Freeipa/policy
@shrug/freeipa/policyv2026.07.12.1
01README
Manage FreeIPA sudo, HBAC, and RBAC policy over the JSON-RPC API: find/show read-only snapshots plus idempotent ensureSudoRule/ensureHbacRule/ensureRole, fan-out member/option/privilege methods, enable/disable toggles, read-only privilege/permission discovery, and confirm-guarded deletes, each mutation with an audit trail.
02Models
@shrug/freeipa/policyv2026.07.12.1policy.ts
fn sudoRuleFind()
Snapshot sudo rules matching an optional search criteria (read-only).
fn sudoRuleShow(cn: string)
Snapshot a single sudo rule by name (read-only).
| Argument | Type | Description |
|---|---|---|
| cn | string | Sudo rule name (cn) to fetch |
fn ensureSudoRule(cn: string)
Idempotently ensure a sudo rule exists (sudorule_add). Swallows DuplicateEntry and re-reads via sudorule_show, so re-runs are safe. sudoorder is a first-class arg because sudo evaluation is last-match-wins — order matters. Writes the sudo rule state on success; audits both paths.
| Argument | Type | Description |
|---|---|---|
| cn | string | Sudo rule name (cn) |
fn sudoRuleAddOption(cn: string)
Add a sudo option to a rule (sudorule_add_option), e.g. `!authenticate` for passwordless sudo. Writes the updated sudo rule state on success; audits both paths.
| Argument | Type | Description |
|---|---|---|
| cn | string | Sudo rule name (cn) |
fn sudoRuleAddUser(cn: string)
Add users and/or user groups to a sudo rule in one call (sudorule_add_user). Fan-out: pass lists of users and groups. Surfaces IPA's `failed` structure in the audit response; writes the updated sudo rule state on success.
| Argument | Type | Description |
|---|---|---|
| cn | string | Sudo rule name (cn) |
fn sudoRuleAddHost(cn: string)
Add hosts and/or host groups to a sudo rule in one call (sudorule_add_host). Fan-out: pass lists of hosts and hostgroups. Surfaces IPA's `failed` structure in the audit response; writes the updated sudo rule state on success.
| Argument | Type | Description |
|---|---|---|
| cn | string | Sudo rule name (cn) |
fn sudoRuleAddCommand(cn: string)
Add allowed commands and/or command groups to a sudo rule in one call (sudorule_add_allow_command). Fan-out: pass lists of sudocmds and sudocmdgroups. Surfaces IPA's `failed` structure in the audit response; writes the updated sudo rule state on success.
| Argument | Type | Description |
|---|---|---|
| cn | string | Sudo rule name (cn) |
fn sudoRuleSetEnabled(cn: string)
Enable or disable a sudo rule (sudorule_enable / sudorule_disable). Writes the updated sudo rule state on success; audits both paths.
| Argument | Type | Description |
|---|---|---|
| cn | string | Sudo rule name (cn) |
fn sudoRuleDel(cn: string)
Delete a sudo rule (sudorule_del). Requires confirm:true; audits both paths.
| Argument | Type | Description |
|---|---|---|
| cn | string | Sudo rule name (cn) to delete |
fn hbacRuleFind()
Snapshot HBAC rules matching an optional search criteria (read-only).
fn hbacRuleShow(cn: string)
Snapshot a single HBAC rule by name (read-only).
| Argument | Type | Description |
|---|---|---|
| cn | string | HBAC rule name (cn) to fetch |
fn ensureHbacRule(cn: string)
Idempotently ensure an HBAC rule exists (hbacrule_add). Swallows DuplicateEntry and re-reads via hbacrule_show, so re-runs are safe. Writes the HBAC rule state on success; audits both paths.
| Argument | Type | Description |
|---|---|---|
| cn | string | HBAC rule name (cn) |
fn hbacRuleAddUser(cn: string)
Add users and/or user groups to an HBAC rule in one call (hbacrule_add_user). Fan-out: pass lists of users and groups. Surfaces IPA's `failed` structure in the audit response; writes the updated HBAC rule state on success.
| Argument | Type | Description |
|---|---|---|
| cn | string | HBAC rule name (cn) |
fn hbacRuleAddHost(cn: string)
Add hosts and/or host groups to an HBAC rule in one call (hbacrule_add_host). Fan-out: pass lists of hosts and hostgroups. Surfaces IPA's `failed` structure in the audit response; writes the updated HBAC rule state on success.
