[Freeipa-devel] Access control

Richard Megginson rmeggins at redhat.com
Tue Sep 11 20:13:18 UTC 2007


Karl MacMillan wrote:
> On Tue, 2007-09-11 at 12:50 -0700, Pete Rowley wrote:
>   
>> Karl MacMillan wrote:
>>     
>>> I have some questions:
>>>
>>> How do we control which users / groups a user can modify or read? The
>>> FDS ACI allow all sorts of control over which entry a user can access
>>> (by DN, ldap search, etc.). I'd like to present enough power while
>>> keeping things simple.
>>>       
>> The model is the members of group X can do Y to the members of group Z. 
>> That is the simplification and the reason for the memberof plugin (there 
>> was no way to express "to the members of group Z" prior to that).
>>
>>     
>
> I don't think that is sufficient as it prevents things like letting
> manager Dave change attribute foo of all of his employees.
>
>   
>>> How can we determine what access a user has without trying an action?
>>> This is needed for presenting editing forms that don't allow you to make
>>> modifications of entries you're not allowed to edit.
>>>
>>>   
>>>       
>> I have a bug open for Get Effective Rights control to address 
>> deficiencies in that control when trying to find out what the user is 
>> allowed to do (can't get to bugzilla right now).
>>
>>     
>
> What are the args to get effective rights and what does it return? The
> docs at
> http://directory.fedoraproject.org/wiki/Get_Effective_Rights_Design are
> a little hard core for an LDAP newb like me.
>   
I don't think there is a whole lot of user-oriented material for this 
feature.
http://www.redhat.com/docs/manuals/dir-server/release-notes/ger.html
> Karl
>
