Ticket was cloned from Red Hat Bugzilla (product Fedora): Bug 1273964
Description of problem:
Our facility operates 24/7, and the select few users with admin privileges are
not available on all shifts.
I need a way for supervisors to have the permissions to create/add/delete OTP
tokens. In the event a user gets a new phone or loses a token, the supervisors
on each shift need to be able to assist their users with making access
I would like to be able to assign the privilege of OTP token create/add/delete
within the role based access control system similarly to how the unlock and
reset password privileges can be assigned to a user group.
Version-Release number of selected component (if applicable):
FreeIPA, version: 4.1.4
Variable based on scheduling and users' needs, but fairly frequently with 460+
employees and very few admin-privileged users.
Steps to Reproduce:
1. In the interface go to Role Based Access Control > Permissions
2. Look for an option to add/modify/remove OTP tokens
3. Click Add
4. Set the type to either "Entry" or "OTP Configuration" or "User"
5. Select any attributes related to OTP tokens
(I could not find any specific attributes that I would expect to allow here so
I just went with add everything to see if it would even work)
6. Set granted rights to All
7. Assign new permission to a privilege and role
8. Attempt to use role on user/user group and create an OTP token for a
No permission exists that I can find or create for managing OTP tokens on other

Ability to find a permission or create one that allows for a user to manage
other users' OTP tokens.
My understanding based on what information I could find searching for answers
is that OTP token management is hard coded to the admin group, and individual
users can manage their tokens only.
Setting managedBy to a group might be sufficient, see https://bugzilla.redhat.com/show_bug.cgi?id=1273964#c4
Metadata Update from @pvoborni:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.5 backlog
I'm following this too, we'd like helpdesk accounts to be able to add a new otptoken on a user's behalf.
i.e. we want a permission that allows this command sequence to work:
ipa otptoken-add username --owner=username
We do not want the helpdesk user to be a FreeIPA admin.
We already have a mechanism for users to retrieve their token.