[Freeipa-devel] Access control
Richard Megginson
rmeggins at redhat.com
Tue Sep 11 18:44:26 UTC 2007
Karl MacMillan wrote:
> I started a page on access control for v1 at
> http://freeipa.org/page/AccessControl. Not a whole lot there right now -
> just some use cases and initial thoughts.
>
> I have some questions:
>
> How do we control which users / groups a user can modify or read? The
> FDS ACI allow all sorts of control over which entry a user can access
> (by DN, ldap search, etc.). I'd like to present enough power while
> keeping things simple.
>
Fedora DS implements support for the Get Effective Rights control. But
I don't know if it does everything you want to do from a GUI
standpoint. You also want to know what attributes are marked
NO-USER-MODIFICATION, which ones are virtual and cannot be edited
directly, etc. See
https://www.redhat.com/archives/fedora-directory-devel/2006-November/msg00000.html
> How can we determine what access a user has without trying an action?
> This is needed for presenting editing forms that don't allow you to make
> modifications of entries you're not allowed to edit.
>
> Should we show blank fields if the user can't read an attribute or just
> omit the field altogether?
>
> Karl
>
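One way a form layer could turn Get Effective Rights output into per-field states without attempting a modify, as an added example (not part of the original message and not FreeIPA code). It assumes the Fedora DS `attributeLevelRights` value format (`attr:letters`, comma separated, `none` for no rights); the sample entry, the `NOT_EDITABLE` set and the function names are constructed for illustration.

```python
# Constructed sample of what a search with the Get Effective Rights control
# returns for one entry (not captured from a real server).
SAMPLE_ENTRY = {
    "entryLevelRights": "v",
    "attributeLevelRights": "cn:rsc, mail:rscwo, telephoneNumber:rscw, "
                            "userPassword:wo, nsRole:rscwo, modifyTimestamp:rsc",
}

# GER does not report schema or virtual-attribute restrictions, so the caller
# supplies them: modifyTimestamp is NO-USER-MODIFICATION, nsRole is computed.
NOT_EDITABLE = {"modifyTimestamp", "nsRole"}


def parse_attribute_rights(value):
    """Map lower-cased attribute name -> set of right letters (r,s,c,w,o,...)."""
    rights = {}
    for item in value.split(","):
        name, _, letters = item.strip().rpartition(":")
        if name:
            rights[name.lower()] = set() if letters == "none" else set(letters)
    return rights


def field_states(entry, fields, not_editable=frozenset()):
    """Classify each form field from the entry's attributeLevelRights."""
    rights = parse_attribute_rights(entry.get("attributeLevelRights", ""))
    locked = {a.lower() for a in not_editable}
    states = {}
    for field in fields:
        r = rights.get(field.lower(), set())  # not listed: fail closed
        can_read = "r" in r
        # Replacing a value needs both w (add value) and o (delete value).
        can_write = {"w", "o"} <= r and field.lower() not in locked
        if can_read and can_write:
            states[field] = "editable"
        elif can_read:
            states[field] = "read-only"
        elif can_write:
            states[field] = "write-only"
        else:
            states[field] = "no-access"
    return states


if __name__ == "__main__":
    form = ["cn", "mail", "telephoneNumber", "userPassword", "nsRole", "description"]
    for name, state in field_states(SAMPLE_ENTRY, form, NOT_EDITABLE).items():
        print(f"{name:16} {state}")
```

The server still enforces the ACIs on the actual modify; the computed states only decide what the form offers.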