From Fedora Project Wiki


Delegation is an overloaded term in IPA. It broadly means assigning rights to update objects to a principal.

Within IPA there are several different ways to delegate permissions:

  1. The permissions/privileges/roles trio, which can grant access to do nearly anything in IPA.
  2. The selfservice plugin, which controls what an entry can do to itself.
  3. The delegation plugin, which can grant one group of users the ability to modify a fixed set of attributes in another group of users. This is useful if a manager wants to delegate to his assistant the ability to update the address information of the people that report to him, for example.

Setup

  1. Make sure you have a working FreeIPA server (see QA:Testcase_freeipav2_installation)
  2. Make sure the CLI works as expected (see QA:Testcase_freeipav2_cli)

How to test

Permission/Privilege/Role Testing

In this test we'll be creating a permission, adding it to a privilege, adding the privilege to a role, then adding a user to the role and testing the permission.


Create a permission that will allow users to be added:

# kinit admin
# ipa permission-add --permissions=add --type=user "Test Add User"

Create a permission that allows users to be modified:

# ipa permission-add --permissions=write \
 --attrs=cn,sn,givenname,street,l,st,postalcode,telephonenumber,title \
 --type=user "Test Modify Users"


Create a new privilege and assign our permissions to it:

# ipa privilege-add --desc="Test User management" "Test Manage users"
# ipa privilege-add-permission --permissions='Test Add User','Test Modify Users' 'Test Manage users'


Create a role, assign the privilege to the role and add a user to the role:

# ipa role-add --desc="Test Role" "Test Role"
# ipa role-add-privilege --privileges='Test Manage users' 'Test Role'

Now create a user to go into this role:

# ipa user-add --first=Jim --last=Test jtest1 --password
# ipa role-add-member --users=jtest1 'Test Role'

End-to-end test

Become our test user:

# kinit jtest1

Try adding a user (should fail):

# ipa user-add --first=Gary --last=Test gtest1

Aha, adding a user requires a few more rights than just write access to the user entry. The user was actually created, it is just incomplete:

# ipa user-show gtest1

Note that gtest1 is not a member of the ipausers group.

We also need to add it to the default users group. Return to the admin user and add these additional permissions:

# kinit admin
# ipa permission-add --permissions=write --attrs=member --targetgroup=ipausers "Test add members to ipausers"
# ipa privilege-add-permission --permissions='Test add members to ipausers' 'Test Manage users'

Try again as jtest1:

# kinit jtest1
# ipa user-add --first=Gary --last=Test gtest2 (success)

Now show that we can create a new user with a password:

# ipa user-add --first=Gary --last=Test gtest3 --password

To really test it, become the new user:

# kinit gtest3

Great, now return to our jtest1:

# kinit jtest1

And let's see what we can change about these users; these should all succeed:

# ipa user-mod --title=Directory gtest3
# ipa user-mod --street='123 Main St' --city=Baltimore --state=MD --postalcode=21090 gtest3

Now some negative tests; these should all fail:

# ipa user-mod --homedir=/home/foo gtest3
# ipa group-add-member --users=gtest3 admins
# ipa user-del gtest3

Finally, we only added jtest1 to the role, so let's make sure other users don't also have these rights. The user-add should fail.

# kinit gtest3
# ipa user-add --first=Gary --last=Test gtest4
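As an added example that is not part of the original wiki page, the following POSIX shell harness wraps the success and failure checks of the role test into a single run; it assumes `kinit jtest1` has already been done and uses the constructed user name htest1. The same `check` helper can be reused for the selfservice and delegation checks that follow.

```shell
#!/bin/sh
# Added example, not part of the wiki page: a small harness that runs the
# positive and negative checks of the role test above and reports whether
# each command's exit status matched the expectation.
# Assumes `kinit jtest1` has already been run; the user name htest1 is a
# constructed value chosen so it does not collide with users created above.

# check EXPECT CMD...: run CMD and return 0 only if its outcome matches
# EXPECT ("ok" for a command that must succeed, "fail" for one that must fail).
check() {
    expect=$1; shift
    if "$@" >/dev/null 2>&1; then got=ok; else got=fail; fi
    if [ "$got" = "$expect" ]; then
        echo "PASS (expected $expect): $*"
        return 0
    fi
    echo "FAIL (expected $expect, got $got): $*" >&2
    return 1
}

# run_role_checks: exercise the rights of the Test Role as jtest1 and
# return the number of mismatches, usable directly as an exit status.
run_role_checks() {
    mismatches=0
    # granted by "Test Add User" plus "Test add members to ipausers"
    check ok ipa user-add --first=Gary --last=Test htest1 || mismatches=$((mismatches+1))
    # granted by "Test Modify Users" (title, street, l, st, postalcode are in --attrs)
    check ok ipa user-mod --title=Directory htest1 || mismatches=$((mismatches+1))
    check ok ipa user-mod --street='123 Main St' --city=Baltimore --state=MD \
        --postalcode=21090 htest1 || mismatches=$((mismatches+1))
    # not granted: homedirectory is outside --attrs, and neither admins group
    # membership nor user deletion was given to the role
    check fail ipa user-mod --homedir=/home/foo htest1 || mismatches=$((mismatches+1))
    check fail ipa group-add-member --users=htest1 admins || mismatches=$((mismatches+1))
    check fail ipa user-del htest1 || mismatches=$((mismatches+1))
    return "$mismatches"
}

# Run the checks only when invoked as `sh harness.sh run`, so the helper
# functions can also be sourced and reused for the selfservice and
# delegation sections below.
if [ "${1:-}" = run ]; then
    run_role_checks
    exit $?
fi
```

A non-zero exit status from `sh harness.sh run` tells you how many commands behaved differently from what the role's permissions should allow.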

Selfservice Testing


Start out as the admin user:

# kinit admin

Find all current selfservice rules

# ipa selfservice-find

There should be two, one that defines the password attributes that can be updated and one containing a long list of attributes that are modifiable.

Add a new selfservice rule

Let us add a new rule that lets users change their own uidnumber:

# ipa selfservice-add --attrs=uidnumber "Write own uidnumber"

Testing the rule

First add a user to test with (or re-use this user from a previous test)

# ipa user-add --first=Gary --last=Test gtest3 --password

Become that user:

# kinit gtest3

Find out our current UID:

# id gtest3

Set the uidnumber to something different from the value shown above:

# ipa user-mod --uid=500 gtest3

Make sure we can't just update anything; these should fail:

# ipa user-mod --gid=600 gtest3
# ipa user-mod --uid=501 admin

Delegation Plugin Testing


  • create two testing users (you have to set passwords for both of them)
# kinit admin
# ipa user-add --first=Tim --last=Test tuser1 --password
# ipa user-add --first=Pam --last=Test puser1 --password
  • create two testing groups
# ipa group-add --desc='Test group 1' testgroup1
# ipa group-add --desc='Test group 2' testgroup2
  • add one member to each group
# ipa group-add-member --users=tuser1 testgroup1
# ipa group-add-member --users=puser1 testgroup2
  • set some user attributes (street, phone number, job title, ...) to each user
# ipa user-mod --street='123 Main' --title=Director tuser1
# ipa user-mod --street='456 Maple' --title=COO puser1

Delegation creation

  • create a delegation allowing one group to write some attributes of users in the second group
# ipa delegation-add --attrs=street,title --membergroup=testgroup2 \
   --group=testgroup1 'testgroup1 can Modify testgroup2'
  • logout from admin account
# kdestroy
  • log in as the first user (you'll need to reset the password)
# kinit tuser1
  • try user-show --all on the second user (for reference)
# ipa user-show --all puser1
  • try modifying the attribute of the second user you delegated to be writable (should succeed)
# ipa user-mod --title=President puser1
  • try user-show --all on the second user (attribute should be modified)
# ipa user-show --all puser1
  • try modifying some attributes of the second user you didn't delegate to be writable (should fail)
# ipa user-mod --city=Baltimore puser1
  • try user-show --all on the second user (attribute should not be modified)
# ipa user-show --all puser1
  • logout from the account and login as the admin again
# kdestroy
# kinit admin

Delegation update

  • modify the original delegation: add some more fields to it, for example those you tried to modify in step 7 of the previous test
# ipa delegation-mod --attrs=street,l,st,postalcode,title 'testgroup1 can Modify testgroup2'
  • repeat steps 2-9 of the previous test (no failure should occur and all attempts to modify something should succeed)

Delegation deletion

  • Delete the delegation you created
# ipa delegation-del 'testgroup1 can Modify testgroup2'
  • repeat steps 2-9 of the first test (no modification should succeed, user attributes of the second user should be the same after the test as they were before)

Expected Results

All the test steps should end with the specified results.