Ticket was cloned from Red Hat Bugzilla (product Fedora): Bug 1273964
Description of problem:

Our facility operates 24/7, and the select few users with admin privileges are not available on all shifts. I need a way for supervisors to have the permissions for create/add/delete OTP tokens. In the event a user gets a new phone or loses a token the supervisors on each shift need to be able to assist their users with making access possible. I would like to be able to assign the privilege of OTP token create/add/delete within the role based access control system similarly to how the unlock and reset password privileges can be assigned to a user group.

Version-Release number of selected component (if applicable):

FreeIPA, version: 4.1.4

How reproducible:

Variable based on scheduling and users' needs, but fairly frequently with 460+ employees and very few admin privileged users.

Steps to Reproduce:

1. In the interface go to Role Based Access Control > Permissions
2. Look for an option to add/modify/remove OTP tokens
3. Click Add
4. Set the type to either "Entry" or "OTP Configuration" or "User"
5. Select any attributes related to OTP tokens (I could not find any specific attributes that I would expect to allow here so I just went with add everything to see if it would even work)
6. Set granted rights to All
7. Assign new permission to a privilege and role
8. Attempt to use role on user/user group and create an OTP token for a different user.

Actual results:

No permission exists that I can find or create for managing OTP tokens on other users.

Expected results:

Ability to find a permission or create one that allows for a user to manage other users' OTP tokens.

Additional info:

My understanding based on what information I could find searching for answers is that OTP token management is hard coded to the admin group, and individual users can manage their tokens only.
Setting managedBy to a group might be sufficient, see https://bugzilla.redhat.com/show_bug.cgi?id=1273964#c4
Metadata Update from @pvoborni:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.5 backlog
I'm following this too, we'd like helpdesk accounts to be able to add a new otptoken on a user's behalf.
i.e. we want a permission that allows this command sequence to work:
~~~~
kinit helpdesk
ipa otptoken-add username --owner=username
~~~~
We do not want the helpdesk user to be a FreeIPA admin.
We already have a mechanism for users to retrieve their token.
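The permission, privilege and role chain the reporter walks through in the UI (steps 1 to 8), followed by the helpdesk command sequence from the comment above, expressed as an added shell example. This is not code from the ticket or from the FreeIPA project: it assumes an enrolled client with an admin ticket, an existing helpdesk group, and that `ipa permission-add` accepts `--type=otptoken` (an assumption; the reporter's 4.1.4 UI did not offer that type). The permission, privilege and role names are made up for the example. Setting `IPA=echo` and `KINIT=echo` turns both functions into a dry run that only prints the commands, which is how the example can be checked without a server.

```shell
#!/bin/sh
# Added example, not from the ticket or FreeIPA itself. Builds the RBAC chain
# the reporter tried in the UI, then exercises it the way the helpdesk comment
# describes. IPA and KINIT can be overridden (e.g. IPA=echo) for a dry run.
set -eu

# Create the permission, wrap it in a privilege, attach the privilege to a
# role and put the helpdesk group into that role.
# $1 = name of an existing group whose members should manage OTP tokens.
# The "--type=otptoken" permission type is an assumption (see lead-in).
setup_otp_helpdesk_role() {
    group="$1"
    "${IPA:-ipa}" permission-add "Manage User OTP Tokens" \
        --type=otptoken --right=all
    "${IPA:-ipa}" privilege-add "OTP Token Administrators" \
        --desc="Create, modify and delete OTP tokens of other users"
    "${IPA:-ipa}" privilege-add-permission "OTP Token Administrators" \
        --permissions="Manage User OTP Tokens"
    "${IPA:-ipa}" role-add "OTP Token Administrator" \
        --desc="Shift supervisors who manage OTP tokens"
    "${IPA:-ipa}" role-add-privilege "OTP Token Administrator" \
        --privileges="OTP Token Administrators"
    "${IPA:-ipa}" role-add-member "OTP Token Administrator" --groups="$group"
}

# Exercise the role as the helpdesk account: obtain its ticket, then add a
# TOTP token owned by another user (the sequence the comment wants to work
# without making the helpdesk account an admin).
# $1 = helpdesk principal, $2 = owner of the new token, $3 = optional token ID.
helpdesk_add_token() {
    "${KINIT:-kinit}" "$1"
    "${IPA:-ipa}" otptoken-add ${3:+"$3"} --owner="$2" --type=totp
}

# Run only when invoked directly with "apply"; the functions stay importable.
if [ "${1:-}" = "apply" ]; then
    setup_otp_helpdesk_role "${2:-helpdesk}"
    helpdesk_add_token "${3:-helpdesk}" "${4:-someuser}"
fi
```

Whether the resulting permission actually lets the helpdesk user create tokens for others is exactly what this ticket is about; the first comment's alternative of setting the token's managedBy to a group can be tried against the same role layout. A useful check after applying it is to confirm the helpdesk principal still fails `ipa user-mod` on another user, so the role grants token management and nothing wider.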