freeipa/doc/api/access_control_guide.md

# Access control examples

IPA provides a way to manage delegation of rights. Permissions allows to define
certain management actions, which can then be grouped in privileges. These
privileges can then be added to roles, which can be assigned to users and
groups.

- [Access control examples](#access-control-examples)
  - [Managing permissions](#managing-permissions)
  - [Managing privileges](#managing-privileges)
  - [Managing roles](#managing-roles)
  - [Assigning roles to users and groups](#assigning-roles-to-users-and-groups)

## Managing permissions

Add a permission for creating users.

```python
api.Command.permission_add("Create users", ipapermright='add', type='user')
```

Add a permission for managing group membership.

```python
api.Command.permission_add("Manage group membership", ipapermright='write', type='group', attrs="member")
```

## Managing privileges

Add a privilege for user creation process (creating user, adding it to groups,
manage user certificates).

```python
api.Command.permission_add("Create users", ipapermright='add', type='user')
api.Command.permission_add("Manage group membership", ipapermright='write', type='group', attrs="member")
api.Command.permission_add("Manage User certificates", ipapermright='write', type='user', attrs='usercertificate')

api.Command.privilege_add("User creation")
api.Command.privilege_add_permission("User creation", permission="Create users")
api.Command.privilege_add_permission("User creation", permission="Manage group membership")
api.Command.privilege_add_permission("User creation", permission="Manage User certificates")
```

## Managing roles

Add a role with the privilege created earlier.

```python
api.Command.role_add("usermanager", description="Users manager")
api.Command.role_add_privilege("usermanager", privilege="User creation")
```

## Assigning roles to users and groups

Assign the role `usermanager` to user `bob`.

```python
api.Command.role_add_member("usermanager", user="bob")
```

Users, groups, hosts and hostgroups may be members of a role. Assign the
`usermanager` role to `managers` group.

```python
api.Command.role_add_member("usermanager", group="managers")
```
Extend API documentation This includes: * Section about command/param info in usage guide * Section about metadata retrieval in usage guide * Guide about differences between CLI and API * Access control guide (management of roles, privileges and permissions). * Guide about API contexts * JSON-RPC usage guide and JSON-to-Python conversion * Notes about types in API Reference Signed-off-by: Antonio Torres <antorres@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> 2023-03-13 10:05:20 -05:00			`# Access control examples`

			`IPA provides a way to manage delegation of rights. Permissions allows to define`
			`certain management actions, which can then be grouped in privileges. These`
			`privileges can then be added to roles, which can be assigned to users and`
			`groups.`

			`- [Access control examples](#access-control-examples)`
			`- [Managing permissions](#managing-permissions)`
			`- [Managing privileges](#managing-privileges)`
			`- [Managing roles](#managing-roles)`
			`- [Assigning roles to users and groups](#assigning-roles-to-users-and-groups)`

			`## Managing permissions`

			`Add a permission for creating users.`

			```python
			`api.Command.permission_add("Create users", ipapermright='add', type='user')`
			```

			`Add a permission for managing group membership.`

			```python
			`api.Command.permission_add("Manage group membership", ipapermright='write', type='group', attrs="member")`
			```

			`## Managing privileges`

			`Add a privilege for user creation process (creating user, adding it to groups,`
			`manage user certificates).`

			```python
			`api.Command.permission_add("Create users", ipapermright='add', type='user')`
			`api.Command.permission_add("Manage group membership", ipapermright='write', type='group', attrs="member")`
			`api.Command.permission_add("Manage User certificates", ipapermright='write', type='user', attrs='usercertificate')`

			`api.Command.privilege_add("User creation")`
			`api.Command.privilege_add_permission("User creation", permission="Create users")`
			`api.Command.privilege_add_permission("User creation", permission="Manage group membership")`
			`api.Command.privilege_add_permission("User creation", permission="Manage User certificates")`
			```

			`## Managing roles`

			`Add a role with the privilege created earlier.`

			```python
			`api.Command.role_add("usermanager", description="Users manager")`
			`api.Command.role_add_privilege("usermanager", privilege="User creation")`
			```

			`## Assigning roles to users and groups`

			Assign the role `usermanager` to user `bob`.

			```python
			`api.Command.role_add_member("usermanager", user="bob")`
			```

			`Users, groups, hosts and hostgroups may be members of a role. Assign the`
			`usermanager` role to `managers` group.

			```python
			`api.Command.role_add_member("usermanager", group="managers")`
			```