[Freeipa-devel] question about permissions, etc., in groups
David O'Brien
david.obrien at redhat.com
Tue Dec 4 01:04:10 UTC 2007
Rob Crittenden wrote:
> David O'Brien wrote:
>> I read in a thread somewhere that if you deactivate a group, then all
>> members of that group are also deactivated. The exception being that if
>> a user is a member of another group that is active, then that user is
>> still active.
>>
>> 1: all users are members of ipauser, right? Can they be removed from
>> that group? If I and several hundred other users are in GroupA, GroupB,
>> etc., as well as in ipausers, and you deactivate all but ipausers, then
>> all that's happened is you've deactivated a bunch of groups. Ah... with
>> those groups deactivated, any permissions/delegations that were
>> associated with those groups go away too. (yes, I'm thinking out
>> loud...) Did I miss anything else?
>
> Right, by deactivating those groups you deactivate all the users in
> those groups as well as any groups that may be a member (and thus those
> members).
So it's not what I thought? If I'm in GroupA and GroupB and you
deactivate either one, I'm deactivated, period? I thought you stayed
active as long as you were in an active group.
>
>> 2: If I'm in two groups with conflicting permissions, who wins? I'm in
>> GroupA, which means I can edit any user in France, but not in Germany.
>> I'm also in GroupB, which says I can edit Germany but not France. Or
>> should the administrator be smarter than that?
>
> I believe that deny overrules allow in FDS ACIs. So if you hit any deny
> along the way of determining permission you are denied.
OK, I'll write it up as such unless I hear otherwise.
Thanks
--
David O'Brien <mailto:daobrien at redhat.com>
RHCT
PGP-KeyID: 0x443CBA7B
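
Added example, not part of the original message and not FreeIPA or FDS code: a small Python model of the deny-overrules-allow evaluation Rob describes, applied to the GroupA/GroupB France/Germany case from question 2. It assumes the "but not" halves are written as explicit deny rules and that access with no matching allow is denied; the dc=example,dc=com DNs and the names Aci, decide and effective_access are made up for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Aci:
    effect: str    # "allow" or "deny"
    right: str     # e.g. "write"
    subtree: str   # DN suffix the rule targets
    group: str     # group whose members the rule applies to

def in_subtree(entry_dn, subtree):
    # True when entry_dn is the subtree root or sits below it.
    e, s = entry_dn.lower(), subtree.lower()
    return e == s or e.endswith("," + s)

def decide(acis, user_groups, right, entry_dn):
    """Return (allowed, reason): any matching deny wins, no matching allow means denied."""
    matching = [a for a in acis
                if a.right == right and a.group in user_groups
                and in_subtree(entry_dn, a.subtree)]
    denies = [a for a in matching if a.effect == "deny"]
    if denies:
        return False, f"deny via {denies[0].group}"
    allows = [a for a in matching if a.effect == "allow"]
    if allows:
        return True, f"allow via {allows[0].group}"
    return False, "no matching allow"

# Constructed sample DNs and rules (hypothetical, for illustration only).
FR = "ou=France,dc=example,dc=com"
DE = "ou=Germany,dc=example,dc=com"
ALLOW_ONLY = [Aci("allow", "write", FR, "GroupA"),
              Aci("allow", "write", DE, "GroupB")]
WITH_DENY = ALLOW_ONLY + [Aci("deny", "write", DE, "GroupA"),
                          Aci("deny", "write", FR, "GroupB")]

def effective_access(user_groups, acis=WITH_DENY):
    # Map each country to whether a member of user_groups may edit a user there.
    return {name: decide(acis, user_groups, "write", f"uid=someone,{dn}")[0]
            for name, dn in (("France", FR), ("Germany", DE))}

if __name__ == "__main__":
    for groups in ({"GroupA"}, {"GroupB"}, {"GroupA", "GroupB"}, set()):
        print(sorted(groups), "with deny:", effective_access(groups),
              "allow only:", effective_access(groups, ALLOW_ONLY))
```

With explicit deny rules, a member of both groups can edit neither country; with the same intent written as allow-only rules, the same user can edit both.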