| Argument | Type | Description |
|---|---|---|
| cn | string | HBAC rule name (cn) |
fn hbacRuleAddService(cn: string)
Add HBAC services and/or service groups to an HBAC rule in one call (hbacrule_add_service). Fan-out: pass lists of hbacsvcs and hbacsvcgroups. Surfaces IPA's `failed` structure in the audit response; writes the updated HBAC rule state on success.
| Argument | Type | Description |
|---|---|---|
| cn | string | HBAC rule name (cn) |
fn hbacRuleSetEnabled(cn: string)
Enable or disable an HBAC rule (hbacrule_enable / hbacrule_disable). Writes the updated HBAC rule state on success; audits both paths.
| Argument | Type | Description |
|---|---|---|
| cn | string | HBAC rule name (cn) |
fn hbacRuleDel(cn: string)
Delete an HBAC rule (hbacrule_del). Requires confirm:true; audits both paths.
| Argument | Type | Description |
|---|---|---|
| cn | string | HBAC rule name (cn) to delete |
fn roleFind()
Snapshot roles matching an optional search criteria (read-only).
fn roleShow(cn: string)
Snapshot a single role by name (read-only).
| Argument | Type | Description |
|---|---|---|
| cn | string | Role name (cn) to fetch |
fn ensureRole(cn: string)
Idempotently ensure a role exists (role_add). Swallows DuplicateEntry and re-reads via role_show, so re-runs are safe. Writes the role state on success; audits both paths. NOTE: role/privilege mutation is privilege-escalation sensitive — the scoped service account is deliberately NOT granted Delegation Administrator, so this operates only within the rights the operator already holds.
| Argument | Type | Description |
|---|---|---|
| cn | string | Role name (cn) |
fn roleAddPrivilege(cn: string)
Add privileges to a role in one call (role_add_privilege). Fan-out: pass a list of privileges. Surfaces IPA's `failed` structure in the audit response; writes the updated role state on success. NOTE: privilege-escalation sensitive — bounded by the operator's own rights (no Delegation Administrator on the scoped account).
| Argument | Type | Description |
|---|---|---|
| cn | string | Role name (cn) |
fn roleAddMember(cn: string)
Add users and/or user groups to a role in one call (role_add_member). Fan-out: pass lists of users and groups. Surfaces IPA's `failed` structure in the audit response; writes the updated role state on success.
| Argument | Type | Description |
|---|---|---|
| cn | string | Role name (cn) |
fn privilegeFind()
Snapshot privileges matching an optional search criteria (read-only). Useful for discovering the privilege names to feed roleAddPrivilege.
fn permissionFind()
Snapshot permissions matching an optional search criteria (read-only). Useful for discovering the permission names bundled into privileges.
fn roleDel(cn: string)
Delete a role (role_del). Requires confirm:true; audits both paths. NOTE: role deletion is privilege-escalation sensitive and admin-scoped by design.
| Argument | Type | Description |
|---|---|---|
| cn | string | Role name (cn) to delete |
Resources
sudoRules(infinite)— Snapshot of sudo rules matching a find (array of parsed rows)
sudoRule(infinite)— Snapshot of a single sudo rule (parsed row + raw entry)
hbacRules(infinite)— Snapshot of HBAC rules matching a find (array of parsed rows)
hbacRule(infinite)— Snapshot of a single HBAC rule (parsed row + raw entry)
roles(infinite)— Snapshot of roles matching a find (array of parsed rows)
role(infinite)— Snapshot of a single role (parsed row + raw entry)
privileges(infinite)— Read-only snapshot of privileges matching a find (name + description + raw)
permissions(infinite)— Read-only snapshot of permissions matching a find (name + description + raw)
attempt(infinite)— Audit record of a mutation attempt (request + result/error + timestamp). Written on both success and failure.
03Previous Versions
2026.07.11.1Jul 12, 2026
04Stats
A
100 / 100
Downloads
0
Archive size
31.6 KB
- Has README or module doc2/2earned
- README has a code example1/1earned
- README is substantive1/1earned
- Most symbols documented1/1earned
- No slow types (deprecated)1/1earned
- Dependencies pass trust audit2/2earned
- Has description1/1earned
- Platform support declared (or universal)2/2earned
- License declared1/1earned
- Verified public repository2/2earned
Repository
https://github.com/shrugpw/swamp-freeipa05Platforms
06Labels