular users log in, they don't have read access to other
FreeIPA sections like "Policy", "Authentication", "IPA Server"...?
My goal is: when a user logs in to the Self-service portal, he sees only his
user account in the "Identity" tab, no other tabs like "Policy" or
"Authentication", and can read and write only his own profile.
Basically, I want to limit a user to his own account, so he does not see
information about other accounts.
Hello,
by default a user without any added roles can see the "Users" and "OTP Tokens"
tabs, is able to read other users, and can modify only his own attributes.

You can find the permissions that affect reading user attributes in IPA
Server->Role Based Access Control->Permissions (e.g. System: Read User
Addressbook Attributes) and change "Bind rule type" from "all" to
"permission".
But be aware that modifying the permissions may result in SSSD being
unable to resolve users unless you add those permissions to hosts (SSSD
always uses the host principal in a FreeIPA deployment).
--
David Kupka
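The same change David describes in the web UI, scripted with the ipa CLI as an added example (not code from the thread or from the FreeIPA project). It flips one read permission's bind rule type from "all" to "permission" and then hands that permission back to enrolled hosts through a privilege and a role, because SSSD binds with the host principal and would otherwise stop resolving users. The permission name is the one quoted in the thread; the privilege name, role name and the "sssd-clients" host group are assumptions you would replace with your own. By default the script only prints the commands (DRY_RUN=1); it runs them only with DRY_RUN=0 on a machine that has a valid admin Kerberos ticket.

```shell
#!/bin/sh
# Added example: restrict a FreeIPA read permission to privilege/role members
# and re-grant it to hosts so SSSD keeps working. Not from the thread itself.
# DRY_RUN=1 (default) prints the ipa commands; DRY_RUN=0 executes them.

DRY_RUN="${DRY_RUN:-1}"

# Real permission name quoted in the thread. The other "System: Read User ..."
# permissions in the UI need the same treatment to hide the remaining attributes.
PERM="System: Read User Addressbook Attributes"
# Assumed names; pick your own.
PRIV="Read user attributes for hosts"
ROLE="User resolvers"

ipa_cmd() {
    if [ "$DRY_RUN" = 1 ]; then
        # print the command with each argument single-quoted so it can be copied
        out=""
        for a in "$@"; do out="$out '$a'"; done
        printf 'ipa%s\n' "$out"
    else
        ipa "$@"
    fi
}

# Step 1: stop granting the permission to every authenticated bind.
# With bindtype=permission only members of a privilege/role carrying it can read.
restrict_permission() {
    ipa_cmd permission-mod "$PERM" --bindtype=permission
}

# Step 2: give hosts (where SSSD runs) the permission back via privilege + role.
# $1 is the host group holding the enrolled clients (assumed: sssd-clients).
grant_to_hosts() {
    hostgroup="$1"
    ipa_cmd privilege-add "$PRIV" --desc="Lets enrolled hosts read user attributes"
    ipa_cmd privilege-add-permission "$PRIV" --permissions="$PERM"
    ipa_cmd role-add "$ROLE" --desc="Hosts that must resolve users through SSSD"
    ipa_cmd role-add-privilege "$ROLE" --privileges="$PRIV"
    ipa_cmd role-add-member "$ROLE" --hostgroups="$hostgroup"
}

# Step 3: confirm the bind rule type on the permission.
show_permission() {
    ipa_cmd permission-show "$PERM"
}

restrict_permission
grant_to_hosts "sssd-clients"
show_permission
```

After running it for real, check from a client that `getent passwd <user>` still resolves; if it does not, the host is not in the host group the role is granted to.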
Alexander Bokovoy
2017-01-18 08:21:58 UTC
Post by David Kupka
Post by Georgijs Radovs
Hello everyone!
Is it possible to configure Self-service permissions in FreeIPA in a way
so that, when regular users log in, they don't have read access to other
FreeIPA sections like "Policy", "Authentication", "IPA Server"...?
My goal is: when a user logs in to the Self-service portal, he sees only his
user account in the "Identity" tab, no other tabs like "Policy" or
"Authentication", and can read and write only his own profile.
Basically, I want to limit a user to his own account, so he does not see
information about other accounts.
Hello,
by default a user without any added roles can see the "Users" and "OTP
Tokens" tabs, is able to read other users, and can modify only his own
attributes.
You can find the permissions that affect reading user attributes in IPA
Server->Role Based Access Control->Permissions (e.g. System: Read User
Addressbook Attributes) and change "Bind rule type" from "all" to
"permission".
But be aware that modifying the permissions may result in SSSD being
unable to resolve users unless you add those permissions to hosts
(SSSD always uses the host principal in a FreeIPA deployment).
Even with that, I'd not recommend tightening permissions so that users
would not be able to see other users. There are always ways to break
through this 'enforcement', starting with the fact that a user could
actually authenticate with the host principal of their desktop system.
Access to identity information is not arbitrated in a POSIX
environment. Any process under any user could ask for other user and
group identities with the standard libc API.

Security through obscurity never works well in the longer term.
--
/ Alexander Bokovoy
Georgijs Radovs
2017-01-18 14:19:13 UTC
Thank you for your help.
Post by Alexander Bokovoy
Post by David Kupka
Post by Georgijs Radovs
Hello everyone!
Is it possible to configure Self-service permissions in FreeIPA in a way
so that, when regular users log in, they don't have read access to other
FreeIPA sections like "Policy", "Authentication", "IPA Server"...?
My goal is: when a user logs in to the Self-service portal, he sees only his
user account in the "Identity" tab, no other tabs like "Policy" or
"Authentication", and can read and write only his own profile.
Basically, I want to limit a user to his own account, so he does not see
information about other accounts.
Hello,
by default a user without any added roles can see the "Users" and "OTP
Tokens" tabs, is able to read other users, and can modify only his own
attributes.
You can find the permissions that affect reading user attributes in IPA
Server->Role Based Access Control->Permissions (e.g. System: Read User
Addressbook Attributes) and change "Bind rule type" from "all" to
"permission".
But be aware that modifying the permissions may result in SSSD being
unable to resolve users unless you add those permissions to hosts
(SSSD always uses the host principal in a FreeIPA deployment).
Even with that, I'd not recommend tightening permissions so that users
would not be able to see other users. There are always ways to break
through this 'enforcement', starting with the fact that a user could
actually authenticate with the host principal of their desktop system.
Access to identity information is not arbitrated in a POSIX
environment. Any process under any user could ask for other user and
group identities with the standard libc API.
Security through obscurity never works well in the longer term.
--
http://youtu.be/coVJlV1LJ84