Skip to main content

Freeipa/policy

@shrug/freeipa/policyv2026.07.12.1· 1d agoMODELS
01README

Manage FreeIPA sudo, HBAC, and RBAC policy over the JSON-RPC API: find/show read-only snapshots plus idempotent ensureSudoRule/ensureHbacRule/ensureRole, fan-out member/option/privilege methods, enable/disable toggles, read-only privilege/permission discovery, and confirm-guarded deletes, each mutation with an audit trail.

02Models1
@shrug/freeipa/policyv2026.07.12.1policy.ts
fn sudoRuleFind()
Snapshot sudo rules matching an optional search criteria (read-only).
fn sudoRuleShow(cn: string)
Snapshot a single sudo rule by name (read-only).
ArgumentTypeDescription
cnstringSudo rule name (cn) to fetch
fn ensureSudoRule(cn: string)
Idempotently ensure a sudo rule exists (sudorule_add). Swallows DuplicateEntry and re-reads via sudorule_show, so re-runs are safe. sudoorder is a first-class arg because sudo evaluation is last-match-wins — order matters. Writes the sudo rule state on success; audits both paths.
ArgumentTypeDescription
cnstringSudo rule name (cn)
fn sudoRuleAddOption(cn: string)
Add a sudo option to a rule (sudorule_add_option), e.g. `!authenticate` for passwordless sudo. Writes the updated sudo rule state on success; audits both paths.
ArgumentTypeDescription
cnstringSudo rule name (cn)
fn sudoRuleAddUser(cn: string)
Add users and/or user groups to a sudo rule in one call (sudorule_add_user). Fan-out: pass lists of users and groups. Surfaces IPA's `failed` structure in the audit response; writes the updated sudo rule state on success.
ArgumentTypeDescription
cnstringSudo rule name (cn)
fn sudoRuleAddHost(cn: string)
Add hosts and/or host groups to a sudo rule in one call (sudorule_add_host). Fan-out: pass lists of hosts and hostgroups. Surfaces IPA's `failed` structure in the audit response; writes the updated sudo rule state on success.
ArgumentTypeDescription
cnstringSudo rule name (cn)
fn sudoRuleAddCommand(cn: string)
Add allowed commands and/or command groups to a sudo rule in one call (sudorule_add_allow_command). Fan-out: pass lists of sudocmds and sudocmdgroups. Surfaces IPA's `failed` structure in the audit response; writes the updated sudo rule state on success.
ArgumentTypeDescription
cnstringSudo rule name (cn)
fn sudoRuleSetEnabled(cn: string)
Enable or disable a sudo rule (sudorule_enable / sudorule_disable). Writes the updated sudo rule state on success; audits both paths.
ArgumentTypeDescription
cnstringSudo rule name (cn)
fn sudoRuleDel(cn: string)
Delete a sudo rule (sudorule_del). Requires confirm:true; audits both paths.
ArgumentTypeDescription
cnstringSudo rule name (cn) to delete
fn hbacRuleFind()
Snapshot HBAC rules matching an optional search criteria (read-only).
fn hbacRuleShow(cn: string)
Snapshot a single HBAC rule by name (read-only).
ArgumentTypeDescription
cnstringHBAC rule name (cn) to fetch
fn ensureHbacRule(cn: string)
Idempotently ensure an HBAC rule exists (hbacrule_add). Swallows DuplicateEntry and re-reads via hbacrule_show, so re-runs are safe. Writes the HBAC rule state on success; audits both paths.
ArgumentTypeDescription
cnstringHBAC rule name (cn)
fn hbacRuleAddUser(cn: string)
Add users and/or user groups to an HBAC rule in one call (hbacrule_add_user). Fan-out: pass lists of users and groups. Surfaces IPA's `failed` structure in the audit response; writes the updated HBAC rule state on success.
ArgumentTypeDescription
cnstringHBAC rule name (cn)
fn hbacRuleAddHost(cn: string)
Add hosts and/or host groups to an HBAC rule in one call (hbacrule_add_host). Fan-out: pass lists of hosts and hostgroups. Surfaces IPA's `failed` structure in the audit response; writes the updated HBAC rule state on success.
ArgumentTypeDescription
cnstringHBAC rule name (cn)
fn hbacRuleAddService(cn: string)
Add HBAC services and/or service groups to an HBAC rule in one call (hbacrule_add_service). Fan-out: pass lists of hbacsvcs and hbacsvcgroups. Surfaces IPA's `failed` structure in the audit response; writes the updated HBAC rule state on success.
ArgumentTypeDescription
cnstringHBAC rule name (cn)
fn hbacRuleSetEnabled(cn: string)
Enable or disable an HBAC rule (hbacrule_enable / hbacrule_disable). Writes the updated HBAC rule state on success; audits both paths.
ArgumentTypeDescription
cnstringHBAC rule name (cn)
fn hbacRuleDel(cn: string)
Delete an HBAC rule (hbacrule_del). Requires confirm:true; audits both paths.
ArgumentTypeDescription
cnstringHBAC rule name (cn) to delete
fn roleFind()
Snapshot roles matching an optional search criteria (read-only).
fn roleShow(cn: string)
Snapshot a single role by name (read-only).
ArgumentTypeDescription
cnstringRole name (cn) to fetch
fn ensureRole(cn: string)
Idempotently ensure a role exists (role_add). Swallows DuplicateEntry and re-reads via role_show, so re-runs are safe. Writes the role state on success; audits both paths. NOTE: role/privilege mutation is privilege-escalation sensitive — the scoped service account is deliberately NOT granted Delegation Administrator, so this operates only within the rights the operator already holds.
ArgumentTypeDescription
cnstringRole name (cn)
fn roleAddPrivilege(cn: string)
Add privileges to a role in one call (role_add_privilege). Fan-out: pass a list of privileges. Surfaces IPA's `failed` structure in the audit response; writes the updated role state on success. NOTE: privilege-escalation sensitive — bounded by the operator's own rights (no Delegation Administrator on the scoped account).
ArgumentTypeDescription
cnstringRole name (cn)
fn roleAddMember(cn: string)
Add users and/or user groups to a role in one call (role_add_member). Fan-out: pass lists of users and groups. Surfaces IPA's `failed` structure in the audit response; writes the updated role state on success.
ArgumentTypeDescription
cnstringRole name (cn)
fn privilegeFind()
Snapshot privileges matching an optional search criteria (read-only). Useful for discovering the privilege names to feed roleAddPrivilege.
fn permissionFind()
Snapshot permissions matching an optional search criteria (read-only). Useful for discovering the permission names bundled into privileges.
fn roleDel(cn: string)
Delete a role (role_del). Requires confirm:true; audits both paths. NOTE: role deletion is privilege-escalation sensitive and admin-scoped by design.
ArgumentTypeDescription
cnstringRole name (cn) to delete

