[Freeipa-devel] question about permissions, etc., in groups

David O'Brien david.obrien at redhat.com
Tue Dec 4 01:04:10 UTC 2007


Rob Crittenden wrote:
> David O'Brien wrote:
>> I read in a thread somewhere that if you deactivate a group, then all
>> members of that group are also deactivated. The exception being that if
>> a user is a member of another group that is active, then that user is
>> still active.
>>
>> 1: all users are members of ipauser, right? Can they be removed from
>> that group? If I and several hundred other users are in GroupA, GroupB,
>> etc., as well as in ipausers, and you deactivate all but ipausers, then
>> all that's happened is you've deactivated a bunch of groups. Ah...  with
>> those groups deactivated, any permissions/delegations that were
>> associated with those groups go away too. (yes, I'm thinking out
>> loud...) Did I miss anything else?
> 
> Right, by deactivating those groups you deactivate all the users in
> those groups as well as any groups that may be a member (and thus those
> members).

So it's not what I thought?  If I'm in GroupA and GroupB and you
deactivate either one, I'm deactivated, period? I thought you stayed
active as long as you were in an active group.

> 
>> 2: If I'm in two groups with conflicting permissions, who wins? I'm in
>> GroupA, which means I can edit any user in France, but not in Germany.
>> I'm also in GroupB, which says I can edit Germany but not France. Or
>> should the administrator be smarter than that?
> 
> I believe that deny overrules allow in FDS ACIs. So if you hit any deny
> along the way of determining permission you are denied.

ok, I'll write it up as such unless I hear otherwise.

thanks

-- 

David O'Brien <mailto:daobrien at redhat.com>
RHCT
PGP-KeyID: 0x443CBA7B
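The two rules under discussion, as an added illustration that is not part of the thread and not FreeIPA or 389/FDS code: group deactivation modelled the way Rob describes it (every effective member of a deactivated group, including members of nested groups, is deactivated regardless of other memberships), and ACI evaluation where any applicable deny overrides an allow. The group names, users, country values, DN layout and the use of the `c` attribute for targeting are all assumptions made up for the example.

```python
"""Model of the two rules discussed in the thread (added illustration,
not FreeIPA or 389 Directory Server code): group deactivation cascades
through nested groups, and a matching deny ACI overrides any allow."""
from dataclasses import dataclass, field

# The France/Germany scenario written as 389/FDS ACIs. DNs and the use of
# 'c' (country) as the targeting attribute are assumptions for the example.
#   (targetfilter="(c=FR)")(version 3.0; acl "GroupA edits France";
#       allow (write) groupdn="ldap:///cn=GroupA,cn=groups,dc=example,dc=com";)
#   (targetfilter="(c=DE)")(version 3.0; acl "GroupA not Germany";
#       deny (write) groupdn="ldap:///cn=GroupA,cn=groups,dc=example,dc=com";)
# The evaluator below keeps only the fields that matter for precedence.


@dataclass
class Group:
    users: set = field(default_factory=set)      # direct user members
    subgroups: set = field(default_factory=set)  # nested member groups


@dataclass(frozen=True)
class Aci:
    group: str    # group the rule is granted to (groupdn in the real ACI)
    country: str  # value of the target users' 'c' attribute
    effect: str   # "allow" or "deny" for the write right


def effective_members(groups, name, seen=None):
    """Users reachable from group `name`, following nested groups."""
    seen = set() if seen is None else seen
    if name in seen:            # guard against membership cycles
        return set()
    seen.add(name)
    g = groups[name]
    users = set(g.users)
    for sub in g.subgroups:
        users |= effective_members(groups, sub, seen)
    return users


def deactivated_users(groups, deactivated):
    """Deactivating a group deactivates all of its effective members,
    whether or not they remain members of some other active group."""
    users = set()
    for name in deactivated:
        users |= effective_members(groups, name)
    return users


def groups_of(groups, user):
    """Groups the user is an effective member of, directly or by nesting."""
    return {name for name in groups if user in effective_members(groups, name)}


def can_write(acis, groups, actor, target_country):
    """Deny-overrides-allow: if any applicable ACI denies, the answer is
    deny; otherwise access is granted only if some applicable ACI allows
    (no matching ACI at all is the default deny)."""
    mine = groups_of(groups, actor)
    applicable = [a for a in acis if a.group in mine and a.country == target_country]
    if any(a.effect == "deny" for a in applicable):
        return False
    return any(a.effect == "allow" for a in applicable)


# Constructed sample directory: david is in GroupA and GroupB (the
# conflicting case), anna only in GroupB, and Admins nests GroupA.
GROUPS = {
    "ipausers": Group(users={"david", "anna", "hans"}),
    "GroupA": Group(users={"david"}),
    "GroupB": Group(users={"david", "anna"}),
    "Admins": Group(subgroups={"GroupA"}),
}
ACIS = [
    Aci("GroupA", "FR", "allow"), Aci("GroupA", "DE", "deny"),
    Aci("GroupB", "DE", "allow"), Aci("GroupB", "FR", "deny"),
]

if __name__ == "__main__":
    for actor in ("david", "anna", "hans"):
        for c in ("FR", "DE"):
            print(f"{actor} may edit {c}: {can_write(ACIS, GROUPS, actor, c)}")
    print("deactivate GroupA ->", sorted(deactivated_users(GROUPS, ["GroupA"])))
    print("deactivate Admins ->", sorted(deactivated_users(GROUPS, ["Admins"])))
```

With these rules a user in both conflicting groups ends up unable to edit either country, which is the practical reason an administrator should avoid writing deny ACIs against groups that can overlap: the denies do not cancel out, they accumulate.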

