[Freeipa-devel] Separating admin policy create role from deploy role

Nathan Kinder nkinder at redhat.com
Mon Jan 26 18:13:40 UTC 2009


Karl Wirth wrote:
> Hi,
>
> With IPA v2, I think we should make it easy for an organization to set 
> up the following two different admin roles:
> 1) Able to create a policy but can't deploy it
> 2) Able to check and deploy a policy but not create it.
> I think this fits with the controls many organizations have.
>
> Might it be possible to accomplish this using the DS ACIs to restrict 
> access to the policies and the policy links?
We could handle this using ACIs in DS depending on how a policy is 
"deployed".  If we have a particular attribute that is used as a flag to 
"deploy" the policy, user #2 could have write access to this one 
attribute in the policy portion of the tree while being able to read the 
rest of the policy for checking.

User #1 would be able to write all of the policy attributes except for 
the "deploy" flag attribute.
>
> Best regards,
> Karl
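One way to express the split described above in 389 DS ACI syntax, as an added illustration rather than anything from the thread or from FreeIPA; the policy container DN, the two group DNs and the deploy-flag attribute name `ipaPolicyDeployed` are all assumptions:

```ldif
# Assumed names (not from the thread):
#   cn=policies,dc=example,dc=com   container holding the policy entries
#   ipaPolicyDeployed               the single attribute used as the "deploy" flag
#   cn=policyauthors / cn=policydeployers   groups for role #1 and role #2
dn: cn=policies,dc=example,dc=com
changetype: modify
add: aci
# Both roles may read every policy attribute: authors to edit, deployers to check.
aci: (targetattr = "*")
 (version 3.0; acl "policy roles: read policies";
 allow (read, search, compare)
 groupdn = "ldap:///cn=policyauthors,cn=groups,cn=accounts,dc=example,dc=com ||
 ldap:///cn=policydeployers,cn=groups,cn=accounts,dc=example,dc=com";)
-
add: aci
# Role #1: create and edit policies, but never write the deploy flag.
# "targetattr != ..." covers every attribute except the one named;
# the add right is what lets authors create new policy entries here.
aci: (targetattr != "ipaPolicyDeployed")
 (version 3.0; acl "policy authors: write everything except the deploy flag";
 allow (add, write)
 groupdn = "ldap:///cn=policyauthors,cn=groups,cn=accounts,dc=example,dc=com";)
-
add: aci
# Role #2: write only the deploy flag; no add right, so no new policies.
aci: (targetattr = "ipaPolicyDeployed")
 (version 3.0; acl "policy deployers: set the deploy flag";
 allow (write)
 groupdn = "ldap:///cn=policydeployers,cn=groups,cn=accounts,dc=example,dc=com";)
```

Because the directory denies by default, nothing outside these ACIs (including the `aci` attribute itself) becomes writable to either group. The `!=` form in the author ACI grants write on every attribute not named, so listing the policy's attributes explicitly is the tighter choice once the policy schema is fixed.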
