On 17/01/17 16:23, Georgijs Radovs wrote:
Hello everyone!

Is it possible to configure Sef-service permissions in FreeIPA in a way,
so that, when regular users log in, they don't have read access to other
FreeIPA sections like "Policy", "Authentication", "IPA Server"...?

My goal is - when user logs in Self-service portal, he sees only his
user account in "Identity" tab, no other tabs like "Policy" or
"Authentication" and can read and write only to his profile.

Basically, I want to limit user to his account only, so he does not see
information about other accounts.

by default user without any added roles can see "Users" and "OTP Tokens" tabs and is able to read other users and modify only his attributes.

You can find permissions that affects reading user attributes in IPA Server->Role Based Access Control->Permissions (eg. System: Read User Addressbook Attributes) and change "Bind rule type" from all to "permission". But be aware that modifying the permissions may result in SSSD being unable to resolve users unless you add those permissions to hosts (SSSD always uses host principal in FreeIPA deployment).

David Kupka

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to