[Freeipa-devel] question about permissions, etc., in groups

David O'Brien david.obrien at redhat.com
Tue Dec 4 15:26:47 UTC 2007


Simo Sorce wrote:
> On Tue, 2007-12-04 at 11:04 +1000, David O'Brien wrote:
>> Rob Crittenden wrote:
>>> David O'Brien wrote:
>>>> I read in a thread somewhere that if you deactivate a group, then all
>>>> members of that group are also deactivated. The exception being that if
>>>> a user is a member of another group that is active, then that user is
>>>> still active.
>>>>
>>>> 1: all users are members of ipausers, right? Can they be removed from
>>>> that group? If I and several hundred other users are in GroupA, GroupB,
>>>> etc., as well as in ipausers, and you deactivate all but ipausers, then
>>>> all that's happened is you've deactivated a bunch of groups. Ah... with
>>>> those groups deactivated, any permissions/delegations that were
>>>> associated with those groups go away too. (yes, I'm thinking out
>>>> loud...) Did I miss anything else?
>>> Right, by deactivating those groups you deactivate all the users in
>>> those groups as well as any groups that may be a member (and thus those
>>> members).
>> So it's not what I thought?  If I'm in GroupA and GroupB and you
>> deactivate either one, I'm deactivated, period? I thought you stayed
>> active as long as you were in an active group.
> 
> No, it wouldn't make sense.
> Think how difficult it would be to be sure all members of a specific group
> are inactivated if your reasoning were true.

Yes, it makes sense to have it the way it's been explained above. I was
attempting to follow up on what I read (obviously not well enough) in
another thread.

> 
>>>> 2: If I'm in two groups with conflicting permissions, who wins? I'm in
>>>> GroupA, which means I can edit any user in France, but not in Germany.
>>>> I'm also in GroupB, which says I can edit Germany but not France. Or
>>>> should the administrator be smarter than that?
>>> I believe that deny overrules allow in FDS ACIs. So if you hit any deny
>>> along the way of determining permission you are denied.
>> ok, I'll write it up as such unless I hear otherwise.
> 
> Inactivation is prevalent, unless you specifically override the
> attribute manually on the specific user.
> 

I'll make sure I include this when documenting active and inactive users
and groups.

> (As others have said, we need to test, but if this is not what we get we
> need to raise a bug)
> 
I'll try to do my bit while documenting. Who's on the testing team
anyway, apart from Suzanne of the questionable wrists?  ;-)

-- 

David O'Brien <mailto:daobrien at redhat.com>
RHCT
PGP-KeyID: 0x443CBA7B

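The two rules the thread settles on (a user is inactive if any group containing them, directly or through a nested group, is inactivated, unless the user's own status is overridden manually; and for the ACI question, any applicable deny beats any applicable allow) can be written down as a small model. The following is an added example, not FreeIPA or Directory Server code: the group tree, the inactivated-group set, the per-user overrides and the ACI list are all constructed here for illustration, and the ACIs are reduced to (effect, subject group, target country) triples rather than real FDS ACI syntax.

```python
"""Model of the semantics described in the thread (added example, not FreeIPA code).

Rule 1: a user is inactive if any group that contains them, directly or via
        nested group membership, is inactivated; a manual override on the user
        entry takes precedence over the group-derived status.
Rule 2: when several ACIs apply to the same operation, any deny wins over any
        allow; if nothing applies, access is denied by default.
"""
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed sample directory: group -> direct members (users or groups).
MEMBERS: Dict[str, Set[str]] = {
    "ipausers": {"alice", "bob", "carol"},
    "groupA": {"alice", "bob"},
    "groupB": {"alice", "carol", "nested"},
    "nested": {"dave"},            # nested group: dave is in groupB through it
}

# Constructed ACIs: (effect, subject group, target country the ACI covers).
ACIS: List[Tuple[str, str, str]] = [
    ("allow", "groupA", "FR"),     # GroupA may edit users in France ...
    ("deny",  "groupA", "DE"),     # ... but not in Germany
    ("allow", "groupB", "DE"),     # GroupB may edit Germany ...
    ("deny",  "groupB", "FR"),     # ... but not France
]


def groups_of(principal: str, members: Dict[str, Set[str]]) -> Set[str]:
    """All groups containing principal, following nested membership to a fixpoint."""
    result: Set[str] = set()
    frontier = [principal]
    while frontier:
        p = frontier.pop()
        for group, direct in members.items():
            if p in direct and group not in result:
                result.add(group)
                frontier.append(group)   # groups containing this group also count
    return result


def is_active(user: str,
              members: Dict[str, Set[str]],
              inactive_groups: Iterable[str],
              overrides: Optional[Dict[str, bool]] = None) -> bool:
    """Rule 1: manual override on the user wins; otherwise any inactive
    containing group (transitively) makes the user inactive."""
    overrides = overrides or {}
    if user in overrides:
        return overrides[user]
    return not (groups_of(user, members) & set(inactive_groups))


def may_edit(actor: str, target_country: str,
             acis: List[Tuple[str, str, str]],
             members: Dict[str, Set[str]]) -> bool:
    """Rule 2: collect every ACI whose subject group contains the actor and
    whose target matches; a single deny among them is decisive."""
    actor_groups = groups_of(actor, members)
    applicable = [effect for effect, group, country in acis
                  if group in actor_groups and country == target_country]
    if "deny" in applicable:
        return False
    return "allow" in applicable    # nothing applicable -> default deny


if __name__ == "__main__":
    inactive = {"groupA"}
    for u in ("alice", "bob", "carol", "dave"):
        print(u, "active" if is_active(u, MEMBERS, inactive) else "INACTIVE",
              "FR:", may_edit(u, "FR", ACIS, MEMBERS),
              "DE:", may_edit(u, "DE", ACIS, MEMBERS))
```

Running it with groupA inactivated shows alice and bob inactive (carol and dave stay active since ipausers and groupB are untouched), and alice, who is in both GroupA and GroupB, can edit neither France nor Germany because each country carries a deny from one of her groups. Whether the real server behaves this way is exactly what the thread says still needs testing; the model only encodes the rules as stated.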