Resources

sudoRules(infinite)— Snapshot of sudo rules matching a find (array of parsed rows)
sudoRule(infinite)— Snapshot of a single sudo rule (parsed row + raw entry)
hbacRules(infinite)— Snapshot of HBAC rules matching a find (array of parsed rows)
hbacRule(infinite)— Snapshot of a single HBAC rule (parsed row + raw entry)
roles(infinite)— Snapshot of roles matching a find (array of parsed rows)
role(infinite)— Snapshot of a single role (parsed row + raw entry)
privileges(infinite)— Read-only snapshot of privileges matching a find (name + description + raw)
permissions(infinite)— Read-only snapshot of permissions matching a find (name + description + raw)
attempt(infinite)— Audit record of a mutation attempt (request + result/error + timestamp). Written on both success and failure.
03Previous Versions1
2026.07.11.1Jul 12, 2026
04Stats
A
100 / 100
Downloads
0
Archive size
31.6 KB
  • Has README or module doc2/2earned
  • README has a code example1/1earned
  • README is substantive1/1earned
  • Most symbols documented1/1earned
  • No slow types (deprecated)1/1earned
  • Dependencies pass trust audit2/2earned
  • Has description1/1earned
  • Platform support declared (or universal)2/2earned
  • License declared1/1earned
  • Verified public repository2/2earned
05Platforms
06Labels