While Kanidm exists to make authorisation decisions on behalf of other services, internally it must make decisions about writes operations to the entries within its database. To make these choices, Kanidm has an internal set of access controls which are the rules describing who may perform what actions.
The project ships default access controls which are designed to limit and isolate the privileges of accounts whenever possible.
This separation is the reason why
idm_admin exist as separate accounts. There are two
distinct access silos within Kanidm. Access to manage Kanidm as a service (such as application
integrations and domain naming) and access to manage people and groups. This is to limit the
possible harm that an attacker may make if they gain access to these roles.
A number of types in Kanidm allow permission delegation such as groups and service accounts. This allows entries to be assigned an entry manager who has write access to that entity but not all entities of the same class.
Kanidm has a special group called
idm_high_privilege. This acts as a "taint" on its members to
indicate that they have an elevated level of access within Kanidm or other systems.
This taint flag exists to prevent lateral movement from other roles that have higher levels of privilege.
An example is
idm_service_desk which has the ability to trigger credential resets for users. This
is an important aspect of the service desk role. However, a member of the service desk should not be
able to modify the credentials of their peers, nor should they be able to escalate by accessing the
credentials of users in a role such as
both tainted with
idm_high_privilege then this lateral movement is not possible. Only high
privileged roles are able to then reset the accounts of high privilege users.
You may add other groups to
idm_high_privilege to achieve the same taint effect for other
Kanidm ships with default permission groups. You can use these to enable accounts to perform certain tasks within Kanidm as required.
|modify the name of this domain
|write access controls
|modify account policy requirements for user authentication
|create and modify groups
|create and modify oauth2 integrations
|create and modify persons
|create (but not modify) persons. Intended for use with service accounts
|allow read to personally identifying information
|allow self-modification of the mail attribute
|read user radius secrets. Intended for use with service accounts
|create and reset user radius secrets, and allow users to access radius
|modify and restore entries from the recycle bin
|add and modify elements of schema
|create and modify service accounts
|enable posix attributes on accounts and groups
Kanidm ships with 3 high level permission groups. These roles have no inherent permissions, they are created by being members of the default permission groups.
|manage persons and their groups
|assist persons with credential resets or other queries
|manage the operation of Kanidm as a database and service