[Freeipa-devel] Access control
Simo Sorce
ssorce at redhat.com
Tue Sep 11 20:15:53 UTC 2007
On Tue, 2007-09-11 at 16:08 -0400, Karl MacMillan wrote:
> On Tue, 2007-09-11 at 12:50 -0700, Pete Rowley wrote:
> > The model is the members of group X can do Y to the members of group Z.
> > That is the simplification and the reason for the memberof plugin (there
> > was no way to express "to the members of group Z" prior to that).
> I don't think that is sufficient as it prevents things like letting
> manager Dave change attribute foo of all of his employees.
No, it just means all of his employees will be in the group
"employees-of-Dave".
Simo.
More information about the Freeipa-devel
mailing list