[Freeipa-devel] Separating admin policy create role from deploy role

Karl Wirth kwirth at redhat.com
Mon Jan 26 17:40:06 UTC 2009


Hi,

With IPA v2, I think we should make it easy for an organization to set
up the following two different admin roles:
1) Able to create a policy but can't deploy it
2) Able to check and deploy a policy but not create it.
I think this fits with the controls many organizations have.

Might it be possible to accomplish this using the DS ACIs to restrict 
access to the policies and the policy links?

Best regards,
Karl