[Freeipa-devel] Access control

Karl MacMillan kmacmill at redhat.com
Tue Sep 11 20:08:21 UTC 2007


On Tue, 2007-09-11 at 12:50 -0700, Pete Rowley wrote:
> Karl MacMillan wrote:
> >
> > I have some questions:
> >
> > How do we control which users / groups a user can modify or read? The
> > FDS ACI allow all sorts of control over which entry a user can access
> > (by DN, ldap search, etc.). I'd like to present enough power while
> > keeping things simple.
> The model is the members of group X can do Y to the members of group Z. 
> That is the simplification and the reason for the memberof plugin (there 
> was no way to express "to the members of group Z" prior to that).
> 

I don't think that is sufficient as it prevents things like letting
manager Dave change attribute foo of all of his employees.

> > How can we determine what access a user has without trying an action?
> > This is needed for presenting editing forms that don't allow you to make
> > modifications of entries you're not allowed to edit.
> >
> I have a bug open for Get Effective Rights control to address 
> deficiencies in that control when trying to find out what the user is 
> allowed to do (can't get to bugzilla right now).
> 

What are the args to get effective rights and what does it return? The
docs at
http://directory.fedoraproject.org/wiki/Get_Effective_Rights_Design are
a little hard core for an LDAP newb like me.

Karl
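The "members of group X can do Y to the members of group Z" model Pete describes, written out as a Fedora Directory Server ACI; this is an added illustration, not something from the thread, and the group names, attribute `foo` and `dc=example,dc=com` suffix are made up:

```ldif
# Constructed example: members of group X may write attribute foo on
# every entry that is a member of group Z. The memberOf attribute the
# targetfilter tests is maintained on the target entries by the
# memberof plugin, which is what lets the ACI say "members of group Z".
dn: ou=people,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "foo")
 (targetfilter = "(memberOf=cn=Z,ou=groups,dc=example,dc=com)")
 (version 3.0; acl "group X writes foo on members of group Z";
 allow (write) groupdn = "ldap:///cn=X,ou=groups,dc=example,dc=com";)
```

Because the rule is scoped by `targetattr` and `targetfilter`, a member of X gains write access only to `foo` on Z's members and nothing else under the subtree.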
