[Freeipa-devel] question about permissions, etc., in groups

Rob Crittenden rcritten at redhat.com
Tue Dec 4 14:00:18 UTC 2007


David O'Brien wrote:
> Rob Crittenden wrote:
>> David O'Brien wrote:
>>> I read in a thread somewhere that if you deactivate a group, then all
>>> members of that group are also deactivated. The exception being that if
>>> a user is a member of another group that is active, then that user is
>>> still active.
>>>
>>> 1: all users are members of ipauser, right? Can they be removed from
>>> that group? If I and several hundred other users are in GroupA, GroupB,
>>> etc., as well as in ipausers, and you deactivate all but ipausers, then
>>> all that's happened is you've deactivated a bunch of groups. Ah...  with
>>> those groups deactivated, any permissions/delegations that were
>>> associated with those groups go away too. (yes, I'm thinking out
>>> loud...) Did I miss anything else?
>> Right, by deactivating those groups you deactivate all the users in
>> those groups as well as any groups that may be a member (and thus those
>> members).
> 
> So it's not what I thought?  If I'm in GroupA and GroupB and you
> deactivate either one, I'm deactivated, period? I thought you stayed
> active as long as you were in an active group.

No, like deny, inactive wins. We'll need to test this but it should work.

User U is member of Groups A and B. Group A is inactive.

Mark the user as active (this should override everything)

This should override the group inactivity.

>>> 2: If I'm in two groups with conflicting permissions, who wins? I'm in
>>> GroupA, which means I can edit any user in France, but not in Germany.
>>> I'm also in GroupB, which says I can edit Germany but not France. Or
>>> should the administrator be smarter than that?
>> I believe that deny overrules allow in FDS ACIs. So if you hit any deny
>> along the way of determining permission you are denied.
> 
> ok, I'll write it up as such unless I hear otherwise.
> 
> thanks
> 
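
The two rules stated in this thread (inactive wins unless the user is explicitly marked active, and deny overrules allow), modelled as an added example that is not part of the original messages and is not FreeIPA or FDS code. The class, method names and sample data are hypothetical, and the default of no access when no rule matches is an assumption of the model.

```python
# Toy model of the rules discussed in this thread; not FreeIPA or FDS code.
# Every name here is hypothetical and the data is constructed.

class Directory:
    def __init__(self):
        self.parents = {}      # entry -> groups it is a direct member of
        self.inactive = set()  # groups explicitly deactivated
        self.user_flag = {}    # user -> explicit True/False set on the user entry
        self.rules = []        # (group, "allow" | "deny", target)

    def add_member(self, group, member):
        self.parents.setdefault(member, set()).add(group)

    def groups_of(self, entry):
        """Direct and nested group memberships, tolerating membership cycles."""
        seen, stack = set(), [entry]
        while stack:
            for group in self.parents.get(stack.pop(), ()):
                if group not in seen:
                    seen.add(group)
                    stack.append(group)
        return seen

    def is_active(self, user):
        # An explicit flag on the user overrides anything inherited.
        if user in self.user_flag:
            return self.user_flag[user]
        # Otherwise inactive wins: one inactive group is enough.
        return not (self.groups_of(user) & self.inactive)

    def can_edit(self, user, target):
        verdicts = {v for g, v, t in self.rules
                    if t == target and g in self.groups_of(user)}
        # Deny overrules allow; no matching rule means no access (assumption).
        return "allow" in verdicts and "deny" not in verdicts


def sample():
    d = Directory()
    for group, member in [("GroupA", "u"), ("GroupB", "u"), ("ipausers", "u"),
                          ("GroupA", "Nested"), ("Nested", "v"),
                          ("Nested", "GroupA"),  # deliberate cycle
                          ("GroupB", "w")]:
        d.add_member(group, member)
    d.rules = [("GroupA", "allow", "France"), ("GroupA", "deny", "Germany"),
               ("GroupB", "allow", "Germany"), ("GroupB", "deny", "France")]
    return d
```

With the constructed data, user `u` (in both GroupA and GroupB) ends up unable to edit either France or Germany, which is the outcome the conflicting-permissions question asks about.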
