Re: [Freeipa-users] Limit regular user access only to self service portal

2017-01-18 Thread Georgijs Radovs

Thank you for your help.


On 2017.01.18. 10:21, Alexander Bokovoy wrote:

On ke, 18 tammi 2017, David Kupka wrote:

On 17/01/17 16:23, Georgijs Radovs wrote:

Hello everyone!

Is it possible to configure Sef-service permissions in FreeIPA in a 
way,
so that, when regular users log in, they don't have read access to 
other

FreeIPA sections like "Policy", "Authentication", "IPA Server"...?

My goal is - when user logs in Self-service portal, he sees only his
user account in "Identity" tab, no other tabs like "Policy" or
"Authentication" and can read and write only to his profile.

Basically, I want to limit user to his account only, so he does not see
information about other accounts.




Hello,
by default user without any added roles can see "Users" and "OTP 
Tokens" tabs and is able to read other users and modify only his 
attributes.


You can find permissions that affects reading user attributes in IPA 
Server->Role Based Access Control->Permissions (eg. System: Read User 
Addressbook Attributes) and change "Bind rule type" from all to 
"permission".
But be aware that modifying the permissions may result in SSSD being 
unable to resolve users unless you add those permissions to hosts 
(SSSD always uses host principal in FreeIPA deployment).

Even with that, I'd not recommend tightening permissions so that users
would not be able to see other users. There are always ways to break
through this 'enforcement', even start with the fact that a user could
actually authenticate with the host principal of their desktop system.
Access to the identity information is not arbitrated in POSIX
environment. Any process under any user could ask for other user and
group identities with standard libc API.

Security through obscurity never works well in a longer term.




--


--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Limit regular user access only to self service portal

2017-01-18 Thread Alexander Bokovoy

On ke, 18 tammi 2017, David Kupka wrote:

On 17/01/17 16:23, Georgijs Radovs wrote:

Hello everyone!

Is it possible to configure Sef-service permissions in FreeIPA in a way,
so that, when regular users log in, they don't have read access to other
FreeIPA sections like "Policy", "Authentication", "IPA Server"...?

My goal is - when user logs in Self-service portal, he sees only his
user account in "Identity" tab, no other tabs like "Policy" or
"Authentication" and can read and write only to his profile.

Basically, I want to limit user to his account only, so he does not see
information about other accounts.




Hello,
by default user without any added roles can see "Users" and "OTP 
Tokens" tabs and is able to read other users and modify only his 
attributes.


You can find permissions that affects reading user attributes in IPA 
Server->Role Based Access Control->Permissions (eg. System: Read User 
Addressbook Attributes) and change "Bind rule type" from all to 
"permission".
But be aware that modifying the permissions may result in SSSD being 
unable to resolve users unless you add those permissions to hosts 
(SSSD always uses host principal in FreeIPA deployment).

Even with that, I'd not recommend tightening permissions so that users
would not be able to see other users. There are always ways to break
through this 'enforcement', even start with the fact that a user could
actually authenticate with the host principal of their desktop system.
Access to the identity information is not arbitrated in POSIX
environment. Any process under any user could ask for other user and
group identities with standard libc API.

Security through obscurity never works well in a longer term.

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Limit regular user access only to self service portal

2017-01-18 Thread David Kupka

On 17/01/17 16:23, Georgijs Radovs wrote:

Hello everyone!

Is it possible to configure Sef-service permissions in FreeIPA in a way,
so that, when regular users log in, they don't have read access to other
FreeIPA sections like "Policy", "Authentication", "IPA Server"...?

My goal is - when user logs in Self-service portal, he sees only his
user account in "Identity" tab, no other tabs like "Policy" or
"Authentication" and can read and write only to his profile.

Basically, I want to limit user to his account only, so he does not see
information about other accounts.




Hello,
by default user without any added roles can see "Users" and "OTP Tokens" 
tabs and is able to read other users and modify only his attributes.


You can find permissions that affects reading user attributes in IPA 
Server->Role Based Access Control->Permissions (eg. System: Read User 
Addressbook Attributes) and change "Bind rule type" from all to 
"permission".
But be aware that modifying the permissions may result in SSSD being 
unable to resolve users unless you add those permissions to hosts (SSSD 
always uses host principal in FreeIPA deployment).


--
David Kupka

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project