#5390 [RFE] Manage OTP Tokens - by group or RBAC
Opened 4 years ago by pvoborni. Modified 2 years ago

Ticket was cloned from Red Hat Bugzilla (product Fedora): Bug 1273964

Description of problem:

Our facility operates 24/7, and the select few users with admin privileges are
not available on all shifts.
I need a way for supervisors to have the permissions for create/add/delete OTP
tokens. In the event a user gets a new phone or loses a token the supervisors
on each shift need to be able to assist their users with making access

I would like to be able to assign the privilege of OTP token create/add/delete
within the role based access control system similarly to how the unlock and
reset password privileges can be assigned to a user group.

Version-Release number of selected component (if applicable):
FreeIPA, version: 4.1.4

How reproducible:
Variable based on scheduling and users needs but fairly frequently with 460+
employees and very few admin privileged users.

Steps to Reproduce:
1. In the interface go to Role Based Access Control > Permissions
2. Look for an option to add/modify/remove OTP tokens
3. Click Add
4. Set the type to either "Entry" or "OTP Configuration" or "User"
5. Select any attributes related to OTP tokens
 (I could not find any specific attributes that I would expect to allow here so
I just went with add everything to see if it would even work)
6. Set granted rights to All
7. Assign new permission to a privilege and role
8. Attempt to use role on user/user group and create an OTP token for a
different user.

Actual results:
No permission exists that I can find or create for managing OTP tokens on other

Expected results:
Ability to find a permission or create one that allows for a user to manage
other users' OTP tokens.

Additional info:
My understanding based on what information I could find searching for answers
is that OTP token management is hard coded to the admin group, and individual
users can manage their tokens only.

Metadata Update from @pvoborni:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.5 backlog

2 years ago

I'm following this too, we'd like helpdesk accounts to be able to add a new otptoken on a user's behalf.

i.e. we want a permission that allows this command sequence to work:

kinit helpdesk
ipa otptoken-add username --owner=username

We do not want the helpdesk user to be a FreeIPA admin.

We already have a mechanism for users to retrieve their token.
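The delegation the commenter is asking for, expressed as the FreeIPA permission -> privilege -> role -> group chain that the original reporter points to for unlock/password-reset rights. This is an added example, not code from the ticket or from FreeIPA itself. It assumes an `ipa` client with an admin Kerberos ticket, that `ipa permission-add` accepts `--type=otptoken` on the deployed version (an assumption; the ticket reports that no suitable permission existed in 4.1.4, so whether the resulting ACI is enough for `otptoken-add --owner` to succeed for a non-admin is precisely what this RFE asks for), and the names `Helpdesk: Manage OTP tokens`, `OTP Token Helpdesk` and the group `supervisors` are invented here. Setting `IPA=echo` previews the commands without touching the directory.

```shell
#!/bin/sh
# Added example (not from the ticket): delegate OTP-token management to a
# group through FreeIPA RBAC instead of handing out admin membership.
# Assumptions: `ipa` is installed and an admin ticket is held; the
# "otptoken" permission type is assumed to be accepted by permission-add
# on the deployed version; all object names below are hypothetical.
IPA="${IPA:-ipa}"   # override with IPA=echo for a dry run

# Build the chain and put one group into the role.
# $1 = group that should get helpdesk rights over OTP tokens.
delegate_otp_to_group() {
    group="$1"
    [ -n "$group" ] || { echo "usage: delegate_otp_to_group GROUP" >&2; return 2; }

    # 1. Permission: which rights on which entries. Only add/delete on
    #    token entries (replace a lost token = delete + add), deliberately
    #    narrower than the "All" used in step 6 of the original report.
    "$IPA" permission-add "Helpdesk: Manage OTP tokens" \
        --type=otptoken --right=add --right=delete || return 1

    # 2. Privilege: a named bundle of permissions.
    "$IPA" privilege-add "OTP Token Helpdesk" \
        --desc="Create and remove users' OTP tokens" || return 1
    "$IPA" privilege-add-permission "OTP Token Helpdesk" \
        --permissions="Helpdesk: Manage OTP tokens" || return 1

    # 3. Role: what is assigned to people or groups.
    "$IPA" role-add "OTP Token Helpdesk" \
        --desc="Shift supervisors who may manage OTP tokens" || return 1
    "$IPA" role-add-privilege "OTP Token Helpdesk" \
        --privileges="OTP Token Helpdesk" || return 1

    # 4. Membership: the supervisors' group, so shifts are covered without
    #    adding anyone to the admins group.
    "$IPA" role-add-member "OTP Token Helpdesk" --groups="$group" || return 1
}

# Review what the role grants after the fact.
show_otp_role() {
    "$IPA" role-show "OTP Token Helpdesk" --all
}
```

After running `delegate_otp_to_group supervisors`, the check that matters is the one the commenter gives: `kinit` as a member of that group and attempt `ipa otptoken-add` with `--owner` set to another user. If it is still refused, the ACI alone is not sufficient on that version and the ticket's request stands.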
