[Freeipa-devel] question about permissions, etc., in groups
Rob Crittenden
rcritten at redhat.com
Tue Dec 4 14:00:18 UTC 2007
David O'Brien wrote:
> Rob Crittenden wrote:
>> David O'Brien wrote:
>>> I read in a thread somewhere that if you deactivate a group, then all
>>> members of that group are also deactivated. The exception being that if
>>> a user is a member of another group that is active, then that user is
>>> still active.
>>>
>>> 1: all users are members of ipauser, right? Can they be removed from
>>> that group? If I and several hundred other users are in GroupA, GroupB,
>>> etc., as well as in ipausers, and you deactivate all but ipausers, then
>>> all that's happened is you've deactivated a bunch of groups. Ah... with
>>> those groups deactivated, any permissions/delegations that were
>>> associated with those groups go away too. (yes, I'm thinking out
>>> loud...) Did I miss anything else?
>> Right, by deactivating those groups you deactivate all the users in
>> those groups as well as any groups that may be a member (and thus those
>> members).
>
> So it's not what I thought? If I'm in GroupA and GroupB and you
> deactivate either one, I'm deactivated, period? I thought you stayed
> active as long as you were in an active group.
No, like deny, inactive wins. We'll need to test this but it should work.
User U is member of Groups A and B. Group A is inactive.
Mark the user as active (this should override everything).
This should override the group inactivity.
>>> 2: If I'm in two groups with conflicting permissions, who wins? I'm in
>>> GroupA, which means I can edit any user in France, but not in Germany.
>>> I'm also in GroupB, which says I can edit Germany but not France. Or
>>> should the administrator be smarter than that?
>> I believe that deny overrules allow in FDS ACIs. So if you hit any deny
>> along the way of determining permission you are denied.
>
> ok, I'll write it up as such unless I hear otherwise.
>
> thanks
>
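
The rules stated in this thread, modelled as an added example (not FreeIPA code and not written by either poster). GroupC, the users "v", "w" and "anna", the function names and the data layout are assumptions, and the user-level override is the behaviour described above as still needing a test:

```python
# Added illustration: models the rules as stated in the thread. Not FreeIPA code.
# Constructed sample data; GroupC, "v", "w" and "anna" are hypothetical.
MEMBER_OF = {
    "u": {"GroupA", "GroupB", "ipausers"},
    "v": {"GroupC", "ipausers"},
    "w": {"ipausers"},
    "anna": {"GroupA", "ipausers"},
    "GroupC": {"GroupA"},          # nested group: GroupC is a member of GroupA
}
INACTIVE_GROUPS = {"GroupA"}
# (group, effect, target) taken from question 2 in the thread
RULES = [
    ("GroupA", "allow", "France"), ("GroupA", "deny", "Germany"),
    ("GroupB", "allow", "Germany"), ("GroupB", "deny", "France"),
]

def ancestor_groups(entry, member_of=MEMBER_OF):
    """Every group the entry belongs to, directly or through nested groups."""
    seen, stack = set(), list(member_of.get(entry, ()))
    while stack:
        group = stack.pop()
        if group not in seen:
            seen.add(group)
            stack.extend(member_of.get(group, ()))
    return seen

def is_active(user, explicitly_active=frozenset()):
    """Inactive wins: one inactive group anywhere in the chain deactivates the user,
    unless the user entry itself is marked active (override described as untested)."""
    if user in explicitly_active:
        return True
    return not (ancestor_groups(user) & INACTIVE_GROUPS)

def can_edit(user, target, rules=RULES):
    """Deny overrules allow; with no matching allow the answer is also no."""
    groups = ancestor_groups(user)
    effects = {effect for group, effect, tgt in rules if group in groups and tgt == target}
    return "allow" in effects and "deny" not in effects

if __name__ == "__main__":
    for name in ("u", "v", "w"):
        print(name, "active:", is_active(name))
    print("u after override:", is_active("u", explicitly_active={"u"}))
    for country in ("France", "Germany"):
        print("u edits", country, "->", can_edit("u", country))
```

Under deny-overrules-allow, a user in both GroupA and GroupB from question 2 ends up able to edit neither France nor Germany, which is the case an administrator has to design around.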